AFIO - Association of Former Intelligence Officers


Weekly Intelligence Notes
28 February 2000

WINs are produced by Roy Jonkers for AFIO members and subscribers. WINs are covered by copyright laws and may not be reproduced without permission. 

Warning Notice: Perishability of Links:  WINs, sent weekly to members, often contain numerous webpage links to fast-breaking news, documents or other items of interest; unfortunately, after four weeks many of these websites [especially newspaper and other media sites] remove items or shift them into fee-only archives.  This underscores the benefit of receiving the WINs as they are released.


L'AFFAIRE DEUTCH (cont'd) -- PROBE NOW FOCUSES ON O'NEIL. The Senate intelligence committee is focusing on the actions of former CIA general counsel Michael O'Neil who was identified in a CIA report as withholding information from investigators and the Justice Department about activities of his boss, former CIA chief John Deutch. O'Neil, who is unpopular among Republicans because of his extreme partisanship while serving on the House intelligence committee staff during the Reagan/Bush years, will testify before the Senate intelligence committee March 1. The CIA Inspector General Report on "Improper Handling of Classified Information by John M. Deutch" is now posted on the Website of the Federation of American Scientists. 

Experts told the Joint Economic Committee that foreign military and intelligence organizations represent a far greater cyber threat to America than hackers do. On Wednesday the CIA said in testimony to Congress that there are increasing signs that such countries as Russia and China are developing tools that could attack commercial computer networks within the United States.
Computer crime is burgeoning and is outpacing the capability of our cybercops. "Our resources are stretched paper thin," FBI Director Louis Freeh told a Senate subcommittee last week. He said officials have seen a 39% increase in computer crimes from 1998 to 1999. The nation has only several hundred high-caliber forensic computer experts. Many of them are lured by technology firms and private security outfits waving salary offers of $150,000 to $250,000, twice their government paychecks.
(Ron Levine Newsbits) (Jonkers)

ECONOMIC ESPIONAGE CHARGES. A former employee of Canada's security agency has charged that Canadian spies once managed to overhear the American Ambassador to Canada discussing a pending trade deal with China on a mobile telephone and used that information to undercut the Americans in landing a $2.5-billion Chinese grain sale. Mike Frost, a former CSE employee and author of Spyworld, which is about his career in Canada's secret service, claims that as far back as 1981 Canada was using its U.S.-produced spy technology to eavesdrop on the American ambassador to Ottawa.
The European Union has published a report stating that the world's five leading English-speaking nations have engaged in a joint project (allegedly "Echelon") that provided advantages to their domestic industries in international competitive bids. The EU parliament will open a major international debate on this topic.
Last spring's EU report on electronic spying said that U.S. intelligence agencies intercepted phone calls between Brazilian officials and the French firm Thomson-CSF in 1994 and used the information to swing a $1.3-billion radar contract to Raytheon.
In 1990 the German newsmagazine Der Spiegel claimed NSA intercepted
messages about a pending $200-million telecommunications deal between Indonesia and the Japanese satellite manufacturer NEC Corp. George Bush, then the U.S. president, is said to have intervened on the basis of the intelligence intercept and to have convinced the Indonesians to split the contract between NEC and U.S.-owned AT&T.
A French intelligence report recently accused U.S. secret agents of working with computer giant Microsoft to develop software allowing Washington to spy on computer users around the world. It claims that the National Security Agency helped install the secret programs on Microsoft software, currently in use on 90% of computers.
US authorities have consistently denied that the SIGINT system is tasked to support US firms. The British PM also took the same position in regards to UK industries. (Source: National Post Online, Canada,19Feb2000) (Macartney) 

DOD SEEKS FUNDS FOR INTELLIGENCE WIRETAPS. The Pentagon is seeking $120 million to reimburse telecommunications companies willing to modify equipment to enable electronic surveillance, matching the amount sought by the Justice Department for domestic wiretapping. (Def Info Electronic Report, Feb 18) (Macartney)

SATELLITE RECONNAISSANCE - The press reports that a swarm of miniature electronic reconnaissance "pico-satellites" were released from a "mothersat" earlier this month (February), reversing a long trend towards building bigger and heavier satellites. The pico-satellites were said to have been developed by Aerospace Corp., Rockwell International and Stanford University. Despite their tiny size, alleged to be no larger than a deck of cards, they were said to be operational and exchanging "chirps" with a ground station. (Business Week, Feb 28, 2000, p.70) (Jonkers)

RUSSIA BATTLES TERRORISM -- After receiving a tip that warned of possible terrorist attacks, Russia's Organized Crime Fighting Unit searched various sites in Moscow and the surrounding areas Feb. 16, and seized an arsenal of weapons. The searches led to 30 arrests of individuals. The tip reportedly stated that an organized crime group was planning a number of terrorist attacks in Moscow and various other locations in Central Russia. Among the confiscated weapons were three flame-throwers, four grenade launchers, 25 grenades, nine submachine guns, eight pistols with silencers, one sawed-off shotgun, 1,190 rounds of ammunition and various explosive devices.
In a related story, the Organized Crime Fighting Unit of Gudermes, Chechnya, seized 200 kilograms of explosives Feb. 16, following a similar seizure of 250 kilograms only days before. (SOURCES, ) (Jonkers)


US CHEMICAL WARFARE IN COLOMBIA -- For the past 10 years the U.S. government has sponsored a program to fumigate illicit drug crops in Colombia, hoping to force growers into bankruptcy. Crop yields, however, continue to grow to a record high. New reports put cultivation up by 20 to 30 percent over last year and indicate that total yield has doubled since 1995. Colombia currently supplies about 80 percent of the world's cocaine.
Chemical fumigation -- shades of Vietnam defoliation -- has a detrimental impact on the surrounding rainforest, but apparently has not had a lasting effect on the habits of coca and opium poppy growers. Instead of quitting, the growers either move their crops elsewhere or wait until the soil has recovered. One police official estimated that 40 to 50 percent of all sprayed crops are replanted.
The fragile balance of the rainforests cannot handle the chemical impact of the fumigation. Furthermore, growers whose land has been sprayed often move deeper into the Amazon rainforest, clear-cutting the forest to re-establish their fields.
The effort to curb production has grown increasingly violent. One major counternarcotics base was raided by rebels in 1998 and spray planes were hit with gunfire 35 times in 1999. The U.S. government has now proposed a greatly increased counternarcotics package with incentives to lure local Colombians away from growing plants. The same package also includes 15 additional spray planes, and 30 helicopters equipped with miniguns. (SOURCES, ) (Jonkers)

BIN LADEN's NETWORK -- US officials have sensitive intelligence information that connects a bomb plot foiled just before New Year's Day to Saudi fugitive Osama bin Laden's terrorist network. The officials base their conclusion on information from confidential informants with direct knowledge of the bomb plot and bin Laden's organization, data shared by foreign police and intelligence officials, monitoring of domestic telephones and other forms of electronic eavesdropping.
Major law enforcement and intelligence agencies including the FBI, the CIA and the NSA have been analyzing vast amounts of data collected since Ahmed Ressam, a 32-year-old Algerian, was arrested attempting to enter the United States from Canada in mid-December in a rental car filled with bomb-making materials and timing devices.
The US government has distributed hundreds of matchboxes offering a reward for the capture of Osama bin Laden, who is charged with planning the bombings of two U.S. embassies in Kenya and Tanzania in 1998. (VOA, Feb 17)

An investigation under the Official Secrets Act has been ordered by the British Home Office into the leaking of a top MI6 report describing a plot to assassinate Colonel Gadaffi, the Libyan leader. The Metropolitan police is investigating how the four-page MI6 document, designated UK Eyes Alpha, was published on a California website. The intelligence services and the Foreign Office, which refused to say whether the document was genuine, are also under pressure to answer questions about who knew what, and when. (Macartney) 

ESPIONAGE - Navy Seaman Michael Lance Walker, recruited by his father, the notorious John Walker, at the age of 22 to steal US naval codebooks and communications materials, served 15 years of his 25 year sentence and was released on probation for the duration of his sentence. John Walker, a retired Navy Chief who spied for the Soviet Union during his career as a communications officer, recruited his son Michael, his brother Arthur, a retired Navy Lieutenant commander, and his friend, Jerry Whitworth, a Navy Chief Petty Officer, to continue his spying operations after his retirement. They were convicted in 1985 and 1986. By some quirk of the system, John and Arthur, principal culprits, were both sentenced to 30 years in prison, Whitworth to 365 years. (Fairfax Journal, Feb17,2000, p. A5) (Jonkers)


AIR AMERICA ON TV -- Monday evening be sure to watch: "BIRDS OF A FEATHER: Air America" the story of American Air Commandos around the globe, 7:00 PM to 8:00 PM central time, on: Discovery Wings Channel (check your TV listings) (Tony Newcomb)

: Codebreaking and American Diplomacy 1930-1945, by David Alvarez, U Press of Kansas, 2000. Alvarez, who teaches at St Mary's College in Calif, is a former NSA historian. The book focuses on the history of American diplomatic (as opposed to military) codebreaking and its influence on American foreign policy from 1930 to 1945. It covers in detail cryptanalytic operations against friends, foes and neutrals during WWII (with a chapter on work against Russian traffic). It contains a lot on the origin and evolution of Anglo-American SIGINT collaboration. (Ralph Erskine)

THE CIA'S BLACK OPS: Covert Action, Foreign Policy, and Democracy, by John Jacob Nutter, Ph.D., Prometheus Books, Amherst, NY, 2000, ISBN 1-57392-742-2 (cloth). This is a critical examination of black operations and foreign policy by a former university professor. Nutter explains a number of types of covert action -- e.g. subsidies, graymail, propaganda, psychological operations, economic warfare, military support, paramilitary operations, coups d'etat and assassinations -- and seeks to examine the issues raised for a democracy by these activities. He finds that the US has become enamored with covert action, that black operations sometimes have substituted for foreign policy, and that, in fact, a foreign policy elite has subverted covert operations for its own purposes. After a caveat to the effect that his findings are not a call for the abolition of the CIA, he concludes by stating that "The existence of these organizations inherently diminishes democracy, thereby producing a government of men, not of laws. Because of its overpowering appeal, however, covert action will indeed continue, serving the same masters it always has: expedience and power." Nutter is clearly expressing an a priori point of view that may or may not affect the credibility of the analysis. I am awaiting a thorough review of the book by one of our members. (Jonkers)

ECHELON RESEARCH INFO - With all the recent interest in the ECHELON global surveillance system, some of you may appreciate a few more Web references on the topic.
NOTE: This is speculative reporting published on the INTERNET about this topic, true or not, unconfirmed, and certainly not official Government information. ECHELON is said to be operated jointly by five intelligence organizations under the umbrella of the 1948 UKUSA signals intelligence (SIGINT) agreement. The five agencies are said to be the NSA in America, Canada's Communications Security Establishment (CSE), the UK's Government Communications Headquarters (GCHQ), Australia's Defence Signals Directorate (DSD) and New Zealand's Government Communications Security Bureau (GCSB).
The NSA is the senior member and is said to call virtually all the shots. Further references: 
(M. Sedano Reynolds)

DISTRIBUTED DENIAL OF SERVICE ATTACK (DDSA) INFORMATION -- Distributed Denial of Service attacks, which recently crippled some major Internet service providers, are not Trojan horses. A Trojan horse is a hostile program that replaces a normal program; it usually performs the same function as the normal program, so that the victim does not realize he or she has triggered some hostile code. These attacks are also not viruses. A virus is hostile code that replicates itself into other programs when a user runs an infected program. DDSA uses four tools. They are the Tribal Flood Network (TFN), Trinoo, Stacheldraht (German for "barbed wire"), and TFN2K. All of these tools are available to the public on several hacking and computer security web sites, such as PacketStorm. These tools first surfaced in late December of 1999; at that time, security professionals tracked the distribution and testing of these various tool kits.
These attacks have two software components: a master and a handler. There is one master to many handlers. When the master targets a system, it sends the address of the victim to all the handlers. The handlers then simultaneously execute their programmed Denial of Service attacks against the victim. Any one of these denial of service attacks may be sufficient to hamper normal operations on a site, but tens or hundreds of them at the same time can be devastating.
An attack occurs in three steps: targeting, distribution, and activation. In the targeting stage, the attacker scans hundreds or thousands of networks for machines on which he can install the handler. These machines must be vulnerable to some attack that results in superuser privilege for the attacker. Note that appropriately protected machines, up to date with the latest security patches, and running integrity checking tools, will be highly resistant to these attackers. These attacks are successful because many sites do not maintain adequate levels of system security.
Once the attacker identifies the intermediate machines, he must compromise those systems and install the handler. There are a number of popular techniques for accomplishing this. We have seen scans for vulnerable mail handlers (IMAP), configuration utilities (linuxconf), services (portmap/sunrpc), and name services (DNS), all of which contain known security vulnerabilities. Note that patches are available for all of these known problems; again, the attacks succeed because individuals, companies, or organizations do not maintain their security. After the attacker compromises the machine and installs the handler, he will move on to the next intermediate system. The attacker will eventually have enough intermediate sites compromised.
At that time, he can run the master program that communicates with all the handlers, select a victim, and let the handlers take the victim off the Net. Some of these tools use spoofed IP addresses, which means that the packets that arrive at the victim site do not contain enough correct information to figure out where the attack originated.
There are a number of defenses against these attacks.
A. Sites should maintain adequate security on their perimeter systems.
This keeps the attacker from installing the handler.
B. Sites should configure their external routers to use egress filtering, which prevents the actual attack from getting to the Internet, if one of their machines happens to be running a handler.
C. Sites should run the detection software from the National Infrastructure Protection Center (NIPC) to determine if their machines are running the handler code. The tool is available from the FBI web site or the SANS web site, amongst others. A number of commercial tools will also detect the handlers, according to the vendors.
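Defense B above rests on one rule: a packet leaving the site with a source address that is not one of the site's own address blocks has been spoofed and should never reach the Internet. The following is an added example, not code from the original WIN, from NIPC, or from any vendor, that applies that rule to a constructed batch of outbound packets and then counts the dropped packets per destination, which is the signal an operator would watch for to learn that a machine inside the perimeter is running a handler aimed at a particular victim. The address blocks, packets and threshold are all constructed assumptions for illustration.

```python
"""Egress (anti-spoofing) filter with a handler-detection counter.

Added example, not part of the original newsletter. Prefixes, packets and the
alert threshold are constructed values chosen for illustration only.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed: the address blocks assigned to this site. An outbound packet
# whose source lies outside them cannot legitimately have originated here.
SITE_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25"]


@dataclass(frozen=True)
class Packet:
    src: str    # source IP as seen on the outside-facing router interface
    dst: str    # destination IP
    proto: str  # transport protocol name


def build_egress_filter(prefixes):
    """Return a predicate that is True when a source address belongs to the site."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]

    def is_local_source(src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in nets)

    return is_local_source


def apply_egress_filter(packets, prefixes):
    """Split outbound packets into (forwarded, dropped) by the source-address check."""
    is_local = build_egress_filter(prefixes)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_local(pkt.src) else dropped).append(pkt)
    return forwarded, dropped


def flood_targets(dropped, threshold):
    """Destinations that received at least `threshold` spoofed-source packets.

    A burst of egress drops toward one destination is the sign that a host
    inside the perimeter is running a handler pointed at that victim.
    """
    counts = Counter(pkt.dst for pkt in dropped)
    return {dst: n for dst, n in counts.items() if n >= threshold}


# Constructed sample: legitimate traffic mixed with spoofed flood packets.
SAMPLE_OUTBOUND = [
    Packet("192.0.2.17", "203.0.113.80", "tcp"),
    Packet("198.51.100.40", "203.0.113.80", "tcp"),
    Packet("203.0.113.99", "203.0.113.5", "udp"),     # spoofed: not our block
    Packet("10.9.8.7", "203.0.113.5", "udp"),         # spoofed: private address
    Packet("198.51.100.200", "203.0.113.5", "icmp"),  # spoofed: outside our /25
    Packet("192.0.2.250", "203.0.113.80", "tcp"),
]


def demo():
    """Run the filter over the sample and return (forwarded, dropped, alerts)."""
    forwarded, dropped = apply_egress_filter(SAMPLE_OUTBOUND, SITE_PREFIXES)
    return len(forwarded), len(dropped), flood_targets(dropped, threshold=3)


if __name__ == "__main__":
    print(demo())  # (3, 3, {'203.0.113.5': 3})
```

On a real border router the same check is expressed as an access list on the outside interface that permits only the site's prefixes as source and denies everything else; the counter here stands in for the router's per-rule hit counters, which are what an operator would poll to notice a spoofed flood leaving the site.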

Unfortunately, there are few effective responses once the attack has been targeted on your network. Additional information is available from
The NIPC - 
Bugtraq - 
Packetstorm - 
(Philip R. Moyer, CISSP,



AFIO Central Office
6723 Whittier Avenue, Suite 303A
McLean, Virginia 22101-4533
Telephone: 703 790 0320 | Facsimile: 703 991 1278