Thursday, 22 October 2015

FBI cyber experts deny Bourne-style biometric snooping exists, but it may one day

Cyber spooks in films and TV shows like Bourne and 24 often have access to a sprawling, real-time surveillance system capable of watching and scanning the faces of the public anywhere in the world.
Yet technology experts with experience of the FBI have recently claimed this is far removed from the realities of how such biometric systems can be used.
Jim Loudermilk, a senior level technologist at the FBI's science and technology branch, said the agency does not have access to real-time face-recognition biometrics on such a grand scale.
"Here in London you are all familiar with the vast numbers of cameras. But most of you probably don't realise that what you see in the science fiction movies is not true," he told a recent biometrics conference in London.
"My own assessment is that the use of pattern-matching technology for faces is about at the maturity level that pattern matching of fingerprints was in the late 1980s.
"We do not have highly reliable automated systems that can instantaneously ingest video and track people from camera to camera unaided by a human being."
Loudermilk explained that face recognition and biometric analysis are not yet able to provide the FBI with conclusive positive IDs, and that the lack of functionality comes down to budgets.
"If we were prepared to spend a few hundred million dollars and add several hundred people as skilled examiners we probably could do positive identification from faces in a decade, but I think it's unlikely we will choose to make that sort of investment."
Even if it did, the actual database of files against which to cross-reference this sort of information is quite small in the era of big data: "We don't have very many mug shots on file. Only about 20 million at the moment," he added.
Another face in the crowd
The claim that face-recognition tools are not yet at the level of the movies is echoed by Leo Taddeo, a former FBI special agent in charge of the New York cyber division and now the CSO for Cryptzone, but he believes it will be possible one day.
"Today, it may not be possible to spot a known terrorist in a photo of a crowd at a sporting event, but someday that capability will exist," he told V3.
Taddeo also noted that the use of face recognition has evolved to the point where it can be used in "many investigative scenarios".
"Agents are now able to check the photo of a bank thief taken from a surveillance camera against a set of known convicts to find a potential suspect. The confirmation of identity is still done using multiple factors, but narrowing down the search is greatly aided by the new face-recognition technologies," he explained.
However, the use of such technologies, and their potential future capabilities, obviously raises civil liberty and privacy concerns.
Dr Richard Tynan, technologist at Privacy International, warned of a need for clear definitions in biometric capabilities.
"I think you might have to ask what they mean by real time. Is it that they are unable to get the name and address information of every individual in a given scene of a CCTV camera?" he said.
"Even if that's what they are trying to do, it's incredibly worrying that they are trying to do real-time identification of individuals and not just when a crime happens, which is one of the stated purposes of CCTV."
Furthermore, Dr Tynan noted that the FBI staffers' claims seem to be at odds with private firms already rolling out sophisticated face-recognition systems.
"Microsoft has recently rolled out face recognition on some of its latest laptops which will allow you to unlock the computer," he said.
"There are other types of face recognition such as Facebook deploying auto tagging in pictures, claiming to have sophisticated technology that can distinguish between identical twins.
"So the [1980s] comment seems weird to me given that we have seen so many claims made about this technology from the private sector."
Privacy International also provided V3 with documentation showing a range of 'vision analytics' tools that offer sophisticated biometrics and location monitoring in real time (PDF).
Yet while FBI experts play down the scope of real-time surveillance systems, they openly admit that the use of biometrics in law enforcement is not a new phenomenon.
The FBI currently uses a vast amount of technology to take advantage of the unique indicators that accompany biometric information, such as fingerprints, iris patterns and palm and finger patterns.
"The use of fingerprints has been a fundamental investigative tool in the FBI's kit for almost its entire 100-year history," explained Taddeo.
"For most of the last century, the science of collecting, cataloguing and comparing fingerprints did not change very much. Advances in information technology have allowed us to make quantum leaps in fingerprint and other identification technologies.
"We can collect fingerprints as electronic images. As such, we can transmit and search for matches at record speed. This means police officers don't have to wait for a manual search. It also means we can search wider databases."
Loudermilk gave some insight into the scope of these databases during his presentation in London last week.
"We have 69 million people currently on file and we have another 37 million on file in the civil repository and I expect that to grow significantly. Right now we have 106 million people, all separate identities," he said.
"We have a fairly substantial repository of people who have been arrested for criminal offences."
However, it is DNA matching that remains the 'gold standard' in biometrics and forensics.
Loudermilk said that the FBI holds 14 million known DNA subject profiles in a national database consisting of the Combined DNA Index System and the National DNA Index System.
Double-edged sword
Unquestionably, law enforcement will continue to use biometric analysis to aid its operations, but it can be a double-edged sword, as Taddeo explained.
"For example, after the recent OPM breach, where millions of government employee fingerprints were reportedly stolen by the Chinese government, it will be much harder for a US agent to enter China without the Chinese knowing who they are and who they work for," he said.
"The same is true for fingerprints and facial recognition. Undercover agents will have a harder time getting past border controls in an undercover capacity."
Perhaps this is something Hollywood scriptwriters will have to consider for their future spy thrillers too.

