Spy catalog leak: How NSA hacks your PC, phone,router and hard disk 'at the speed of light'

Analysis A leaked NSA cyber-arms catalog has shed light on the
sorts of technologies US and UK spies use to infiltrate and
remotely control PCs, routers, firewalls, phones and software
from some of the biggest names in IT.

The exploits, often delivered via the web, provide clandestine
backdoor access across networks, allowing the intelligence
services to carry out man-in-the-middle attacks that
conventional security software has no chance of stopping.

And if that fails, agents can simply intercept your hardware
deliveries from Amazon to install hidden gadgets that rat you
out via radio communications.

The 50-page top-secret document, written by an NSA division
called ANT, is part of an information dump sent to German
magazine Der Spiegel, and expounded upon by journalist Jacob
Appelbaum in his keynote to the 30th Chaos Communication
Congress in Germany on Monday. You can watch a clearly furious
Appelbaum in the video below.

The dossier is a glorified shopping catalog of technology for
Uncle Sam's spies, and gives the clearest view yet of what the
NSA and allied intelligence agencies can do with your private
data, and how they manage it. Here's an easy-to-digest roundup
of what was discussed.

Satellite and optic-fiber communications stored

According to Appelbaum, the NSA is running a two-stage data
dragnet operation. The first stage is TURMOIL, which collects
data traffic passively via satellite and cable taps and stores
it – in some cases for up to 15 years – for future reference.
The NSA does not consider this surveillance because no human
operator is involved, just automatic systems.

Appelbaum gave the example of the SEA-ME-WE-4 underwater cable
system, which runs from Europe to North Africa, then on to the
Gulf states to Pakistan and India before terminating in the Far
East. The documents show that on February 13 this year a tap was
installed on the line by the NSA that gave layer-two access to
all internet traffic flowing through that busy route.

However, this passive capability is backed up by TURBINE, the
active intervention side of the NSA, run by its Tailored Access
Operations (TAO) hacking squad. By using a selection of hardware
and software tools, not to mention physical measures as we'll
see later on, the NSA promises that systems can be hacked "at
the speed of light," and the staffers in Maryland even took time
to build a LOLcat picture highlighting the capability:

http://regmedia.co.uk/2013/12/31/nsa_lolcat.jpg

"Tailored Access Operations is a unique national asset that is
on the front lines of enabling NSA to defend the nation and its
allies," the NSA said in a statement on the report, adding that
TAO's "work is centered on computer network exploitation in
support of foreign intelligence collection."

Windows crash reports boon for spies
On the subject of operating systems, Appelbaum said the
documents revealed subversion techniques against Windows, Linux,
and Solaris. In the case of Microsoft, the NSA is monitoring
Windows software crash reports to gain insight into
vulnerabilities on a target system and exploit them for its own
ends.

“Customers who choose to use error reports send limited
information about, for example, the process, application, or
device driver, that may have encountered a problem," a Microsoft
spokesperson told El Reg in a statement responding to Der
Spiegel's report.

"Reports are then reviewed and used to improve customer
experiences. Microsoft does not provide any government with
direct or unfettered access to our customer’s data. We would
have significant concerns if the allegations about government
actions are true."

NSA buys up security exploits to attack vulnerabilities
When it comes to active penetration, the TAO team has a system
dubbed QUANTUM THEORY, an arsenal of zero-day exploits that it
has either found itself or bought on the open market from
operators like VUPEN. Once inside a computer, software dubbed
SEASONEDMOTH is automatically secreted and used to harvest all
activity by the target in a 30-day period.

For computers and networks that have firewalls and other
security systems in place, the NSA uses QUANTUMNATION, a tool
that will scan defenses using software dubbed VALIDATOR to find
an exploitable hole, and then use it to seize control using code
dubbed COMMENDEER.

A system dubbed QUANTUMCOPPER also gives the NSA the ability to
interfere with TCP/IP connections and disrupt downloads to
inject malicious code or merely damage fetched files. Appelbaum
said such a system could be used to crash anonymizing systems
like Tor by forcing an endless series of resets – and makes the
designers of the Great Firewall of China look like amateurs.

The website you are visiting is really not the website you want
But it's a scheme dubbed QUANTUMINSERT that Appelbaum said was
particularly concerning. The documents show that if a target
tries to log onto Yahoo! servers, a subverted local router can
intercept the request before it hits Meyer & Co's data center
and redirect it to a NSA-hosted mirror site where all activity
can be recorded and the connection tampered.

