Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Security

Iranians Compromised a Highly Sensitive CIA Covert Communications System in 2011 by Using Google Search: Report (yahoo.com) 154

In 2011, Iran was able to use Google's search functionality to hack into a secret CIA communication network that was being used to contact agents and informants around the world -- a breach that appears to have triggered the exposure and execution of Agency sources in China and Iran, Yahoo News reported Friday.
This discussion has been archived. No new comments can be posted.

Iranians Compromised a Highly Sensitive CIA Covert Communications System in 2011 by Using Google Search: Report

Comments Filter:
  • "Don't Be Evil"
    • Re:Ooops (Score:5, Insightful)

      by Anonymous Coward on Friday November 02, 2018 @10:17AM (#57580798)

      Google didn't do anything but index web pages. The CIA controllers who didn't take the extremely simple and well-known measures to prevent indexing are the ones who were evil.

      It's like saying car manufacturers are evil because someone used their product to rob a bank. Only the bank opened up the vault as a drive-through instead of actually securing it in any way.

      TL;DR the CIA and Iran/China used convenient tools on the internet for spycraft. The CIA didn't use it prudently however, and got agents and informants killed due to their carelessness.

      • and worse Ooops (Score:5, Informative)

        by XXongo ( 3986865 ) on Friday November 02, 2018 @10:48AM (#57580946) Homepage
        And more oops: a CIA employee named John Reidy figured out that there was a leak and warned about it two years before. His information was ignored, and he was removed from his job.

        That was actually in the news three years ago, but because of secrecy, the details of exactly what he warned about was left out. Now we know: https://www.mcclatchydc.com/ne... [mcclatchydc.com] or https://www.thestate.com/news/... [thestate.com]

        "The CIA case involves former contractor John Reidy, who asserts he was punished after warning of a “catastrophic failure” in the spy agency’s operations. “It was a recipe for disaster,” Reidy wrote in his appeal, which was redacted by intelligence officials. “We had a catastrophic failure on our hands that would ensnare a great many of our sources.” His lawyer, Kel McClanahan, said Reidy was in charge of identifying foreign sources and systems in the telecommunications and computer fields that would be of interest to U.S. intelligence agencies.

        Reidy also was responsible for developing intelligence operations against those targets, his lawyer said. McClanahan said his client is not permitted to discuss the case in more detail even with him because the CIA says the information is classified.

        Reidy asserts that he first detected vulnerabilities in a CIA program in 2006, according to the appeal filing obtained by McClatchy. Signs of the problems included “anomalies in our operations and conflicting intelligence reporting that indicated several of our operations had been compromised,” he wrote, adding that he noticed “sources abruptly and without reason ceasing all communications with us.”

      • by harrkev ( 623093 )

        It's like saying car manufacturers are evil because someone used their product to rob a bank.

        But if a gun is used, it is the fault of the gun manufacturer. So if Smith & Wesson is responsible for shooting, then Google is responsible for this.

        • It's like saying car manufacturers are evil because someone used their product to rob a bank.

          But if a gun is used, it is the fault of the gun manufacturer.

          Actually, by law, if a gun is used in a crime it is explicitly not the fault of the gun manufacturer.

          The 2005 "Protection of Lawful Commerce in Arms Act" makes gun manufacturers immune from liability for use of their guns.
          http://time.com/4967018/las-vegas-shooting-gun-lawsuits/
          https://en.wikipedia.org/wiki/Protection_of_Lawful_Commerce_in_Arms_Act
          https://www.snopes.com/fact-check/gun-manufacturers-crimes-products/

          • Context: States trying to pass laws that make manufactures liable for their product working as designed and intended.

            • by XXongo ( 3986865 )

              Actually, by law, if a gun is used in a crime it is explicitly not the fault of the gun manufacturer. The 2005 "Protection of Lawful Commerce in Arms Act" makes gun manufacturers immune from liability for use of their guns.

              Context: States trying to pass laws that make manufactures liable for their product working as designed and intended.

              Close. The context is that lawyers discovered that there is money to be made from suing manufacturers of products that kill people. After they went after asbestos and then after tobacco, an obvious next target in the category of "somebody who makes a product that kills lots of people" is "companies that make guns."

              The fact that killing people is (as you put it) "the product working as designed and intended" would not be a very good defense.

              • It's a great defense.

                Companies are not liable for what people do with their products,

                Shitheal states were trying to pass laws to make the gun manufacturers liable for their products _working_correctly_. That's because absent those laws, gun manufactures were not liable. No more than car manufacturers are liable for shitty drivers.

                • by XXongo ( 3986865 )

                  It's a great defense. Companies are not liable for what people do with their products,

                  That's an editorial comment, not a legal principle.

                  Companies, in fact, can be liable for what people do with their product. This is specifically true when what their product does is kill people.

                  Shitheal states were trying to pass laws to make the gun manufacturers liable for their products _working_correctly_. That's because absent those laws, gun manufactures were not liable. No more than car manufacturers are liable for shitty drivers.

                  An excellent example. Car manufacturers are subject to a whole plethora of regulations for safety. Gun manufacturers, none.

                  • by Agripa ( 139780 )

                    An excellent example. Car manufacturers are subject to a whole plethora of regulations for safety. Gun manufacturers, none.

                    None? So the BATFE and various state laws which apply to gun manufacturers and gun sellers and gun owners are a myth?

                    I have always said that the California and Massachusetts approved firearms rosters are not about safety. Can I quote you?

                    Yea, no safety laws at all [giffords.org].

    • by hey! ( 33014 ) on Friday November 02, 2018 @10:21AM (#57580812) Homepage Journal

      Most of the methods Iranians used would have been familiar to George Smiley. They looked at what the Americans obviously knew about Iran and figured out who could have told them. Then they leaned on those people and found out how they were communicating with the CIA.

      This is where Google came in. These people were using phony websites to communicate with the CIA, and Iranian intelligence used Google to uncover similar websites. Then they hacked into those websites after which they had the keys to the kingdom.

      It was the CIA's reliance on a bodged-together, vulnerable system that killed those assets. They used it even after they'd been warned by their own analysts in 2008 that it had been compromised.

      • I'm not even sure they hacked those websites. I think they just logged which IPs connect to those domains, and then spied on those.

  • The link only points to a page demanding (not requesting) access to my device. Is there an accessible link?
    • This (Score:4, Informative)

      by Anonymous Coward on Friday November 02, 2018 @09:52AM (#57580678)

      In 2013, hundreds of CIA officers â" many working nonstop for weeks â" scrambled to contain a disaster of global proportions: a compromise of the agencyâ(TM)s internet-based covert communications system used to interact with its informants in dark corners around the world. Teams of CIA experts worked feverishly to take down and reconfigure the websites secretly used for these communications; others managed operations to quickly spirit assets to safety and oversaw other forms of triage.

      âoeWhen this was going on, it was all that mattered,â said one former intelligence community official. The situation was âoecatastrophic,â said another former senior intelligence official.

      From around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to the secret internet-based communications system, a key means for remote messaging between CIA officers and their sources on the ground worldwide. The previously unreported global problem originated in Iran and spiderwebbed to other countries, and was left unrepaired â" despite warnings about what was happening â" until more than two dozen sources died in China in 2011 and 2012 as a result, according to 11 former intelligence and national security officials.

      The disaster ensnared every corner of the national security bureaucracy â" from multiple intelligence agencies, congressional intelligence committees and independent contractors to internal government watchdogs â" forcing a slow-moving, complex government machine to grapple with the deadly dangers of emerging technologies.

      In a world where dependence on advanced technology may be a necessary evil for modern espionage, particularly in hostile regions where American officials canâ(TM)t operate freely, such technical failures are an ever present danger and will only become more acute with time.

      âoeWhen these types of compromises happen, itâ(TM)s so dark and bad,â said one former official. âoeThey can burrow in. It never really ends.â

      A former senior intelligence official with direct knowledge of the compromise said it had global implications for the CIA. âoeYou start thinking twice about people, from China to Russia to Iran to North Korea,â said the former official. The CIA was worried about its network âoetotally unwinding worldwide.â

      Yahoo Newsâ(TM) reporting on this global communications failure is based on conversations with eleven former U.S. intelligence and government officials directly familiar with the matter who requested anonymity to discuss sensitive operations. Multiple former intelligence officials said that the damage from the potential global compromise was serious â" even catastrophic â" and will persist for years.

      More than just a question of a single failure, the fiasco illustrates a breakdown that was never properly addressed. The governmentâ(TM)s inability to address the communication systemâ(TM)s insecurities until after sources were rolled up in China was disastrous. âoeWeâ(TM)re still dealing with the fallout,â said one former national security official. âoeDozens of people around the world were killed because of this.â

      ***** EAT AT JOE'S

      One of the largest intelligence failures of the past decade started in Iran in 2009, when the Obama administration announced the discovery of a secret Iranian underground enrichment facility â" part of Iranâ(TM)s headlong drive for nuclear weapons. Angered about the breach, the Iranians went on a mole hunt, looking for foreign spies, said one former senior intelligence official.

