Tag Archives: Snowden

Between Snowden and Shadow Broker, NSA has a Problem

The NSA hasn’t had a great few years.  And it isn’t getting any better.

First it was Snowden and dumping documents on seemingly a weekly basis.  There were two schools of thought regarding Snowden.  Some said he was a hero for disclosing illegal government actions  Others said that he was a traitor for disclosing national security secrets.  The leaks seem to have stopped at this point.  For now!

There are a couple of important distinctions about Snowden.  First, we know who he is and where he is.  Second, he disclosed documentation.  Directions.  Information.

The second major breach is the Shadow Brokers.  Where Snowden leaked documents, Shadow Brokers leaked tools.  Going back to those distinctions, we do not know WHO the Shadow Brokers are or WHERE they are.  These tools are now available on the open market and while some of the flaws these tools exploited have been patched, it doesn’t mean that people have applied those patches.  Remember the WannaCry infection that cost Fedex $300 million and Merck $600 million – so far?  Yup.  One of those tools that was released.  And for which there were patches issued but not applied.  And that was only ONE of the tools.

The New York Times ran a great article on the issue yesterday (see link below) that talks about how these breaches have affected the NSA (and the CIA with its own leaks).

The problem is that with so many employees and contractors, and the ease with which someone can sneak out a gigabyte of data on a device the size of your finger tip, it is a hard problem.

So they have been conducting witch hunts.  Given that they don’t know who or how many bad guys there are, they really don’t have much of a choice, but that certainly doesn’t improve morale.

One of the guys the Times interviewed for the article was a former TAO operative.  TAO is the NSA’s most elite group of hackers.  He said that Shadow Broker had details that even most of his fellow NSA employees didn’t have, so exactly how big is this leak anyway?  And is the leaker still there?  Is the leaker an insider?  Or have the Ruskies totally penetrated the NSA?

And, of course, the NSA has to start over finding new bugs in systems since the vendors have, in many cases, patched the bugs that the NSA tools used.  Then we have that NSA developer in Vietnam who took homework and ultimately fed it to the Ruskies – not on purpose, but the effect is the same.

It just hasn’t been a good couple of years for the NSA or the intelligence community.  On the other hand, as we hear more about the hacking of the elections last year, the Russians seem to be doing pretty well.

One last thought before I wrap this up.

The government, many years ago, decided that OFFENSIVE security was much more important than DEFENSIVE security.  This is why the NSA hordes security vulnerabilities instead of telling the vendors to fix them.  Maybe that is an idea that needs to change.  It certainly does not seem to be working out very well for the American citizens and businesses.

Until that happens, you are pretty much on your own.  Just sayin’.

Information for this post came from a great article in the New York Times.

Facebooktwitterredditlinkedinmailby feather

NSA Hack Appears Real – Sort Of

Last week a group of hackers called Shadow Brokers claimed to have a group of NSA hacker tools available for sale on the dark web.  The tools were supposedly stolen from the Equation Group which has been loosely linked to the NSA.

If all of this is true, then the reality is that the NSA wasn’t hacked but rather a possible NSA vendor was hacked.

The newest files that were made available by the sellers to validate their claim were dated in 2013, around the time of the Snowden breach.

Some of the exploits targeted routers and firewalls from every major vendor – Cisco, Fortinet, Juniper and Topsec (Chinese).  The initial request said that if they got 1 million bitcoins (or around a half billion dollars), they would release all the code publicly.   The hackers, in broken English, said “If electronic data go bye bye where leave Wealthy Elites?” .  Certainly if all of this true, they could wreak some havoc.

Snowden Tweeted that the hack may have been of a staging server that was abandoned, possibly after his release of documents, and someone either forgot about it or got sloppy and did not wipe it.  That seems a whole lot more plausible than hacking the NSA itself.  Still, the tools would be very interesting.

Snowden suggests that whoever released these tools (Russia) did so as a warning to the U.S. that if they tried to tie the DNC hack to the Russians, they would fight back and expose U.S. hacks of other countries, likely countries friendly to the U.S., causing diplomatic problems.

This winds up being a chess game as everyone hacks everyone else, whether they are friends or not.

