Weekly Intelligence Notes #33-03
22 August 2003

WIN 33-03, dtd 22 August 2003

Weekly Intelligence Notes (WINs) are produced and edited by Roy Jonkers for non-profit educational uses by AFIO members and WIN subscribers. RADM (ret) Don Harvey contributes articles to selected WINs  




          Congressional 9/11 Report Criticized

          Justice Department Report on FBI Traitor Hanssen
          Bio-Technology Threat

          Microsoft Denies Software Back Doors for CIA
          SoBIG Virus Infection Spreading
          IT Security Management
          Fake Drug Games
          Citibank Warns Customers of Phishing Scam
          Defense Prototype ID-Checking Test

          Terrorism, Afghanistan, and America's New Way of War
          Secretary for Homeland Security Tom Ridge on Information-Sharing
          Senate Report on Federal-State Information-Sharing

          AFIO National Intelligence Symposium 2003

          Tom Writes on MSBLASTER Variant


CONGRESSIONAL 9/11 REPORT CRITICIZED -- In its 900-page report, the joint panel of the House and Senate intelligence committees criticized the pre-Sept. 11 counter-terrorism analysis done by the FBI and CIA. The report suggests there were several missed opportunities to foil the attacks, and that alleged intelligence failures were especially obvious in San Diego, where two hijackers were known to a longtime FBI informant. But the former head of the FBI's San Diego office countered that the congressional report is rife with inaccuracies and greatly exaggerates the possibility the terrorist acts could have been prevented. Former Special Agent in Charge Bill Gore asserted there was no evidence the FBI missed opportunities to catch two of the hijackers who for months lived in San Diego. There also was no evidence that anyone, including Saudi officials, knowingly assisted the terrorists. "I believe the joint intelligence committee jumped to conclusions not supported by the facts of the FBI investigation," Gore said. "I was convinced by the time I left the FBI [in] January (2003) that there was no Al Qaeda support network in San Diego prior to or after 9/11, and that no group of people wittingly helped the hijackers in furtherance of the 9/11 attacks."

          Committee members also have raised the possibility that the hijackers received financial assistance from a number of individuals across the United States, including two San Diego men with connections to the Saudi government. But Bill Gore dismissed that possibility of financial assistance as pure conjecture, insisting he has never seen evidence the hijackers needed financial or logistical help beyond what already was provided by Al Qaeda. "There was no support network here for the hijackers, they didn't need it," Gore said. "And I think that is why they succeeded." Gore also said there was no proof or indication that (future) hijackers Almihdhar and Alhazmi lived in San Diego for any reason other than its Islamic community and the opportunity to take flying lessons in a region with great year-round weather. Gore acknowledged that the two future hijackers did come into contact with a trusted FBI informant, but said there was no reason for the informant to bring that fact to the attention of his FBI handler because Almihdhar and Alhazmi did nothing publicly that would suggest they were violent extremists.

          Gore similarly dismissed the committee's suggestion that the hijackers may have received help from two Saudi men well-known in the San Diego community, Omar al-Bayoumi and Osama Bassnan. Some federal officials allegedly believe one or both men may have been Saudi agents or informants, a link that would suggest the Saudi government had suspicions about the future hijackers, or could have been assisting them.  But Bill Gore said he believed that Al Bayoumi's initial meeting with the hijackers was just coincidence. He said the FBI investigation found no evidence Bassnan even met Alhazmi or Almihdhar. Gore also disputed the committee's suggestion that Al Bayoumi and Bassnan were receiving money from Saudi officials or rich Saudis, and then funneling the money to Alhazmi and Almihdhar.

          A senior Justice Department official agreed last week with Bill Gore that an exhaustive investigation has turned up no proof the hijackers received financial assistance from the Saudi government. Likewise, the department official agreed that, given the intelligence and the anti-terrorism resources in place before Sept. 11, there was no way to assert that the attacks could have been prevented. One might add that there was no way not only because of resources or systemic imperfections, but because of our collective mindset -- it was strategic surprise, a bolt out of the blue. (Jonkers) (LA Times/ the Nation/ 21 Aug03 //H.G. Reza and G. Krikorian) (stories on this topic search Archives at www.latimes.com/archives)


JUSTICE DEPARTMENT REPORT ON FBI TRAITOR HANSSEN -- The Office of the Inspector General (OIG) of the Department of Justice (DOJ) on 14 August released an unclassified report entitled "A Review of the FBI's Performance in Deterring, Detecting, and Investigating the Espionage Activities of Robert Philip Hanssen." It examines the performance of the FBI in deterring, detecting, and investigating the espionage of Robert Philip Hanssen, a former FBI Supervisory Special Agent. Hanssen's espionage began in November 1979 - three years after he joined the FBI -- and continued intermittently in three phases for over 20 years until his arrest in February 2001, just two months before his mandatory retirement date. The FBI is the lead agency for detecting and investigating espionage committed in the United States. The report paints a painful picture of our Cold War FBI counter-espionage posture.

          The OIG report comes in three versions. The full 674-page report is classified at the Top Secret/Codeword level because it contains extremely sensitive classified information regarding sources involved in the Hanssen case and FBI counterintelligence activities. There also is a 383-page report, classified at the Secret level, which does not contain the detailed information on the sensitive sources that is included in the Top Secret/Codeword version. In addition, a 31-page unclassified executive summary was prepared to provide a public summary of the main findings in the more extensive classified reports. The Inspector General previously provided a copy of all three versions of the report to the FBI for its comments on their factual accuracy and classification, and made changes where appropriate.

          Selected excerpts from the OIG report follow. "The FBI's penetration efforts in the late 1970s and 1980s suffered from a lack of cooperation with the CIA and from inattention on the part of senior management. In 1985 and 1986, the CIA and FBI lost nearly every significant human asset then operating against the Soviet Union. These losses were unprecedented in scope, quantity, significance, and timing, yet the FBI undertook no sustained effort to determine their cause. Senior management was almost entirely unaware of the scope and significance of these losses, and throughout the 1980s the FBI failed to work cooperatively with the CIA to resolve the cause of these losses or to thoroughly investigate whether an FBI mole could be responsible for these setbacks. We now know that Hanssen compromised many of the assets and operations lost during the mid-1980s.

          The early 1990s saw significant improvement in FBI/CIA cooperation, with the two agencies undertaking a joint investigation concerning the cause of the 1985-86 asset losses. The FBI drastically increased the number of squads and personnel devoted to espionage investigations, and the FBI's senior management took a much more active role in supervising penetration investigations. The energized penetration efforts led to successful espionage prosecutions of CIA officers Aldrich Ames and Harold Nicholson, FBI Special Agent Earl Pitts, and NSA detailee David Boone. While the FBI worked closely with the CIA's Special Investigations Unit (SIU) on most of these cases, the SIU was not an equal partner. The FBI's failure to keep the CIA apprised of information concerning non-CIA espionage investigations -- such as the case involving FBI agent Earl Pitts -- undermined the effort to identify Hanssen.

          In attempting to identify the mole who turned out to be Hanssen, the FBI intensively pursued a CIA suspect. This investigation culminated in the submission of a report to the Justice Department that appeared to seek the prosecution of that CIA suspect, despite the fact that some senior FBI managers had serious reservations about the conclusions of the report and doubted whether the officer -- who has since been exonerated by the FBI -- was the correct target.

          Although the FBI pursued penetration leads in the 1990s that we now know related to Hanssen, he received no investigative scrutiny until late 2000. Indeed, the FBI never opened even a preliminary inquiry on any FBI employee in connection with the search for the mole ultimately identified as Hanssen. This was true even though the FBI had access to information suggesting that the mole might be an FBI employee, and believed that the mole had compromised certain FBI assets and operations.

          Longstanding systemic problems in the FBI's counterintelligence program played an important role in the FBI's failure to uncover Hanssen. Most importantly, the FBI demonstrated a reluctance to consider itself as a possible source for a penetration in the absence of leads identifying a specific FBI target. Thus, the FBI maintained a focus on the CIA as the mole's employer despite information indicating that the mole might be an FBI employee.

          Ineffective oversight by FBI management and poor coordination with the Justice Department also contributed to the length of the FBI's investigation of the wrong suspect and the failure to pursue alternative avenues. The FBI managers with supervisory authority over the investigation often deferred to line personnel -- even when the managers harbored serious doubts about the progress of the investigation -- resulting in a tacit endorsement of erroneous analysis and conclusions. This problem was compounded by the FBI's poor coordination with the Justice Department components responsible for overseeing intelligence investigations -- the Office of Intelligence Policy and Review (OIPR) and the Criminal Division's Internal Security Section (ISS). Because the FBI did not provide the Justice Department with complete information about its investigation -- omitting crucial information about weaknesses in proof and investigative setbacks -- the Justice Department could not properly evaluate the strength of the FBI's case against the CIA suspect.

          Although Hanssen escaped detection for more than 20 years, this was not because he was a "master spy." While Hanssen took some important steps to maintain his security -- such as refusing to reveal his identity to his Russian handlers -- and used his knowledge of the FBI's counterintelligence practices and poor internal security to his advantage, much of Hanssen's conduct when committing espionage was reckless. For example, Hanssen (1) set up an FBI camera on a drop site he used for exchanges with the GRU during his first period of espionage; (2) used an FBI telephone line and answering machine for communications with the KGB in 1986; (3) deposited much of the KGB's cash directly into a passbook savings account in his name in the late 1980s; (4) suggested to his Russian handlers in 1991 that they attempt to recruit Jack Hoschouer, his best friend; (5) directly approached a GRU officer in 1993 and revealed that he was an FBI agent who had previously committed espionage for the KGB -- an approach that led to a diplomatic protest from the Russians and an FBI investigation that could have identified Hanssen as a mole; and (6) searched the FBI's computer system, during his last period of espionage, for references to his own name, address, and drop and signal sites -- conduct that would have been difficult to explain if the FBI had utilized the computer system's audit feature. In sum, Hanssen escaped detection not because he was extraordinarily clever and crafty, but because of longstanding systemic problems in the FBI's counterintelligence program and a deeply flawed FBI internal security program."
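Point (6) of the excerpt describes a control the FBI had but did not use: the audit feature of the case system, which records who searched for what. The script below is an added example (not from the OIG report or the FBI) of two checks such an audit log supports: an employee querying the system for their own name or address, and an employee querying a sensitive case term they are not assigned to. The employee directory, case watchlist, audit-line format and log lines are all constructed for the example.

```python
"""Flag suspicious use of an investigative database from its query audit log.

Added example, not from the OIG report. It shows two checks that a search
audit feature would support: (1) a user looking up their own identifiers,
(2) a user querying a sensitive case term they are not assigned to.
Every user, address, case term and log line below is constructed.
"""
import re
from collections import Counter

# Constructed employee directory: identifiers that should rarely appear in
# an employee's own investigative queries (all lower-case for matching).
DIRECTORY = {
    "asmith": {"smith", "andrew smith", "14 elm st"},
    "bjones": {"jones", "barbara jones", "9 oak ave"},
}

# Constructed case watchlist: sensitive terms (e.g. a hypothetical drop-site
# name) mapped to the users assigned to that case.
CASE_TERMS = {
    "riverside footbridge": {"bjones"},
    "signal site 4": {"bjones"},
}

# Constructed audit-log format: timestamp, user, quoted query string.
SAMPLE_AUDIT = """\
2000-10-04T14:02 user=asmith query="Andrew Smith"
2000-10-04T14:05 user=asmith query="14 Elm St"
2000-10-11T09:30 user=bjones query="riverside footbridge"
2000-10-12T16:45 user=asmith query="riverside footbridge"
2000-10-13T10:00 user=bjones query="warehouse lease"
"""

AUDIT_RE = re.compile(r'^(\S+) user=(\w+) query="([^"]*)"$')


def parse_audit(text):
    """Yield (timestamp, user, lower-cased query) for each well-formed line."""
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def self_lookup(user, query):
    """True if the query contains one of the querying user's own identifiers."""
    return any(ident in query for ident in DIRECTORY.get(user, ()))


def unassigned_case_lookup(user, query):
    """Case terms present in the query that this user is not assigned to."""
    return [term for term, users in CASE_TERMS.items()
            if term in query and user not in users]


def review_audit(text):
    """Return findings as (timestamp, user, reason, query) tuples."""
    findings = []
    for ts, user, query in parse_audit(text):
        if self_lookup(user, query):
            findings.append((ts, user, "self-lookup", query))
        for term in unassigned_case_lookup(user, query):
            findings.append((ts, user, f"unassigned case term: {term}", query))
    return findings


def repeat_offenders(findings, threshold=2):
    """Users with at least `threshold` findings, for analyst follow-up."""
    counts = Counter(user for _, user, _, _ in findings)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = review_audit(SAMPLE_AUDIT)
    for ts, user, reason, query in found:
        print(f"{ts} {user}: {reason} (query: {query!r})")
    print("repeat offenders:", repeat_offenders(found))
```

Substring matching on a surname is deliberately noisy (any query mentioning a "Smith" will trip it for asmith); the value of the check is in the pattern over time, which is why the findings are also counted per user rather than alerted on individually.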

          The report of this long-running espionage and treason-from-within is disturbing reading.  It confirms my own suspicion, based on career observations, of the security (or systemic insecurity) of some HUMINT assets, even if never imagined in this proportion and magnitude. The report shows the damage from leadership feuds and bureaucratic turf protection, such as between the Justice Department and the FBI, which possibly colors this DoJ/OIG report on the FBI to some extent. It highlights systemic shortcomings. The 21 OIG recommendations (omitted from this article), many of which can be viewed from the outside as useful, are hopefully already accepted and put into place. Ultimately we must and can rely on the integrity of our government personnel and on our constitutional system of checks and balances, and that confidence can be restored (if needed, as in this case) and reinforced by constructive critique and correction. One may remember that anyone can be made to look bad with perfect hindsight. The betrayal by Hanssen was counter-intuitive to his personal profile and uncharacteristic of the general FBI agent profile or departmental esprit. The FBI (and other departments and corporations) internal CI system must adapt to this insight, without going overboard. This is an interesting report, worth reading in full. (Jonkers) (Department of Justice, Office of the Inspector General, 14 August 2003 //Glenn A. Fine, Inspector General, & 9-member investigative team). (HTML version: http://www.usdoj.gov/oig/special/03-08/index.htm) (PDF version:  http://www.usdoj.gov/oig/special/03-08/final.pdf)

BIO-TECHNOLOGY THREAT -- The speed of biotechnology development is outpacing the ability of nations to legislate on it, leaving the door open to accidents, misjudgments, and exploitation by terrorists, and putting individual safety at risk. The biotechnology industry is said to be well aware of the potential threats. It has made many recent contributions (for good or ill) in the areas of public health, the food industry, agriculture and the environment, but it is becoming a borderless global industry, and risks abound. (Jonkers) (CNS ChemBio-WMD Terrorism News, Business Wire 14 Aug 03)



MICROSOFT DENIES SOFTWARE BACK DOORS FOR CIA -- Australia has signed on to participate in Microsoft's Government Security Program (GSP), a "shared source" initiative begun after several governments refused to use Microsoft software due to security concerns. Australia is the 12th nation to join the GSP, which was launched in January. Australia's participation will be managed through the Defence Signals Directorate and give officials access to the Windows source code for various operating systems -- including the ability to test and verify the code -- along with Microsoft security documentation and access to Microsoft developers. The project was immediately accused of providing the US access to secrets through 'back doors.'

          Microsoft has scoffed at suggestions its software contains back doors for use by United States intelligence services. Creating back doors for the CIA would be a "stupid decision" as the feature would certainly be discovered, said Microsoft's chief security strategist Scott Charney. "Let us assume we put a back door in, do you think it wouldn't be discovered? Look how many people are probing and testing our products.  If it was discovered, what do you think our long-term business survivability would be? I think it would be zero." (Jonkers) (Adam Turner 15 August 03)


SoBIG VIRUS INFECTION SPREADING -- One of the fastest-spreading e-mail viruses ever is threatening to discombobulate computers around the world. SoBig -- presumably named for the effect it was designed to have on computer networks -- is triggered when a user tries to open an attachment, allowing the program to write itself into the start-up sequence of a machine running one of many editions of Microsoft Corp.'s Windows operating system.  Be careful about opening attachments!!

          The attack arrived as companies were struggling to contain the effects of earlier viruses and worms. One of those affected, railroad giant CSX Corp. said the Blaster worm infected its signaling and dispatching systems early Wednesday morning. All of CSX's rail service was halted for two hours, and morning commuter service in Washington was canceled.  The biggest losers were small businesses and consumers whose e-mail backed up so much that some incoming messages were lost. A modest-sized L.A. law firm was effectively shut down after its network was clogged by a SoBig infection Tuesday, before word of the dangerous messages spread.  Government computers are also said to be infected.

          Computer experts are debating what the SoBig author's next instructions are likely to be. Unlike its predecessors, SoBig has become more sophisticated in successive versions since its discovery in January. It is one of the first to install a "back door" to allow additional manipulation by hackers. "Traditionally, viruses only propagated copies of themselves," said John R. Levine, author of "The Internet for Dummies." "It's a fairly recent development -- over the past few months -- that we're seeing viruses that leave a trap door so bad guys can come in later and install more hostile software."

          Late Wednesday, Microsoft warned of three more "critical" security holes in Windows and its Internet Explorer browser. The software giant is urging consumers to set their PCs to receive security patches automatically. (Jonkers) (LA Times 22 Aug 03 //J. Menn & D. Streitfeld)

IT SECURITY MANAGEMENT -- Many companies have deployed host- and network-based intrusion-detection systems (IDS), firewalls and anti-virus tools on their networks. Nevertheless, they may have a hard time dealing with the deluge of data pouring in from their various security systems. Not only is the incoming data voluminous and often unreliable, but the IT staff also has to collect it from each system and then manually correlate it. The answer may be to install a security event management suite. (Levine 08/18/03) (http://computerworld.com/securitytopics/security/story/0,10801,83978,00.html)
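The correlation that such a suite performs is easy to see in miniature. The script below is an added example, not from the article or any vendor: it normalizes lines from three constructed log formats (standing in for a firewall, a network IDS and a host anti-virus product; they are not the formats of any real product), groups the events by the IP address they concern, and raises one alert only when two or more different tools report the same host inside a five-minute window. That "two independent sources agree" rule is the simplest answer to the article's complaint that each feed on its own is noisy and unreliable.

```python
"""Correlate events from several security tools by host and time window.

Added example of the correlation a security event management suite does.
The three log formats are constructed for the example (firewall, network
IDS, host anti-virus); the sample lines are not from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (timestamps and addresses chosen for the example).
SAMPLE_LOGS = """\
2003-08-20 09:12:01 fw DENY tcp 10.0.0.7:3421 -> 192.0.2.10:135
2003-08-20 09:12:03 ids ALERT 10.0.0.7 sig="rpc overflow attempt"
2003-08-20 09:12:40 av DETECT host=ws-17 ip=10.0.0.7 file=worm.exe
2003-08-20 09:30:00 fw DENY tcp 10.0.0.9:1100 -> 192.0.2.10:80
2003-08-20 11:05:00 ids ALERT 10.0.0.9 sig="portscan"
this line is not in any known format
"""

FW_RE = re.compile(r"^(\S+ \S+) fw (\w+) \w+ ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
IDS_RE = re.compile(r'^(\S+ \S+) ids ALERT ([\d.]+) sig="([^"]+)"$')
AV_RE = re.compile(r"^(\S+ \S+) av DETECT host=(\S+) ip=([\d.]+) file=(\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def normalize(line):
    """Map one raw line to (time, source_tool, ip, detail); None if unknown."""
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst, port = m.groups()
        return (parse_ts(ts), "fw", src, f"{action} to {dst}:{port}")
    m = IDS_RE.match(line)
    if m:
        ts, ip, sig = m.groups()
        return (parse_ts(ts), "ids", ip, sig)
    m = AV_RE.match(line)
    if m:
        ts, host, ip, path = m.groups()
        return (parse_ts(ts), "av", ip, f"{path} on {host}")
    return None


def correlate(text, window=timedelta(minutes=5), min_sources=2):
    """Alert when >= min_sources distinct tools report the same IP within
    one window. Returns a list of (ip, sorted_sources, first_time, last_time)."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        event = normalize(line)
        if event is not None:
            by_ip[event[2]].append(event)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        for i, first in enumerate(events):
            # Sliding window anchored on each event in turn.
            group = [e for e in events[i:] if e[0] - first[0] <= window]
            sources = sorted({e[1] for e in group})
            if len(sources) >= min_sources:
                alerts.append((ip, sources, first[0], group[-1][0]))
                break  # one alert per host is enough for the analyst queue
    return alerts


if __name__ == "__main__":
    for ip, sources, start, end in correlate(SAMPLE_LOGS):
        print(f"ALERT {ip}: {', '.join(sources)} agree between {start} and {end}")
```

In the sample, 10.0.0.7 is reported by all three tools within forty seconds and produces an alert; 10.0.0.9 appears in two feeds but nearly two hours apart, so it stays below the threshold. Tuning the window and the minimum number of agreeing sources is where the real product work lies.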

FAKE DRUG GAMES -- Drug companies are turning to spy novel gizmos --  invisible inks, tiny radio-frequency antennas and the like -- to help stop counterfeiters from faking or adulterating prescription drugs. Counterfeits represent a fraction of the $192 billion U.S. drug market. But, investigators in recent months have seized a variety of fakes. They include Lipitor pills that contained only small amounts of the ingredient needed to lower cholesterol and vials of an expensive cancer drug filled with only bacteria-laden salt water. (Levine 08/18/03) 

CITIBANK WARNS CUSTOMERS OF PHISHING SCAM -- Citibank on Monday warned customers not to fall for an e-mail scam that threatened to shut down their checking accounts if they failed to provide their Social Security numbers. (Levine 08/18/03) http://www.washingtonpost.com/wp-dyn/articles/A9991-2003Aug18.html

DEFENSE PROTOTYPE ID-CHECKING TEST -- The Defense Department in October will begin testing a prototype credential-checking system. The pilot will help DOD’s Directorate of Information Assurance and Defense Manpower Data Center develop a system that can validate the identities of people trying to gain access to military installations and contractor facilities where Defense work is performed. The DOD center, which oversees the Defense databases storing identity information, will work with Northrop Grumman Corp. on the test. The directorate, within the Office of the Assistant Secretary of Defense for Networks and Information Integration, is paying $500,000 for the test, which will run through March. (Levine 08/19/03) http://www.gcn.com/vol1_no1/daily-updates/23188-1.html


TERRORISM, AFGHANISTAN, AND AMERICA'S NEW WAY OF WAR: by Norman Friedman, Naval Institute Press, Annapolis, Md., July 2003, ISBN 1-59114-290-3, with Notes, Bibliography, Index. After setting the stage, Dr. Friedman, a noted naval strategist and author, takes a chapter to sketch the beginning -- the Russian war in Afghanistan. It tore up the country's political system, in which tribal chiefs and religious men ruled, and social cohesion was ensured by precedence. The chiefs met in the loya jirga to determine national policy. In wartime, however, leadership devolved on capability in battle, which fed tribal ambitions and made it difficult to agree on a national government. Moreover, the Soviets discovered that many of the Afghan leaders could be rented, though not bought (as both the Taliban and the US did later).

          The Taliban were seen in the US at the time as conservative but honest. Americans might not find their social customs appealing, but they were seen as adapted to a conservative Muslim country. The Taliban badly needed reliable troops. Al Qaeda offered a solution. Osama's Arabs could be counted on to fight, not only the Russians, but Ahmed Shah Mahsood. They formed the 055 brigade, which became the only effective force in the Taliban army, and the only one capable of night fighting. In the end, with all neighboring countries and others (US, Saudi Arabia etc.) intruding on the war, the Soviets lost, but Afghanistan's infrastructure was destroyed. Grazing country was ruined by landmines. Only the poppy remained as a cash crop, and the country became a major source of heroin for Europe (later the Taliban received a large subsidy from the US to block poppy cultivation; today, poppies have regained their importance and exports are in full swing). Aside from military support, bin Laden provided the Taliban with much of the cash it needed, and thus Afghanistan became the center of bin Laden's pan-Islamic movement.

          Dr Friedman's book is a rich source on the complex interplay of history, policy and technology. While bin Laden was forming his terror international, the US military was engaged in developing a new kind of war fighting, described as the "Revolution in Military Affairs" or 'Network-Centric Warfare'. Friedman examines its impact in Afghanistan to destroy the terrorist home base. He posits that the 9/11 attacks were intended to inspire a wider movement in the Muslim world that would lead to a pan-Muslim empire, and argues that it failed because of determined US action. This is a wide-ranging, broadly argued, informative book -- with the only regret that it was completed before the recent US invasion of Iraq in 2003. It would have made a good fit. (Jonkers)

SECRETARY FOR HOMELAND SECURITY TOM RIDGE ON INFORMATION-SHARING -- Secretary Tom Ridge of the Department of Homeland Security, speaking at a meeting of the National Governors Association, noted the remarkable fact that all governors have now signed non-disclosure agreements. "You now have access to information. We'll be sharing more and more information with you. Just about all of your Homeland Security Advisors have received security clearances." (Text of 18 August remarks at http://www.dhs.gov/dhspublic/display?content=1200)

SENATE REPORT ON FEDERAL-STATE INFORMATION-SHARING -- Information sharing between the federal government and state and local officials regarding homeland security matters is entirely unsatisfactory, according to a new report from the Democratic staff of the Senate Governmental Affairs Committee. See "State and Local Officials: Still Kept in the Dark About Homeland Security," (Senate Governmental Affairs Committee minority staff, August 13) (http://www.fas.org/irp/congress/2003_rpt/gac-info.pdf) (Secrecy News 08/19/03)


AFIO NATIONAL INTELLIGENCE SYMPOSIUM 2003:  The Changing Face of Intelligence will include a rich agenda and a variety of activities. Saturday will be a full day of presentations centered on intelligence issues, followed by an Open Bar Reception and a new format Spies in Black Ties™ National Awards Banquet.

Sunday will be run on two tracks. Track One involves a special, private (public not admitted) visit to the International Spy Museum in Washington DC, followed by the Stewart Alsop National Media Award presentation at the Spy Museum's Zola Restaurant (limited to 120), followed by two bus tours: one in Virginia by the CI Centre with former FBI S/A Dave Major, and one in DC by the Cold War Museum with Gary Powers Jr (each limited to 50).

Track II will consist of a program with authors and intelligence literature, and other different features.

Monday at the NRO will focus on changes in defense intelligence, space intelligence, sensing and products, and advanced intelligence and anti-terrorist technology and systems.

Tuesday at CIA will provide National perspectives on intelligence changes by the DCI, FBI, Congress, and other agencies and departments.

You will get the draft agenda and registration package by email next week (Jonkers).



Tom writes on MSBLASTER variant -- I have been trying to remove an msblast-related worm and have not been able to remove it, or to find the particular symptoms associated with this variation by internet searching. I am therefore reporting as a new variation and to request any additional information on removing it. According to information found while internet searching, a worm named Troj/Litmus-108 exhibits similar behavior in that it creates an entry in the same registry key but names it syscfg.exe and also creates the false key CurentVersion.

          The reason I am sending this to AFIO is because I am struck by the fact this all started on 8/11 and also by how many governmental and military computers are being affected.  The initial media coverage indicated it was an unsophisticated amateurish attempt and then further media described what were alleged to be copycat attempts.  However, some reports are starting to indicate something more sinister.  See- http://www.prnewswire.com/cgi-bin/stories.plACCT=104&STORY=/www/story/08-21-2003/0002004739&EDATE=

          I wonder if there is really a sophisticated entity behind this, capable of placing a trojan within a trojan, perhaps within a trojan (to who knows what number of permutations)? If you can use this information to further probe this situation, please do, and if you can share anything of what you learn with me, or with AFIO via your newsletters, please do so. Experts may get details on the phenomena by contacting Tom B., a seasoned computer veteran, through the AFIO office afio@afio.com (RJ)
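Both the SoBig item above (the program "writes itself into the start-up sequence") and Tom's note (an entry under the same registry key, named syscfg.exe, plus a false key spelled "CurentVersion") describe the same persistence trick: an autorun value under a Run key, sometimes parked under a look-alike key path so that a quick glance in the registry editor misses it. The script below is an added example, not from Tom's message, Microsoft, or any anti-virus vendor. It parses the text format written by Windows' `reg export` (so it runs offline on any platform), lists every value under a Run-style key, and flags key path components that are near-misses of the real names, such as "CurentVersion" for "CurrentVersion". The .reg content is constructed for the example; only the syscfg.exe name comes from Tom's report.

```python
"""Check a Windows registry export (.reg text) for autorun persistence.

Added example (not code from the page): parses the `reg export` text format
and reports (1) every value under a Run/RunOnce-style key, and (2) key path
components that are near-misses of well-known names, such as the false
"CurentVersion" key described in the newsletter. The .reg sample below is
constructed; it is not an export from any real machine.
"""
import difflib
import re

# Components worms typo-squat so a key looks legitimate at a glance.
KNOWN_COMPONENTS = ("CurrentVersion", "Windows", "Microsoft",
                    "Run", "RunOnce", "Software")

# Leaf key names whose values are executed at logon/startup.
AUTORUN_KEYS = ("run", "runonce", "runservices", "runservicesonce")

# Constructed .reg export (raw string: .reg files double their backslashes).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"windows auto update"="syscfg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurentVersion\Run]
"syscfg"="syscfg.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg export text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2).strip('"').replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys


def lookalike_components(key_path, cutoff=0.8):
    """(component, real_name) pairs for components close to, but not equal
    to, a well-known key name. `cutoff` is difflib's similarity threshold."""
    found = []
    for comp in key_path.split("\\"):
        if comp in KNOWN_COMPONENTS:
            continue
        close = difflib.get_close_matches(comp, KNOWN_COMPONENTS, n=1, cutoff=cutoff)
        if close:
            found.append((comp, close[0]))
    return found


def audit_autoruns(text):
    """Return (entries, lookalikes): entries are (key, name, data) under
    Run-style keys; lookalikes are (key, component, real_name)."""
    entries, lookalikes = [], []
    for key, values in parse_reg(text).items():
        if key.rsplit("\\", 1)[-1].lower() in AUTORUN_KEYS:
            for name, data in values.items():
                entries.append((key, name, data))
        for comp, real in lookalike_components(key):
            lookalikes.append((key, comp, real))
    return entries, lookalikes


if __name__ == "__main__":
    entries, lookalikes = audit_autoruns(SAMPLE_REG)
    for key, name, data in entries:
        print(f"autorun   {name!r} -> {data}   [{key}]")
    for key, comp, real in lookalikes:
        print(f"LOOKALIKE {comp!r} (expected {real!r})   [{key}]")
```

On a live machine, `reg export HKLM\SOFTWARE\Microsoft\Windows out.reg` produces input in this format; a bare executable name such as syscfg.exe with no path, or any value under a key whose spelling does not match the real Windows key, is what to take to the quarantine step. The similarity cutoff of 0.8 is an assumption chosen so that single-character omissions are caught while unrelated names are not.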

WINs are protected by copyright laws and intellectual property laws, and may not be reproduced or re-sent without specific permission from the Producer. Opinions expressed in the WINs are solely those of the editor(s) or author(s) listed with each article. AFIO Members Support the AFIO Mission - sponsor new members! CHECK THE AFIO WEBSITE at www.afio.com for back issues of the WINs, information about AFIO, conference agenda and registrations materials, and membership applications and much more! (c) 2003, AFIO, 6723 Whittier Ave, Suite 303A, McLean, VA 22101. afio@afio.com; Voice: 703 790-0320; Fax: 703 790-0264