Spy catalog leak: How NSA hacks your PC, phone, router and hard disk 'at the speed of light'

Discussion in 'Cisco' started by cubi, Dec 31, 2013.

  1. cubi

    cubi Guest

    Analysis A leaked NSA cyber-arms catalog has shed light on the
    sorts of technologies US and UK spies use to infiltrate and
    remotely control PCs, routers, firewalls, phones and software
    from some of the biggest names in IT.

    The exploits, often delivered via the web, provide clandestine
    backdoor access across networks, allowing the intelligence
    services to carry out man-in-the-middle attacks that
    conventional security software has no chance of stopping.

    And if that fails, agents can simply intercept your hardware
    deliveries from Amazon to install hidden gadgets that rat you
    out via radio communications.

    The 50-page top-secret document, written by an NSA division
    called ANT, is part of an information dump sent to German
    magazine Der Spiegel, and expounded upon by journalist Jacob
    Appelbaum in his keynote to the 30th Chaos Communication
    Congress in Germany on Monday. You can watch a clearly furious
    Appelbaum in the video below.

    The dossier is a glorified shopping catalog of technology for
    Uncle Sam's spies, and gives the clearest view yet of what the
    NSA and allied intelligence agencies can do with your private
    data, and how they manage it. Here's an easy-to-digest roundup
    of what was discussed.

    Satellite and optic-fiber communications stored

    According to Appelbaum, the NSA is running a two-stage data
    dragnet operation. The first stage is TURMOIL, which collects
    data traffic passively via satellite and cable taps and stores
    it – in some cases for up to 15 years – for future reference.
    The NSA does not consider this surveillance because no human
    operator is involved, just automatic systems.

    Appelbaum gave the example of the SEA-ME-WE-4 underwater cable
    system, which runs from Europe to North Africa, then on to the
    Gulf states to Pakistan and India before terminating in the Far
    East. The documents show that on February 13 this year a tap was
    installed on the line by the NSA that gave layer-two access to
    all internet traffic flowing through that busy route.

    However, this passive capability is backed up by TURBINE, the
    active intervention side of the NSA, run by its Tailored Access
    Operations (TAO) hacking squad. By using a selection of hardware
    and software tools, not to mention physical measures as we'll
    see later on, the NSA promises that systems can be hacked "at
    the speed of light," and the staffers in Maryland even took time
    to build a LOLcat picture highlighting the capability:


    "Tailored Access Operations is a unique national asset that is
    on the front lines of enabling NSA to defend the nation and its
    allies," the NSA said in a statement on the report, adding that
    TAO's "work is centered on computer network exploitation in
    support of foreign intelligence collection."

    Windows crash reports boon for spies
    On the subject of operating systems, Appelbaum said the
    documents revealed subversion techniques against Windows, Linux,
    and Solaris. In the case of Microsoft, the NSA is monitoring
    Windows software crash reports to gain insight into
    vulnerabilities on a target system and exploit them for its own

    “Customers who choose to use error reports send limited
    information about, for example, the process, application, or
    device driver, that may have encountered a problem," a Microsoft
    spokesperson told El Reg in a statement responding to Der
    Spiegel's report.

    "Reports are then reviewed and used to improve customer
    experiences. Microsoft does not provide any government with
    direct or unfettered access to our customer’s data. We would
    have significant concerns if the allegations about government
    actions are true."

    NSA buys up security exploits to attack vulnerabilities
    When it comes to active penetration, the TAO team has a system
    dubbed QUANTUM THEORY, an arsenal of zero-day exploits that it
    has either found itself or bought on the open market from
    operators like VUPEN. Once inside a computer, software dubbed
    SEASONEDMOTH is automatically secreted and used to harvest all
    activity by the target in a 30-day period.

    For computers and networks that have firewalls and other
    security systems in place, the NSA uses QUANTUMNATION, a tool
    that will scan defenses using software dubbed VALIDATOR to find
    an exploitable hole, and then use it to seize control using code
    dubbed COMMENDEER.

    A system dubbed QUANTUMCOPPER also gives the NSA the ability to
    interfere with TCP/IP connections and disrupt downloads to
    inject malicious code or merely damage fetched files. Appelbaum
    said such a system could be used to crash anonymizing systems
    like Tor by forcing an endless series of resets – and makes the
    designers of the Great Firewall of China look like amateurs.

    The website you are visiting is really not the website you want
    But it's a scheme dubbed QUANTUMINSERT that Appelbaum said was
    particularly concerning. The documents show that if a target
    tries to log onto Yahoo! servers, a subverted local router can
    intercept the request before it hits Mayer & Co's data center
    and redirect it to an NSA-hosted mirror site where all activity
    can be recorded and the connection tampered with.

