Leaks and Leakers

There have been a few stories recently involving the investigation of leaks by U.S. government employees and contractors, and the naked aggression shown toward leakers, and I thought it would be useful to round them up.

First, the U.S. Department of the Treasury, in a press release announcing the cancellation of contracts with Booz Allen Hamilton:

Most notably, between 2018 and 2020, Charles Edward Littlejohn — an employee of Booz Allen Hamilton — stole and leaked the confidential tax returns and return information of hundreds of thousands of taxpayers. To date, the IRS determined that the data breach affected approximately 406,000 taxpayers. Littlejohn has pled guilty to felony charges for disclosing confidential tax information without authorization.

Littlejohn was prosecuted under the Biden administration, and is being sued by the current president. The stories produced from the information he revealed, however, thankfully remain available. The New York Times and ProPublica each have stories revealing how little income tax is paid by the wealthiest Americans. It is not just a pittance relative to their net worth; in some cases, it is absolutely nothing.

Kim Zetter, Zero Day:

In February 2018, he was back in a position with access to IRS taxpayer data but didn’t immediately steal records. Prosecutors say he developed a “sophisticated” scheme to download the documents nine months later. This included not searching directly for documents related to the government official, which might have triggered a system alert, but querying the database “using more generalized parameters.” Prosecutors don’t specify the search terms Littlejohn used, but they note that the search parameters he used would have produced not only the tax records of the government official he sought to expose, but also those of other taxpayers he wasn’t targeting. By November 2018, he had extracted 15 years’ worth of tax records for President Trump, prosecutors say.

Because IRS protocols can detect and prevent “large downloads or uploads from IRS systems and devices,” according to prosecutors, Littlejohn avoided copying the records to removable media such as a USB stick — as Edward Snowden had done when he took documents from NSA servers. Instead Littlejohn “exploited a loophole in those controls” by transmitting the stolen tax records to a private website that he controlled, which was not accessible to the public.

Despite these careful steps, Littlejohn was ultimately caught, though I am not sure how. I read through relevant docket entries and, unless I missed something, I am not sure the government has explained its investigation, particularly since Littlejohn pleaded guilty.
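The two control gaps in Zetter’s account, a per-query alert that a broader query slips under and a per-transfer size limit that a trickle of uploads to a private site slips under, share a cause: the threshold is applied to one event at a time. The Python below is an added example, not code from the original post or from any IRS system, showing the defender-side counterpart: the same audit events aggregated over a rolling window, so that cumulative volume trips the alert even when no single event does. Every log entry, user name, host, and threshold in it is constructed.

```python
"""Rolling-window checks for per-event controls that miss cumulative activity.
All events, users, hosts and limits below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed query-audit events: (user, timestamp, records returned by the query)
QUERY_LOG = [
    ("analyst_a", "2018-11-01T09:00:00", 12),
    ("analyst_a", "2018-11-02T10:15:00", 8),
    ("analyst_b", "2018-11-01T09:30:00", 40_000),  # broad query, no single-record lookup
    ("analyst_b", "2018-11-03T14:00:00", 35_000),
    ("analyst_c", "2018-11-04T11:00:00", 15),
]

# Constructed outbound-transfer events: (user, timestamp, destination host, bytes)
UPLOAD_LOG = [
    ("analyst_b", "2018-11-05T08:00:00", "files.example-personal.test", 4_000_000),
    ("analyst_b", "2018-11-05T08:20:00", "files.example-personal.test", 4_500_000),
    ("analyst_b", "2018-11-05T09:05:00", "files.example-personal.test", 4_200_000),
    ("analyst_a", "2018-11-05T08:10:00", "sharepoint.corp.test", 9_000_000),
    ("analyst_c", "2018-11-05T12:00:00", "files.example-personal.test", 1_000_000),
]

PER_EVENT_LIMIT = 5_000_000            # what a naive per-transfer control blocks
ALLOWED_HOSTS = {"sharepoint.corp.test"}  # hypothetical sanctioned destinations


def _ts(s):
    return datetime.fromisoformat(s)


def _max_window_total(events, window):
    """events: list of (datetime, amount). Return the largest sum of amounts
    that falls inside any rolling window of the given length."""
    events = sorted(events)
    best = total = 0
    start = 0
    for t, n in events:
        total += n
        # Drop events that have aged out of the window ending at t.
        while events[start][0] < t - window:
            total -= events[start][1]
            start += 1
        best = max(best, total)
    return best


def per_event_blocked(upload_log, limit=PER_EVENT_LIMIT):
    """The naive control: only transfers that individually exceed the limit."""
    return [(u, host, b) for u, _, host, b in upload_log if b > limit]


def flag_broad_queries(query_log, window=timedelta(days=30), max_records=10_000):
    """Users whose records returned within any rolling window exceed max_records.
    Catches one very broad query and a series of medium ones alike, which a
    per-query threshold tuned for targeted lookups would not."""
    by_user = defaultdict(list)
    for user, ts, n in query_log:
        by_user[user].append((_ts(ts), n))
    flagged = {}
    for user, events in by_user.items():
        peak = _max_window_total(events, window)
        if peak > max_records:
            flagged[user] = peak
    return flagged


def flag_trickle_uploads(upload_log, allowed_hosts, window=timedelta(hours=2),
                         max_bytes=PER_EVENT_LIMIT):
    """Users whose cumulative bytes to non-allowlisted hosts inside a rolling
    window exceed max_bytes, even when every single transfer stays under it."""
    by_user = defaultdict(list)
    for user, ts, host, b in upload_log:
        if host not in allowed_hosts:
            by_user[user].append((_ts(ts), b))
    flagged = {}
    for user, events in by_user.items():
        peak = _max_window_total(events, window)
        if peak > max_bytes:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print("per-event control catches:", per_event_blocked(UPLOAD_LOG))
    print("broad-query users:", flag_broad_queries(QUERY_LOG))
    print("trickle-upload users:", flag_trickle_uploads(UPLOAD_LOG, ALLOWED_HOSTS))
```

Run on the constructed data, the per-event control blocks only analyst_a’s single 9 MB transfer to a sanctioned host, while the windowed checks flag analyst_b on both counts: two queries returning 75,000 records in a month, and three sub-limit uploads totalling 12.7 MB to an unsanctioned host within two hours. The window lengths and thresholds are placeholders; in practice they are tuned against a baseline of normal per-user volume.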

A different case — Richard Luscombe and Jeremy Barr, reporting for the Guardian, last month:

The FBI raided the home of a Washington Post reporter early on Wednesday in what the newspaper called a “highly unusual and aggressive” move by law enforcement, and press freedom groups condemned as a “tremendous intrusion” by the Trump administration.

Agents descended on the Virginia home of Hannah Natanson as part of an investigation into a government contractor accused of illegally retaining classified government materials.

Nikita Mazurov, the Intercept:

Federal prosecutors on January 9 charged Aurelio Luis Perez-Lugones, an IT specialist for an unnamed government contractor, with “the offense of unlawful retention of national defense information,” according to an FBI affidavit. The case attracted national attention after federal agents investigating Perez-Lugones searched the home of a Washington Post reporter. But overlooked so far in the media coverage is the fact that a surprising surveillance tool pointed investigators toward Perez-Lugones: an office printer with a photographic memory.

It is particularly rich for the Intercept to be pointing to the printer as a reason this individual was allegedly outed. Secret documents published by the site in 2017 included printer steganography that, while not directly implicated (PDF) in revealing the leaker’s identity, was insufficiently protective of their source.

In the case of Perez-Lugones, investigators were apparently able to retrace his footsteps, as described in paragraphs 16 through 29 of the affidavit (PDF). It does not sound like he took particularly careful steps to avoid leaving a history of the documents he accessed and then printed. I have no illusions that my audience is full of people with top secret clearance and an urge to leak documents to the press, but anyone who is should consider reading — on their personal device in private browsing mode — the guidance provided by Freedom of the Press Foundation and NiemanLab.

Joseph Cox, 404 Media:

The FBI has been unable to access a Washington Post reporter’s seized iPhone because it was in Lockdown Mode, a sometimes overlooked feature that makes iPhones broadly more secure, according to recently filed court records.

Some general-audience publications, like the HuffPost, are promoting the use of Lockdown Mode as a “useful and simple built-in tool you should turn on ASAP” for anyone who “feels targeted by cybersecurity threats”. But we are all targeted, to some extent or another, by cybersecurity threats. Most people should not use Lockdown Mode. It is an enormously disruptive option that is only a reasonable trade-off for anyone who has good reason to believe they would be uniquely targeted.

Cox:

The FBI was still able to access another of Natanson’s devices, namely a second silver MacBook Pro. “Once opened, the laptop asked for a Touch Id or a Password,” the court record says. Natanson said she does not use biometrics for her devices, but after investigators told her to try, “when she applied her index finger to the fingerprint reader, the laptop unlocked.” The court record says the FBI has not yet obtained a full physical image of the device, which provides an essentially complete picture of what was stored on it. But the agents did take photos and audio recordings of conversations stored in the laptop’s Signal application, the court record says.

Warrants for seizing electronic devices have, for several years now, sometimes contained a clause reading something like “law enforcement personnel are authorized to […] press or swipe the fingers (including thumbs) of (the warrant subject) to the fingerprint scanner of the device(s) [and] hold the device(s) in front of the face of (the warrant subject) to activate the facial recognition feature”.

One thing every iPhone owner should know is that they can temporarily disable biometric features by pressing and holding the power button (on the right-hand side of the device) and either volume button for a few seconds, until the “slide to power off” option appears. To reactivate biometric features, you will need to enter your passcode. You can press these buttons while your phone is in your pocket. You should do this any time you are anticipating an interaction with law enforcement or those working on their behalf.

However, I cannot find a similar capability for a MacBook with a Touch ID sensor. If you are the kind of person who feels like Lockdown Mode might apply to you, you should consider turning off Touch ID, too, and sticking with a strong and memorable passphrase.