Of Bomb Threats and Tor
Recently (December 16th, 2013) there was a bomb threat at Harvard University, during finals week. The threat was a hoax, and the FBI got their man that very night. The affidavit is here.
This post will look at the tools and techniques the operative used to attempt
to hide his actions, why he failed, and what he should’ve done to improve his
OPSEC. As a hint: I provided an outline of what he should’ve done 6 months
ago in “ignorance is strength”.
Disclaimer: This post is to outline why OPSEC is so difficult to get right,
even for people who go to Harvard. I am not encouraging any illegal behavior,
but instead analyzing how OPSEC precautions can be so difficult to get right.
Don’t send bomb threats.
Key Takeaways
- The phases of an operation
- Counterintelligence (“know your enemy”) as a factor in operational design
- Avoid reducing the set of suspects
- If all students are suspects, all one needs to do is avoid narrowing the pool of potential suspects
Strategic Objectives: Avoid Final Exam
Strategically, the principal behind this operation (Eldo Kim) was attempting to avoid taking
a Final Exam scheduled for the morning of December 16th. To accomplish his objectives
he designed an operation that would cause an evacuation of the building where he
was to take his final. Rather than recruit an agent
and delegate the execution of the operation, the principal decided to do it himself.
This was not an enlightened decision.
The Structure of All Things (for values of Things = “Operations”)
All offensive operations share a similar core structure. This structure has been
known for a long time in the military, but is rarely applied in other fields.
Operations have distinct phases that they move through as they progress from vague
idea, to concrete plan, through execution and, finally, onto the escape.
The outline framework for an operation, all of the phases, is the following:
- Target Selection
- Planning (and Surveillance)
- Deployment
- Execution
- Escape and Evasion
This framework is frequently used when dissecting a terrorist attack post mortem,
allowing the security forces to identify the agents involved in each phase. Ideally,
the security forces want to remove the people involved in the Target Selection
and Planning stages. These people tend to be the principals, and are more
valuable than the agents who actually perpetrate the attack.
For hacker groups, the operational phases are rarely acknowledged and are followed
only in an ad hoc manner, primarily because few hackers are aware of them. It would be
beneficial for hackers to understand the structure of preparing an operation
thoroughly, but that is an issue we’ll address another day.
As an aside, it is worth noting that these operational phases apply to a
consultancy making a sale, providing a service, dropping a deliverable, and then
vanishing. ;)
College Kids are Inexperienced, News at 11.
All real criminals know that the most important part of an operation is the
get away, the git (as it used to be called). Of course, real criminals don’t
go to Harvard University (although there’s an argument to be made that some
graduate from there), and so poor Eldo Kim had no one to teach him the criticality
of the final stage of an operation: Escape and Evasion.
Operation “Doomed to Failure”
The operative used an ad hoc approach to his operational design, and as a result
he made a fatal error. Here is his operational plan:
- Obtain Tor Browser Bundle
- Select target email addresses “randomly” [see para 11]
- Compose email
- For each target email address:
  - Create new GuerrillaMail “account”
  - Send email (using this)
For security, the operative chose to rely on a pseudonymous email tool and the
Tor anonymity network. He used the Tor Browser Bundle on OSX rather
than the TAILS distribution (see: para 11). Provided he closed the tab between
each session, there should be no forensic evidence left on the laptop.
NOTE: When using Tor Browser Bundle close all the tabs and exit the
application when you are done. The TBB will clean up thoroughly after itself,
but only on exit! When you are done, shut it down. Runa’s paper explores this in
detail.
Phase 1: Target Selection
The strategic target was the hall hosting the final exam. Tactically, the
principal selected “email addresses at random” to receive a bomb threat intended
to force an evacuation of the hall, along with a number of other cover locations.
Phase 2: Planning
This step appears to have been focused solely on the technical requirements of
masking the origination of the threatening emails. However, insufficient resources
were devoted to this phase, and therefore it was fundamentally flawed.
Here is the email he sent:
shrapnel bombs placed in:
science center
sever hall
emerson hall
thayer hall
2/4. guess correctly.
be quick for they will go off soon
Clearly he intended to provide cover locations, and he attempted to prolong the
bomb search by suggesting that some locations were legitimately bomb free. It
is standard operating procedure for bomb threats to be investigated thoroughly
and in parallel.
Phase 3: Deployment
The operative chose to use GuerrillaMail to send the emails, and because
GuerrillaMail reveals the source IP of the sender, he also chose Tor to mask his
IP address. However, he used a monitored network to access Tor, which severely
limits the anonymity provided by Tor. This error was to prove fatal.
Phase 4: Execution
Kim used the Harvard University wifi network. To gain access, he had to log in
with his username and password. The university monitors and logs all network
activity. This was the fatal error. He authenticated to the network, his IP was
used to access Tor, and this information was logged.
When the incident was investigated the FBI was able to pull the logs and determine
not just whether anyone had accessed Tor, but exactly who had accessed Tor.
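The correlation described above, as an added example that is not part of the original post: the campus authentication log ties a username to an assigned IP, the border flow log records which IPs contacted known Tor relays, and joining the two for the window when the threats were sent yields a short list of names. All usernames, IP addresses, relay addresses, log formats and the time window below are constructed placeholders; a real analysis would load the Tor directory consensus for the relevant date instead of the hard-coded set. The example also handles DHCP reuse of an IP, so a flow is attributed to whoever held the address at that moment, not whoever held it first.

```python
"""Correlate campus auth logs with flow logs to find who used Tor in a window.

Added example, not code from the original post. Every host, user, IP and
relay address here is a constructed placeholder.
"""
from datetime import datetime

# Constructed sample: relay IPs standing in for a Tor consensus snapshot
TOR_RELAYS = {"203.0.113.10", "203.0.113.20", "198.51.100.5"}

# Constructed sample: wifi authentication events (user -> assigned IP).
# Note 10.20.30.41 is reassigned from student_a to student_d at 09:10.
AUTH_LOG = """\
2013-12-16T07:50:02 auth user=student_a ip=10.20.30.41
2013-12-16T07:55:17 auth user=student_b ip=10.20.30.42
2013-12-16T08:01:44 auth user=student_c ip=10.20.30.43
2013-12-16T09:10:00 auth user=student_d ip=10.20.30.41
"""

# Constructed sample: flow records (src -> dst:port) seen at the campus border
FLOW_LOG = """\
2013-12-16T08:05:12 flow src=10.20.30.41 dst=203.0.113.10 dport=9001
2013-12-16T08:06:30 flow src=10.20.30.42 dst=192.0.2.7 dport=443
2013-12-16T08:07:02 flow src=10.20.30.43 dst=198.51.100.5 dport=443
2013-12-16T09:20:45 flow src=10.20.30.41 dst=203.0.113.20 dport=9001
"""


def parse_line(line):
    """Parse 'TIMESTAMP kind k=v k=v ...' into (datetime, kind, {k: v})."""
    ts, kind, *fields = line.split()
    return datetime.fromisoformat(ts), kind, dict(f.split("=", 1) for f in fields)


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_leases(auth_log):
    """Return {ip: [[start, end, user], ...]} from auth events.

    A user holds an IP from their auth time until the next auth event that
    hands the same IP to someone else (end is None while still held).
    """
    leases = {}
    for ts, kind, f in sorted(parse_log(auth_log), key=lambda e: e[0]):
        if kind != "auth":
            continue
        entries = leases.setdefault(f["ip"], [])
        if entries and entries[-1][1] is None:
            entries[-1][1] = ts  # previous holder's lease ends on reassignment
        entries.append([ts, None, f["user"]])
    return leases


def user_for(leases, ip, at):
    """Return the user holding `ip` at time `at`, or None if unknown."""
    for start, end, user in leases.get(ip, []):
        if start <= at and (end is None or at < end):
            return user
    return None


def tor_users_in_window(auth_log, flow_log, relays, start_iso, end_iso):
    """Map each user whose IP contacted a known relay in [start, end) to the hits.

    Each hit is (flow timestamp as ISO string, relay IP). Flows from an IP
    with no matching lease are reported under 'unknown(<ip>)'.
    """
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    leases = build_leases(auth_log)
    hits = {}
    for ts, kind, f in parse_log(flow_log):
        if kind != "flow" or not (start <= ts < end) or f["dst"] not in relays:
            continue
        user = user_for(leases, f["src"], ts) or f"unknown({f['src']})"
        hits.setdefault(user, []).append((ts.isoformat(), f["dst"]))
    return hits


if __name__ == "__main__":
    # Constructed window: the hour in which the threats were sent
    found = tor_users_in_window(AUTH_LOG, FLOW_LOG, TOR_RELAYS,
                                "2013-12-16T08:00:00", "2013-12-16T09:00:00")
    for user, relay_hits in sorted(found.items()):
        print(user, relay_hits)
```

The point of the join is the one the post makes: the relay list alone says "someone on campus used Tor", the auth log alone says "these people were on the network", and only the two together turn a pool of every student into two names. The lease handling matters in practice; attributing a flow to whoever first authenticated with that address would name the wrong person once DHCP hands the IP on.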
Phase 5: Escape and Evasion
There was nothing at all done for this phase. It is worth noting that there is
little he could have done to prepare for an interview by seasoned professional
FBI interrogators. As an amateur, he stood approximately zero chance of surviving.
Counterintelligence: Know your Adversary
A study of the investigation methods used by the law enforcement officials
engaged to investigate bomb threats would have been beneficial for Mr Kim. He
would have realized that they would target the likely suspects, attempt to
narrow the suspect pool down to the minimum set, then start interviewing. The
more strongly the evidence points to a set of suspects, the more aggressive the
interviews will be. From “do you know anything about…” to “We have all the
evidence we need, why don’t you make it easy for yourself?”
Initially the suspects for the case would have been any student scheduled to
take an exam at one of the targeted halls. This is doubtless a large number, and without any
specific information to go on, the chance of interviewing all of them is slim.
If, however, the FBI did interview all of them, the questioning would be general
and undirected, rather than specific and probing. An amateur, like Kim, who kept
his cool and simply denied any knowledge of the hoax would have had a reasonable
chance of evading suspicion.
Knowing the investigative techniques of his adversary would have allowed Kim to
design an operation that provided for a reliable escape and evasion phase. He
would have used an unmonitored network, in an unmonitored location nearby the
school, to send his threats. This would have left the suspect pool extremely
large – “everyone”.
When planning an operation, know how the adversary will respond. This will allow
you to factor that response into your planning. If you do not know how your
adversary will respond, then their response will be a surprise. Do not allow
the reactive force to surprise you.
There is no OPSEC magic sauce
The content and context of the threat make it clear
that the originator of the emails was a student (or possibly a professor/TA trying
to avoid grading exams). The important thing to hide is which student, not
that it was a student. Therefore simply using a nearby cafe with free wifi should
have been sufficient to mask the specific identity of the operative. Assuming:
- there are cafes that do not know the operative by sight,
- there are cafes that are not monitored by CCTV (wear a hat, don’t look up),
- that he wore a simple disguise to reduce the recall of the witnesses (look generic), and
- that a college kid in a cafe at 8am during Finals week is not unusual
Using Tor from the college campus was a fatal error. The pool of suspects was
immediately reduced to “everyone that used Tor during the time the bomb threats
were sent”. Since Silk Road v1 has been shut down, that is obviously going to be
a small number.
Let’s call it half a win
Strategically, the operation was successful. Eldo Kim will not have to take his
final exam. Or, indeed, other final exams he might not be prepared for. However,
it is hard to imagine this is the outcome he was hoping for.
Suggested Reading
Runa’s analysis of the Harvard Bomb Hoax