The Intercept (Glen Greenwald who broke the original Snowden story), says that the tools are genuine NSA.  That does not mean, however, that the release is the result of a hack of the NSA, only a hack of someone who had a copy of the tools for whatever reason – possibly because they developed them for the NSA.

A manual that had not been previously released by Snowden refers to tagging the NSA’s use of a particular malware program with the string “ace02468bdf13579” .  Guess what – that string appears in the released code of one tool called SECONDDATE.  Since the manual was not public until now, there would be no way for copycats to inject that string if it was not put there by NSA operatives.

If these tools were really in the possession of Russia, how long have they had them (years, possibly) and have they used them against Western organizations.  Tools don’t know who the good guys and the bad guys are – they just work if they are coded right.

This could mean that the sellers may have used them and, possibly, some of the holes may have been  coincidentally patched making the tools less useful (since not everyone applies patches).

Apparently, according to documentation released, SECONDDATE intercepts web requests and redirects them to an NSA controlled server, where the server replies with malware, infecting the requestor.  Believe it or not, this is definitely possible, no question about it.  In fact, some known attacks have used this technique.  Again according to documents, this tool was used to spy on Pakistan and Lebanon.  According to this manual, agents had to use the string above to avoid reinfection of target systems.  That string appears 14 times in the files that Shadow Broker released.

The Intercept article goes into detail on a number of other tools that were released.

What we think we know is that these tools were likely connected to NSA activities, but we have no idea how they were gotten.  We know that they are years old and date to the time of the Snowden leaks.  We also know that, based on the limited set of tools that were released, the NSA has some neat stuff.

If the attackers do eventually release all of the code, it will likely identify more zero day exploits that the vendors can close, but as far as I can tell, there are way more where those came from, so don’t worry that the NSA is going to go out of business.  I guess that is good news/bad news.  Good news that the NSA will continue to have tools, even though they obviously don’t like it when their tools are exposed.  Bad news in that the we don’t know who had access to these tools, for how long, and whether or not other agents from non-friendly countries used them against us.

This story just gets wilder.

Information for this post came from Network World, The Intercept and Network World again.

Facebooktwitterredditlinkedinmailby feather

GCHQ Outed – Collecting Just As Much Data As The NSA

As I said last night in the article about the European Court of Justice, every national intelligence agency that has the ability to do so is vacuuming data from the Internet.

The Intercept wrote a very detailed article analyzing some new documents from the Edward Snowden document dump.  The article links to the original documents for those who are interested in even more details.

The goal of this particular program was simple:  Record the website browsing habits of “every visible user on the Internet”.  Pretty simple.  A lot of data.

The program, called Karma Police, was launched by GCHQ, the British equivalent of the NSA, about 7 years ago, quietly.

The documents reveal a series of interrelated programs.  One profiles your browsing habits.  Another analyzes instant messages, emails, Skype usage, text messages, cell phone locations and social media use.  Still other programs track “suspicious” Google searches and another the usage of Google Maps.

Just like the formerly secret NSA programs, the British programs do away with the need for court orders or warrants.

According to the documents, in 2010 GCHQ was logging about 30 billion records a day.  By 2012 they were up to 50 billion records a day with plans to upgrade it to 100 billion records a day.  The claim was that this would be the biggest government surveillance system in the world.

One use, for example, was to collect intelligence about what Internet radio stations people were listening to.  Suspicious listening habits call for more surveillance.  The web browsing habits could be examined.  For one lucky soul who was targeted, they discovered that, in addition to a suspicious radio station, the person also visited Facebook, Yahoo, You Tube, the porn site Redtube, Blogspot and other web sites.

The code name Karma Police likely comes from the British band  Radiohead’s song of the same name.  The lyrics “This is what you’ll get, when you mess with us” is repeated throughout the song.

Like similar NSA programs, the raw data is fed into a holding pen, in this case called The Black Hole.  Between 2007 and 2009, it collected 1.1 trillion events or about 10 billion a day.  Given other numbers in the documents, that volume is likely many times that big now.

Given the volume of data, analysis tools are needed.  One tool, called MUTANT BROTH, was used to sift through all of the cookies captured to correlate data to a particular user.  They can use the cookies to figure out what you do at what time of day.