    It's not just Yahoo! in the firing line: QUANTUMINSERT can be
    set up to automatically attack any computer trying to access
    certain websites. The code predominantly injects malware into
    religious or terrorism websites to seize control of vulnerable
    web browsers and their PCs.

    But the technology has also been spotted monitoring visits to
    sites such as LinkedIn and CNN.com, and will work with most
    major manufacturers' routers to pull off its software injection.
    (If you think using HTTPS will highlight any of these man-in-the-
    middle attacks, bear in mind it's believed that the NSA and GCHQ
    have penetrated the security certificate system underpinning
    SSL/TLS to allow the agencies' computers to masquerade as legit
    web servers.)

    According to the catalog, Cisco hardware firewalls, such as the
    PIX and ASA series, and Juniper Netscreen and ISG 1000 products,
    can have backdoors installed in their firmware to monitor
    traffic flowing in and out of small businesses and corporate
    data centers. A boot ROM nasty exists for the Huawei Eudemon
    firewalls, we're told; Huawei being the gigantic Chinese telecoms
    electronics maker. Other BIOS-level malware is available for
    Juniper and Huawei routers, according to the dossier.

    "At this time, we do not know of any new product
    vulnerabilities, and will continue to pursue all avenues to
    determine if we need to address any new issues. If we learn of a
    security weakness in any of our products, we will immediately
    address it," said Cisco in a blog post.

    "As we have stated prior, and communicated to Der Spiegel, we do
    not work with any government to weaken our products for
    exploitation, nor to implement any so-called security ‘back
    doors’ in our products."

    The cellphone network you are connected to is not the network
    you want
    Mobile communications are also wide open, it seems. The NSA
    catalog offers a mobile base station called the Typhon HX
    (priced at $175,800) that will mimic a network provider's
    infrastructure and collect mobile signals to decode and study;
    it effectively taps cellphones.

    Appelbaum said this type of hacking was spotted in action by the
    Ecuadorian embassy shortly after Julian Assange arrived as a
    house guest. The embassy's staff started getting welcome
    messages from Uganda Telecom on their mobile because the British
    intelligence services hadn't reconfigured their data slurping
    base-station correctly from a previous operation, apparently.

    Mobile phone SIM cards can also be easily hacked, the documents
    claim, using a tool dubbed MONKEYCALENDAR. This exploits a flaw,
    only recently spotted by security researchers but used by the
    NSA since 2007, that allows code to be installed on a SIM card
    that will track and monitor an individual user's calls and

    The catalogue also details an exploit called DROPOUTJEEP which
    claims it can gain complete control of an Apple iPhone via a
    backdoor, at least back in 2007 when the cyberweapon catalog was
    drawn up. The NSA says the DROPOUTJEEP exploit has a 100 per
    cent success rate, leading Appelbaum to speculate that Cupertino
    may have helped the NSA out with the software. The first version
    of DROPOUTJEEP needed an agent to get his or her hands on the
    device, but remotely launched versions were promised.

    Also listed is flash ROM malware for compromising satellite
    phones, in case you felt like using that, plus exploits to
    remotely control Windows Mobile handsets.

    Speaking of Windows, NIGHTSTAND is a handy little box that can,
    with a range of 8 miles, potentially own a Redmond-powered PC by
    transmitting carefully crafted Wi-Fi traffic to exploit a
    security hole in the OS and Internet Explorer.

    Your hard disk is not the device you thought it was
    Hard drives are also easy meat for the NSA, according to the
    documents. Software called IRATEMONK can be installed on the
    firmware in disks from Western Digital, Seagate, Maxtor, and
    Samsung to allow full access to the target's data and operating
    system. And because it's flashed onto the chips, via other
    remotely installed malware, the customized firmware is almost
    impossible to detect. This allows spies to hide and execute
    anything they like on the connected computer.

    An example target of IRATEMONK given in the catalog is the PCs in a cyber-cafe.

    "Western Digital has no knowledge of, nor has it participated in
    the development of technology by government entities that create
    ‘implants’ on Western Digital hard drives, as Der Spiegel
    described," a WD spokesperson told El Reg in a statement.

    The parcels from Amazon are not the parcels you want
    On the hardware front, the TAO hacking team also has specialists
    in "close access operations" or "Off Net" projects where
    physical access is required to a target's system. This can
    involve intercepting laptops ordered online from Amazon and
    others, adding tracking hardware, and then delivering them as
    normal in the correct packaging, as well as breaking into
    private property for hardware installation.

    The catalog offers a number of hardware tools that can be
    installed by a g-man. $200,000, for example, will buy you 50 USB
    cables that have a secondary radio communications system called
    COTTONMOUTH that allows the agency to send and collect data
    directly through the ether. A VGA monitor cable called
    RAGEMASTER intercepts video signals and beams them to a nearby
    government snoop by radio wave.