Security researchers face wrath of spy agencies

Researchers tasked with revealing attacks by intelligence agencies are being harassed, locked out of tenders, and in some cases deported, Kaspersky researcher Juan Andrés Guerrero-Saade says.
Retaliation by the unnamed agencies is in direct response to news of prominent advanced-persistent threat campaigns that have coloured information security reporting over recent years.
Those reports are forcing researchers to reveal malware attacks by government spy agencies.
Specific details of the harassment are tightly held, although some may occur in Eastern European and Asian nations.
Guerrero-Saade told Vulture South researchers have spoken about their ordeals in private information security circles. Other stories circulate as industry rumour.
"In many places intelligence services tend to be more civilised than in others -- you would be lucky to deal with them in the US versus wherever else, Latin America, Asia, or Eastern Europe where they take very different tactics," Guerrero-Saade says.
"You can definitely see these threats to livelihood[s] where it can be as simple as patriotic notions … all the way to 'you have already made it clear where you stand and it's going to be next to impossible for you to get a security clearance' and to work in a large sector of countries where a large amount of anti-malware work is being done.
"I think it is easier to imagine situations where blackmail, compromise, and threat of livelihood is an issue, and it has been an issue for certain researchers for obvious reasons aren't going to speak up."
Other researchers speaking to this reporter have heard similar stories. Others haven't but aren't surprised their colleagues find security clearances revoked. China is cited as a nation some opt to avoid.
Guerrero-Saade spoke on the back of his paper The ethics and perils of APT research: An unexpected transition into intelligence brokerage [pdf] which he says is a "meditation" that covers the perils faced by threat intelligence companies and researchers as the ultimately altruistic academics aggravate diplomatic and national interests.
The paper notes researchers are targeted through blackmail which is regarded as a cheap way for agencies to "own" an individual by digging up their secrets, debt, and "shameful proclivities and mis-steps".
"This type of compromise is in some cases related to the threat to livelihood as private information security companies have displayed a more or less strict moralism in their hiring practices, often preferring practitioners untainted by publicly known blackhat tendencies," Guerrero-Saade writes.
Security researchers who live in the country of the aggrieved intelligence agency face the harshest treatment. Here agencies target threats to living conditions including the revocation of non-citizens' resident status, "in some cases separating families or forcing a return to dreadful conditions".
Natives are described as unpatriotic, and are barred from government work and holding security clearances.
“In certain countries, citizenship is only a protection from overt and legal repercussions but processes without oversight are the main playing field of security services. Vague threats carry weight in this space.”
That is leading to an industry Balkanisation which is "well underway at this time".
Intelligence firms too are being harassed. Guerrero-Saade says unnamed agencies serve threats to "operational viability, revenues, ongoing and potential contracts, strategic partnerships, PR value, as well as regulation-based financial repercussions".
Such harassment merits "any effective measures available" when threat research stands in direct opposition to national diplomatic, financial, or political viability.
Such work may cause heightened diplomatic tensions to flare, or jeopardise the reputation of an intelligence agency or those it serves. Here's a fragment of his talk:
"Companies with government contracts will see these contracts dangled and unrelated vital strategic partnerships may suddenly become unstable or entirely unavailable. When international companies are involved, unsubstantiated but well-placed insinuations may suffice in closing off entire crucial market sectors and, if not, threats of loosely applied embargoes can destroy the most meticulously built business."
He further details the perils of the burgeoning threat intelligence industry in the absence of any kind of rules of engagement, where many researchers - rightly so - treat all malware as abusive regardless of source, and the motivations and actors behind attacks are often glossed over.
The nine-page report notes the publication of intelligence materials by private sector firms as 'regular grievances' that are "unthinkable to their intelligence agency counterparts". Another extract:
"Provocation occurs in two scenarios: first, where the (threat intelligence) company’s research causes political, diplomatic, or military tensions to flare between nations in an already escalated posture. Secondly, when the company’s public disclosure -- or private offering provided directly to sensitive targets -- endangers the reputation of the intelligence agency itself or worse yet comes close to revealing or endangering the requesting customer. The former scenario is undesirable; the latter scenario is unacceptable."
Not all research weighs the same. Guerrero-Saade says a recent report examining Chinese threat actors overstepped the boundaries of usefulness when it revealed the personal information of attackers including their daily activities, photos, and family members.
The future is unclear, the researcher says. Intelligence agencies may be pushed to develop highly capable malware designed to slip past researchers, while even the most capable researchers dabbling in the unmasking of intelligence agencies will need to undergo "drastic preparations" to not only excel but survive.