You may remember that the Dutch SIM card maker Gemalto was hacked (that was revealed last year).  These documents indicate that GCHQ was behind that attack and it now makes sense.  At the time, Gemalto said that the hackers only got 2G (second generation) cellphone SIM card crypto keys, not the 3G or 4G SIMs used in the US and Britain.  Why would the hackers want that?  Because it is likely that middle eastern countries are still running 2G cell networks.  Make sense?  They used the data from Karma Police to target Gemalto employees and then hack their computers to hack the encryption keys they wanted.  While Gemalto denied it, it may be that there was not enough isolation between the administrative network and the network where the encryption keys were stored.

In addition to these programs, there are many other programs, each of which has a special function – analyze emails, analyze search engine queries, look at Google Map queries and other things.

Because of Britain’s location on the planet, many fiber optic cables between the U.S. and the rest of the world flow through Britain, making them a rich opportunity for tapping.  In 2010, GCHQ said there were 1,600 cables passing through Britain and they could tap most of them.  One would assume that capability has increased since then.

Like with the NSA, the rules say that GCHQ is not supposed read the content of citizen’s data they snare, but that does not include metadata of citizens.  This loophole of sifting through the metadata of British citizens also allows for the same action for citizens of the Five Eyes (US, Britain, Canada, Australia and New Zealand).

Because of the volume of data, like with the NSA, GCHQ stores the metadata for between 30 and 180 days and communications for 3 to 30 days, unless they want to keep it longer.

In one document it says that, compared to oversight rules in the U.S., the U.K. has “a light oversight regime”.

One challenge for all of the intelligence agencies is encryption.  While most encryption may not be bullet proof, it is likely bullet resistant and until the encryption is cracked you may not know whether the content is about what to bring home from the store or who the next terrorist target is.

It will be interesting to see if the Brits make a big deal over this.

Information for this post came from The Intercept.

Facebooktwitterredditlinkedinmailby feather

NSA, GCHQ Hack Anti Virus Software Vendors

A newly published article in The Intercept says that the NSA and GCHQ hacked anti virus vendor’s software and networks in order to “neutralize the threat” posed by that software.  Based on newly released Edward Snowden documents, GCHQ obtained a warrant in 2008-2009 to  have legal permission to monitor web traffic, hack email and reverse engineer the software in order to find weaknesses (see article).

The NSA examined emails to anti virus vendors to find new malware and vulnerabilities.

One would assume that these agencies want to use these newly discovered vulnerabilities before they are patched.

According to the warrant request, GCHQ considered Kaspersky’s software an obstruction to its hacking operation and need to reverse engineer it to find ways to neutralize the problem.  They said that they needed to exploit Kaspersky’s software in order to prevent the detection of our activities.

The NSA discovered, back in 2008, according to the leaked documents, that Kaspersky’s software transmitted sensitive information back to the company’s servers.  Apparently, Kaspersky encodes information in the header of the request, like you often see on the command line in your browser, and that information allowed NSA to get information like serial numbers, the service plan paid for and configuration.  Sending this information in the header is often done, but is a bad security practice unless it is encrypted, which it typically is not.  The Intercept tested Kaspersky software last month and found that it did transmit some information back to Kaspersky’s servers unencrypted.  They, of all people, should know better.

Again according the released documents, NSA and GCHQ have targeted 25 or more non-American and non-British anti virus vendors. Missing from the list are McAfee and Sophos.  Whether the NSA and GCHQ did not think those were legitimate targets because they were not foreign companies (McAfee is a U.S. company, Sophos is British) or whether they were targeted under different authority is not clear.

Gene Kaspersky, in particular, has been a thorn in the side of the intelligence agencies over the years.  Just this month he revealed the attack, suspected to be from Israel, of the hotels hosting the Iran nuclear talks.

Not suprisingly, NSA and GCHQ declined to comment for the article.

From the NSA’s viewpoint, anti malware vendor’s are a threat to them – from uncovering the agency’s own malware to alerting about holes in software which the NSA and GCHQ would prefer to keep to themselves.