It's not just Yahoo! in the firing line: QUANTUMINSERT can be
set up to automatically attack any computer trying to access
certain websites. The code predominantly injects malware into
religious or terrorism websites to seize control of vulnerable
web browsers and their PCs.

But the technology has also been spotted monitoring visits to
sites such as LinkedIn and CNN.com, and will work with most
major manufacturer's routers to pull off its software injection.
(If you think using HTTPS will highlight any of these man-in-the-
middle attacks, bear in mind it's believed that the NSA and GCHQ
have penetrated the security certificate system underpinning
SSL/TLS to allow the agencies' computers to masquerade as legit
web servers.)

According to the catalog, Cisco hardware firewalls, such as the
PIX and ASA series, and Juniper Netscreen and ISG 1000 products,
can have backdoors installed in their firmware to monitor
traffic flowing in and out of small businesses and corporate
data centers. A boot ROM nasty exists for the Huawei Eudemon
firewalls, we're told; Huawei being the gigantic Chinese telcoms
electronics maker. Other BIOS-level malware is available for
Juniper and and Hauawei routers, according to the dossier.

"At this time, we do not know of any new product
vulnerabilities, and will continue to pursue all avenues to
determine if we need to address any new issues. If we learn of a
security weakness in any of our products, we will immediately
address it," said Cisco in a blog post.

"As we have stated prior, and communicated to Der Spiegel, we do
not work with any government to weaken our products for
exploitation, nor to implement any so-called security ‘back
doors’ in our products."

The cellphone network you are connected to is not the network
you want
Mobile communications are also wide open, it seems. The NSA
catalog offers a mobile base station called the Typhon HX
(priced at $175,800) that will mimic a network provider's
infrastructure and collect mobile signals to decode and study;
it effectively taps cellphones.

Appelbaum said this type of hacking was spotted in action by the
Ecuadorian embassy shortly after Julian Assange arrived as a
house guest. The embassy's staff started getting welcome
messages from Uganda Telecom on their mobile because the British
intelligence services hadn't reconfigured their data slurping
base-station correctly from a previous operation, apparently.

Mobile phone SIM cards can also be easily hacked, the documents
claim, using a tool dubbed MONKEYCALANDER. This exploits a flaw,
only recently spotted by security researchers but used by the
NSA since 2007, that allows code to be installed on a SIM card
that will track and monitor an individual user's calls and
location.

The catalogue also details an exploit called DROPOUTJEEP which
claims it can gain complete control of an Apple iPhone via a
backdoor, at least back in 2007 when the cyberweapon catalog was
drawn up. The NSA says the DROPOUTJEEP exploit has a 100 per
cent success rate, leading Applebaum to speculate that Cupertino
may have helped the NSA out with the software. The first version
of DROPOUTJEEP needed an agent to get his or her hands on the
device, but remotely launched versions were promised.

Also listed is flash ROM malware for compromising satellite
phones, in case you felt like using that, plus exploits to
remotely control Windows Mobile handsets.

Speaking of Windows, NIGHTSTAND is a handy little box that can,
with a range of 8 miles, potentially own a Redmond-powered PC by
transmitting carefully crafted Wi-Fi traffic to exploit a
security hole in the OS and Internet Explorer.

Your hard disk is not the device you thought it was
Hard drives are also easy meat for the NSA, according to the
documents. Software called IRATEMONK can be installed on the
firmware in disks from Western Digital, Seagate, Maxtor, and
Samsung to allow full access to the target's data and operating
system. And because it's flashed onto the chips, via other
remotely installed malware, the customized firmware is almost
impossible to detect. This allows spies to hide and execute
anything they like on the connected computer.

An example target of IRATEMONK is a cyber-cafe of PCs.

"Western Digital has no knowledge of, nor has it participated in
the development of technology by government entities that create
‘implants’ on Western Digital hard drives, as Der Spiegel
described," a WD spokesperson told El Reg in a statement.

The parcels from Amazon are not the parcels you want
On the hardware front, the TAO hacking team also has specialists
in "close access operations" or "Off Net" projects where
physical access is required to a target's system. This can
involve intercepting laptops ordered online from Amazon and
others, adding tracking hardware, and then delivering them as
normal in the correct packaging, as well as breaking into
private property for hardware installation.

The catalog offers a number of hardware tools that can be
installed by a g-man. $200,000, for example, will buy you 50 USB
cables that have a secondary radio communications system called
COTTONMOUTH that allows the agency to send and collect data
directly through the ether. A VGA monitor cable called
RAGEMASTER intercepts video signals and beams them to a nearby
government snoop by radio wave.

