Dutch Cooperated with Sergei Mikhailov (FSB)

This is a follow-up diary to today’s earlier publication …

○ Social Engineering in the Digital Cyber Age

Much less is known about the practice of tapping by law enforcement, like for example the FBI and police forces. Now, a case from the Netherlands provides some interesting insights in how Dutch police intercepts internet communications – in a way that comes remarkably close to the bulk collection by intelligence agencies.

Dutch and Cybercrime: Meetings CIA, FBI, Mossad and Russian FSB

On Saturday, May 27, the Dutch newspaper De Volkskrant came with a surprising story about the cooperation between the Team High Tech Crime (THTC) of the Dutch police and officials from the Russian federal security service FSB, which is the main successor to the notorious KGB.

Since 2009, regular meetings are held in the Netherlands, in which also officials from the FBI participate. The aim is to cooperate in tracking down and eventually arresting cyber criminals. The Volkskrant’s front page report is accompanied by an extensive background story, which contains some more worrying details, but is only available in Dutch.

See story “Tracking down Russian hacker Evgeniy Bogachev” – Chasing the Phantom

The cooperation with the Russians dates back to September 2007, when the head of THTC attended a conference in the Russian city of Khabarovsk, at which CIA, FBI, Mossad, BND and other agencies were present. The head of THTC was able to create a connection to the FSB and their deputy head of the Center for Information Security (TsIB) , Sergei Mikhailov, became the liaison for the Dutch police and would regularly visit the Netherlands.

○ Devin Nunes Shouldn’t Be Outing Russian Sources | BooMan |
…
DPI filtering

To acquire these ICQ communications, the police had decided to intercept all ICQ traffic from Russia that went through the Leaseweb servers. For that purpose they bought equipment for deep-packet inspection (DPI) worth 600.000,- euro.

DPI devices are able to examine the packets that make up internet traffic and filter them according to predefined criteria, usually to prevent viruses and spam, but in this case for intercepting communications.

High-end DPI equipment, from manufacturers like Narus (now part of Symantec) and Verint, can also recreate (“sessionize”) the communication sessions in order to filter complete files and messages out – which is also one of the main features of NSA’s XKEYSCORE system.

Intercepting hosting providers

With the TIIT protocol, the police doesn’t get access to the copy of an ISP’s entire traffic: it’s the ISP that controls the sniffer machine that filters out the communications that belong to a particular suspect. But at Leaseweb it was apparently the police that controlled the sniffer (in the form of DPI equipment) where all the traffic passed through.

The most likely reason for this is that Leaseweb is a hosting provider and it’s considered that such companies don’t have to comply with the Dutch Telecommunications Law that says that public communication networks or services have to be interceptable. Therefore, hosting providers were not required to install the tapping facilities like the telephone and internet access companies have.

But the hosting companies can of course cooperate voluntarily when the police presents them a warrant. However, when the new Secret Services Act comes into force, such non-public communication providers do have to tolerate interception on behalf of AIVD and MIVD, but they don’t need to have pre-installed tapping equipment.

This means that in both cases, even for targeted interception, the government will control the sniffer equipment for filtering up to a company’s entire traffic – something that digital rights groups like the ACLU already consider to be unlawful “bulk surveillance.”