When U.S. Cyber Command was set up and placed until the control of the NSA, privacy advocates said that it was impossible for the NSA to serve two masters – protect U.S. citizens and hack foreign ones.  If they found a vulnerability, do they tell the vendor so that they can fix it and foreign hackers and intelligence agencies can’t use it against U.S. citizens and companies or do they keep it to themselves to use against their targets?  Historically, the NSA has been accused of not revealing bugs.

In fact, as recently as last year, the President confirmed the authority that the NSA has to not reveal security holes if they are useful for national security purposes (see article).   This should not come as a big surprise to anyone and foreign intelligence services are likely doing the same thing.  I am sure that, in some cases, the agencies trade vulnerabilities like the rest of trade MP3 files.

What this means to you and me is that we should not count on the government – ours or anyone else’s – to protect us from cyber threats – especially in those cases where the threat is counter to their own interests.

 

 

 

 

 

Facebooktwitterredditlinkedinmailby feather

Is your encryption secure? – Sure, just like flying pigs (keep reading)

Der Spiegel wrote an article on efforts by the NSA and GCHQ (their British equivalent) to crack encryption of various sorts.

Take the article at what it is worth;  it is based on documents that Snowden released, so it is a little bit old.

I apologize that this post is pretty long, but there is a lot of information in the article and I think it is useful to understand what the state of the art is.  If you think the NSA is, in any way, trying to accomplish different goals than say the Russian FSB, then you are wrong. They are likely ahead of the hacker community only because they have a $10 billion annual budget.

For most people, keeping the NSA out is not your goal, but if the NSA figures out a sneaky way to break something, it is likely that, at some point, a hacker may figure it out too.  If the NSA has to spend a million dollars to crack something, that is probably out of the realm of possibility of the hackers – until next year when it costs a quarter of that.  Unless, of course, that hacker works for an unfriendly government.

The Cliff Notes version goes like this.  If you want a longer version, read the article :).  When I refer to the NSA below, I really mean all the NSA like agencies in every country, friendly or not.

  • Sustained (meaning, I assume, ongoing) Skype data collection began in February 2011, according to an NSA training document.  In the fall of 2011, the code crackers declared their mission accomplished.
  • Since that same time (February 2011), Skype has been under order from the secret U.S. FISA court to not only supply information to the NSA, but also to make itself accessible as a source of data for the agency.  Whatever that exactly means is unclear, but it is likely not good for your privacy.
  • The NSA considers all use of encryption (except by them, I assume) a threat to their mission and it likely is.  If they cannot snoop, what use are they?  If people start using high quality encryption, they will make the snoop’s jobs that much harder.  But not impossible.
  • If you look in the dictionary for the word “packrat”, it will say, “see U.S. NSA”.  They horde data like you would not believe.  In fact, the rules that govern how long the NSA can keep data exclude encrypted data.  That they can keep forever.  So, if they ever figure out how to decrypt something, they can go back and look at the stuff that they have in inventory and figure out how much of that they can now decrypt and analyze.
  • In the leaked Snowden documents was a presentation from 2012 talking about NSA successes and failures regarding crypto.  Apparently, they categorize crypto into 5 levels from trivial to catastrophic.
  • Monitoring a document’s path through the Internet is considered trivial.
  • Recording Facebook chats is considered minor.
  • Decrypting mail sent via the Russian mail service Mail.ru is considered moderate.
  • The mail service Zoho and TOR are considered major problems (level 4).
  • Truecrypt also causes them major problems as does OTR, the encrypted IM protocol.  The Truecrypt project mysteriously shut down last year with no explanation.  Was it because the NSA was pressuring them?  No one knows or if they do, they are not talking.
  • It seems clear that open source software, while it probably contains as many weaknesses and bugs as closed source software, is much harder for organizations like the NSA to compromise because people CAN look at the source code.  Most people don’t have the skills, but there are enough geeks out there that obvious back doors in the code will likely be outed.  With Microsoft or Apple, that check and balance does not exist.
  • Things become catastrophic for the NSA at level 5.  The IM system CSpace and the VoIP protocol ZRTP (the Z stands for Phil Zimmerman for those of you who know of him) are or were level 5.  ZRTP is used by Redphone, an open source, encrypted, VoIP solution.
  • Apparently PGP, although it is 20 years old, also lands in the NSA’s category 5.
  • Cracking VPNs is also high on the NSA’s list. The Der Spiegel article doesn’t go into a lot of detail here other than to say that the NSA  has a lot of people working on it.  They were processing 1,000 VPN decrypt requests an hour in 2009 and expected to process 100,000 per hour by the end of 2011.  Their plan, according to Der Spiegel, was to be able to decrypt 20% of these  – i.e. 20,000 VPN connections per hour.  That was in 2011.  This is almost 2015.  You do the math.
  • The older VPN protocol PPTP is reported to be easy for them to crack while IPSEC seems to be harder.
  • SSL or it’s web nickname HTTPS is apparently no problem for them at all.  According to an NSA document, they planned to crack 10 million SSL connections a day by 2012.
  • Britian’s GCHQ has a database called FLYING PIG that catalogs SSL and TLS activity and produces weekly trend reports.  The number of cataloged SSL connections in FLYING PIG for just one week for the top 40 sites was in the billions.  This is a big database, apparently.
  • The NSA Claims that it can sometimes decrypt SSH sessions (I assume this is due to the user’s choice of bad cryptographic keys).  SSH is often used by admins to remotely access servers.
  • NSA participates in the standards processes to actively weaken cryptographic standards – even though this ultimately hurts U.S. businesses;  it also furthers the NSA’s mission.
  • The NSA steals cryptographic keys whenever possible.  Why do things the hard way when the simple way is an option.