That video cable was built by the NSA's ANT team, which also has
a fondness for attacking and infiltrating the firmware on your
PC: this is the low-level software that's not without its bugs,
first to run, and boots your operating system. If this is
compromised and reprogrammed using the ANT crew's SWAP program,
then it's pretty much game over for the target as the whole
system above the firmware can be remotely controlled and
monitored as required. Another tool called WISTFULTOLL leaps
upon Windows Management Instrumentation to access data on
systems.

http://regmedia.co.uk/2013/12/31/howlermonkey.jpg

The NSA has also developed a set of tiny surveillance
electronics dubbed HOWLERMONKEY that hides within computer
hardware, such as an ordinary Ethernet port, Appelbaum said. The
one pictured above, dubbed FIREWALK, looks no different to a
standard RJ45 socket, but can inject data into and slurp any
bytes from packets coming through the physical connection
automatically, and relay the information back to base via a
radio link.

Wireless communications can also be subverted by installing a
separate Wi-Fi card dubbed BULLDOZER. Even if the user has
wireless switched off by default, a PCI-connected BULLDOZER can
be used to link into a nearly subverted router and collect
metadata and content from targeted systems.

HP's server products were also mentioned as an easily subverted
system. Hardware dubbed GODSURGE can be installed in its
PowerEdge machines to provide full access, and the catalog says
such monitoring uses common off-the-shelf components that can't
be directly attributed to the NSA. IRONCHEF, we're told, is a
BIOS-level nasty designed to target HP ProLiant kit.

Where to find all the leaked information
The full document set has now been uploaded to whistleblowing
website Cryptome for public perusal. Appelbaum and the Der
Spiegel team have been careful to exclude the published names of
NSA staff who carry out these attacks, and the names of the
people and organizations the agency has targeted. An interactive
infographic summarizing the leaks can be found here.

http://www.spiegel.de/international/world/a-941262.html

El Reg has contacted all of the companies named by Appelbaum in
his presentation, but had limited response given that it’s the
Christmas holidays. But if the dossier is to be believed, then
there are going to be angry words between the NSA, manufacturers
and hardware customers – the latter likely to be searching for
more secure products.

Appelbaum said that he'd tried to talk to US legislators about
the situation but was continually rebuffed. Part of the problem,
he said, was that politicians don't understand the technology
behind such systems, and in many cases the lawmakers don’t want
to acknowledge there's a problem until a political solution has
been worked out.

The leaked catalog is roughly six years old, but new
technologies developed in the mean time by the NSA (estimated
annual budget: $10bn) is anyone's guess, or worst nightmare.

Readers may find some cheer, or not, from the suggestion that
most of these techniques are used against highly targeted
individuals rather than everyone en mass: NSA analysts need the
help of the FBI and CIA to install the hidden hardware snoopers,
for example, either by intercepting shipments or by carrying out
a so-called black bag job.

The intelligence agencies argue they are combatting terrorism, a
claim that is now being fought over in the US courts. The
question remains as to who exactly is scrutinizing these
operations and to what level – and who else has their hands on
these grave security vulnerabilities that the NSA exploits.

"The real problem is who is in charge here," Jon Callas,
cofounder of the Silent Circle encrypted communications system,
told The Register.

Referring to the secretive FISA court that supposedly oversees
the NSA, Callas continued: "For us who are Americans we have the
belief that we are ultimately in charge. Now it seems we have
secret courts, with secret laws, so how do you run a free
society under those kind of conditions? We have a societal
belief that some things are not acceptable and while Jake can be
hyperbolic, I cheer him on – sunlight is the best disinfectant."
®

Bootnote
With the exception of SEASONEDMOTH, there's no mention of any of
these exploits having a time-limited kill switch. Presumably the
NSA has means of deactivating online taps, but one wonders how
much kit is out there on eBay and with dealers that still
contains examples of ANT's intrusive craft.

Applebaum suggests that those interested (which should include
pretty much everyone in the security industry as well as IT
departments purchasing on the grey market) should look for
samples that use the RC6 block cipher and which emit encrypted
UDP traffic.

http://www.theregister.co.uk/2013/12/31/nsa_weapons_catalogue_pr
omises_pwnage_at_the_speed_of_light/

 

And who are the people selling this shit to them?

 

We are!

 

You're capitalist assholes who would sell your own mothers.