    That video cable was built by the NSA's ANT team, which also has
    a fondness for attacking and infiltrating the firmware on your
    PC: this is the low-level software that runs first and boots
    your operating system, and it is not without its bugs. If this is
    compromised and reprogrammed using the ANT crew's SWAP program,
    then it's pretty much game over for the target as the whole
    system above the firmware can be remotely controlled and
    monitored as required. Another tool called WISTFULTOLL leaps
    upon Windows Management Instrumentation to access data on


    The NSA has also developed a set of tiny surveillance
    electronics dubbed HOWLERMONKEY that hides within computer
    hardware, such as an ordinary Ethernet port, Appelbaum said. The
    one pictured above, dubbed FIREWALK, looks no different to a
    standard RJ45 socket, but can inject data into and slurp any
    bytes from packets coming through the physical connection
    automatically, and relay the information back to base via a
    radio link.

    Wireless communications can also be subverted by installing a
    separate Wi-Fi card dubbed BULLDOZER. Even if the user has
    wireless switched off by default, a PCI-connected BULLDOZER can
    be used to link into a nearby subverted router and collect
    metadata and content from targeted systems.

    HP's server products were also mentioned as an easily subverted
    system. Hardware dubbed GODSURGE can be installed in its
    PowerEdge machines to provide full access, and the catalog says
    such monitoring uses common off-the-shelf components that can't
    be directly attributed to the NSA. IRONCHEF, we're told, is a
    BIOS-level nasty designed to target HP ProLiant kit.

    Where to find all the leaked information
    The full document set has now been uploaded to whistleblowing
    website Cryptome for public perusal. Appelbaum and the Der
    Spiegel team have been careful to exclude the published names of
    NSA staff who carry out these attacks, and the names of the
    people and organizations the agency has targeted. An interactive
    infographic summarizing the leaks can be found here.


    El Reg has contacted all of the companies named by Appelbaum in
    his presentation, but had limited response given that it’s the
    Christmas holidays. But if the dossier is to be believed, then
    there are going to be angry words between the NSA, manufacturers
    and hardware customers – the latter likely to be searching for
    more secure products.

    Appelbaum said that he'd tried to talk to US legislators about
    the situation but was continually rebuffed. Part of the problem,
    he said, was that politicians don't understand the technology
    behind such systems, and in many cases the lawmakers don’t want
    to acknowledge there's a problem until a political solution has
    been worked out.

    The leaked catalog is roughly six years old; what new
    technologies the NSA (estimated annual budget: $10bn) has
    developed in the meantime is anyone's guess, or worst nightmare.

    Readers may find some cheer, or not, from the suggestion that
    most of these techniques are used against highly targeted
    individuals rather than everyone en masse: NSA analysts need the
    help of the FBI and CIA to install the hidden hardware snoopers,
    for example, either by intercepting shipments or by carrying out
    a so-called black bag job.

    The intelligence agencies argue they are combatting terrorism, a
    claim that is now being fought over in the US courts. The
    question remains as to who exactly is scrutinizing these
    operations and to what level – and who else has their hands on
    these grave security vulnerabilities that the NSA exploits.

    "The real problem is who is in charge here," Jon Callas,
    cofounder of the Silent Circle encrypted communications system,
    told The Register.

    Referring to the secretive FISA court that supposedly oversees
    the NSA, Callas continued: "For us who are Americans we have the
    belief that we are ultimately in charge. Now it seems we have
    secret courts, with secret laws, so how do you run a free
    society under those kind of conditions? We have a societal
    belief that some things are not acceptable and while Jake can be
    hyperbolic, I cheer him on – sunlight is the best disinfectant."

    With the exception of SEASONEDMOTH, there's no mention of any of
    these exploits having a time-limited kill switch. Presumably the
    NSA has means of deactivating online taps, but one wonders how
    much kit is out there on eBay and with dealers that still
    contains examples of ANT's intrusive craft.

    Appelbaum suggests that those interested (which should include
    pretty much everyone in the security industry as well as IT
    departments purchasing on the grey market) should look for
    samples that use the RC6 block cipher and which emit encrypted
    UDP traffic.

    cubi, Dec 31, 2013

  2. cubi

    Anonymous Guest

    And who are the people selling this shit to them?
    Anonymous, Dec 31, 2013

  3. cubi

    Nomen Nescio Guest

    We are!
    Nomen Nescio, Jan 1, 2014
  4. cubi

    Anonymous Guest

    You're capitalist assholes who would sell your own mothers.
    Anonymous, Jan 1, 2014
  5. cubi

    Anonymous Guest

    Anonymous, Jan 1, 2014
  6. cubi

    Nomen Nescio Guest

    Nomen Nescio, Jan 5, 2014
  7. cubi

    Jorge Guest

    Jorge, Jan 5, 2014