Traffic Analysis for MI5 – If I were Putin, I would, wouldn’t you?
By Philip Ingram MBE
I am going to start this blog with a caveat, not good practice, but important as what I am saying in it is purely speculative, it is not based on anything more than the supposition of a rambling mind, but I do like to question things I observe. In addition, I wish to make it clear that I have no evidence, nor am I stating that RT is engaged in espionage in any way, I am merely using its geographical presence for illustrative purposes.
“Covert activity – using false identities – was blended with overt information through Russian media outlets like RT. Too often those in the West focused on one element of this activity – hacking or social media – but failed to see the full spread,” said the BBC Security Correspondent Gordon Corera in his new book Russians Amongst Us when he was talking about interference in elections in 2016.
In 2014 Russia Today launched a dedicated TV channel in the UK rebranded as RT. Again, according to Gordon Corera’s book, “Putin had said the aim of the network had been ‘to try to break the Anglo-Saxon monopoly on the global information streams.’” I will come back to RT later.
One of the key activities during the Second World War that enabled the Top-Secret team at Bletchley Park to break the Enigma code was what is referred to as Traffic Analysis. That Traffic Analysis built up a picture of which communications networks operated where and when, together with technical analysis of that traffic, i.e. operator fingerprinting, frequencies used, network discipline and more.
The US Manual TM 32-250-AFll 100-80, Fundamentals of Traffic Analysis (Radio Telegraph), published on 9 Jun 1948, defined Traffic Analysis as “that branch of signal intelligence (SIGINT) analysis which deals with the study of the external characteristics of signal communications and related materials for the purpose of obtaining information concerning the organisation and operation of a communication system.”
The modern equivalent of Traffic Analysis would be the identification of work and personal mobile phones associated with an organisation. However, one would need a collection capability to be able to collect the information from phones as they first switch on and connect to a network, and that rarely happens in one place, or does it?
I spoke to Matthias Wilson, a former SIGINT analyst with the German military and Germany’s foreign intelligence service, who said, “What happens when a mobile phone first connects to the network? In order to understand this, we have to look at the unique identifiers each phone has. The first would be the serial number of the phone itself called IMEI, the International Mobile Equipment Identity. This 15-digit number contains information on the brand and model of the phone and a unique number allocated to one specific device.
Secondly, each mobile phone will have one (or more) SIM cards containing information provisioned by the provider. The SIM has the IMSI, or International Mobile Subscriber Identity, saved on it. In most cases the IMSI will also consist of 15 digits and is linked to one’s phone number. It is used to identify a user within the mobile network. From the IMSI, you can derive the country and provider the card has been issued through.
When a mobile phone is switched on, it immediately searches for a network to connect to. If a preferred network is found, the phone will send a request to the network and basically ask for a connection to this network. This request will contain the IMSI and in some cases the IMEI as well. If the IMSI is registered in the network’s databases, an authentication process takes place between the phone and the network.” The critical data is contained in the initial network login.
He concluded, “data intercepted from mobile phones logging into a network will provide a rough location, the IMSI that can be linked to a phone number and thus an intelligence target, and in some cases even information on the type of device that is used through the IMEI. Collecting this initial logon is also crucial to following a target over the course of time, as apart from this first connection, a phone will be identified by the temporary IMSI in all further connections.”
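What the two identifiers described above disclose can be seen by decoding them. The Python below is an added example, not part of the original blog: the sample values, the small MCC table and the `redact_*` helpers (a hypothetical way to keep only the operator or model part in logs) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: a small illustrative excerpt of the numbering plan. A real decoder
# needs the full MCC/MNC list; MCCs missing here fall back to a 2-digit MNC.
MCC_TABLE = {
    "001": ("test network", 2),
    "234": ("United Kingdom", 2),
    "262": ("Germany", 2),
    "310": ("United States", 3),
}


@dataclass(frozen=True)
class Imsi:
    mcc: str      # mobile country code: the issuing country
    mnc: str      # mobile network code: the issuing provider
    msin: str     # subscriber number within that provider
    country: str


@dataclass(frozen=True)
class Imei:
    tac: str          # type allocation code: brand and model
    serial: str       # unit serial number within that model
    check_digit: int
    valid: bool       # True when the Luhn check digit matches


def _require_digits(value, min_len, max_len, name):
    value = value.strip()
    if not (value.isascii() and value.isdigit() and min_len <= len(value) <= max_len):
        raise ValueError(f"{name} must be {min_len}-{max_len} decimal digits")
    return value


def parse_imsi(imsi, mnc_length=None):
    """Split an IMSI into MCC / MNC / MSIN. The MNC is 2 or 3 digits by country."""
    digits = _require_digits(imsi, 7, 15, "IMSI")
    mcc = digits[:3]
    country, table_len = MCC_TABLE.get(mcc, ("unknown", 2))
    n = mnc_length if mnc_length is not None else table_len
    if n not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return Imsi(mcc, digits[3:3 + n], digits[3 + n:], country)


def luhn_check_digit(body):
    """Luhn check digit for the first 14 IMEI digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                      # every second digit, starting at the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei):
    """Split a 15-digit IMEI into TAC / serial / check digit and verify the check."""
    digits = _require_digits(imei, 15, 15, "IMEI")
    check = int(digits[14])
    return Imei(digits[:8], digits[8:14], check, luhn_check_digit(digits[:14]) == check)


def redact_imsi(imsi, mnc_length=None):
    """Keep country and provider, mask the subscriber-specific MSIN."""
    p = parse_imsi(imsi, mnc_length)
    return p.mcc + p.mnc + "*" * len(p.msin)


def redact_imei(imei):
    """Keep the model-level TAC, mask the device-specific serial and check digit."""
    return parse_imei(imei).tac + "*" * 7


if __name__ == "__main__":
    # Constructed sample values, not real subscribers or devices.
    print(parse_imsi("001010123456789"))
    print(parse_imsi("310990123456789"))
    print(parse_imei("123456789012347"))
    print(redact_imsi("001010123456789"), redact_imei("123456789012347"))
```

The permanent IMSI alone identifies country and provider, and the IMEI alone identifies the handset model, which is why the quote singles out the first connection, before a temporary identity replaces the IMSI.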
OK, so the theory is there, what is next? This comes down to Location, Location, Location.
The RT Studios in London, opened in 2014, occupy a couple of floors of the 118-meter-high Millbank Tower, the highest tower block in the area. Its roof is the natural place for mobile phone antennas from many networks, providing good coverage for this area of London. RT have a direct feed over a high capacity communications link to their main studios in Moscow via satellite, with the uplink dishes also on the roof.
They have a legitimate reason to be on the roof of the building with specialist engineers and their own equipment, configured in any way they need.
When anyone goes into the MI5 or MI6 building, they are not allowed through reception without mobile phones being taken off them and locked away. In most cases people will switch them off before locking them away or putting them in special Faraday bags, cutting their signal off from the networks.
When people leave the building again, they naturally switch their phones on, and they register with the nearest and strongest network. I have noticed this on the many occasions I have walked past both MI5 and MI6 HQs and observed people leaving. That network, in proximity to the buildings, is likely to be via the antenna on the roof of the Millbank Tower, where RT have sophisticated data uploading capabilities, transmitting their TV data from Russian state-controlled assets, back to Moscow.
Over time simple pattern of life analysis combined with the Traffic Analysis would enable a picture to be built up of the movement of every phone that registered if that could be identified. Whose phones do the most registering through these masts on a regular basis, who is switching on and off more than normal?
Matthias Wilson continued, “Given the close proximity to the target, I could do this with my own passive collection device and a small stub antenna.” “There are so many more opportunities,” he added, “as Bluetooth tracking and collection would be easy as well.” Another SIGINT specialist who asked not to be named said, “you’d probably forget about the cellular side of things and tap into the backlink,” referring to the signal from the antenna going back to the network.
As I said at the start of this blog, this is pure speculation based on observation from the ground, a vivid but partially informed imagination and I am sure the security teams in MI5 and MI6 will have examined this particular threat scenario carefully. However, if I were Putin, I would, wouldn’t you?
This blog was written by Philip Ingram MBE, a former senior military intelligence officer with the overt help from Matthias Wilson and covert advice from a number of others for which he is very grateful. Philip is available for comment if necessary.
The issue in tracking the spread of the SARS-CoV-2 virus throughout the population is that the two tests being suggested are an untested antibody test, providing best results 21-28 days after showing symptoms of the COVID-19 disease, or a manpower, technology, reagent and skills intensive PCR test looking for active virus a period of time post infection.
A percentage of the population remains asymptomatic as they carry the virus but can transmit it.
The PCR tests are and will always be resource limited. Those infected with the SARS-CoV-2 virus may be infective for a period before the PCR tests will identify active infection. The test is only accurate at the moment in time the swab was taken and there is nothing to stop someone not infected at the time of test being subsequently infected at any time after the test. The reagents needed for the test are in short supply across the globe and testing facilities are becoming overwhelmed.
Current “mass” screening capability used in several countries uses thermal cameras looking for people with elevated temperatures. However, it will not identify asymptomatic carriers and only detects one symptomatic indicator.
What is needed is a series of complementary tests able to identify an infection and immune system activation as early as possible so that infected persons can isolate as early as possible to reduce cross infection risk. Once isolated, individuals can then be tested for specific viruses such as SARS-CoV-2 and then for antibodies.
Tests should be simple and cost effective enough to allow individuals to be tested as often as is deemed necessary. For example, healthcare staff on arrival at work and on leaving work each day. There is currently insufficient PCR capability to do this and it is unlikely there ever will be. PCR tests are relatively expensive.
Research post the original SARS epidemic believed to have emerged in 2002 identified the utility of a viral infection marker produced by the body as part of a stimulated immune response. The marker is called Neopterin. There are numerous scientific papers outlining the utility of this chemical marker including:
The immune system being activated and releasing Neopterin is not specific to SARS-CoV-2, however it is an early warning system that something is going on; currently there is no test that does this.
Professor Colin Self, an Emeritus professor with Newcastle University and recognised leading testing scientist, has developed a simple revolutionary test that could be used for that early warning capability utilising the detection of Neopterin in saliva.
The base technology used for the test has been developed over many years of research under Framework 7 and Horizon 2020 funded research projects. It can be used to detect any small molecule where a specific antibody for that molecule can be found. It is a simple positive read-out test that gives results in less than 2 minutes.
As an antibody is specific to a particular chemical structure, this methodology is extremely accurate. Professor Self has a very pure cell line producing antibodies to Neopterin. The use of saliva, the positive read-out if Neopterin is present and the speed of testing allow self-testing and self-reading of the result. Each test, if produced in volume batches, only costs a few pounds.
Imagine everyone being able to test themselves several times a day and if positive the more expensive PCR tests can be used in a targeted way to track SARS-CoV-2, if negative you know you do not have an immune stimulating infection.
Professor Self has told me that whilst his test is in storage as his research grants have finished, he has identified a qualified team with availability and facilities to produce a production standard test in approximately 6 weeks, and then the manufacturing process to produce tens of thousands of test strips per day or potentially significantly more would be easily achievable. His tests don’t need special reagents, he can grow volumes of the relevant antibodies quickly, and large numbers of test strips can be manufactured easily.
A video of the test being used in real time is below:
The presence of small molecular weight analyte (Neopterin) gives rise to a positive line appearing out of a clear white background. Intuitively, the more line is seen the more Neopterin is present.
The cassette dipstick on the left receives neopterin-free buffer, whereas the cassette dipstick on the right receives buffer containing the small molecular weight analyte.
During the real-time run, both cassette dipsticks display a positive control line towards the top of the window to show the devices have been used correctly. Only the cassette receiving a positive sample shows a positive test line, towards the bottom of the window.
This occurs very quickly. The fact that the positive sample is indeed positive can be seen by eye within a matter of seconds, allowing immediate action to be taken if necessary. Further development of the sticks over two minutes allows the control line to stabilise and a quantitative determination of the concentration of the analyte.
All Professor Self needs is help taking this ground-breaking test to production. It could enable better control of pandemic conditions.
A war which is unrestricted in terms of the weapons used, the territory or combatants involved, or the objectives pursued, especially one in which the accepted rules of war are disregarded is the definition of ‘Total War’ in the Oxford Dictionary. The global fight against the invading army of microscopic virus particles is without doubt a total war. The fight against SARS-CoV-2 can be defined in no other way than World War 3.
The enemy front line in this conflict are those directly affected by it, those wielding the weapon of mass destruction that is the virus. It is the people, all the people of planet earth, as anyone could be carrying it, anyone could spread it, anyone could catch it, anyone can die from it.
The SARS-CoV-2 weapon is the COVID-19 disease it causes, and the effectiveness of that weapon is enhanced by the ability of the virus to move silently, undetected through the population, killing only a very few, but generating fear in many and disrupting if not destroying what was normality.
The deep battle fighting the viral enemy has two distinct elements, firstly the political battle, bringing in restrictions to ensure social distancing, allocating resources to ensure those fighting the close battle have what they need and the second element is scientific research, trying to find a better testing regime for the virus and a vaccine for the disease. The tacticians and planners are our chief scientists, chief medical staffs and financial planners. They are preparing the ground for those fighting the close battle.
The close battle is being fought by our doctors, nurses and paramedics; in military terms they are the F echelon, the fighting echelon. Of course, they need support and that support is provided by the laboratory staff, the other health care staff including porters, cleaners, volunteers, military personnel and more; they are the B echelon, the vital element keeping the F echelon able to focus on the task in hand, fighting the disease, COVID-19 caused by the virus, the global enemy.
Coronaviruses have caused conflict before: this century, three coronaviruses have crossed the species barrier to cause deadly pneumonia in humans: severe acute respiratory syndrome coronavirus (SARS-CoV), Middle East respiratory syndrome coronavirus (MERS-CoV), and SARS-CoV-2. However, SARS-CoV and MERS-CoV only caused limited wars, unlike the new deadly SARS-CoV-2 that has plunged the world into the new total war, that is our third World War.
The potential for a global conflict against a viral attacker is nothing new. Bill Gates said at the 2017 Munich Security Conference, “We ignore the link between health security and international security at our peril.” He concluded his talk by saying “When the next pandemic strikes, it could be another catastrophe in the annals of the human race. Or it could be something else altogether. An extraordinary triumph of human will. A moment when we prove yet again that, together, we are capable of taking on the world’s biggest challenges to create a safer, healthier, more stable world.”
We are seeing national and international industries change their focus and deliver vital war equipment; Dyson, JCB and Mercedes F1 delivering ventilators, airline staff delivering medical support, people from all walks of life helping supermarkets, delivery companies, charities and so many other initiatives. Our industry is on a total war footing.
We are seeing the use of deception, fake news and propaganda, in a limited way at the moment, but have no doubt it has the potential to increase. This is where our responsible national media have moved to a total war footing: fact checking, broadcasting public information broadcasts and more.
What we have to realise is we can’t target the enemy directly this way like Sun Tzu espoused in the 6th century when he said, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” However, those comments could fit perfectly with the need for social distancing. But the lesson from this is we shouldn’t open a second front, exploitable by the virus, by fighting amongst ourselves. This is a time for all to come together to fight a common enemy and put human differences to one side.
The US surgeon general, Jerome Adams, told Chuck Todd on NBC’s “Meet the Press”, “the next week is going to be our Pearl Harbor moment.”
Her Majesty the Queen continued the wartime analogy when she said in her rousing speech watched across the globe: “I am speaking to you at what I know is an increasingly challenging time.
“A time of disruption in the life of our country: a disruption that has brought grief to some, financial difficulties to many, and enormous changes to the daily lives of us all.”
“It reminds me of the very first broadcast I made, in 1940, helped by my sister. We, as children, spoke from here at Windsor to children who had been evacuated from their homes and sent away for their own safety.”
“Today, once again, many will feel a painful sense of separation from their loved ones.”
“But now, as then, we know, deep down, that it is the right thing to do.”
“While we have faced challenges before, this one is different.”
“This time we join with all nations across the globe in a common endeavour, using the great advances of science and our instinctive compassion to heal.”
“We will succeed – and that success will belong to every one of us.”
“We should take comfort that while we may have more still to endure, better days will return: we will be with our friends again; we will be with our families again; we will meet again.”
Invoking the emotion generated by our last global conflict, Her Majesty has clearly made the link to the current global conflict, World War 3, battling a virus, SARS-CoV-2. Ma’am, we will meet again.
Some see a perceived lack of testing as the latest stick to beat the government with in the current COVID-19 crisis. The perception that is being left with the general public and with healthcare workers is that testing will provide some magic solution to the crisis. The reality is, being blunt, it won’t; being more accurate, each test has its strengths and weaknesses and no one test is the complete answer. They will only help our understanding of the spread of the infection and help keep us safer.
The current test, which is the one being scaled up, is an ‘antigen’ test. Antigens are molecules capable of stimulating an immune response in the body and that immune response is the start of the production of antibodies.
The antigen test requires a swab to be taken, usually from the back of the throat. That swab then needs to be sent to a laboratory where the antigen is scientifically amplified and compared with a reference to see if it is what they are looking for. This test, called the Polymerase Chain Reaction (PCR), often referred to as real-time PCR (rt-PCR), or the quantitative PCR (qPCR) test, requires trained laboratory technicians, specialist equipment and time for each test, as well as an administrative burden matching tests to results and informing individuals of results.
The current PCR test is an excellent technology but leaves a window as it misses some early cases, at times not detecting infection until a period post symptoms, even though the person can be highly infectious during that time. The test is also manpower and equipment limited, needing people to take samples, technicians and scientists to process and interpret the tests and staff to deliver the results.
Of course, a negative test one day does not mean the individual could not become infected the next day, and this is why it is essential the complementary antibody test is further developed and rolled out to identify who has had the infection.
This is a much simpler test using a sample of blood taken from a finger pin prick and it is then put into a device like a pregnancy test kit, but the chemistry on the test stick is designed to look for antibody. Antibodies (sometimes called immunoglobulins (IgM and IgG)) are proteins produced by the body over the course of a week or two in response to an infection and are there to fight the infection. Each antibody is designed to recognise a specific part of the cause of the infection (the antigen), lock onto it and stop it replicating, thereby fighting the infection.
With the antibody test, a solution is added, and the blood sample moves up the test paper stick, interacting with the chemistry on the stick and giving an indicator that the antibody is present. This will tell someone that they have had the COVID-19 disease in some form and only takes a few minutes to carry out. It does not indicate early infection or necessarily that an individual currently has the infection.
There are other tests currently being offered to the fight against COVID-19 that will complement the PCR antigen and the antibody test. This test is similar in its physical form to the antibody test, but the chemistry is very different. It detects a key very early marker of the activation of the immune system in the body produced from the very early stages of the infection. This happens as the infection enters the body and is active as the body produces certain ‘help’ molecules. A marker that has been identified, following a great deal of research activity into HIV and earlier SARS infections is called neopterin.
The neopterin test does not specifically identify that an infection is COVID-19, but it does detect that someone is suffering from an activation of their immune system and, as such can detect infection at a much earlier stage in the disease than any of the other tests. It is a very simple to use and understand lateral flow test (as a pregnancy test) and can be used and interpreted by health workers and the general public, requiring no specialist support. It is projected to be non-invasive by using only a small sample of saliva, with the test results showing a positive result with a red line in a few minutes only if the individual is suffering a current viral infection.
This new test is not yet part of the government’s offering but would complement the other two, allowing the resource and time-consuming PCR test to be used only on those who have a positive indication of a viral infection and, critically, detecting those that are too early in the course of infection to be detected by the PCR or antibody test. It could also be used much more frequently as part of a wider screening programme as it can be self-administered, self-interpreted and produces rapid results, and would allow more informed self-isolation, thereby reducing cross infection, potentially dramatically.
What is important is that the strengths and limitations of each type of test are known and understood and that a range of complementary tests are available to maximise the collection of results that will rapidly let the health system and public understand the risks.
This article was written by Philip Ingram MBE with some help from Professor Colin Self BSc, MB, BChir, PhD, DSc, FRSC, FRCPath who has developed the Neopterin test. Please use the contact us page if you want further details.
Travel is being restricted, people are being told to work from home, meetings cancelled, companies are desperately trying to take business online and remote, events are cancelled or postponed. The great British wartime spirit is being displayed by most as the few riot over toilet rolls, panic buy on a first come first served basis, forget our elderly, our sick, it’s me first; but one thing will be at the back of everyone’s mind; “what next?” This brings out the best in many if not most and the worst in some; a sad reflection on elements of our community. Businesses must be asking “how do I maintain my business proactivity?”
For businesses, many that can afford to are looking for ways to provide support to front line services. Only yesterday I was contacted by the investigations software company Altia-ABM asking for introductions to front line services who may benefit from their capabilities for free. We are seeing reports of major manufacturers like JCB and Dyson changing their production lines to make medical ventilators, we are hearing of distilleries switching to the production of alcohol-based hand gel (and not for internal use).
One thing is clear, the current COVID-19 pandemic is changing and will change the business landscape for some time to come if not make a permanent change. However, the first thing to recognise is that capabilities will still be needed, help provided, services delivered. The world is not stopping completely, so businesses that take a proactive approach are more likely to come out the other side of this crisis better than those that don’t. That is just simple logic.
So, what do I mean by a proactive approach in an environment with no meetings, increasingly restricted travel and no events? It is all about communicating, about informing, about contributing. It’s all about keeping a sense of perspective and as much of a sense of normality as possible. The crisis will pass, and a newer version of ‘normality’ will return so it is important that businesses don’t just disengage completely.
So how do you engage, what should you be doing?
First and foremost, inform, inform, inform. Keep your staff and customers up to date with what is happening. Ensure you have clear statements and contact details on the front of your websites if appropriate and in your telephone answering system. You know who your main customers are, make sure you or your team are talking to them throughout this crisis.
Secondly, secure, secure, secure. Threats to your data, your IP are not going to go away and will likely increase over the crisis period. GDPR fines will not be waived for careless data breaches so ensure your working practices for remote working are as secure as your practices in the office. Those that were a threat before COVID-19 hit are still a threat and will see this as an opportunity. Be on the lookout for phishing, malware, ransomware and people exploiting online social engineering opportunities.
Thirdly, engage, engage, engage. Don’t fall into the trap of isolating yourself, your business, your services. There are lots of ways to remain engaged. Talk to your suppliers and customers, keep them reassured. Publish articles, blogs, thought pieces, updates on your website and use email and social media to distribute them widely. Engage on social media, a perfect way to keep your followers confident that all is as normal as it can be. Finally look for different opportunities to communicate. I am doing PODCASTS and will likely restart VLOGS as well. Webinars have long been an excellent way of delivering informed content and good debate. The key to getting and maintaining your audience is to provide good informative content.
With all of the social-media-enabled means of communication almost enabling the building of a virtual world, this is a perfect opportunity to stand out from the rest and show how progressive you can be, making the transition back to proper normality that much easier. So, don’t sit and wait for something to happen; take the initiative and be proactive, that is the key to standing out in this crisis.
Note: Grey Hare Media provides focused content – drop us a line or give us a call for a chat to see if we can help. It costs nothing to chat and could save or better your market position.
COVID and the criticality of informed trusted communication.
by Philip Ingram MBE
One thing is becoming apparent, the last true global crisis on the scale of the developing COVID-19 pandemic, was the Second World War. In any crisis it is only natural that people hunt for as much information as they can get to try and get a sense of security for themselves, their loved ones and if appropriate their businesses.
Information itself is of little help unless it can be used to accurately ‘paint’ a realistic picture of what is going on and the implications of various decisions. During the Second World War people got their information from 4 sources, the newspapers, the radio, newsreels in the cinemas and local gossip. For three of those sources the accuracy of the information could be at the very least influenced by the government for the common good.
The local gossip networks were also influenced heavily through campaigns around careless talk with posters like “Are you a Megaphone Mouth? Don’t Spread Rumours,” making talking out of turn socially unacceptable, as this was also linked to wider consequences for security with posters such as “Loose lips sink ships.”
Those providing the news, whether journalists for print, the BBC as the only source of radio, or the newsreels from Pathé News, were recognised as trusted commentators, and this brought with it a degree of confidence for those who consumed the information. The potential for misinformation or disinformation that was not formally planned was low. The limited information was pushed to the population, was easy to absorb and on the whole accepted by the general public.
However, today this type of control and social conditioning is impossible outside dictatorial regimes. With social media enabling anyone to publish an opinion or comment about anything and possibly reach a huge audience for very little effort, the potential for misinformation and disinformation is extremely high. The volume of information that exists means individuals need to pull what they believe is relevant from a variety of sources.
That wouldn’t be an issue if there remained trusted sources of information that operated outwith the sensationalist click bait approaches shown not only by some celebrities, but also by politicians who seek opportunities for political point scoring on every issue. For example, Piers Morgan at the weekend said, “The government seems to be avoiding draconian ‘shutdown’ action now because we will all get too bored with it,” accurate? Helpful? Or flippant clickbait?
Individuals tend to pull information from sources they like and too often it is from known celebrities or from politicians of their own political persuasion. The number of sources ‘trusted’ by individuals is massive, that doesn’t mean that their information should be ‘trusted.’ That trust is not necessarily based on the accuracy of the information, it is too often based on the popularity or agenda of the individual.
The ability of those individuals to unduly influence rather than inform needs to be recognised by those who listen to them and the motivation behind what is being said must be questioned alongside the accuracy of what they are saying. The point is rapidly approaching if it hasn’t been reached already, where unreliable sources of information or individuals who are sensationalising for their own position, must be called out.
We are facing a threat at the level that is almost stimulating the need for a total war footing, we are seeing industry being asked to switch manufacturing from their normal goods to essential medical products and capabilities. We are seeing government initiating daily ministerial and expert briefings, we are seeing controls being imposed across the globe that six months ago would have been described as impossible. We need common sense to start to prevail in the information and communication sphere.
For those who fall into the category where they could say, “Could be. I’m a pretty dangerous dude when I’m cornered.” (Not a Nigel Farage quote)
Remember the next line was,
“Yeah,” said the voice from under the table, “you go to pieces so fast people get hit by the shrapnel.” ― Douglas Adams, The Restaurant at the End of the Universe
Don’t let the Nigel Farages or Piers Morgans who stir up clickbait type comments kill you with their shrapnel as their opinions go to pieces. For once, it is probably time to trust government sources once again. To trust press outlets like the BBC or Sky or ITN and remember in ratio terms 2 ears and one mouth means that listening should be done more than speaking. By all means question what is being said but learn to accept informed assessment from proper sources you can trust.