Terrorism Informatics: “The application of advanced methodologies and information fusion and analysis techniques to acquire, integrate, process, analyze, and manage the diversity of terrorism-related information for national/international and homeland security-related applications” Source: iacr.org
By now, we all should know what a Department of Homeland Security Fusion Center is. What you may not know is how they work, and as they say, the devil’s in the details.
Fusion Center FAQ: Fusion Center Guidelines for Law Enforcement (original location)
General Dynamics Wins $876 Million Contract to Move Homeland Security Headquarters
The task order has a ceiling value of $876 million and duration of seven years if all options are exercised. As part of the relocation, General Dynamics will provide full enterprise support to the new Department of Homeland Security (DHS) headquarters on the St. Elizabeth’s Hospital campus, including the design, development and installation of an entirely new IT infrastructure. Once installed, the company will test, manage and maintain the IT enterprise to ensure continuous operations.
So what is in the “Mothership” of the DHS fusion center beehive?
- Phase 1A: US Coast Guard Headquarters
- Phase 1B: US Coast Guard Headquarters Shared-Use Spaces
- Phase 2A
- Phase 2B: Federal Emergency Management Agency Headquarters (FEMA)
- Phase 3:
  - Department of Homeland Security Headquarters
  - National Operations Center (NOC)
  - Transportation Security Administration Headquarters (TSA)
  - Customs and Border Protection Headquarters (CBP)
  - Immigration and Customs Enforcement Headquarters (ICE)
Phase 1 is scheduled to deliver in 2013, Phase 2 in 2014, and Phase 3 in 2016.
Sounds like a party! DHS, FEMA, TSA, CBP, ICE, and USCG all under one roof; that’s entirely too many acronyms for me. Let’s get back to General Dynamics. What kinds of software and hardware are they installing?
Customer Testimonial – General Dynamics
This gentleman is talking about NetOptics.
Phantom Virtual Tap for Total Visibility Across Your Virtual Network
They must be able to isolate suspicious voice, video, or data streams for an interception, based on IP address, MAC address or other parameters. The device must also be able to carry out filtering at wire speed. Requirements for supporting Lawful Interception activities include:
• The ability to intercept all applicable communications of a certain target without gaps in coverage, including dropped packets, where missing encrypted characters may render a message unreadable or incomplete
• Total visibility into network traffic at any point in the communication stream
• Adequate processing speed to match network bandwidth
• Undetectability, unobtrusiveness, and lack of performance degradation (a red flag to criminals and terrorists on alert for signs that they have been intercepted)
• Real-time monitoring capabilities, because time is of the essence in preventing a crime or attack and in gathering evidence
• The ability to provide intercepted information to the authorities in the agreed-upon handoff format
• Load sharing and balancing of traffic that is handed to the LI (lawful interception) system
Test access ports, or Taps, are devices used by carriers and others to meet the capability requirements of CALEA legislation. Net Optics is a global leader in the range and capabilities of its Taps, which provide permanent, passive access points to the physical stream.
Let’s recap. General Dynamics is building the DHS headquarters, and they use NetOptics. Are we to believe that General Dynamics’ obligations stop at building infrastructure and designing a Big Brother supercomputer network?
EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to force disclosure of the details of the agency’s social network monitoring program. In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook. The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies. The legal authority for the DHS program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request. For more information, see EPIC: Social Networking Privacy.
In the FOIA you will notice many requests for information regarding HBGary, a cyber defense contractor. Why is this important? Last year the hacker collective Anonymous breached HBGary’s databases, leaking all of their internal emails to the internet. Disclosures abound, the largest being that Hunton and Williams, Palantir, Berico Technologies, and HBGary were hired by the government to track down Wikileaks supporters and discredit them. See for yourself:
As interesting as that disclosure may have been, I found this file in the emails which is more on topic:
General Dynamics has selected HBGary Inc to provide this proposal for development of a software application targeting the Windows XP Operating System that, when executed, loads and enables a covert kernel-mode implant that will exfiltrate a file from disk (or other remotely called commands) over a connected serial port to a remote device. The enabling kernel mode implant will cater to a command and control element via the serial port. The demonstration will utilize an exploit in Outlook as the delivery mechanism for said software application. The subsequently loaded implant will be stable and will not crash the demonstration system. A usermode component will be included as part of the exploitation package that exercises the kernel mode implant for demonstration purposes. The loaded implant will use the connected serial port to remotely enable functions which can be visible on the collection computer connected on the other end of the serial line. The purpose of the demonstration setup is to verify the functionality for the customer and validate that all work has been completed.
• Development of a kernel-mode implant that is clearly able to exfiltrate an on-disk file, opening of the CD tray, blinking of the keyboard lights, opening and deleting a file, and a memory buffer exfiltration over a connected serial line to a collection station. For demonstration, a null modem cable will be used to connect the collection station.
• The use of a standard Outlook Exploit as a delivery mechanism for the implant, with the intention being that any suitable exploit could be used for the same.
• As part of the exploit delivery package, a usermode trojan will assist in the loading of the implant, which will clearly demonstrate the full capability of the implant.
• Test set (which will consist of two computers networked together via a null modem cable using HyperTerminal) that can reliably and repeatedly demonstrate the exploit and subsequent implant capability of the system.
HBGary will begin development of a kernel-mode implant with the ability to exfiltrate an on-disk file, open the CD tray, blink the keyboard lights, open and delete a file, and execute a memory buffer exfiltration over a modem line to a collection station. The enabling kernel mode implant will cater to a command and control element via the serial port, and the rudimentary ICD/API in order to C2 the kernel implant will be developed by HBGary and documented appropriately for GDAIS use. As there are currently no requirements for stealth operation, this implant will be visible on the system if someone with technical knowledge were to investigate. Stability requirements are that this driver is loaded and unloaded without system crash, or blue screen.
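The proposal above says the driver has no stealth requirement and "will be visible on the system if someone with technical knowledge were to investigate." From the defender's side, the investigation it alludes to starts with a driver inventory: list every loaded kernel-mode driver, resolve its on-disk image, and flag anything that is unsigned or lives outside the normal driver directory. The script below is an added example written for this page, not code from HBGary, General Dynamics or the leaked documents; it uses only standard Windows cmdlets (`Get-CimInstance`, `Get-AuthenticodeSignature`) and assumes it is run with administrative rights on a Windows host. On Windows XP-era systems `Get-CimInstance` is unavailable and `Get-WmiObject Win32_SystemDriver` would be used in its place.

```powershell
# Inventory running kernel-mode drivers and flag unsigned or oddly located ones.
# Added example for this page (hypothetical function name); relies only on
# built-in cmdlets. Run from an elevated PowerShell session.
function Get-DriverInventory {
    $expectedDir = (Join-Path $env:SystemRoot 'System32\drivers').ToLowerInvariant()

    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the kernel-style path the service database stores:
            #   \??\C:\...      -> C:\...
            #   \SystemRoot\... -> %SystemRoot%\...
            #   system32\...    -> %SystemRoot%\system32\...
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

            $sigStatus = 'FileMissing'
            if (Test-Path -LiteralPath $path) {
                # Authenticode check: 'Valid' is the only status a defender should accept here.
                $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            }

            $inExpectedDir = $path.ToLowerInvariant().StartsWith($expectedDir)

            [PSCustomObject]@{
                Name          = $_.Name
                Path          = $path
                Signature     = $sigStatus
                InDriversDir  = $inExpectedDir
                # Anything unsigned, missing on disk, or loaded from outside the
                # driver directory deserves a closer look.
                Suspicious    = ($sigStatus -ne 'Valid') -or (-not $inExpectedDir)
            }
        }
}

# Usage: print only the drivers worth investigating.
Get-DriverInventory | Where-Object Suspicious | Format-Table -AutoSize
```

A clean system typically reports nothing from the last line; a driver that appears here but is unknown to the administrator is the kind of finding the proposal itself concedes an investigator would see. Pair the inventory with a baseline taken from a known-good build of the same image so that legitimate third-party drivers can be whitelisted by hash rather than by name.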
General Dynamics, a defense contractor, is charged with monitoring American citizens’ social media posts and aggregating the data into reports that look like this:
Serious Congressional oversight and review of the Posse Comitatus Act are in order. The lines between military and law enforcement have become so blurred that new guarantees are needed to protect our civil liberties. Lest we forget, terrorism is just a word of recent invention.