Sysadmin spy left digital trail

Retired USAF sergeant surfed top secret Web


The FBI investigation that led to last week's arrest of a former Air Force sergeant on espionage charges had more in common with a modern Internet hacker hunt than a John le Carre novel, court records show.

Brian P. Regan, 38, was arrested Thursday at Washington Dulles International Airport while boarding a Lufthansa flight to Zurich, Switzerland. He's charged with conspiracy to commit espionage for allegedly passing classified satellite photos and secret documents to an unnamed foreign government, called 'Country A' in court filings, identified in a Washington Post report as Libya.

Regan had been posted at the super-secret National Reconnaissance Office (NRO) in Virginia, the Defense Department organization responsible for building and controlling the United States' network of orbiting reconnaissance satellites.

According to a 19-page FBI affidavit filed in the case last week, which relies much on unidentified "reliable source information", Regan began his abortive espionage career in August 2000, shortly after retiring from military service.

Regan allegedly introduced himself to 'Country A' by passing it a set of overhead satellite photos, as well as a CIA intelligence report, two pages from a classified CIA newsletter, and other documents.

At the same time, Regan, a former system administrator, gave his would-be handlers a number of encrypted messages, and a plaintext message written in English. "The initial, unencrypted message appears to be an introductory letter containing instructions to prevent detection of the messages by the US government," reads the affidavit.

While the court records don't indicate what encryption system Regan favored, it evidently didn't pose an insurmountable obstacle to the FBI. "The encrypted messages, which were decrypted by the US government, set forth contact instructions, establish bona fides, and offered to provide additional classified information," the affidavit reads.

Regan's alleged contact instructions had a decidedly information age twist.

Rather than arrange a rendezvous in a dark alley or a smoke-filled bar, Regan allegedly referred 'Country A' to a free Internet email account he established under the alias Steven Jacobs. When FBI agents obtained logs from the email provider, they found that the account had been used nine times, all of them from Internet terminals at public libraries near Regan's home or office. One of them, in Crofton, Maryland, was five miles from Regan's home.

"Physical surveillance of Regan during May through August 2001 indicated that Regan regularly utilized the public internet access located in the Crofton library," reads the affidavit.

While the free email provider's records incriminated Regan on one end, computer forensics and government network logs fingered him on the other.

Suspect surfed secret Web

According to the affidavit, most of the images and documents Regan is accused of passing came from Intelink, a classified global intranet that links the thirteen US intelligence agencies to each other, and to their 'customers' in the White House, Congress, the Pentagon and other government agencies.

Developed in the mid-90s, Intelink is estimated to have over 50,000 users with access to 'special compartmentalized information' housed on some 200 servers at over 100 physical sites. Another 265,000 users have access at the lower 'secret' level.

Intelink addresses take the form http://www.nro.ic.gov or http://www.cia.ic.gov. The resemblance to Internet URLs is not coincidental: the classified network is isolated from public access, but uses the same protocols and software as the public Internet. Intelligence analysts and operatives surf its secrets with the ease of an Internet user shopping for books online. And like the Internet, Intelink has seen an explosion of growth in recent years, albeit behind closed doors.

"Just as the Web has taken off in the real world, the Intelink web has taken off in the intelligence community," says Fredrick Thomas Martin, a former NSA official and author of Top Secret Intranet: How US Intelligence Built INTELINK, The World's Largest, Most Secure Network. "Anything that is Web enabled and uses Web technology, the intelligence community has latched onto on Intelink," Martin says.

Martin, whose Web site includes an Intelink simulation, says that the network's unbridled expansion troubled some in the intelligence community, who were long accustomed to handling knowledge on a 'need to know' basis. "They finally realized that they have a big security problem here... People might access things that they shouldn't have access to," Martin says. "They nearly shut it down."

Instead, Intelink restricts which Web sites legitimate users can browse. "You have to have a digital certificate to access certain things," says Martin. "You have to be cleared for whatever you see."

Those access control mechanisms may have played a critical role in the FBI's investigation of Regan.

According to the affidavit, when FBI agents scoured the hard drive of Regan's former office computer in April 2001 they found that "someone using Regan's password" had surfed to an Intelink URL for one of the overhead photos offered to 'Country A', and visited four URLs for other documents that were passed at the same time.

Server logs from Intelink web sites tied Regan's machine to three more documents, and "Intelink audit records indicate that the URL for the CIA intelligence report... was accessed from the computer in Regan's former office at 8:52 p.m." on the day that the copy passed to 'Country A' was printed out.
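The investigative step described above is a two-sided correlation: client-side browsing history found on the office machine, and server-side audit records from the intranet web servers, are checked against the list of URLs for the documents that leaked, and each side is used to fill gaps in the other. The following is an added example of that correlation, not code from the article or from any government system; the hostname, IP address, user name, URLs and log lines are all constructed for illustration, and the Common Log Format layout is assumed for the server log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watch-list: URLs of the documents known to have been passed.
WATCHLIST = {
    "http://docs.intranet.example/reports/imagery/img-0417.jpg",
    "http://docs.intranet.example/reports/intel/report-2200.html",
    "http://docs.intranet.example/newsletter/2000-07/page3.html",
}

SERVER_HOST = "docs.intranet.example"  # constructed intranet web server name
WORKSTATION_IP = "10.1.4.22"           # constructed address of the office PC

# Constructed server access log (Common Log Format). The 10.1.7.9 entry is
# another user's legitimate access and must not be attributed to the suspect.
SERVER_LOG = """\
10.1.4.22 - - [14/Jul/2000:20:52:01 -0400] "GET /reports/intel/report-2200.html HTTP/1.0" 200 18342
10.1.4.22 - - [14/Jul/2000:20:53:10 -0400] "GET /reports/imagery/img-0417.jpg HTTP/1.0" 200 904221
10.1.7.9 - - [14/Jul/2000:09:12:44 -0400] "GET /reports/intel/report-2200.html HTTP/1.0" 200 18342
10.1.4.22 - - [15/Jul/2000:08:30:00 -0400] "GET /index.html HTTP/1.0" 200 1202
"""

# Constructed browser-history export from the workstation: (user, url, timestamp).
HISTORY = [
    ("jdoe", "http://docs.intranet.example/reports/intel/report-2200.html", "2000-07-14 20:51:58 -0400"),
    ("jdoe", "http://docs.intranet.example/newsletter/2000-07/page3.html", "2000-07-13 17:05:22 -0400"),
    ("jdoe", "http://docs.intranet.example/index.html", "2000-07-15 08:30:01 -0400"),
]

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')


def parse_clf(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "path": path, "status": int(status)}


def server_hits(log_text, watchlist, host):
    """Map client IP -> [(url, time)] for successful fetches of watch-listed URLs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or rec["status"] != 200:
            continue
        url = f"http://{host}{rec['path']}"
        if url in watchlist:
            hits[rec["ip"]].append((url, rec["when"]))
    return hits


def history_hits(history, watchlist):
    """Map user -> [(url, time)] for watch-listed URLs in the browser history."""
    hits = defaultdict(list)
    for user, url, ts in history:
        if url in watchlist:
            hits[user].append((url, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S %z")))
    return hits


def correlate_sources(log_text, history, watchlist, host, ip, user, window=timedelta(minutes=5)):
    """Pair server-side hits from `ip` with client-side history entries for `user`.

    A hit is corroborated when both sides record the same URL within `window`
    of each other (clock skew between the PC and the server is expected).
    URLs seen on only one side are reported too: a server-only hit survives a
    cleared browser history, and a client-only hit points at a server whose
    logs have not yet been pulled.
    """
    server = server_hits(log_text, watchlist, host).get(ip, [])
    client = history_hits(history, watchlist).get(user, [])
    corroborated, used = [], set()
    for url, s_when in server:
        for idx, (c_url, c_when) in enumerate(client):
            if c_url == url and idx not in used and abs(s_when - c_when) <= window:
                corroborated.append((url, s_when, c_when))
                used.add(idx)
                break
    matched = {url for url, _, _ in corroborated}
    return {
        "corroborated": corroborated,
        "server_only": {url for url, _ in server} - matched,
        "client_only": {url for url, _ in client} - matched,
    }


if __name__ == "__main__":
    result = correlate_sources(SERVER_LOG, HISTORY, WATCHLIST, SERVER_HOST, WORKSTATION_IP, "jdoe")
    for url, s_when, c_when in result["corroborated"]:
        print(f"corroborated {url}: server {s_when}, client {c_when}")
    print("server only:", sorted(result["server_only"]))
    print("client only:", sorted(result["client_only"]))
```

On the constructed data one document is corroborated by both sources a few seconds apart, one appears only in the server log (the client-side trace is missing), and one appears only in the browser history (its server's logs are not in the sample), which is the same three-way picture the affidavit describes: workstation history, server logs and audit records each tying the machine to different documents. The 10.1.7.9 access to the same report is ignored because it came from another address, a reminder that a URL on the watch-list is not by itself evidence against anyone who fetched it.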

A few months after retiring from the Air Force in August 2000, Regan went back to work at NRO as an employee of defense contractor TRW. His security clearance was reinstated in July, one month before his arrest.

Regan isn't the first accused spy with computer expertise. Computer logs provided damning evidence against FBI mole Robert Hanssen, who pleaded guilty last month to selling the United States' most precious counter-intelligence secrets to Russia.

Hanssen, an experienced computer programmer, passed information to his Russian handlers on encrypted floppy disks, kept reminders of his clandestine appointments in his Palm organizer, and routinely searched FBI computers for hints that his co-workers might be on to him.

© 2001 SecurityFocus.com, all rights reserved.

