The Sunday Times reports another peculiar "Chinese spying" story.
From The Sunday Times
July 20, 2008
Gordon Brown aide a victim of honeytrap operation by Chinese agents
David Leppard and Claire Newell
A top aide to Gordon Brown has been a suspected victim of a "honeytrap" operation by Chinese intelligence agents.
The aide, a senior Downing Street adviser who was with the prime minister on a trip to China earlier this year, had his BlackBerry phone stolen after being picked up by a Chinese woman who had approached him in a Shanghai hotel disco.
The aide agreed to return to his hotel with the woman. He reported the BlackBerry missing the next morning.
The aide, whose identity is known to The Sunday Times, immediately reported the theft to the prime minister's Special Branch protection team and was informally reprimanded.
Why have details of this incident, which must have been know to only a very few people, been leaked to the Sunday Times right now ?
Who is spinning the media for power and influence in the Downing Street and Whitehall kremlins ?
A senior official said yesterday that the incident had all the hallmarks of a suspected honeytrap by Chinese intelligence. The incident will raise fresh questions about the security of sensitive official information. It follows a spate of high-profile cases where data from government departments have been lost.
Are we meant to believe that an intelligence agency operation against a Downing Street insider resulted in the tipping off of the British officials , through an actual reported loss of a BlackBerry portable email device ?
Do Chinese, or other countries intelligence agencies, or even serious criminals, all of whom also operate in London, as well as in Shanghai, no longer use "honeypot" agents for sexual blackmail purposes any more?
Since British Labour party politicians and their apparatchiki seem to be able to weather News of the World revelations, Cash for Honours investigations, and endless Computer Data insecurity scandals etc., without ever resigning or being criminally prosecuted, then are such tactics less useful than in the past ?
If a foreign intelligence agency did get their hands on a Downing Street BlackBerry, why did they not simply clone all the data from it, or modify the software and or hardware to snoop on the user and his communications thereafter, and then replace it, before the hapless Downing Street insider ever noticed that it was missing ?
Since this loss of the device was supposedly reported within a few hours, there should have been little risk to the centralised email system, provided that the appropriate access codes and , if necessary, the cryptographic keys had been changed promptly.
BlackBerrys are used as mobile telephones and also store data and send and receive e-mails. Downing Street BlackBerrys are password-protected but security officials said most are not encrypted.
Whatever unencrypted data was on the BlackBerry device itself, would, of course be at risk, but is this should not, in theory, have included any Secret or Top Secret material.
Experts say that even if the aide's device did not contain anything top secret, it might enable a hostile intelligence service to hack into the Downing Street server, potentially gaining access to No 10's e-mail traffic and text messages.
Which experts would those be then ?
There were security alerts back in 2006, when it was discovered that BlackBerry servers (not the handheld mobile devices) were potentially vulnerable, not because of weaknesses in their strong encryption, but because they were stupidly storing user login data, unencrypted, in a Microsoft SQL server data base, which could be exploited through SQL injection via buffer overruns in attached .png and .tiff graphics file handling routines. e.g. see this discussion thread [2006-01-03] Security Hole Claimed for BlackBerrys. Within the last week, a similar sort of potential vulnerability was announced, affecting the BlackBerry Attachment Service PDF distiller.
BlackBerry servers can either be run by as a public internet service, or they can be dedicated to corporate or Government department use.
In theory any private corporate BlackBerry server connected to the Government Secure Intranet or GSi (Restricted) or the xGSi (Confidential) email networks, should never have been vulnerable to this sort of remote manipulation, because of the Security Accreditation procedure required, but how can we be sure ?
It is worth remembering that during the height of the Downing Street Cash for Honours investigations in January 2007, involving Downing Street email systems, they claimed that there were no BlackBerry devices being used by Downing Street staff, or that if there were, they were only being used for Labour party business, rather than official Government communications.
The incident highlights the growing threat of Chinese intelligence to Britain and the West. Last December Jonathan Evans, the director-general of MI5, warned that China was carrying out state-sponsored espionage against vital parts of Britain's economy, including the computer systems of big banks and financial services firms.
Sources said that the incident had occurred during Brown's two-day trip to China in January.
Downing Street sources ? Whitehall sources ? Chinese sources ?
The prime minister had been accompanied by about 20 Downing Street staff, including senior advisers on foreign policy, the environment and trade. There were also 25 business leaders on the trip, among them Sir Adrian Montague, the chairman of British Energy, Arun Sarin, then chief executive of Vodafone, and Sir Richard Branson, the Virgin boss.
The incident occurred in Shanghai on the second day of the tour. That evening, about a dozen members of the Downing Street staff went to a hotel disco where a lively party with several hundred young people was in full swing.
"It was apparently a lot of fun, there was quite a bit of dancing with lots of people ona big crowded dance floor," said one security official.
The group stayed at the disco for at least two hours. One senior aide was approached by an attractive Chinese woman. The couple danced and later disappeared together.
