In Search of OPSEC Magic Sauce

Of Bomb Threats and Tor

Recently (December 16th, 2013) there was a bomb threat at Harvard University, during finals week. The threat was a hoax, and the FBI got their man that very night. The affidavit is here.

This post will look at the tools and techniques the operative used to attempt to hide his actions, why he failed, and what he should’ve done to improve his OPSEC. As a hint: I provided an outline of what he should’ve done 6 months ago in “ignorance is strength”.

Disclaimer: This post is to outline why OPSEC is so difficult to get right, even for people who go to Harvard. I am not encouraging any illegal behavior, but instead analyzing how OPSEC precautions can be so difficult to get right. Don’t send bomb threats.

Key Takeaways

  1. The phases of an operation
  2. Counterintelligence (“know your enemy”) as a factor in operational design
  3. Avoid reducing the set of suspects
    • If all students are suspects, all one needs to do is avoid narrowing the pool of potential suspects

Strategic Objectives: Avoid Final Exam

Strategically, the principal behind this operation (Eldo Kim) was attempting to avoid taking a Final Exam scheduled for the morning of December 16th. To accomplish his objectives he designed an operation that would cause an evacuation of the building where he was to take his final. Rather than recruit an agent and delegate the execution of the operation, the principal decided to do it himself.

This was not an enlightened decision.

The Structure of All Things (for values of Things = “Operations”)

All offensive operations share a similar core structure. This structure has been known for a long time in the military, but is rarely applied in other fields. Operations have distinct phases that they move through as they progress from vague idea, to concrete plan, through execution and, finally, onto the escape.

The outline framework for an operation, all of the phases, is the following:

  1. Target Selection
  2. Planning (and Surveillance)
  3. Deployment
  4. Execution
  5. Escape and Evasion

This framework is frequently used when dissecting a terrorist attack post mortem, allowing the security forces to identify the agents involved in each phase. Ideally, the security forces want to remove the people involved in the Target Selection and Planning stages. These people tend to be the principals, and are more valuable than the agents who actually perpetrate the attack.

For hacker groups, the operational phases are rarely acknowledged and are followed in an ad hoc manner, primarily because few hackers are aware of them. It would be beneficial for hackers to understand the structure of preparing an operation thoroughly, but that is an issue we’ll address another day.

As an aside, it is worth noting that these operational phases apply to a consultancy making a sale, providing a service, dropping a deliverable, and then vanishing. ;)

College Kids are Inexperienced, News at 11.

All real criminals know that the most important part of an operation is the getaway, the git (as it used to be called). Of course, real criminals don’t go to Harvard University (although there’s an argument to be made that some graduate from there), and so poor Eldo Kim had no one to teach him the criticality of the final stage of an operation: Escape and Evasion.

Operation “Doomed to Failure”

The operative used an ad hoc approach to his operational design, and as a result he made a fatal error. Here is his operational plan:

  • Obtain Tor Browser Bundle
  • Select target email addresses “randomly” [see para 11]
  • Compose email
  • For each target email address
    • Create new GuerrillaMail “account”
    • Send email (using this)

For security, the operative chose to rely on a pseudonymous email tool and the Tor anonymity network. He used the Tor Browser Bundle on OSX rather than the TAILS distribution (see: para 11). Provided he closed the tab between each session, there should be no forensic evidence left on the laptop.

NOTE: When using Tor Browser Bundle close all the tabs and exit the application when you are done. The TBB will clean up thoroughly after itself, but only on exit! When you are done, shut it down. Runa’s paper explores this in detail.

Phase 1: Target Selection

The strategic target was the hall hosting the final exam. Tactically, the principal selected “email addresses at random” to receive a bomb threat intended to force an evacuation of the hall, along with a number of other cover locations.

Phase 2: Planning

This step appears to have been focused solely on the technical requirements of masking the origination of the threatening emails. However, insufficient resources were devoted to this phase, and therefore it was fundamentally flawed.

Here is the email he sent:

shrapnel bombs placed in: 

science center 
sever hall 
emerson hall 
thayer hall 

2/4. guess correctly. 

be quick for they will go off soon

Clearly he intended to provide cover locations, and he attempted to prolong the bomb search by suggesting that some locations were legitimately bomb free. It is standard operating procedure for bomb threats to be investigated thoroughly and in parallel.

Phase 3: Deployment

The operative chose to use GuerrillaMail to send the emails, and because GuerrillaMail reveals the source IP of the sender, he also chose Tor to mask his IP address. However, he used a monitored network to access Tor, which severely limits the anonymity provided by Tor. This error was to prove fatal.

Phase 4: Execution

Kim used the Harvard University wifi network. To gain access, he had to log in with his username and password. The university monitors and logs all network activity. This was the fatal error. He authenticated to the network, his IP was used to access Tor, and this information was logged.

When the incident was investigated the FBI was able to pull the logs and determine not just whether anyone had accessed Tor, but exactly who had accessed Tor.
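The log correlation described above, as an added example from the defender's side (not code from the original post or the investigation): it joins a network authentication log with a flow log to name the accounts behind Tor-bound connections in a time window. The log formats, usernames, times and relay addresses are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: hypothetical usernames, RFC 5737 documentation IPs.
TOR_RELAYS = {"192.0.2.10", "198.51.100.7"}  # stand-in for a relay-list snapshot

# Wi-Fi authentication log: session start, session end, client IP, username
AUTH_LOG = """\
2013-12-16T07:55:00 2013-12-16T09:30:00 10.1.4.22 student_a
2013-12-16T08:05:00 2013-12-16T10:00:00 10.1.7.91 student_b
2013-12-16T06:00:00 2013-12-16T08:10:00 10.1.9.13 student_c
2013-12-16T08:20:00 2013-12-16T11:00:00 10.1.9.13 student_d
"""

# Flow log: timestamp, source IP, destination IP, destination port
FLOW_LOG = """\
2013-12-16T03:10:00 10.1.4.22 192.0.2.10 9001
2013-12-16T08:12:41 10.1.4.22 192.0.2.10 9001
2013-12-16T08:14:03 10.1.7.91 203.0.113.80 443
2013-12-16T08:25:10 10.1.9.13 198.51.100.7 443
"""

WINDOW = (datetime(2013, 12, 16, 8, 0), datetime(2013, 12, 16, 9, 0))

def parse_sessions(text):
    """Parse the auth log into (start, end, ip, user) tuples."""
    sessions = []
    for line in text.splitlines():
        start, end, ip, user = line.split()
        sessions.append((datetime.fromisoformat(start),
                         datetime.fromisoformat(end), ip, user))
    return sessions

def tor_users(auth_text, flow_text, relays, window):
    """Map username -> timestamps of relay-bound flows inside the window."""
    sessions = parse_sessions(auth_text)
    hits = {}
    for line in flow_text.splitlines():
        ts_raw, src, dst, _port = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if dst not in relays or not window[0] <= ts <= window[1]:
            continue
        # Attribute by who held the address at that instant: IPs are reused,
        # so matching on the address alone would also name student_c.
        for start, end, ip, user in sessions:
            if ip == src and start <= ts < end:
                hits.setdefault(user, []).append(ts)
    return hits
```

With this sample, four authenticated accounts reduce to two, and the reused address 10.1.9.13 is attributed to the account that held it when the flow occurred.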

Phase 5: Escape and Evasion

There was nothing at all done for this phase. It is worth noting that there is little he could have done to prepare for an interview by seasoned professional FBI interrogators. As an amateur, he stood approximately zero chance of surviving.

Counterintelligence: Know your Adversary

A study of the investigation methods used by the law enforcement officials engaged to investigate bomb threats would have been beneficial for Mr Kim. He would have realized that they would target the likely suspects, attempt to narrow the suspect pool down to the minimum set, then start interviewing. The more strongly the evidence points to a set of suspects, the more aggressive the interviews will be. From “do you know anything about…” to “We have all the evidence we need, why don’t you make it easy for yourself?”

Initially the suspects for the case would have been any student scheduled to take an exam at one of the targeted halls. This is doubtless a large number, and without any specific information to go on, the chance of interviewing all of them is slim. If, however, the FBI did interview all of them, the questioning would be general and undirected, rather than specific and probing. An amateur, like Kim, who kept his cool and simply denied any knowledge of the hoax would have had a reasonable chance of evading suspicion.

Knowing the investigative techniques of his adversary would have allowed Kim to design an operation that provided for a reliable escape and evasion phase. He would have used an unmonitored network, in an unmonitored location nearby the school, to send his threats. This would have left the suspect pool extremely large – “everyone”.

When planning an operation, know how the adversary will respond. This will allow you to factor that response into your planning. If you do not know how your adversary will respond, then their response will be a surprise. Do not allow the reactive force to surprise you.

There is no OPSEC magic sauce

The content and context of the threat make it clear that the originator of the emails was a student (or possibly a professor/TA trying to avoid grading exams). The important thing to hide is which student, not that it was a student. Therefore simply using a nearby cafe with free wifi should have been sufficient to mask the specific identity of the operative. Assuming:

  • there are cafes that do not know the operative by sight,
  • there are cafes that are not monitored by CCTV (wear a hat, don’t look up),
  • that he wore a simple disguise to reduce the recall of the witnesses (look generic), and
  • that a college kid in a cafe at 8am during Finals week is not unusual

Using Tor from the college campus was a fatal error. The pool of suspects was immediately reduced to “everyone that used Tor during the time the bomb threats were sent”. Since Silk Road v1 has been shut down, that is obviously going to be a small number.

Let’s call it half a win

Strategically, the operation was successful. Eldo Kim will not have to take his final exam. Or, indeed, other final exams he might not be prepared for. However, it is hard to imagine this is the outcome he was hoping for.

Suggested Reading

  • Runa’s analysis of the Harvard Bomb Hoax