How Hezbollah tracked down a CIA spy ring

A nice rundown of how Hezbollah rolled up a CIA spy ring in Lebanon in late 2011.

The adversary, Hezbollah, used its access to the telephone company logs (they have those) and searched for atypical mobile phone usage patterns:

  1. phones that only receive a few calls / messages over long periods of time
  2. mobile phones that are never mobile
  3. weird / unusual messages (PIZZA!!)

That is, they were looking for phones that were kept at home, turned on occasionally, and only received calls/SMS infrequently. This is exactly the usage pattern one would expect for a mobile that is used exclusively for a handler to contact an agent.

This data gave Hezbollah the general location of the agents, down to the apartment complex. Next, the adversary correlated the location data with the home addresses of members who had access to secret information. They conducted surveillance on those members and discovered they were using a Pizza Hut to meet with their handlers.

via anonymity is hard – Hacker OPSEC.

Cookies are bad for you

Most web applications today use browser cookies to keep a user logged in while she is using the application. Cookies are a decades-old device and they do not stand up well to security threats that have emerged on the modern web. In particular, cookies are vulnerable to cross-site request forgery. Web applications can be made more secure by using OAuth for session authentication.

This post is based on a talk that I gave at Open Source Bridge this year. The slides for that talk are available here.
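To make the cookie claim above concrete, here is an added example (not code from the post or the talk) that models why a cookie session accepts a request started by another site while a token session does not. It assumes the OAuth token is sent as a bearer token in the `Authorization` header; the origins, credential value, path and function names are all hypothetical.

```javascript
// Constructed sample data: one session credential mapped to one user.
const sessions = new Map([["constructed-credential-123", "alice"]]);
const APP = "https://app.example";                       // hypothetical application origin
const cookieJar = { sid: "constructed-credential-123" }; // browser's cookies for APP
const pageToken = "constructed-credential-123";          // held only by APP's own script

function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Cookie session: accepts the ambient credential the browser attaches.
function handleWithCookie(req) {
  const user = sessions.get(parseCookies(req.headers.cookie).sid);
  return user ? { status: 200, actor: user } : { status: 401 };
}

// Token session: accepts only an explicit Authorization header, ignores cookies.
function handleWithBearer(req) {
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || "");
  const user = m ? sessions.get(m[1]) : undefined;
  return user ? { status: 200, actor: user } : { status: 401 };
}

// Simplified browser model (assumes the cookie has no SameSite restriction):
// cookies for APP go out on every request to APP, whichever page started it.
// The Authorization header exists only when APP's own script adds it.
function browserRequest(initiatingOrigin) {
  const headers = {
    origin: initiatingOrigin,
    cookie: Object.entries(cookieJar).map(([k, v]) => `${k}=${v}`).join("; "),
  };
  if (initiatingOrigin === APP) headers.authorization = `Bearer ${pageToken}`;
  return { method: "POST", path: "/settings/email", headers };
}

for (const origin of [APP, "https://other.example"]) {
  const req = browserRequest(origin);
  console.log(origin, "cookie:", handleWithCookie(req).status,
    "bearer:", handleWithBearer(req).status);
}
```

The cross-site request is accepted by the cookie handler because the server cannot tell who initiated it from the credential alone; the bearer handler rejects it because the other site never held the token.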