The security official said: "In these circumstances it was not wise. Nobody knows exactly what happened after they left. But the next morning he came forward and said: "My BlackBerry is missing." The prime minister's Special Branch protection team were alerted.
A British "security official" or a Chinese one ?
Downing Street yesterday confirmed that a member of the prime minister's office had lost a BlackBerry during an evening event on the January visit to China. However, it played down the affair, stating that an investigation had established that there was "no compromise to security
Given the institutional incompetence displayed by the Government, with even the most basic security procedures for the handling of classified material having been ignored by senior staff, and by Ministers, who should all have been setting a good example to their subordinates, it is entirely legitimate to ask for actual independent proof that such elementary post security incident measures have actually been done properly.
Lack of detailed practical travel advice from the FCO
Where is the Foreign and Commonwealth Office advice about the risks to their electronic data systems, i.e. what to take, what to leave at home, what particular precautions are necessary to take in China ?
Where is the specific advice about laptop computers, PDAs, mobile phones, USB memory, iPods, MP£ players, GPS stat nav, or other electronic devices etc., and how not to fall foul of the border control and customs checks, or the local censors or snoopers etc. when visiting China, or indeed any foreign country, on business or as a tourist ?
If your laptop computer or PDA or mobile phone is inspected at the Chinese border, will you be forced to hand over your passwords and encryption keys ?
Will digital copies be taken of your hard disk, or the phonebook on your mobile phone or SIM card be copied ?
Are you allowed to take 2 factor authentication cryptographic tokens into China, for use with your own personal or corporate secure online communications or financial transactions ?
Are you allowed to import, possess or actually use strong encryption based software like
- PGP encryption
- TrueCrypt encryption
- Tor anonymity
- Skype Voice over IP
- Cisco VPN Client Virtual Private Network
in China ?
There is simply no such practical advice on the general FCO Travel Advice pages on their website, nor on their specific Beijing Olympics advice pages.
Given the clampdown on dissent by the communist Chinese government, in the run up to the Olympic Games, and the Olympic Games bureaucracy's attempts impose restrictions on the public, through its monopoly deals with media broadcasters and advertising sponsors, where is the specific FCO advice about digital camera, video recorders, laptop computers and communications devices and intellectual property infringement ?
It is bad enough filming or recording in public streets in Britain, without being harassed illegally by British Police constables, PCSOs and private security guards - where is the detailed advice about the situation in China ?
We fear that similar restrictions on photography and digital video recording will be imposed during the London 2012 Olympic Games as well, for "security" and for "commercial monopoly" reasons.
Lack of detailed practical travel advice from SISBO
Incredibly, there is not even any such practical advice on the inapproriately named joint venture with the Confederation of British Industry, the Security Information Service for Businesses Overseas website:
SISBO is a not-for-profit partnership arrangement facilitated by the Confederation of British Industry (CBI) and the Foreign and Commonwealth Office (FCO). SISBO is based in FCO premises, and there is a designated SISBO Co-ordinator in almost every UK Embassy and High Commission overseas. SISBO also works closely with UK Trade & Investment (UKTI), and has links to a number of private-sector business associations.
So there is no chance of any "designated SISBO Co-ordinator" being mistaken for a Secret Intelligence Service (SIS) MI6 intelligence officer workng under diplomatic cover, then, is there ?
Their Business Security Information for CHINA - Commercial Espionage pages are practically useless:
Housing compounds and lifts are also under continuous overt surveillance, and all landline and mobile phone lines have the potential to be monitored; it is fair to assume that emails and faxes are similarly vulnerable. ISPs co-operate with the Chinese Government to monitor emails and browsing.
How much CCTV surveillance is there in the United Kingdom ?
How many Telcos and ISPs in the UK do not cooperate with UK authorities to conduct such surveillance ?
The Chinese regulations cannot be any more all encompassing and catch all than the UK ones under the Regulation of Investigatory Powers Act 2000.
SISBO's Frequently Asked Questions page is also rather strange and contradictory:
9. Will SISBO give travel advice, as the FCO already does? No. SISBO may amplify the FCO's official Travel Advice with information designed to meet the needs of the overseas business sector, but the FCO remains the 'gold standard'. It is inconceivable that SISBO's understanding of the nature or severity of a threat to UK interests overseas would differ from the FCO's Travel Advice.
Inconceivable that it would differ from the FCO's Travel Advice ?? That is very worrying.
How can the FCO travel advice be the 'gold standard' when it omits any general or country specific practical advice to business travellers and tourists about their electronic devices ?
14. Is SISBO mainly about terrorism? No. We interpret the word "security" broadly; terrorism is a relatively minor part. We consider political stability, economic performance, infrastructure (e.g. transport, telecoms), corruption, business continuity planning, crime, civil disorder, intellectual property theft - in fact, anything that might threaten the ability of UK businesses to operate effectively abroad.
So why is there no detailed practical advice available to the British public and to small or medium businesses ?
Is such detailed practical advice actually even available to the companies who pay a £ 3000 annual subscription to the SISBO Plus service ? Please let us know if this is the case, or not, of you have access to this.