      The mole hunt wasnâ(TM)t hard, in large part, because the communications system the CIA was using to communicate with agents was flawed. Former U.S. officials said the internet-based platform, which was first used in war zones in the Middle East, was not built to withstand the sophisticated counterintelligence efforts of a s

      • ... In 2013 ...From around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to the secret internet-based communications system, a key means for remote messaging between CIA officers and their sources on the ground worldwide. ...until more than two dozen sources died in China in 2011 and 2012 as a result, according to 11 former intelligence and national security officials.

        So another scandal under Obama and Clinton that was buried. He was easily the most protected president by the media since Kennedy.

  • by Anonymous Coward

    Come on guys, if you can google it, it's not "hacking".

    In fact, "hacking" isn't even about computer security; if you think it is you lack Clue and are likely spouting nonsense. Which is exactly what most of the "computer security" s'kiddies do for a living. So here: Somebody left the door wide open, and instead of pointing to the culprit you find some other idiots to point to, just to deflect the blame. Syeah right, "hacking". Nope, sheer unadulterated incompetence.

  • by Zorro ( 15797 ) on Friday November 02, 2018 @09:54AM (#57580684)

    Seems insecure.

    Maybe we should go back to typewriters.

    • not just the internet, this whole computer thing seems pretty insecure.

      Almost seems like the eggheads who designed and created these things did it that way on purpose, so there'd always be a strong demand in the future for people who understand this stuff.

  • Wow, they really need to stop picking up those USB drives people leave at the airport.
  • They made sure Google indexed their malware web site Shemales4CIA.

  • by Thelasko ( 1196535 ) on Friday November 02, 2018 @10:26AM (#57580828) Journal
    This is a really long article that can be summarized in about two paragraphs:

    In fact, the Iranians used Google to identify the website the CIA was were using to communicate with agents. Because Google is continuously scraping the internet for information about all the world’s websites, it can function as a tremendous investigative tool — even for counter-espionage purposes. And Google’s search functions allow users to employ advanced operators — like “AND,” “OR,” and other, much more sophisticated ones — that weed out and isolate websites and online data with extreme specificity.

    According to the former intelligence official, once the Iranian double agent showed Iranian intelligence the website used to communicate with his or her CIA handlers, they began to scour the internet for websites with similar digital signifiers or components — eventually hitting on the right string of advanced search terms to locate other secret CIA websites. From there, Iranian intelligence tracked who was visiting these sites, and from where, and began to unravel the wider CIA network.

    There was still some old fashioned spying going on. Without a double agent to show the Iranians a sample website, they never would have figured out which strings to search for.

    The bigger question is, did Iran share this information with China and Russia? If so, what did they get in exchange?

    • by XXongo ( 3986865 ) on Friday November 02, 2018 @10:52AM (#57580966) Homepage

      This is a really long article that can be summarized in about two paragraphs:

      Well, plus one more very important paragraph:

      In 2008 — well before the Iranians had arrested any agents — a defense contractor named John Reidy, whose job it was to identify, contact and manage human sources for the CIA in Iran, had already sounded an alarm about a “massive intelligence failure” having to do with “communications” with sources. According to Reidy’s publicly available but heavily redacted whistleblower disclosure, by 2010 he said he was told that the “nightmare scenario” he had warned about regarding the secret communications platform had, in fact, occurred

      They were told there was a problem. They ignored it, and fired the person who told them.

      • Comment removed (Score:5, Insightful)

        by account_deleted ( 4530225 ) on Friday November 02, 2018 @10:58AM (#57581022)
        Comment removed based on user account deletion
      • Also, this system was supposed to be a temporary solution to a communications issue they were having. Like most temporary solutions, it was widely adopted, and the permanent solution was never developed.

        The mole hunt wasn’t hard, in large part, because the communications system the CIA was using to communicate with agents was flawed. Former U.S. officials said the internet-based platform, which was first used in war zones in the Middle East, was not built to withstand the sophisticated counterintelli

    • by AmiMoJo ( 196126 )

      You have to wonder why the CIA didn't simply block the Google bot from trawling their web site.

      • by jandrese ( 485 )
        All it takes is one line in a robots.txt file! This was sheer incompetence.

        The thing that surprises me is that these were out on the public internet and not hidden sites on TOR. At least then Google wouldn't be trawling them. TOR is far from perfect, but it's way better than what they were doing.
    • They work mostly with China.
  • Wait a mintute! We have agents in other countries? What are we trying to do? Manipulate other countries and influence their elections or something?

    I thought Russia was the one that did that!
  • And neither the first nor last example.

    The future of real warfare between states isn't limited to military force. It's likely that any military actions will be preparatory and sustaining, but not decisive. Attacks on infrastructure, denial of access to critical information and resources, and isolation from allies can all be accomplished with information technology.

