Tag Archives: NSA

CERT Releases Threat Advisory On Firewalls

Last month a hacker group known as The Shadow Brokers released a series of exploits that they said belonged to an NSA contractor that has been called the Equation Group.

Whether the Equation Group is real and whether they are a vendor of exploits to the NSA or not is really not terribly relevant in the big picture.

What is relevant is that they released a whole bunch of exploits that are being used – and likely, at least some of them have been used for a while – to silently break into corporate networks.  And probably government networks too.  The exploits attack Cisco, Juniper, Fortinet and Topsec (a Chinese company) firewalls, among other network hardware.

The problem here is one that people have been talking about since US Cybercom was created: the same group of people who are responsible for hacking people (the NSA) is also responsible for protecting people from hackers, and that is a conflict they cannot resolve.  When the NSA / Cybercom finds a vulnerability, they have to decide whether to tell the manufacturer so that it can be fixed, or keep it to themselves so that they can use it until someone else finds it and tells the manufacturer.

The problem with that philosophy is that given the NSA was able to find it, it is likely that the Chinese or Russians were able to find it also.  And the Chinese are unlikely to tell Cisco or Fortinet about their bug, so as long as the NSA keeps it secret, our adversaries, if they know about the bug, are using it against American companies as well.

The President issued a directive explaining the rules of engagement surrounding this issue, but the rules say that the NSA can keep it secret and not tell the manufacturer if they think the bug has intelligence value to them.

So here we have a group of anti-hackers (The Shadow Brokers) that released a whole trove of bugs converted to attacks, which is good for users because now the bugs will eventually be fixed, but in the meantime, until they get fixed, the hackers can use them to attack you and me.

The advisory goes into some detail on the attacks that were disclosed, including ones against the Cisco ASA firewalls, a very popular corporate firewall.

The alert makes a couple of very useful suggestions:

  1. Segregate your network.  What this means is that you want to isolate your network into separate domains so that an attacker doesn’t have the run of the house once they break through the front door.  The alert provides suggestions on how to do that.
  2. Limit “lateral” communications.  What this means is that you want to limit peer to peer computers from talking to each other unless there is a business reason to do that.
  3. Harden network devices.  This means, on firewalls and such, encrypt all traffic, use robust passwords, restrict physical access, and follow the other suggestions described in the alert.
  4. Secure access to firewalls and switches.
  5. Perform out of band management.  This would stop an attacker from being able to get to certain resources.
  6. Validate the integrity of the hardware and software.

The alert goes into a lot more detail, but given that we have strong reason to believe that the NSA and probably other intelligence agencies have been using these attacks in the wild, and that NOW these attacks are known to every hacker on the planet, it is critical that companies protect themselves.

The CERT advisory can be found here.

A Wired article on the issue can be found here.

NSA Hack Appears Real – Sort Of

Last week a group of hackers called Shadow Brokers claimed to have a group of NSA hacker tools available for sale on the dark web.  The tools were supposedly stolen from the Equation Group which has been loosely linked to the NSA.

If all of this is true, then the reality is that the NSA wasn’t hacked but rather a possible NSA vendor was hacked.

The newest files that were made available by the sellers to validate their claim were dated in 2013, around the time of the Snowden breach.

Some of the exploits targeted routers and firewalls from every major vendor – Cisco, Fortinet, Juniper and Topsec (Chinese).  The initial request said that if they got 1 million bitcoins (or around a half billion dollars), they would release all the code publicly.   The hackers, in broken English, said “If electronic data go bye bye where leave Wealthy Elites?”.  Certainly, if all of this is true, they could wreak some havoc.

Snowden Tweeted that the hack may have been of a staging server that was abandoned, possibly after his release of documents, and someone either forgot about it or got sloppy and did not wipe it.  That seems a whole lot more plausible than hacking the NSA itself.  Still, the tools would be very interesting.

Snowden suggests that whoever released these tools (Russia) did so as a warning to the U.S. that if they tried to tie the DNC hack to the Russians, they would fight back and expose U.S. hacks of other countries, likely countries friendly to the U.S., causing diplomatic problems.

This winds up being a chess game as everyone hacks everyone else, whether they are friends or not.

The Intercept (Glenn Greenwald, who broke the original Snowden story) says that the tools are genuine NSA.  That does not mean, however, that the release is the result of a hack of the NSA, only a hack of someone who had a copy of the tools for whatever reason – possibly because they developed them for the NSA.

A manual that had not been previously released by Snowden refers to tagging the NSA’s use of a particular malware program with the string “ace02468bdf13579” .  Guess what – that string appears in the released code of one tool called SECONDDATE.  Since the manual was not public until now, there would be no way for copycats to inject that string if it was not put there by NSA operatives.

If these tools were really in the possession of Russia, how long have they had them (years, possibly) and have they used them against Western organizations?  Tools don’t know who the good guys and the bad guys are – they just work if they are coded right.

This could mean that the sellers may have used them and, possibly, some of the holes may have been coincidentally patched, making the tools less useful (though not useless, since not everyone applies patches).

Apparently, according to documentation released, SECONDDATE intercepts web requests and redirects them to an NSA controlled server, where the server replies with malware, infecting the requestor.  Believe it or not, this is definitely possible, no question about it.  In fact, some known attacks have used this technique.  Again according to documents, this tool was used to spy on Pakistan and Lebanon.  According to this manual, agents had to use the string above to avoid reinfection of target systems.  That string appears 14 times in the files that Shadow Broker released.

The Intercept article goes into detail on a number of other tools that were released.

What we think we know is that these tools were likely connected to NSA activities, but we have no idea how they were obtained.  We know that they are years old and date to the time of the Snowden leaks.  We also know that, based on the limited set of tools that were released, the NSA has some neat stuff.

If the attackers do eventually release all of the code, it will likely identify more zero day exploits that the vendors can close, but as far as I can tell, there are way more where those came from, so don’t worry that the NSA is going to go out of business.  I guess that is good news/bad news.  Good news that the NSA will continue to have tools, even though they obviously don’t like it when their tools are exposed.  Bad news in that we don’t know who had access to these tools, for how long, and whether or not other agents from non-friendly countries used them against us.

This story just gets wilder.

Information for this post came from Network World, The Intercept and Network World again.

NSA Wants To Monitor Your Pacemaker

No, you don’t have to check your calendar, it is not April Fools’ Day and yes, they really do want to do that.  Along with the rest of your medical devices.

Some of you may remember that when Dick Cheney was Veep, they modified his pacemaker so that the bad guys couldn’t take him out by manipulating it.

Pacemakers and other medical devices are really just a specialized version of Internet of Things (IoT) devices and, like them, their manufacturers are more concerned about FDA approval (or sales) than hackers.

Richard Ledgett, the NSA’s Deputy Director and chief operating officer, spoke at the Defense One Tech Summit last month in Washington.  He said that they are looking at it from a theoretical point of view right now.  I think that means that they have not figured out how to exploit them yet.  He said that it would not be one of their core intelligence tools; rather it would be a niche kind of thing.

As I said, a pacemaker is just a specific instance of an IoT device and Ledgett said that they are looking at information from any Internet connected device.

James Clapper, the Director of National Intelligence,  said in a Senate hearing in February that devices connected to the Internet could be useful “for identification, surveillance, monitoring, location tracking and targeting for recruitment, or to gain access to networks or user credentials.”

That seems like a pretty good list of uses to me.  They are going to need to figure out exactly how to exploit them, but it sounds like they are already working on the problem.

To be clear, that is their job and as long as they don’t break the law, it certainly is a legitimate way to gain intelligence.

As long as IoT device manufacturers don’t improve the security of their devices, it may not be a very difficult task to hack them.

Unfortunately, that means that not only the NSA, but the Chinese and North Koreans, can hack them, not to mention commercial hackers.  When those hackers took over the electric delivery system in Ukraine last December and turned off the power and heat in the middle of the Ukrainian winter, they were only interested in damaging the infrastructure.  What if, instead, they decided to turn off the electricity or water in a city until a ransom is paid or some other demand is met?  While I am less concerned about the NSA doing that – at least in the US – I am less confident that the North Koreans or other commercial hackers will play by the rules, whatever the rules are these days.

Information for this post came from The Verge.

The Future Of Cryptography

Sorry, this post may be a little geeky.

I have said that the world of SSL is terminally broken.  Now I have some agreement.  And the guys saying it are not “some guys in a diner”.   They won the best paper award at the 22nd ACM Conference on Computer and Communications Security.  And they are saying that what is broken is much more than SSL.

Diffie Hellman Key Exchange (DHKE), the basis of a lot of SSL, VPN and SSH traffic, they say, is broken.  Diffie Hellman is based on prime numbers.  Very large prime numbers.  Unfortunately, as these prime numbers get large, it is very difficult to find the next one.  There is a program called GIMPS that uses massively distributed computing and has only found 15 new primes since 1996.  Of course, those numbers have 22 million digits each.

Anyway, given that these primes are known, you can do precomputing to compromise DHKE, at least in some cases, right now.  Many people think that the NSA is doing just that, while complaining that the Internet is going dark.

The NSA’s plan was to replace the traditional DHKE with elliptic curve, but then, suddenly, they did a 180 about face (more about that in a future post) and told everyone they were just kidding.  NSA’s Suite B, which is used to encrypt data up to the top secret level, was all about elliptic curve.  Until the standard was unceremoniously yanked and replaced with a new standard that doesn’t use the words elliptic curve.

Why?  They mumbled something about Quantum computing, but what is much more likely is that they have figured out a way to compromise the fundamental math in elliptic curve.

What is clear here is that we have a problem and we don’t have a solution.  What is worse is that there are some people who like it that way, some people who don’t understand the problem and a few people who would like to fix it.

But, given the current standards process, even if we invented a solution tomorrow, which is not likely, it would not be approved as a standard for years and would take more years to roll out.

Which means, for the foreseeable future, we are kind of in trouble.

U.S. Discloses Zero-Day Exploitation Practices

The U.S. government acknowledged that it uses zero-day bugs not only for espionage and intelligence gathering, but also for law enforcement.  What else it uses them for is still unknown.

Last November, the government released a document titled Vulnerabilities Equities Process.  It describes the policy, dating back to 2010, that allows agencies to decide whether to tell vendors about bugs they know about or use them as they see fit.

The document was redacted as the government claimed that confirming what everyone already knows – that they don’t always report bugs that they know about – would damage national security.  Not sure how that could possibly be, but that is what they claimed.

The government has removed some of those redactions and thereby confirmed what everyone already knew – that the government uses zero-day exploits so that the FBI and other agencies can hack into U.S. citizens’ computers, hopefully with appropriate oversight – although the oversight process, if it exists, is still unknown.

The document says that there is a group within the government that reviews zero-days and decides how they will be handled and to whom they will be distributed.  The NSA, not surprisingly, is in charge of this group.

Before we beat up the U.S. government too much, likely every other government on the planet does the same thing – likely with similar rules of engagement.

Still, this release of information does eliminate the question about whether “We’re from the government, we’re here to help you.”

Not always.

How The NSA Broke Trillions Of Encrypted Connections

Encryption can be very secure.  Or not.  It depends on how it is implemented.  Apparently, at least according to some sources, most of the Internet has gotten it wrong.  That’s not very comforting.

The rules of who people are protecting themselves from have changed from just a few years ago.  Now we are talking about nation states and extremely well funded hackers.

Here is the flaw.  The most common form of encryption is what is behind HTTPS, VPNs and SSH.  Part of that protocol is to exchange keys between the sender and the recipient; that step is called Diffie Hellman, or DH.   Those keys secure the communications used in eCommerce (such as Amazon) or your bank (such as Chase or Citi).

Apparently, most common DH implementations use one of two 1,024 bit prime numbers as part of the process.

Cracking one of these numbers would allow the NSA to decrypt two thirds of the VPN connections and one quarter of the SSH sessions around the world.

Cracking the second of these numbers would give the NSA access to 20% of the top 1 million web sites.

According to the article, it would likely have taken the NSA a year and a few hundred million dollars.  Given the payback, this is a no brainer.

Obviously, the NSA is not confirming this, but this is what researchers think.

The solution is either to increase the size of the numbers that the web site is using (from 1,024 bits to either 2,048 bits or 4,096 bits), which puts the computation required to crack the keys out of reach of the NSA, or at least to change the software to not use one of these standard primes.

Some web sites (I just checked Google and Facebook) have already upgraded to more secure solutions.  Hopefully, they are not using “standard” numbers, but that leaves tens of millions of web sites and VPNs still susceptible.  Hopefully, many of these are in the Mideast!

VPN and SSH administrators can control their key size, making the encryption much more difficult to crack – but they must do that;  the users usually cannot do that themselves.  For users of web sites, the web site has to make the change.  All the user can do is complain and hope they fix it.
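The precomputation argument made here (and in the earlier post on the future of cryptography), as an added illustration; this is example code, not the researchers' or the NSA's tooling. A constructed 17-bit toy prime stands in for a shared 1,024-bit modulus so that the one-time table fits in memory, and the point is the same as in the post: once that step is paid for a fixed prime, every session in that group costs only a lookup. The `check_dh_params` function and the `KNOWN_SHARED_GROUPS` set are hypothetical names for the two fixes the post describes.

```python
import secrets

# Constructed toy group: a 17-bit prime with a known primitive root, standing
# in for a fixed 1,024-bit modulus that many servers share.
TOY_P = 65537   # 2**16 + 1 (prime); 3 generates the whole group mod 65537
TOY_G = 3
# Hypothetical: moduli an organisation treats as shared/standard.  A real
# deployment would list the published 1,024-bit groups here.
KNOWN_SHARED_GROUPS = {TOY_P}


def precompute_group(p, g):
    """One-time, per-group work: a table mapping g**k mod p -> k.
    For a real 1,024-bit prime this is the number-field-sieve precomputation
    the researchers priced at about a year; for the toy prime it is a dict."""
    table, x = {}, 1
    for k in range(p - 1):
        table[x] = k
        x = x * g % p
    return table


def dh_session(p, g):
    """One DH exchange: returns what a passive observer sees (A, B) plus the
    shared secret that only the two endpoints should be able to derive."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p)


def recover_shared_secret(table, p, A, B):
    """Per-session work once the group table exists: look up the exponent
    behind A, then one modular exponentiation yields the session secret."""
    return pow(B, table[A], p)


def check_dh_params(p, min_bits=2048):
    """Defender-side check for the post's two fixes: modulus length and
    whether the modulus is one of the widely shared groups."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"modulus is {p.bit_length()} bits; need >= {min_bits}")
    if p in KNOWN_SHARED_GROUPS:
        findings.append("modulus is a shared/standard group; generate a unique one")
    return findings


if __name__ == "__main__":
    table = precompute_group(TOY_P, TOY_G)          # paid once per group
    for _ in range(3):                              # amortised over sessions
        A, B, secret = dh_session(TOY_P, TOY_G)
        assert recover_shared_secret(table, TOY_P, A, B) == secret
    print(check_dh_params(TOY_P))
```

Swapping in a unique 2,048-bit modulus makes the table step infeasible for an observer and, in this check, clears both findings.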

Which is why security implementers have to be so careful.

Information for this post came from Reddit and The Hacker News.