Security official denies ISF asked for passwords

From: The Daily Star

By Van Meguerditchian, Annie Slemrod, The Daily Star, Beirut, Lebanon McClatchy-Tribune Information Services

BEIRUT — A day after the telecoms minister claimed that the Internal Security Forces had asked for access to passwords for email and social media sites as well as text messages, a senior security official denied Tuesday that the ISF had asked for the passwords at all.

Reports that the ISF’ Information Branch was seeking this information prompted unease about privacy, but some Internet security experts are casting doubt on whether the ministry would be able to collect this Internet data or would have the capacity to analyze it.

The senior official, who spoke on condition of anonymity, confirmed that the ISF requested the content of all text messages sent in and around Beirut for two months prior to and one day after Oct. 19 to facilitate its investigation into the assassination of Brig. Gen. Wissam al-Hasan, who was killed in a car bomb that day. He denied that the ISF had asked for any internet-based information.

Unlike past flare-ups of the data controversy — intelligence bodies and the Telecoms Ministry sporadically spar about data access — the official said the ISF had not asked for records about phone conversations because “we are now sure criminals are now calling each other on cellphones to prepare and execute assassinations in the country.”

For his part, Telecommunications Minister Nicholas Sehnaoui has said he opposes the request — whose existence the security official denied — for passwords to email and other social media sites.

Experts were divided on the extent to which such Internet data could really be accessed by the Telecommunications Ministry, and whether security bodies had the resources to analyze it for intelligence purposes.

Imad ElHajj, an associate professor of electrical and computer engineering at the American University of Beirut, cast doubt on the extent to which the Telecommunications Ministry would be able to provide such data.

Email services such as Gmail and Hotmail, he said, are theoretically secure and thus it is “not feasible” for the government to gain such a wide breadth of information.

“If somebody really wants to break in there might be ways in, but this would take much effort and resources, and would have to be done on an individual basis,” he said, adding that he suspects “most of the popular sites are secure, so with Twitter or Facebook, anything where the [web] address starts with https, you can be relatively confident it is secure.”

But security varies with the service used, and some email providers hosted within the country may be vulnerable, he added.

ElHajj also noted that investigators could easily watch and track the websites an individual visits and when.

But Nadim Kobeissi, the creator of the encrypted chat program Cryptocat, said if a security body wanted to access login information for secure https sites, “it is possible to install equipment that can mass [monitor] … every single internet connection in Lebanon.”

This would be done using what is known as a mass “HTTPS man-in-the-middle” hack that would intercept login attempts to various websites.

Kobeissi said it is unknown whether individual Internet service providers in Lebanon already use these types of methods, but foreign Internet service providers have been caught doing this. Some countries are said to use large-scale attacks that monitor all connections.

Riad Bahsoun, an independent technology consultant with experience in the telecoms sector, said that although it might be difficult, “in theory if someone wants to get the information they can do so.”

On the question of text messages, the experts agree. Bahsoun, ElHajj, and Kobeissi all said the content is on hand as it is stored on the servers of the state-owned companies Alfa and touch, formerly MTC.

The security source said that the Telecommunications Ministry provided security bodies with telecoms data for six months after the Cabinet’s formation in the summer of 2011, but this is the first time the ISF has asked for text messages.

But Bahsoun cast doubt on whether the ISF truly has the capacity to sift through the vast quantity of text messages or emails they could amass from the request.

While he called the prospect of such access “scary” and said there is a possibility that it will “create a big disturbance in people’s minds,” he said it was unlikely that the Lebanese authorities could realistically sift through so much information.

“I really don’t think they know what they have asked for.”