Information Security News mailing list archives

Old Spy, New Tricks


From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Feb 2001 21:45:29 -0600

http://www.wired.com/news/politics/0,1283,41950,00.html

by Declan McCullagh
2:00 a.m. Feb. 22, 2001 PST

WASHINGTON -- Robert Philip Hanssen is not only an accused spy who
federal agents say is responsible for one of the most serious breaches
of national security in years.

He's also allegedly a geek.

In a 150KB affidavit, the FBI says that the 56-year-old
counterintelligence specialist used a Palm III, encryption and flash
memory cards to convey documents to his Russian handlers. Instead of
old-fashioned midnight meetings, the affidavit says, Hanssen suggested
in 1985 that communications take place through a computer bulletin
board system.

"Hanssen, using the code name 'Ramon,' engaged in espionage by
providing highly classified information to the KGB and its successor
agency ... using encrypted communications, dead drops, and other
clandestine techniques," FBI Director Louis Freeh said on Tuesday.

Court documents filed by the U.S. government provide not only a
tantalizing glimpse into the life of the 25-year veteran agent, but
also hint at the surveillance capabilities of the FBI and the National
Security Agency.

Hanssen has been charged with multiple felony counts, including
leaking national defense information and conspiracy to commit
espionage. An attorney for Hanssen said his client would likely plead
not guilty.

An affidavit written by FBI agent Stefan Pluta says that Hanssen
forwarded 26 diskettes -- some with data hidden on tracks not usually
read by a computer -- and 27 letters in exchange for over $600,000 in
cash in a series of clandestine trips to a local park in Virginia.

Among the information Hanssen allegedly turned over to the Russians:
details of a "new technique" used by the NSA, information about the
U.S. government's ability to conduct "technical surveillance" and
sensitive documents describing COINS-II.

At the time -- in 1987 -- COINS-II was the name for the Community
Online Intelligence System, a classified intranet used by the CIA,
NSA, the Defense Department and other intelligence agencies. Newer
versions of COINS that are aimed at authorized end users reportedly
provide a front end that can be used with a Web browser, complete with
XML and Java support.

The FBI also says Hanssen turned over secret and top-secret documents
revealing how effectively the NSA and other agencies can spy on
electronic communications and that he compromised "electronic
surveillance and monitoring techniques" and "specific communications
intelligence capabilities" and targets.

Translation: The eavesdroppers up at Fort Meade, Maryland are growing
really nervous right about now.

According to the affidavit, Hanssen was inventive, suggesting at one
point that he trade in his Palm III for a wireless Palm VII, which he
could use to send encrypted messages.

The FBI said it has found a message Hanssen wrote to the Russians,
which says: "It can allow the rapid transmission of encrypted
messages, which if used on an infrequent basis, could be quite
effective in preventing confusions if the existance [sic] of the
accounts could be appropriately hidden as well as the existance [sic]
of the devices themselves. Such a device might even serve for rapid
transmittal of substantial material in digital form. Your FAPSI could
review what would be needed, its advisability, etc., obviously --
particularly safe rules of use."

The FAPSI is Russia's federal agency of government communication and
information -- the rough equivalent of the NSA -- which specializes in
electronic intelligence-gathering and countermeasures.

Freeh, who once lobbied for a permanent ban on the distribution of
encryption software without a backdoor for his agency, could use this
case as justification for restrictions that Congress would have to
approve. In a statement, Freeh stressed that Hanssen used a "variety
of sophisticated means of communication (and) encryption."

But for all of the alleged spy's reported tech savviness, he didn't
appear to have realized one basic fact: Computers keep logs.

FBI logs say that Hanssen's account was used 35 times to search the
agency's Electronic Case File database -- which contains information
about ongoing investigations -- for his name and keywords such as
"DEAD DROP" and "GRU" in an attempt to detect whether he was under
investigation. GRU is a reference to Glavnoye Razvedyvatelnoye
Upravlenie, Russia's military intelligence agency.

Other search terms, according to the agency, include "FISA AND CELL
PHONE." That's a reference to a secret federal court created by the
Foreign Intelligence Surveillance Act that approves surveillance and
search warrants in certain types of cases.

During the investigation, agents from the FBI and other agencies
conducted surveillance of Hanssen under the Foreign Intelligence
Surveillance Act. This week, agents seized computers from his Vienna,
Va. home.

The conservative news site World Net Daily on Wednesday reported that
Hanssen is a Linux user and used e-mail addresses including
hanssen () nova org and hanssen () orion clark net, both local Internet
service providers.

ISN is hosted by SecurityFocus.com