While most hackers are not as smart or well funded as the NSA or the British GCHQ, sometimes luck is on their side.  Other, less friendly governments (think IRAN for example), might be willing to spend hundreds of millions of dollars to mess with the U.S. and since the don’t have to pay their scientists very much (the alternative to working for those governments might be being dead), their money likely goes further.

Would Iran or someone like them enjoy taking down the northeast power grid and darken the U.S from Boston to Virginia.  To quote a former vice presidential candidate – You betcha.  If they could damage the grid so that it took longer to get the lights back on (see the item from the other day on the attack on the German steel plant) would that be an extra benefit. You betcha.

So while I am using the NSA as an example, you could just as easily replace that with Iran, or Russia or China.

Being prepared is probably a good plan.

Mitch

 

Facebooktwitterredditlinkedinmailby feather

The NSA likes your sexually explicit content

Both the New York Times and USA Today reported on an interview with former NSA employee Edward Snowden that appeared in the Guardian.

In the interview, Snowden says that NSA analysts do exactly what you would expect twenty something single guys to do when they come across sexually explicit pictures as part of looking for terrorists.  They share it with other analysts, who share it again.

Snowden says – and this does not particularly conflict with anything the brass has said – that most of what is being collected is not the communications of ‘targets’ – their code word for potential terrorists – but rather the communications of your neighbors, including intimate communications of consenting adults.

Assume that during the course of their normal search activities they come across a nude photograph of a cute young thing in a sexually compromising position.   Purely coincidental to what they are searching for.  Assume that she is not holding a block of C4 or Semtex (military grade explosives) while in this compromising situation.

What SHOULD happen is the analyst should go about his business looking for people trying to harm the United States.  What DOES happen is that he shows it to the guy in the next cube.  Then they share it with Bill and Bill shares it with Sam.  You get the idea.

Does this happen every time?   Highly unlikely.  Does it happen sometimes?  Highly likely.  Is there anything you can do about it?  Probably not directly, but get involved in the political process.  Ask your politicians what their position is on government snooping.  Vote.  Speak out.  It will not change things overnight, but if we don’t participate, it likely will get worse.

Of course the person in the photo has no clue that she has become a virtual pinup girl inside the NSA.  In fact, she has no way of knowing that the photo or sext has found it’s way into an NSA database.

They call it a fringe benefit s of working at the NSA.

I suspect that some in the NSA will deny this is happening.

Remember that this is the same agency that allowed a 29 year old contractor to walk out the door with almost 2 million documents and were not aware of that until he told them, so I would not particularly believe that they know the answer to your question.

Think about that before you send that next intimate text or email.  Someone may be watching you.  And sharing it.

M

Facebooktwitterredditlinkedinmailby feather