    This example is most instructive in that it shows how states with limited resources in some areas can be capable, even formidable adversaries in others. The US has the most capable military assets available, with only a few (but notable) exceptions where adversaries have sufficient assets to cause major losses to US forces and potentially prevail in regional conflicts. But in so-called 'cyber' warfare, the US has no discernible advantage. Relatively small, impoverished, or militarily weak states have equal capabilities. And non-state players can be just as capable.

    For the US, the only real hope is that it has undisclosed capabilities, which is entirely likely, or that it will focus on developing those. Sadly, unlike military force, which takes in some instances a generation to develop new and overwhelming advantages, cyber warfare changes year,y, actually, monthly, and these advances are shared virtually instantly among allies, requiring no factories, manufacturing techniques, or natural resources beyond manpower, intellect, and thought. Ask aerospace engineers - it takes so much less time to devise a new weapon system than it does to actually manufacture and refine it to the point of usefulness. And cyber warfare is cheaper too, by every measure, to develop and deploy.

    I'm confident in assuming that the US and others have the means to detect and monitor electronic communications among allies and adversaries worldwide, with few exceptions. And they constantly have to refine those methods to keep up with the changing landscape. And the only way to do that is to deploy an intercept system that captures everything, everywhere, all the time, and keeps it for analysis and exploitation. All this means our government is compelled to violate our privacy and civil rights, if not explicitly, then implicitly, as it captures all the things always, just to be able to find the enemy's vulnerabilities and secrets.

    It's a nasty business. We have no other choice. Our enemies will certainly do so, and without a shred of restraint. If they can prevail at our expense, they will indeed. And this example shows that there is no hope of ever turning back from this state. It will only get worse. All attempts to secure our information systems will only succeed in making it more difficult to find the enemy. They will use all security measures to improve their methods. But we must improve security, no matter, for all the other reasons. A vicious circle, one impossible to stop.

  • "CIA Exposed a Highly Sensitive Communications System on the Public Internet, Where it Could be Compromised by Iranians Simply Using Google Search"

  • Or many of the other letter agencies of US Govt? I am very concerned that all my tax money is not really getting a good ROI. I think we all have a very lofty ideal of what those agencies are capable of but it may be a bogus ideal that is formulated by Movies and TV and not based on reality.
  • The roll-up of the CIA’s networks reignited debates within the U.S. intelligence community about the merits of high-tech versus low-tech methods of communicating with sources. Within some corners of the intelligence world, “there was a widely held belief that technology was the solution to all communications problems,” according to one of the former officials. Proponents of older methods — such as chalk marks, burst communications, brush passes and one-time pads — were seen as

    • by jandrese ( 485 )
      To be fair, the old methods had their problems too, notably very high latency and low bandwidth. Plus they can leave a dangerous paper trail. Every system has its own risks.
      • High latency and low bandwidth may seem like disadvantages, but at the same time it slows down and limits the discovery scope. The problem with the low latency, high bandwidth methods is that once you hack one, you can hack the rest by running a script (or a google search). This is what happened here. The low tech, old methods are also susceptible to high tech discovery methods (high tech digital surveillance, data mining, etc), but their main advantage was that if you compromise one dead drop, you didn't c

    • The problem is that people could understand low tech easier, so when there was only low tech for secret communications and low tech for detection, it worked and people understood why. With high tech, low tech methods are easier to crack too. Unfortunately, a lot of people in high ranking positions think that if they can't think of a way to hack something, or simply don't understand it (try to explain specter vulnerability to career bureaucrat) they consider it secure, and make decisions accordingly - "it's

  • by misnohmer ( 1636461 ) on Friday November 02, 2018 @02:38PM (#57582406)

    Come on, Google as a tool was about as important as they fact that they used the internet developed by US own DARPA. Oh, and they likely used Intel or AMD CPUs, and probably US made Windows or Linux, paired Chrome or Edge or Firefox too.Or maybe they used an iPad, so let's change the headline to using Apple.

    The article makes it sounds like Google was the weakness here. If it wasn't for Google search, they would have used other tools with the same result. While interesting news, the headline on Slashdot is just sensationalism - notice the linked article does not have Google in the headline, or any other splashy company names.

  • MAD Mag Spy vs. Spy comic. And with the bombs

  • How dare they even think about using counterespionage techniques against the US! Don't they know that they are just supposed to do nothing and let the US win? /s

  • When the UK spied on German troop trains in WW1 it used local people who had a reason to be in the area and who would not be noticed.
    The UK had the best spies in position to spy on passing troop trains.
    The Germans waited for the information collected to be passed back up spy networks and found the spies.
    The UK failed at having a good way to pass information back quickly and with no way of getting detected.
    During WW2 UK spies had poor radio and code security skills.
    The ability to detect radio use and lo

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...