Of wonder and incredulity
12 February 2014
I was intrigued by the mention of “government-level technology” that was allegedly used, and the sophisticated techniques employed.
But the more I delved into the story, the more confused I became. And hence I am posting this as a blog rather than reporting it as a news story because despite trying to stick to the facts, as pertinent to our audience, I remain somewhat bewildered.
First of all, I found it almost impossible to establish what exactly was the nature of the bugging.
Now even the term bugging is troublesome and is more evocative of John le Carré than it is of cyberspying.
My first port of call was some experts in the area of IT security, and in particular those who have significant experience of the blackhat, and indeed organised crime, side of the fence.
A consensus emerged that there was ambiguity in the reports.
To begin with, the natural inference from terms such as “government-level technology” would seem to be that a governmental agency was involved. But when it was noted that, as the Sunday Times reported, something physical had been used to “bug” the speakerphone in the conference room, the opinion was that this was not the work of a government agency.
The methods used by any actual intelligence agency worth its salt would leave nothing behind that was so easily detectable. Were a phone to be physically interfered with to turn it into an eavesdropping device, the likely methodology of an agency accustomed to such things would be chip cloning, whereby an existing chip within the device is cloned and additional circuitry is added to perform the listening and relay. These are the kinds of fears expressed when chip makers from certain large economies supply hardware for sensitive applications.
As regards the other alleged surveillance attempts, a bogus Wi-Fi network is hardly sophisticated, nor indeed is a Wi-Fi network hacked for monitoring. Both can be done for a pittance, with instructions available to anyone who can use Google.
As a result, the various security and IT network professionals consulted came to the almost unanimous conclusion that this was not, based on the information available, a very sophisticated attack, immediately narrowing down the possibilities of authorship.
But what was unfolding as I talked and wrote about this was an unbelievable storm of controversy between the Government, GSOC, the Gardaí and the various Garda representative bodies.
Everyone seemed to be jumping to various conclusions that seemed to overlook the central question: who did the bugging, how and why?
But worse was to come, which meant that even the central question itself was open to doubt.
Minister Shatter on Tuesday (February 11) in the Dáil said that the GSOC had informed him that “after an investigation, they concluded that no definitive evidence of unauthorised technical or electronic surveillance of their offices was found. Moreover, they have informed me that their databases have not been compromised. In other words, it has not been established that the offices of the Ombudsman Commission were subject to surveillance”.
The Minister went on to say that the security sweep performed by the UK security company, which we are told employs ex-GCHQ operatives, “identified what they refer to as two technical anomalies which raised a concern of a surveillance threat to GSOC. I should emphasise that my understanding is that what was at issue were potential threats or vulnerabilities, not evidence that surveillance had, in fact, taken place. A subsequent sweep identified a third potential issue. There was no suggestion that there was any risk of unauthorised access to the GSOC databases and the documentation on them”.
The plot thickened further when Kieran Fitzgerald, Garda Ombudsman Commissioner, went on Prime Time and spoke to Miriam O’Callaghan on the matter.
In response to the simple question, “were you (GSOC) bugged?”, Fitzgerald replied “it would be very, very good if we were able to say definitively yes, or definitively no”.
Once again, eh, what?
“Unfortunately,” continued Fitzgerald, “the reality of modern surveillance and intrusive surveillance mechanisms, is that it’s very often an inconclusive result. So what we got were credible threats to our own security, we hired consultants, experts, international experts, to consider those for us, examine those and test them. At the conclusion of their testing and their sweeps, their security sweeps, they were able to tell us that certain things did not look likely and other things, they could not be definitively sure.”
This reminds one of the kind of response one gets from someone used to dealing with authority, usually from the wrong side: could be, could be not — couldn’t rightly say.
When pressed on the nature of the credible threats, Fitzgerald again was non-committal.
“The credible threats were three-fold. One was a piece of equipment which was connecting to an external network, a Wi-Fi device. Now it should have been activated by a password, in actual fact it was activated, seemingly, without the need for a password and transmitting. It did not compromise our data, it did not connect with our internal security. But, having found it, we certainly needed to take it very, very seriously. That was one.
“The second was more worrying, it was a conference call telephone, a conference call facility that we use, not infrequently, and that was tested, and the test showed up what we called, in our first report, an anomaly, but it showed up something that gave them cause for concern, and their judgment was that the strange behaviour of this device, in response to their test, was such that it could have been coincidental, it could be accidental, it could be explained away, but they rated in their report, the possibility of it being coincidental, as close to zero.”
So now we are dealing with paranoia too: to a security investigator asked to investigate possible problems there are no coincidences.
The third anomaly sounds even more serious.
“The third one was a sophisticated piece of equipment that does sweeps of buildings, from an external, it doesn’t have to be in a building, just in the vicinity and that can, if you like, attack mobile phones and mobile devices.”
Now, this sounds very like a radio frequency scanner that can pick up radio transmissions from the likes of the mobile devices listed; it could be a Wi-Fi sniffer, or one combined with a GSM-type scanner. The GSOC office is located at 150 Upper Abbey Street, Dublin 1, not far from numerous shops where equipment of questionable nature can be bought for not very much. This in itself is hardly evidence of a targeted, sophisticated attack.
It has to be acknowledged that, when combined, the various anomalies could indicate something suspicious, but one must agree with the overall assessment that there is no conclusive evidence that surveillance of GSOC was taking place.
Fitzgerald said himself “Well we cannot definitively, as the minister said and as I’m saying now, we cannot definitively say that we were bugged — certainly we cannot say that.”
Ignoring for a moment who knew what and when, and when that should have been reported and how, here is a statement of what we now know.
During a particularly delicate and sensitive case, GSOC had a heightened sense of its own security, based on what sounds like fears of leaks, as Fitzgerald intimated on Prime Time. This prompted GSOC to have a security investigation done, which included an electronic sweep. The sweep turned up the anomalies, and according to Fitzgerald, the security investigator's report implied that the chances of the anomalies being coincidental were close to zero.
GSOC then appears to have concluded on its own that, with no direct evidence of surveillance, there was no need to escalate the matter, either for criminal investigation or to its political overlords.
This very entrenched stance of no evidence either way seems to be the interpretation that has led Fitzgerald to dismiss suggestions that his position is untenable.
So what conclusions can we draw from all of this?
From an IT and information security perspective, one has to say a most emphatic “Duh!”
Of course, any body that is tasked with investigating complaints about the very agency that is supposed to protect and serve the citizenry by investigating and prosecuting criminality should have the highest possible levels of security — physical, procedural, electronic and otherwise. The fact that it took suspicions of leaked information to have a security sweep done that revealed anomalies sounds lackadaisical. Any such body should have been set up with the highest levels of security and monitoring from the outset, and while spot-checks are to be commended, the kind of vulnerabilities that were revealed should not have shown up first in a spot check.
I would argue that what appears to have been the case is that the company invited in to do the spot check probably applied a higher degree of rigour than was previously the case and thus revealed what was either not found or not flagged previously.
The overall conclusion then, I would argue, is that while it is certainly good news that the GSOC was more than likely not bugged, what the entire fiasco has revealed is that this body needs to review its own security measures and procedures more closely to prevent the kind of reputational damage that this episode has brought.
When the reputation of the watchdog is critical to its ability to operate, to ensure the credibility of the Gardaí, this kind of episode does little for either organisation.