30 spies dead after Iran cracked CIA comms network with, er, Google search – new claim

Iran apparently infiltrated the communications network of CIA agents who allowed their secret websites, used to exchange messages with informants, to be crawled by Google. A report from Yahoo! News this week claims that a 2009 breach of the US spy bods' communications channels came after the Iranian government infiltrated a …

  1. Anonymous Coward

    Re: oxymoronic

    "But... robots.txt can be ignored and most likely is ignored by Google. Profits over privacy, etc."

    Check your web server logs to see rather than speculating maybe?

  2. Version 1.0 Silver badge

    Re: oxymoronic

    But robots.txt is actually a pointer to the place to look.

  3. anonymous boring coward Silver badge

    Re: oxymoronic

    " given the large scale compromise of agents, why was it not shut down sooner?"

    Presumably they gathered intelligence for a long time without acting on it. That's what I would do in their shoes.

  4. Is It Me

    Re: oxymoronic

    Then you just leave it as disallow: /

    it blocks indexing the site at all, and leaves no pointers about where to look

    Either that or use so many levels that are blocked higher up that the pointer about where to look isn't helpful.
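The checks discussed in the comments above, as an added example that is not part of the original thread: `disclosed_paths` lists the robots.txt entries that act as pointers, and `disallowed_hits` looks through an access log for requests to paths robots.txt disallows. The robots.txt contents, log lines, addresses and bot names are constructed samples.

```python
import re
from urllib import robotparser

# Constructed sample data (not from the article or any real site).
ROBOTS_SPECIFIC = """User-agent: *
Disallow: /admin/
Disallow: /drop/messages/
"""
ROBOTS_BLANKET = """User-agent: *
Disallow: /
"""
ACCESS_LOG = """\
203.0.113.5 - - [02/Nov/2018:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 58 "-" "ExampleBot/1.0"
203.0.113.5 - - [02/Nov/2018:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
198.51.100.7 - - [02/Nov/2018:10:05:09 +0000] "GET /drop/messages/ HTTP/1.1" 200 900 "-" "OtherBot/2.3"
192.0.2.44 - - [02/Nov/2018:10:06:30 +0000] "GET /admin/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

def disclosed_paths(robots_txt):
    """Return Disallow paths more specific than '/', i.e. the 'pointers'."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip() not in ("", "/"):
            paths.append(value.strip())
    return paths

def disallowed_hits(robots_txt, access_log):
    """Return (ip, user_agent, path, status) for requests robots.txt disallows.

    Every client is reported, not only self-declared bots, because anyone
    can read robots.txt and follow the paths it names.
    """
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                               # skip lines in another format
        ip, _method, path, status, agent = m.groups()
        if path == "/robots.txt":
            continue                               # fetching the policy is expected
        if not rp.can_fetch(agent, path):
            hits.append((ip, agent, path, int(status)))
    return hits

if __name__ == "__main__":
    print("pointers:", disclosed_paths(ROBOTS_SPECIFIC))
    for hit in disallowed_hits(ROBOTS_SPECIFIC, ACCESS_LOG):
        print("disallowed request:", hit)
```

Neither result is access control: robots.txt is advisory, so a path that must stay private needs authentication whether or not it is listed.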

  5. Tree
    Pirate

    Re: oxymoronic

    Another proof that GURGLE is evil, but the Iranian regime is more so. Similarly chant "Death to America."

  6. IceC0ld Bronze badge

    Needs an acronym here, maybe we could reuse TITSUP :o) seems to be popular to keep using well past the use by date :oP

    Total Inability To Secure Unlevel Playing fields ....................

  7. vtcodger Silver badge

    Can this work?

    The CIA can't secure its communications. What do you think the chances are that merchants you give your credit card and other personal information to can/will keep the information secret?

    Maybe we need to rethink this eCommerce thing.

  8. rmason Silver badge

    Re: Can this work?

    As shown by this whole magecart thing, and all the issues of the past, the only thing granting any level of relative safety with online shopping is the sheer number of targets.

    *You* (we, me etc) have only not been "had" yet because we are hidden in the crowd. Security by obscurity etc.

    Someone at work recently had an account drained via lots of small (sub £30 mobile phone top up cards). Cue lots of guffawing and asking what they did online. The truth is probably just being unlucky that day, despite all the assumptions that they must have done something monumentally stupid on t'internet..

  9. ibmalone Silver badge

    Re: Can this work?

    Someone at work recently had an account drained via lots of small (sub £30 mobile phone top up cards)

    A friend with a company issued card told me about an intriguing problem they had a while back. Card was issued by the company, but they were expected to pay bills. At some point they noticed very small transactions, think we're talking cents here, going through. No choice but to pay this off, but reported to employer. My hazy recollection of the ensuing tale: Employer, "It's nothing to do with us." Credit card company, "Card belongs to employer, not you, they'd need to talk to us". Payments were to a phone company account, phone company of course refused to provide any details of the account being paid to and claimed they couldn't stop accepting the payments. Think the resolution was to go back to the employer and say either sort this out or I won't hold this card any more. Nice trick, seems nobody is willing to try to hunt down whoever is grabbing small sums every so often, but multiply it by the number of credit cards in a large company and it adds up.

  10. Sorry that handle is already taken. Silver badge

    the agency had become too reliant on the system, which was originally intended to only be a temporary communications channel

    There's nothing as permanent as a temporary fix.

  11. A.P. Veening

    Temporary

    "There's nothing as permanent as a temporary fix."

    Except for a temporary tax hike.

  12. localzuk

    Britain knows this one well... *looks at the 50 year old "temporary classroom" at his school*

  13. rmason Silver badge

    @Localzuk

    Hah! Spot on. My daughter now attends the same junior school I went to, complete with the "temporary" porta-cabins that went up in the late 80s/early 90's.

    Still there, still in use as classrooms. They were put up as a temporary measure while I attended, to allow the decoration/refit of another area.

  14. anonymous boring coward Silver badge

    "Still there, still in use as classrooms. They were put up as a temporary measure while I attended, to allow the decoration/refit of another area."

    Which is why I have so much confidence in the politicians. I'm sure Brexit will be a resounding success... If we can only push through the initial famine.

  15. Anonymous Coward

    We can look at it as "30 Traitors Executed after Counter-Intelligence Operation". After all, Iran would regard these "assets" as traitors to their state. When Aldrich Ames, Robert Hanssen and Edward Snowden are mentioned by their government they are called traitors. And is execution really worse than being kept in solitary confinement for the rest of your days? 23 hours in a cell and 1 hour "exercise" by yourself.

  16. _LC_
    Facepalm

    Now why would they do that???

    It's not like the USA (and the CIA in particular) ever did anything bad to Iran - or did they? ;-)

  17. Anonymous Coward

    Karma?

    Considering the CIA has had a hand in a lot of shit that has gone on around the world over the past 60 years or so and are indirectly responsible for the deaths of tens or even hundreds of thousands of people, I think they got off lightly.

  18. Spazturtle Silver badge

    Re: Karma?

    Do you tell your friends and family that you support ISIS and Al-Qaeda? Or do you just post stupid things on the internet to sound edgy?

    I'm sure it makes you feel good to know that some poor Iraqis who gave information regarding ISIS movements near their villages to America got killed.

  19. Alien8n Silver badge

    Re: Karma?

    Actually the CIA can be directly linked to plenty of deaths. As can the British Government.

    Look at the CIA led coup of Indonesia that led to Suharto gaining power. The CIA gave the names of Communist sympathisers in Indonesia to Suharto which led to one of the biggest mass murders of the last century. Estimates are 500,000 people were killed in the purge, and the CIA was directly responsible for every death as they provided the names of every single one of them to Suharto's government. The British government, along with the US, collaborated with Indonesia when they invaded East Timor in 1975, even providing navy escort ships to the Indonesian government for transporting prisoners to their deaths. 100,000 East Timorese died from starvation and disease as a direct result of Indonesia's invasion, fully supported by both the British and US governments.

  20. _LC_
    Thumb Down

    Re: Karma?

    Actually, it was the US giving weapons to Al-Qaeda in Syria:

    https://www.mondialisation.ca/syrian-al-qaeda-commander-us-forces-are-arming-us-in-syria-the-americans-are-on-our-side-us-state-dept-we-would-never-provide-nusra-with-assistance/5548552

    [Syrian Al-Qaeda Commander: US Forces Are Arming Us in Syria]

    There are really numerous sources on this. Initially the US argued that their weapons ended up in the hands of Al-Qaeda 'by mistake'. Then, those 'mistakes' kept repeating. By now, it's rather clear that they kept furnishing/furnish the worst of islamists with weapons - and so does Saudi Arabia, btw.

  21. Anonymous Coward

    Re: Karma?

    @Spazturtle - Posting something which can easily be backed up with even a rudimentary search of the Internet along with a perfectly valid opinion is not stupid.

    However, posting a dumb and crass response to it tinged with very poor sarcasm is.

  22. Spazturtle Silver badge

    Re: Karma?

    "Posting something which can easily be backed up with even a rudimentary search of the Internet along with a perfectly valid opinion is not stupid."

    What are you even on about? He was celebrating civilians getting killed and said that "they got off lightly." Please explain how getting killed by ISIS for supplying the US with information is 'getting off lightly'.

    What the CIA has previously done is completely irrelevant to whether informants deserved to die or not. If you report a crime to the police do you deserve to get hurt because the police have done bad things in the past?

  23. _LC_
    Holmes

    Re: Karma?

    How about the present and the future?

  24. J J Carter Silver badge
    Big Brother

    Face facts

    Should have used crooked Hillary's email server, the CIA has stated that's impervious to any and all espionage attempts or she'd be in jail...

  25. Justthefacts

    Re: Face facts

    Is that a bit like crooked Trump’s iPhone?

    The one that he uses to tweet from, despite the Security Services stating publicly and privately that it is against federal law and telling him to please stop.

    The one that there are video clips on national TV showing him using, including Fox News.

    You can go to @realdonaldtrump to read his tweet denying that he uses an iPhone to tweet, which says at the bottom “iPhone app”.

    Is that the sort of thing that you have in mind?

  26. Mark 85 Silver badge

    Re: Face facts

    You can go to @realdonaldtrump to read his tweet denying that he uses an iPhone to tweet, which says at the bottom “iPhone app”.

    But the hype of the myth that "all Apple products are secure" still runs rampant. I guess his Trumpiness believes it.

  27. Spazturtle Silver badge

    Re: Face facts

    LOL stop making shit up, members of the US government are allowed to use personal devices to do personal things. What Trump is doing is the correct thing, using a personal device for personal communications and using a secure device for secure communications.

  28. anonymous boring coward Silver badge

    Re: Face facts

    "Should have used crooked Hillary's email server"

    Some kind of Ironic posting? Or do you sit stuck in front of Fox Propaganda all day?

  29. Justthefacts

    Re: Face facts

    Trump’s tweets have been the first notice he has given the world of Presidential policy. He has fired advisers over Twitter, in his capacity as president. It is not a personal account.

    You, along with him, are unable to differentiate *why* so much of what he does crosses the line between personal and official. He shouldn’t be employing his daughter and son-in-law as an adviser, for example.

    Considered as an actual security risk, Trump carries his phone on his person. Any attack vector which could compromise a device OTA (like for example, a Bluetooth buffer overrun attack) is immediately fatal. *When* rather than if his personal phone is security-compromised, it can be used as a spying microphone in his pocket. He is POTUS FFS. Not a middle-level official.

    Clinton’s risk was an *email server* running at home. Her attack surface was an email address. A physical attack would require someone to *enter her home*. The email server is not compromised even if she opened a dodgy email. Because it’s a server.

    If you were saying that her device used to *read* emails could be compromised over the internet, that’s a reason not to access email at home, wherever the email server is located. But that isn’t the allegation. Most managers read their email at home, over VPN, including most governmental officials, and nobody is saying that was against policy. Running an email server is not that risk.

    The server risk is someone entering her home could have stolen it and accessed the emails, breaking passwords with state-actor level methods.

    *But that didn’t actually happen. Did it.*

  30. David Nash Silver badge

    Re: Face facts

    I read it as ironic and imagined the quotes around "Crooked Hillary".

    Stating that the CIA describes it as resisting all attempts.... really?

    But the number of downvotes suggests a number of people here read it as straight.

  31. Tree

    Re: Face facts

    Yeah, she could have wiped it with a cloth.

  32. David Shaw

    More “hard” facts here

    https://www.schneier.com/blog/archives/2018/08/cia_network_exp.html

    Bruce quotes from

    https://foreignpolicy.com/2018/08/15/botched-cia-communications-system-helped-blow-cover-chinese-agents-intelligence/

    Though one counter-narrative opinion considered the possibility that naming “comms protocols” or “insecure websites” was a typical smoke & mirror diversion trick away from something/someone more interesting!

    Who knows, at least the story has legs now that a new version has appeared after three months, but for those looking for the elusive “hard” facts , remember to factor in this six year old story by Michael Hastings

    https://www.buzzfeednews.com/article/mhastings/congressmen-seek-to-lift-propaganda-ban

  33. Will Godfrey Silver badge
    FAIL

    I stand corrected

    There really is no limit to people's stupidity.

    Why would a so-called security establishment go anywhere near the internet? ... Except to snoop on what other people were saying.

  34. vtcodger Silver badge

    Re: I stand corrected

    Why would a so-called security establishment go anywhere near the internet?

    You have an agent within the tightly guarded biological warfare research site in Whichwhatisstania, would you communicate via:

    A) A shortwave radio transceiver that emits a traceable signal and requires an external antenna?

    B) A cell phone?

    C) A letter drop behind a rock in a city park?

    D) A letter drop in a hollowed out pumpkin on a farm owned by another spy?

    E) Late night meetings with a controller on a bridge in downtown Whichwhatisstan City?

    F) The Internet?

  35. Jon 37

    Re: I stand corrected

    Because they need to communicate with their agents. That means either risky scheduled face-to-face meetings, slow and risky dead drops, radio transmitters that can be located with direction-finding equipment, or reusing some legitimate communications channel. Spies have used letters (can be intercepted), phones (can be tapped), newspapers (coded classified ads), and now the Internet.

    There are a lot of advantages to the Internet, if done right. It's fast, encrypted, high-bandwidth, and you can hide the covert communications amongst lots of innocent legitimate data. However, there are obvious risks, too.

  36. Anonymous Coward

    Re: I stand corrected

    @ron_37

    "...advantages to the Internet, if done right. It's fast, encrypted, high-bandwidth..."

    Mmmmmm......."encrypted". There seems to be concern in some quarters about the security of encryption standards. The concern is that the encryption might be readable by -- who knows who? But of course, sensible "bad guys" would probably use their own encryption on top of the publicly available sort. Maybe even sensible "good guys" (if there are any!) should do the same. What do you think?

    72447393AE5B98D1B58E34BA12075D2690D16A92

    6ACB72C6231BF5C364BA398543DEB473B723D388

    62C344630B235F1627F14D6ED5D9F616DFE13705

    1065C64C485F0004A49D07FA16B7793AA2B09278

    2C01E62C1F02F483A70A70B8B24D03

  37. Anonymous Coward

    Your encryption is good enough

    to get your agent killed. Obviously there is a hidden message. This alone would trigger an investigation.

    How to successfully crack your encryption: https://xkcd.com/538/

  38. Anonymous Coward

    Re: Your encryption is good enough

    @AC

    Assumptions....what password? What encrypted laptop? None of the above!

    Everything on my laptop is in plain text.....move on....nothing to see here. The cipher text was downloaded from a widely used public web site (say, like The Register -- see above). I wonder who posted the cipher text? I wonder which of the hundreds or thousands of web hits represents the intended recipient(s)? I wonder how long it will take to figure this out.....never mind figure out the book cipher which was used (if indeed it was a book cipher)?

    The encryption only needs to be good enough for the answers to these questions to take a longish time. The people using this mechanism (whoever they are) are in the mean time communicating in real time.

    ......but I DID like the cartoon!

  39. John Smith 19 Gold badge
    Unhappy

    ""It was never meant to be used long term for people to talk to sources," "

    And yet it was.

    "temporary" infrastructure used long after it should have been replaced. No PHB has ever done that before.

    BTW the STUXNET malware was first discovered in 2010.

    According to Wikipedia it was thought to have been in development (and deployment?) from 2005.

    So yes if the Iranians started noticing stuff earlier they would have been quite angry.

    It seems actions have consequences, even in malware. Who knew?

  40. charlie-charlie-tango-alpha

    "The CIA did not respond to a request for comment."

    And you are surprised?

  41. Uffish
    Black Helicopters

    Re: "The CIA did not respond..."

    That is what you are supposed to think.

  42. ElReg!comments!Pierre

    Perhaps they did respond,

    On one of their secret sites. Someone fire up the Google !

  43. Paul Hovnanian Silver badge

    It's a tradeoff

    Between providing good encryption/anonymity for everyone (allowing our spies to blend into the crowd) and law enforcement's need to monitor sites and users for various violations.

    We may have lost some valuable overseas operatives. But Mickey Mouse is still safe.

  44. Anonymous Coward

    @Paul H - Re: It's a tradeoff

    Encryption is getting better with time while anonymity is the opposite. Even when your message is strongly encrypted, a couple of determined henchmen will have no problem extracting plain text from you and your unfortunate partner.

  45. Insane Reindeer
    Unhappy

    What about the double agent?

    Surely the biggest "mistake" the CIA made in this whole thing was not identifying the double agent *before* he told the Iranians about the website. Right? Obviously the Iranians would be on the look out for moles/agents within their country. But. At no point does the report say that they were actively using Google to search for these websites before the double agent put them onto it.

  46. FlamingDeath Bronze badge
    Holmes

    'intelligence services'

    Oxymoranic

  47. ecofeco Silver badge

    The world is run by morons.

    The old CIA would have never let something like this happen in the first place.

  48. nice spam database '); drop table users; --

    Sept.11 Intelligence failure?

    The whole world knows, and the (real) free world dares to voice it: Sept. 11 was a false flag operation to make invading Afghanistan more psychologically bearable for the US population. News sites shouldn't help perpetuate the fairy tale of terrorist attacks, especially this website, which is supposed to look at things from a technical/scientific angle.

  49. _LC_
    Alert

    Drug money

    There's even more to it. The whole world can see that Afghanistan has been turned into the world's biggest opium factory. You can see the fields from above; it's no secret.

    Now, there's a certain 'organization', which has been caught dealing drugs repeatedly. I wonder who's cashing in on Afghanistan's opium... Could it be? No, wait – it can't be! They can't be doing it again, they've already been caught before!?! :-P

  50. Flywheel Silver badge
    Joke

    The CIA did not respond to a request for comment

    It's okay, we'll just ask the Iranians what they said ...
