Monday, July 07, 2025

Ubiquitous Technical Surveillance & Countermeasures: Existential Threats & Mitigations

Ubiquitous Technical Surveillance (UTS) is the widespread collection and analysis of data from various sources—ranging from visual and electronic devices to financial and travel records—for the purpose of connecting individuals, events, and locations. 

This surveillance poses risks to government operations, business organizations, and individuals alike, threatening to compromise sensitive investigations, personal privacy, and organizational security. The surprising findings of a recent audit of FBI techniques to address UTS further heighten the need for awareness and response to the threats. 

As the sophistication and reach of surveillance technologies continue to grow, understanding the nature of UTS and implementing effective Technical Surveillance Countermeasures (TSCM) is essential for safeguarding sensitive information and ensuring operational integrity. This work explores UTS and TSCM and suggests mitigation strategies to combat the threats.

Overview

Ubiquitous Technical Surveillance (UTS) refers to the pervasive collection and analysis of data, including visual, electronic, financial, travel, and online data, for the purpose of connecting individuals, events, and locations. The significance of the threats is outlined in a recently declassified but heavily redacted DOJ/OIG audit of the FBI's response to UTS (DOJ, 2025). Based on the number of redactions, particularly in the CIA's section of the report, it is reasonable to infer that many incidents have occurred that have not been reported to the public.

Technical Surveillance Countermeasures (TSCM) refers to specialized procedures and techniques designed to detect, locate, and neutralize unauthorized surveillance devices and eavesdropping threats. TSCM is commonly known as a "bug sweep" or "electronic counter-surveillance" and is used to protect sensitive information from being intercepted by covert listening devices, hidden cameras, or other forms of technical surveillance (REI, 2025), (Conflict International Limited, 2025).

UTS Devices, Data Sources, & Risks

Technical surveillance data collection can occur through a variety of devices and data sources including the following:

UTS is recognized as a significant and growing threat to government, business organizations, and individuals, with the potential to compromise investigations, business operations, and personal safety. When the collected technical surveillance information is in the wrong hands and used for nefarious purposes, harm can result.

UTS Threats

What are the UTS threats?

  • Significance: Described as an “existential threat” by the Central Intelligence Agency (CIA) due to its ability to compromise sensitive operations and personal safety (DOJ, 2025, p.4).

Risks:

  • Compromise of investigations, personnel PII, and sources (DOJ, 2025)
  • Exposure of operational details
  • Threats to personal and organizational security
  • Corporate espionage (Pinkerton, 2022)

Real-World UTS Scenarios

The following incidents are a sample of situations involving UTS.

  • Cartel Tracking via Phones and Cameras: Criminals exploited mobile phone data and city surveillance cameras to track and intimidate law enforcement and informants (DOJ, 2025, p.18).
  • Organized Crime and Phone Records: Crime groups used call logs and online searches to identify informants (DOJ, 2025, p.18).
  • Financial Metadata De-Anonymization: Commercial entities re-identified individuals from anonymized transaction data. Though this data is anonymized, in 2015, researchers from the Massachusetts Institute of Technology found that with the data from just four transactions, they could positively identify the cardholder 90% of the time (DOJ, 2025, p.17).
  • Travel Data Correlation: Adversaries used travel records to reveal covert meetings and operational activities (DOJ, 2025, p.1).
  • Online Activity Analysis: Aggregated web and social media data to build detailed personal profiles (DOJ, 2025, p.1).
  • Visual Surveillance: Use of CCTV and smart devices for real-time tracking and event reconstruction.
  • Electronic Device Tracking: Exploitation of device signals and unique identifiers for location tracking.
  • Combined Data Exploitation: Overlaying multiple data sources to establish “patterns of life.”
  • Commercial Data Brokers: Purchase of large datasets for profiling and targeting.
  • Compromised Communications: Poorly secured communications exposing sensitive activities.
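To make the four-transaction finding above concrete, the following is an added example (not from the DOJ report or the MIT study) that estimates the unicity of a pseudonymous transaction dataset: the share of p-point subsets of a cardholder's trace that match that cardholder alone. The traces, the `unicity` and `constructed_traces` helpers, and the `TINY` dataset are all constructed for this illustration.

```python
"""Unicity estimator for "anonymized" transaction traces.

Added example illustrating the four-transaction finding cited above; it is
not from the DOJ report or the MIT study. Each trace is a list of
(shop, day) points with all direct identifiers removed, the form in which
such data is commonly shared. Unicity is the share of p-point subsets of a
trace that match exactly one cardholder in the dataset: near 1.0 means
knowing any p transactions of a person singles out their whole trace.
"""
import itertools
import math
import random
from collections import defaultdict
from typing import Dict, Hashable, List, Set, Tuple

Point = Tuple[Hashable, Hashable]   # (shop_id, day)
Records = Dict[str, List[Point]]    # pseudonym -> trace


def unicity(records: Records, p: int, max_subsets: int = 2000,
            seed: int = 0) -> float:
    """Fraction of p-subsets that identify their owner uniquely.

    All p-subsets of a trace are tested when there are at most max_subsets
    of them; longer traces are sampled with a seeded RNG instead.
    """
    rng = random.Random(seed)
    index: Dict[Point, Set[str]] = defaultdict(set)   # point -> who was there
    for uid, trace in records.items():
        for pt in set(trace):
            index[pt].add(uid)
    tested = unique = 0
    for uid, trace in records.items():
        pts = list(dict.fromkeys(trace))              # dedupe, keep order
        if len(pts) < p:
            continue                                  # trace too short to test
        if math.comb(len(pts), p) <= max_subsets:
            subsets = itertools.combinations(pts, p)
        else:
            subsets = (tuple(rng.sample(pts, p)) for _ in range(max_subsets))
        for sub in subsets:
            matches = set.intersection(*(index[pt] for pt in sub))
            tested += 1
            unique += matches == {uid}
    return unique / tested if tested else 0.0


# Tiny constructed dataset with values that can be checked by hand:
# A and B share three points; C shares only (s1, 1) with the others.
TINY: Records = {
    "A": [("s1", 1), ("s2", 2), ("s3", 3), ("s4", 4)],
    "B": [("s1", 1), ("s2", 2), ("s3", 3), ("s5", 5)],
    "C": [("s1", 1), ("s9", 9), ("s8", 8), ("s7", 7)],
}


def constructed_traces(n_holders: int = 300, n_shops: int = 150,
                       n_days: int = 60, n_tx: int = 20, seed: int = 1) -> Records:
    """Random traces standing in for a real extract (constructed, not real data)."""
    rng = random.Random(seed)
    return {f"holder{i}": [(rng.randrange(n_shops), rng.randrange(n_days))
                           for _ in range(n_tx)] for i in range(n_holders)}


if __name__ == "__main__":
    data = constructed_traces()
    for p in (1, 2, 3, 4):
        print(f"p={p}: unicity={unicity(data, p):.2f}")
```

On the tiny dataset one point identifies its owner 5 times out of 12, two points 2 times out of 3, and four points always; on the larger constructed set unicity climbs the same way as p grows.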

UTS Response: Organizational Challenges - FBI

The FBI identified UTS as an issue impacting the Bureau. However, a recently declassified audit of the FBI's approach to UTS by the Office of Inspector General (OIG) identified several challenges and areas for improvement (DOJ, 2025, p.4).

OIG Audit of the FBI's Efforts (DOJ, 2025)

  • Red Team Analysis: Initial FBI efforts were high-level and did not fully address known vulnerabilities.
  • FBI Strategic Planning: Ongoing development, but lacking clear authority and coordination.
  • Training Gaps: Basic UTS training is mandatory for FBI personnel, but advanced training is limited and optional.
  • Incident Response: FBI data breaches revealed policy gaps and a lack of coordinated response.
  • Recommendations: The FBI needs comprehensive vulnerability documentation, strategic planning, clear authority, and expanded training.

Countermeasures & Best Practices

Combating the threats from UTS is a daunting challenge. Several steps can be taken to mitigate the threats.

Scenario-Specific Steps

Suggested General Countermeasures

  • Regular training on digital hygiene and counter-surveillance
  • Encryption of sensitive data and communications
  • Physical security for sensitive locations and devices
  • Vigilance and behavioral adaptation to signs of surveillance
  • Technical Surveillance Countermeasures (REI, 2025), (Conflict International Ltd, 2025), (EyeSpySupply, 2023).

Training & Awareness (DOJ, 2025)

  • Basic UTS Awareness: Should be mandatory for all FBI personnel.
  • Advanced UTS Training: Recommended for high-risk FBI roles; should be expanded and resourced.
  • Continuous Learning: Stay updated on emerging threats and countermeasures.

Incident Response Recommendations from the OIG Audit of the FBI (DOJ, 2025)

  • FBI should establish clear lines of authority for UTS incidents.
  • FBI should develop and rehearse coordinated response plans.
  • FBI should regularly review and update internal controls and policies.

Summary

The growing sophistication and reach of surveillance technologies have made UTS a threat to government operations, business organizations, and individuals. Real-world incidents demonstrate how adversaries exploit mobile phone data, surveillance cameras, financial transactions, and travel records to compromise investigations, expose operational details, and threaten personal and organizational security.

The FBI, recognizing UTS as an existential threat, has faced challenges such as insufficient planning, limited training, and gaps in incident response.

Technical Surveillance Countermeasures (TSCM), including procedures like bug sweeps and electronic counter-surveillance, are tools for detecting and mitigating unauthorized surveillance devices. Best practices for mitigation include regular training, encryption, physical security, and continuous awareness of emerging threats.

Conclusion

The risks posed by UTS are immediate and evolving, with the potential to undermine investigations, compromise privacy, and threaten organizational integrity. Effective countermeasures require a combination of technical solutions, organizational policies, and training. The findings of the OIG audit of the FBI highlight the need for clear authority, coordinated response plans, and regular updates to internal controls. As surveillance technologies continue to advance, adopting a proactive and comprehensive approach to counter-surveillance is important for safeguarding information and maintaining operational security.

References

Conflict International Ltd. (2025, June). Bug Sweeps (TSCM): Protecting Against AirTag Stalking and Modern Surveillance. https://conflictinternational.com/news/bug-sweeps-tscm-protecting-against-airtag-stalking-and-modern-surveillance

DOJ. (2025, June). Audit of the Federal Bureau of Investigation's Efforts to Mitigate the Effects of Ubiquitous Technical Surveillance. Department of Justice, Office of the Inspector General. https://oig.justice.gov/sites/default/files/reports/25-065.pdf

EyeSpySupply. (2023, December). The Importance of TSCM Equipment for Security. Blog. https://blog.eyespysupply.com/2023/12/29/the-importance-of-tscm-equipment-for-security/

Pinkerton. (2022, July). Technical Surveillance Countermeasures to Prevent Corporate Espionage. https://pinkerton.com/our-insights/blog/technical-surveillance-countermeasures-to-prevent-corporate-espionage

REI. (2025). Research Electronics Institute. TSCM Equipment and Training. https://reiusa.net/

Friday, June 27, 2025

Disturbing Revelations - Annual Assessment of the IRS’s Information Technology Program

The Treasury Inspector General for Tax Administration (TIGTA) released its annual assessment of the IRS’s Information Technology (IT) Program for 2024. This review, based on audit reports from TIGTA and the Government Accountability Office (GAO), paints a mixed picture: while progress has been made in some areas, significant vulnerabilities and management failures persist. These issues threaten the security of taxpayer data, the effectiveness of IRS operations, and public trust in the agency.

Summary of Findings

The IRS is a massive and complex organization, collecting $5.1 trillion in federal tax payments and processing 267 million tax returns and forms in FY 2024. Its reliance on computerized systems is absolute, making IT security and modernization paramount. Despite efforts to modernize and secure its systems, the IRS faces mounting challenges due to funding cuts, workforce reductions, and persistent weaknesses in cybersecurity, access controls, and IT asset management.

Audits revealed that while the IRS is making strides in areas like identity proofing for its Direct File pilot and blocking suspicious email websites, it falls short in critical cybersecurity functions, proper management of user access, timely vulnerability remediation, and oversight of cloud services. Insider threats, incomplete audit trails, and inadequate separation of duties further exacerbate the risks.

Some Disturbing Revelations

  • The IRS’s cybersecurity program was rated “not fully effective,” failing in three of five core cybersecurity functions (Identify, Protect, Detect), including shortcomings in system inventories, vulnerability remediation, encryption, and multifactor authentication.
  • 279 former IRS users retained access to sensitive systems for up to 502 days after separation, exposing taxpayer data to unauthorized access and potential misuse.
  • The IRS failed to timely remediate tens of thousands of critical and high-risk vulnerabilities, including 2,048 critical and 13,558 high-risk vulnerabilities in a single security application environment.
  • Personally Identifiable Information (PII) for over 613,000 IRS user authentications was sent to unauthorized locations outside the U.S. due to a vendor’s flaw in the Login.gov system, placing sensitive data at risk.
  • The IRS was unable to locate all cloud services contracts or determine their value for nearly half of its cloud applications, undermining financial oversight and increasing the risk of waste or duplication.
  • 35% of IRS systems required to send audit trails for detecting unauthorized access to PII and Federal Tax Information failed to do so, severely limiting the ability to investigate or detect data breaches.
  • The IRS did not fully comply with federal mandates to block TikTok on government devices, leaving more than 2,800 mobile devices and 900 computers potentially exposed to foreign surveillance risks.
  • Inadequate separation of duties was found in 70% of reviewed cloud systems, with the same individuals controlling multiple key roles, heightening the risk of fraud or error going undetected.
  • The IRS’s data loss prevention controls could be circumvented, allowing users to intentionally exfiltrate sensitive taxpayer data despite existing monitoring tools.
  • Despite identifying 334 legacy systems needing updates or retirement, only 2 had specific decommissioning plans, leaving the IRS reliant on outdated, potentially insecure systems.

The findings underscore the need for the IRS to address IT security and management deficiencies. Without corrective action, the agency remains vulnerable to internal and external threats, risking taxpayer privacy, financial integrity, and the effective administration of the nation’s tax system.

Read the full report at this link: https://www.tigta.gov/sites/default/files/reports/2025-06/20252S0007fr.pdf

Friday, June 13, 2025

Recruiters Targeted by Fake Job Seekers in Malware Scam

Recruiters are facing a cyber threat as financially motivated hackers, notably the FIN6 group (also known as Skeleton Spider), shift tactics to social engineering campaigns. The attackers are posing as job seekers on popular platforms like LinkedIn and Indeed, luring unsuspecting recruiters into downloading malware via fake portfolio websites.

How the Scam Works

The scam starts when cybercriminals, pretending to be legitimate job applicants, reach out to recruiters through job-hunting platforms. After initial contact, they send a follow-up phishing email that directs the recruiter to a convincing online portfolio site. These sites, often hosted on Amazon Web Services (AWS), mimic authentic job seeker pages, sometimes using plausible names associated with the applicant.

To evade automated security systems, the phishing emails do not contain clickable hyperlinks. Instead, recruiters are prompted to manually type the provided web address into their browser, which helps the attackers bypass link-detection tools[1].

The Malware: More_eggs

Once on the fake portfolio site, the recruiter is asked to complete a CAPTCHA and other checks to prove they are human, further evading automated scanners. If they proceed, they are offered a ZIP file to download—purportedly a resume or work sample. Inside the ZIP is a Windows shortcut (.LNK) file that, when opened, executes a hidden JavaScript payload using wscript.exe. This payload connects to the attackers' command-and-control server and installs the More_eggs backdoor.

More_eggs is a modular, JavaScript-based malware-as-a-service tool that allows attackers to:

  • Remotely execute commands
  • Steal credentials
  • Deliver additional malicious payloads

Notably, More_eggs operates in the memory of the user's device, making it harder for traditional antivirus solutions to detect.
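One way a defender can catch this chain, as an added example that is not code from the original post or the cited reporting: a Python triage helper that flags shortcut and script members inside a "portfolio" ZIP, and flags process-creation events in which a Windows script host is launched from Explorer (a double-clicked shortcut) or with a script in a user-writable folder. The event field names follow Sysmon's process-creation event; the archive, the events and the `triage` helper are constructed for the demo.

```python
"""Detection helpers for the resume-lure chain described above (ZIP ->
.LNK -> wscript.exe -> in-memory JavaScript backdoor).

Added example, not code from the cited reporting. It triages an archive
for shortcut/script members and flags process-creation events in which a
Windows script host is launched the way a double-clicked .LNK would
launch it. Event field names follow the Sysmon EventID 1 naming
convention; the archive and events are constructed here for the demo.
"""
import io
import zipfile
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Members a "resume" archive has no business containing.
SUSPECT_MEMBER_EXT = (".lnk", ".js", ".jse", ".wsf", ".hta", ".vbs")
# Locations an extracted lure typically runs from.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\")


def suspicious_archive_members(zip_bytes: bytes) -> List[str]:
    """Return archive members whose extension marks them as executable lures.

    Double extensions such as Resume.pdf.lnk are caught because only the
    final extension is examined.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist()
                if name.lower().endswith(SUSPECT_MEMBER_EXT)]


def is_lnk_script_launch(event: Dict[str, str]) -> bool:
    """True for a script host started from Explorer (a clicked shortcut) or
    with a command line pointing into a user-writable directory."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return False
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "").lower()
    from_user_dir = any(d in cmdline for d in USER_WRITABLE_DIRS)
    return parent == "explorer.exe" or from_user_dir


def build_constructed_lure_zip() -> bytes:
    """Stand-in for the 'portfolio' download: a shortcut with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Jane_Doe_Portfolio/Resume.pdf.lnk", b"<constructed .lnk bytes>")
        zf.writestr("Jane_Doe_Portfolio/cover_letter.txt", b"constructed text")
    return buf.getvalue()


# Constructed process-creation events (Sysmon EventID 1 field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # shortcut opened from the extracted archive -> script host from Explorer
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "wscript.exe //e:jscript C:\\Users\\hr\\Downloads\\Jane_Doe_Portfolio\\stage.txt",
    },
    {   # routine admin use of a script host from a shell on a system-owned script
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cscript.exe C:\\Windows\\System32\\slmgr.vbs /dlv",
    },
    {   # not a script host at all
        "Image": "C:\\Program Files\\Example\\viewer.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "viewer.exe C:\\Users\\hr\\Downloads\\report.pdf",
    },
]


def triage(zip_bytes: bytes, events: List[Dict[str, str]]) -> Dict[str, object]:
    """Combine both checks into one report for an analyst."""
    return {
        "archive_findings": suspicious_archive_members(zip_bytes),
        "flagged_events": [i for i, e in enumerate(events) if is_lnk_script_launch(e)],
    }
```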

Evasion Tactics

FIN6 leverages several techniques to avoid detection and takedown:

  • Anonymous Domain Registration: Domains are registered through GoDaddy with privacy services, obscuring the true identity of the registrants[1].
  • Cloud Hosting: Hosting malicious sites on AWS infrastructure provides legitimacy and resilience against quick takedowns[1].
  • Human Verification: CAPTCHAs and environmental checks ensure only real users (not automated scanners) reach the malware download stage[1].

Industry Response

AWS responded to the incident by reaffirming its commitment to enforcing its terms of service and collaborating with the security research community. The company encourages reporting of any suspected abuse through its dedicated channels for swift action.

Takeaways for Recruiters and Organizations

This campaign highlights the evolving landscape of cyber threats, where even those in hiring roles are now prime targets. Key steps for recruiters and organizations to protect themselves include:

  • Treat unsolicited portfolio links with suspicion, especially if they require manual entry into a browser.
  • Avoid downloading ZIP files or clicking on shortcut files from unknown or untrusted sources.
  • Ensure endpoint security solutions are updated and capable of detecting in-memory malware.
  • Report suspicious activity to IT or security teams immediately.

Recruiters and organizations should be aware of these attacks and use caution with job applicants.

References

Thursday, June 12, 2025

Disturbing Spying Revelations: Meta/Facebook/Instagram & Yandex

Overview:

The web page https://localmess.github.io/ discloses a previously undocumented and highly invasive tracking technique used by Meta (Facebook/Instagram) and Yandex that affected billions of Android users. Researchers [4] discovered that this method covertly linked users' mobile web browsing sessions to their identities in native apps, bypassing standard privacy protections. 

The practice was active until early June 2025, when both Meta and Yandex, after being caught with their hands in the proverbial PII cookie-jar, ceased these behaviors following public disclosure [1][2][3].

Key Findings

1. Covert Web-to-App Tracking via Localhost on Android

  • Meta and Yandex embedded scripts (Meta Pixel and Yandex Metrica) on millions of websites.
  • When a user visited such a site in a mobile browser on Android, the script would communicate directly with native apps (like Facebook, Instagram, or Yandex Maps) installed on the same device.
  • This communication happened via localhost sockets—special network ports on the device that allow apps to talk to each other without user knowledge or consent [1][3].

2. How the Tracking Worked

  • Meta Pixel:
      ◦ The Meta Pixel JavaScript sent the browser’s _fbp cookie (used for advertising and analytics) to Meta apps via WebRTC (using STUN/TURN protocols) on specific UDP ports (12580–12585).
      ◦ Native Facebook and Instagram apps listened on these ports in the background, received the _fbp value, and linked it to the user’s app identity, effectively de-anonymizing web visits [1][3].
      ◦ This bypassed protections like cookie clearing, incognito mode, and Android permission controls.
  • Yandex Metrica:
      ◦ Yandex’s script sent HTTP/HTTPS requests with tracking data to localhost ports (29009, 29010, 30102, 30103), where Yandex apps listened.
      ◦ The apps responded with device identifiers (e.g., Android Advertising ID), which the script then sent to Yandex servers, bridging web and app identities [1].

3. Privacy and Security Implications

  • This method allowed companies to:
      ◦ Circumvent privacy mechanisms such as incognito mode, cookie deletion, and even Android’s app sandboxing.
      ◦ Link browsing habits and cookies with persistent app/user identifiers, creating a cross-context profile of the user.
      ◦ Potentially expose browsing history to any third-party app that listened on those ports, raising the risk of malicious exploitation [1][3].

4. Prevalence

  • Meta Pixel was found on over 5.8 million websites; Yandex Metrica on nearly 3 million.
  • In crawling studies, thousands of top-ranked sites were observed attempting localhost communications, often before users had given consent to tracking cookies [1].

5. Timeline and Disclosure

  • Yandex has used this technique since 2017; Meta adopted similar methods in late 2024.
  • Following responsible disclosure to browser vendors and public reporting in June 2025, both companies stopped the practice. Major browsers (Chrome, Firefox, DuckDuckGo, Brave) have since implemented or are developing mitigations to block such localhost abuse [1][3].

Technical Details

Aspect               | Meta/Facebook Pixel                             | Yandex Metrica
---------------------|-------------------------------------------------|------------------------------------------------
Communication Method | WebRTC STUN/TURN to UDP ports (12580–12585)     | HTTP/HTTPS requests to TCP ports (29009, etc.)
Data Shared          | _fbp cookie, browser metadata, page URLs        | Device IDs (AAID), browser metadata
Apps Involved        | Facebook, Instagram                             | Yandex Maps, Browser, Navigator, etc.
User Awareness       | None; bypassed consent and privacy controls     | None; bypassed consent and privacy controls
Platform Affected    | Android only (no evidence for iOS or desktop)   | Android only (no evidence for iOS or desktop)
Risk of Abuse        | High: enables de-anonymization, history leakage | High: enables de-anonymization, history leakage
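The ports in the table give a defender something concrete to audit on a device they administer. The following is an added example, not code from the localmess researchers: it parses socket-listing text in the iproute2 `ss -lntup` format (assumed to have been captured from the device) and reports every loopback-reachable listener on a documented tracker port. The sample output, its package names and the helper names (`classify_port`, `parse_ss_line`, `find_tracker_listeners`) are constructed for this illustration.

```python
"""Loopback-listener audit for the web-to-app tracking ports listed above.

Added example, not code from the localmess researchers. Input is socket
listing text in the iproute2 `ss -lntup` format, assumed to have been
captured from a device one administers; the sample below and its package
names are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Ports reported for each tracker (see the table above).
META_UDP_PORTS = range(12580, 12586)             # 12580-12585, WebRTC STUN/TURN
YANDEX_TCP_PORTS = {29009, 29010, 30102, 30103}  # HTTP/HTTPS to localhost

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def classify_port(proto: str, port: int) -> Optional[str]:
    """Name the tracker whose documented port/protocol this socket matches."""
    if proto == "udp" and port in META_UDP_PORTS:
        return "Meta Pixel (WebRTC STUN/TURN)"
    if proto == "tcp" and port in YANDEX_TCP_PORTS:
        return "Yandex Metrica (HTTP/HTTPS)"
    return None


def reachable_from_loopback(addr: str) -> bool:
    """True for loopback binds and wildcard binds (which include loopback)."""
    addr = addr.strip("[]")
    if addr in ("*", "0.0.0.0", "::"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_ss_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one `ss` row into proto/port/process; skip headers and non-IP rows."""
    parts = line.split()
    if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
        return None
    addr, _, port = parts[4].rpartition(":")     # handles [::1]:29009 too
    if not port.isdigit() or not reachable_from_loopback(addr):
        return None
    m = PROC_RE.search(line)
    return {"proto": parts[0], "port": int(port),
            "process": m.group(1) if m else "?",
            "pid": int(m.group(2)) if m else -1}


def find_tracker_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Return every loopback-reachable listener on a documented tracker port."""
    hits = []
    for line in ss_output.splitlines():
        sock = parse_ss_line(line)
        if sock is None:
            continue
        tracker = classify_port(str(sock["proto"]), int(sock["port"]))
        if tracker:
            hits.append({**sock, "tracker": tracker})
    return hits


# Constructed `ss -lntup` output; process names are placeholders.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:12580    0.0.0.0:*         users:(("example.social.app",pid=1234,fd=40))
tcp   LISTEN 0      50     127.0.0.1:29009    0.0.0.0:*         users:(("example.maps.app",pid=2222,fd=12))
tcp   LISTEN 0      50     [::1]:30102        [::]:*            users:(("example.maps.app",pid=2222,fd=13))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("example.devserver",pid=3000,fd=5))
udp   UNCONN 0      0      192.168.1.5:12581  0.0.0.0:*         users:(("example.other",pid=4000,fd=7))
"""

if __name__ == "__main__":
    for hit in find_tracker_listeners(SAMPLE_SS_OUTPUT):
        print(f"{hit['tracker']}: {hit['proto']}/{hit['port']} "
              f"held by {hit['process']} (pid {hit['pid']})")
```

A listener on one of these ports is only a lead: the process name tells you which app to examine, and the sample's 8080 and non-loopback rows show that unrelated services are left alone.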

Broader Implications

  • Bypassing Privacy Controls: This method undermined the effectiveness of cookie controls, incognito/private browsing, and Android’s app isolation, showing that even sophisticated privacy tools can be circumvented by creative inter-app communications [1][3].
  • Need for Platform-Level Fixes: Browser and OS vendors are now patching this specific exploit, but the underlying issue—unrestricted localhost socket access—remains a systemic risk on Android. The researchers call for stricter platform policies and user-facing controls for localhost access [1].
  • User and Developer Awareness: Most website owners were unaware their sites enabled this tracking. End-users had no indication or control over the process. The lack of transparency and documentation from Meta and Yandex is highlighted as a major concern [1].

Conclusion

The research revealed a disturbing tracking vector that allowed Meta and Yandex to link users’ web and app identities on Android at a massive scale, defeating standard privacy safeguards. The disclosure led to rapid mitigation, but the incident underscores the need for deeper systemic changes in how browsers and mobile platforms handle inter-app communications and tracking[1][2][3]. “This tracking method defeats Android's inter-process isolation and tracking protections based on partitioning, sandboxing, or clearing client-side state.”[1]

1. https://localmess.github.io

2. https://www.grc.com/sn/sn-1029-notes.pdf

3. https://gigazine.net/gsc_news/en/20250604-meta-yandex-tracking/

4. Researchers & Authors of the localmess github page: Aniketh Girish (PhD student), Gunes Acar (Assistant Professor), Narseo Vallina-Rodriguez (Associate Professor), Nipuna Weerasekara (PhD student), Tim Vlummens (PhD student).

Note: Perplexity.AI was used to assist in preparing this report.

Thursday, May 22, 2025

Google's AI Glasses and Implications for Law Enforcement

Google announced a series of partnerships with eyewear companies to develop glasses that incorporate artificial intelligence (AI), marking a significant step in the evolution of wearable technology and its integration into daily life and professional sectors, including law enforcement.

Google's AI Glasses Partnerships

Google has committed up to $150 million to work with Warby Parker on development and sale of AI-powered smart glasses, leveraging the Android XR platform and Gemini AI model[1][2][10]. The initiative extends to partnerships with other eyewear brands, such as Gentle Monster and Kering, and includes a broader collaboration with Samsung to build both the hardware and software foundation for future AR glasses[6][8][10]. The glasses will feature cameras, microphones, and speakers, providing hands-free access to information, live translation, and integration with users’ smartphones[3][10]. Google states that their approach emphasizes making these devices both functional and suitable for all-day wear, with plans to involve developers in building applications for the platform later this year[6][10].

Implications for Law Enforcement

The integration of AI into smart glasses has implications for law enforcement operations:

  • Real-Time Data Access and Situational Awareness: AI-enabled glasses can provide officers with immediate access to critical information, such as suspect identification, navigation, and threat assessments, directly within their field of view[4][9][11]. This can streamline investigations, support enforcement actions, and enhance officer safety.
  • Facial Recognition and Surveillance: Smart glasses equipped with AI-driven facial recognition can rapidly compare faces in real time against law enforcement databases, aiding in the identification of suspects and missing persons[4][7][11]. Such systems have already been deployed in various jurisdictions, including China, Dubai, and New York, where they have improved the speed and accuracy of suspect recognition[4][7][11].
  • Evidence Collection and Communication: The ability to record and transmit evidence in real time, as well as translate languages or communicate with dispatch and other officers, can improve operational efficiency and support community engagement[4][11].
  • Privacy and Ethical Concerns: The widespread use of AI-powered smart glasses raises privacy issues. Real-time surveillance and facial recognition capabilities may lead to concerns about data security, potential misidentification, and the erosion of privacy in public spaces[4][5][9]. Research and pilot programs have emphasized the need for ethical frameworks, clear protocols, and legislation to govern the use of such technologies in law enforcement, aiming to balance operational benefits with the protection of civil liberties[4][9][11].

Challenges and Considerations

  • Public Trust and Acceptance: The deployment of AI smart glasses by law enforcement requires transparency and public engagement to address concerns about surveillance and misuse[4][9][11].
  • Technical and Operational Readiness: Successful integration depends on reliable hardware, effective AI algorithms, and compatibility with existing law enforcement databases and workflows[4][11].
  • Legislation and Policy: Policymakers should consider establishing clear guidelines for the appropriate use of smart glasses, including data handling, retention, and oversight mechanisms[4][9].

Conclusion

Google’s partnerships to develop AI-powered smart glasses signal a shift toward more immersive and context-aware wearable technology. For law enforcement, these advancements offer new tools for real-time information access, surveillance, and communication. However, adoption should be accompanied by consideration of privacy and ethics to ensure lawful use.

Citations: