Tag Archives: Snowden

NSA, GCHQ Hack Anti Virus Software Vendors

A newly published article in The Intercept says that the NSA and GCHQ hacked anti virus vendor’s software and networks in order to “neutralize the threat” posed by that software.  Based on newly released Edward Snowden documents, GCHQ obtained a warrant in 2008-2009 to  have legal permission to monitor web traffic, hack email and reverse engineer the software in order to find weaknesses (see article).

The NSA examined emails to anti virus vendors to find new malware and vulnerabilities.

One would assume that these agencies want to use these newly discovered vulnerabilities before they are patched.

According to the warrant request, GCHQ considered Kaspersky’s software an obstruction to its hacking operation and need to reverse engineer it to find ways to neutralize the problem.  They said that they needed to exploit Kaspersky’s software in order to prevent the detection of our activities.

The NSA discovered, back in 2008, according to the leaked documents, that Kaspersky’s software transmitted sensitive information back to the company’s servers.  Apparently, Kaspersky encodes information in the header of the request, like you often see on the command line in your browser, and that information allowed NSA to get information like serial numbers, the service plan paid for and configuration.  Sending this information in the header is often done, but is a bad security practice unless it is encrypted, which it typically is not.  The Intercept tested Kaspersky software last month and found that it did transmit some information back to Kaspersky’s servers unencrypted.  They, of all people, should know better.

Again according the released documents, NSA and GCHQ have targeted 25 or more non-American and non-British anti virus vendors. Missing from the list are McAfee and Sophos.  Whether the NSA and GCHQ did not think those were legitimate targets because they were not foreign companies (McAfee is a U.S. company, Sophos is British) or whether they were targeted under different authority is not clear.

Gene Kaspersky, in particular, has been a thorn in the side of the intelligence agencies over the years.  Just this month he revealed the attack, suspected to be from Israel, of the hotels hosting the Iran nuclear talks.

Not suprisingly, NSA and GCHQ declined to comment for the article.

From the NSA’s viewpoint, anti malware vendor’s are a threat to them – from uncovering the agency’s own malware to alerting about holes in software which the NSA and GCHQ would prefer to keep to themselves.

When U.S. Cyber Command was set up and placed until the control of the NSA, privacy advocates said that it was impossible for the NSA to serve two masters – protect U.S. citizens and hack foreign ones.  If they found a vulnerability, do they tell the vendor so that they can fix it and foreign hackers and intelligence agencies can’t use it against U.S. citizens and companies or do they keep it to themselves to use against their targets?  Historically, the NSA has been accused of not revealing bugs.

In fact, as recently as last year, the President confirmed the authority that the NSA has to not reveal security holes if they are useful for national security purposes (see article).   This should not come as a big surprise to anyone and foreign intelligence services are likely doing the same thing.  I am sure that, in some cases, the agencies trade vulnerabilities like the rest of trade MP3 files.

What this means to you and me is that we should not count on the government – ours or anyone else’s – to protect us from cyber threats – especially in those cases where the threat is counter to their own interests.






Is your encryption secure? – Sure, just like flying pigs (keep reading)

Der Spiegel wrote an article on efforts by the NSA and GCHQ (their British equivalent) to crack encryption of various sorts.

Take the article at what it is worth;  it is based on documents that Snowden released, so it is a little bit old.

I apologize that this post is pretty long, but there is a lot of information in the article and I think it is useful to understand what the state of the art is.  If you think the NSA is, in any way, trying to accomplish different goals than say the Russian FSB, then you are wrong. They are likely ahead of the hacker community only because they have a $10 billion annual budget.

For most people, keeping the NSA out is not your goal, but if the NSA figures out a sneaky way to break something, it is likely that, at some point, a hacker may figure it out too.  If the NSA has to spend a million dollars to crack something, that is probably out of the realm of possibility of the hackers – until next year when it costs a quarter of that.  Unless, of course, that hacker works for an unfriendly government.

The Cliff Notes version goes like this.  If you want a longer version, read the article :).  When I refer to the NSA below, I really mean all the NSA like agencies in every country, friendly or not.

  • Sustained (meaning, I assume, ongoing) Skype data collection began in February 2011, according to an NSA training document.  In the fall of 2011, the code crackers declared their mission accomplished.
  • Since that same time (February 2011), Skype has been under order from the secret U.S. FISA court to not only supply information to the NSA, but also to make itself accessible as a source of data for the agency.  Whatever that exactly means is unclear, but it is likely not good for your privacy.
  • The NSA considers all use of encryption (except by them, I assume) a threat to their mission and it likely is.  If they cannot snoop, what use are they?  If people start using high quality encryption, they will make the snoop’s jobs that much harder.  But not impossible.
  • If you look in the dictionary for the word “packrat”, it will say, “see U.S. NSA”.  They horde data like you would not believe.  In fact, the rules that govern how long the NSA can keep data exclude encrypted data.  That they can keep forever.  So, if they ever figure out how to decrypt something, they can go back and look at the stuff that they have in inventory and figure out how much of that they can now decrypt and analyze.
  • In the leaked Snowden documents was a presentation from 2012 talking about NSA successes and failures regarding crypto.  Apparently, they categorize crypto into 5 levels from trivial to catastrophic.
  • Monitoring a document’s path through the Internet is considered trivial.
  • Recording Facebook chats is considered minor.
  • Decrypting mail sent via the Russian mail service Mail.ru is considered moderate.
  • The mail service Zoho and TOR are considered major problems (level 4).
  • Truecrypt also causes them major problems as does OTR, the encrypted IM protocol.  The Truecrypt project mysteriously shut down last year with no explanation.  Was it because the NSA was pressuring them?  No one knows or if they do, they are not talking.
  • It seems clear that open source software, while it probably contains as many weaknesses and bugs as closed source software, is much harder for organizations like the NSA to compromise because people CAN look at the source code.  Most people don’t have the skills, but there are enough geeks out there that obvious back doors in the code will likely be outed.  With Microsoft or Apple, that check and balance does not exist.
  • Things become catastrophic for the NSA at level 5.  The IM system CSpace and the VoIP protocol ZRTP (the Z stands for Phil Zimmerman for those of you who know of him) are or were level 5.  ZRTP is used by Redphone, an open source, encrypted, VoIP solution.
  • Apparently PGP, although it is 20 years old, also lands in the NSA’s category 5.
  • Cracking VPNs is also high on the NSA’s list. The Der Spiegel article doesn’t go into a lot of detail here other than to say that the NSA  has a lot of people working on it.  They were processing 1,000 VPN decrypt requests an hour in 2009 and expected to process 100,000 per hour by the end of 2011.  Their plan, according to Der Spiegel, was to be able to decrypt 20% of these  – i.e. 20,000 VPN connections per hour.  That was in 2011.  This is almost 2015.  You do the math.
  • The older VPN protocol PPTP is reported to be easy for them to crack while IPSEC seems to be harder.
  • SSL or it’s web nickname HTTPS is apparently no problem for them at all.  According to an NSA document, they planned to crack 10 million SSL connections a day by 2012.
  • Britian’s GCHQ has a database called FLYING PIG that catalogs SSL and TLS activity and produces weekly trend reports.  The number of cataloged SSL connections in FLYING PIG for just one week for the top 40 sites was in the billions.  This is a big database, apparently.
  • The NSA Claims that it can sometimes decrypt SSH sessions (I assume this is due to the user’s choice of bad cryptographic keys).  SSH is often used by admins to remotely access servers.
  • NSA participates in the standards processes to actively weaken cryptographic standards – even though this ultimately hurts U.S. businesses;  it also furthers the NSA’s mission.
  • The NSA steals cryptographic keys whenever possible.  Why do things the hard way when the simple way is an option.

While most hackers are not as smart or well funded as the NSA or the British GCHQ, sometimes luck is on their side.  Other, less friendly governments (think IRAN for example), might be willing to spend hundreds of millions of dollars to mess with the U.S. and since the don’t have to pay their scientists very much (the alternative to working for those governments might be being dead), their money likely goes further.

Would Iran or someone like them enjoy taking down the northeast power grid and darken the U.S from Boston to Virginia.  To quote a former vice presidential candidate – You betcha.  If they could damage the grid so that it took longer to get the lights back on (see the item from the other day on the attack on the German steel plant) would that be an extra benefit. You betcha.

So while I am using the NSA as an example, you could just as easily replace that with Iran, or Russia or China.

Being prepared is probably a good plan.



The NSA likes your sexually explicit content

Both the New York Times and USA Today reported on an interview with former NSA employee Edward Snowden that appeared in the Guardian.

In the interview, Snowden says that NSA analysts do exactly what you would expect twenty something single guys to do when they come across sexually explicit pictures as part of looking for terrorists.  They share it with other analysts, who share it again.

Snowden says – and this does not particularly conflict with anything the brass has said – that most of what is being collected is not the communications of ‘targets’ – their code word for potential terrorists – but rather the communications of your neighbors, including intimate communications of consenting adults.

Assume that during the course of their normal search activities they come across a nude photograph of a cute young thing in a sexually compromising position.   Purely coincidental to what they are searching for.  Assume that she is not holding a block of C4 or Semtex (military grade explosives) while in this compromising situation.

What SHOULD happen is the analyst should go about his business looking for people trying to harm the United States.  What DOES happen is that he shows it to the guy in the next cube.  Then they share it with Bill and Bill shares it with Sam.  You get the idea.

Does this happen every time?   Highly unlikely.  Does it happen sometimes?  Highly likely.  Is there anything you can do about it?  Probably not directly, but get involved in the political process.  Ask your politicians what their position is on government snooping.  Vote.  Speak out.  It will not change things overnight, but if we don’t participate, it likely will get worse.

Of course the person in the photo has no clue that she has become a virtual pinup girl inside the NSA.  In fact, she has no way of knowing that the photo or sext has found it’s way into an NSA database.

They call it a fringe benefit s of working at the NSA.

I suspect that some in the NSA will deny this is happening.

Remember that this is the same agency that allowed a 29 year old contractor to walk out the door with almost 2 million documents and were not aware of that until he told them, so I would not particularly believe that they know the answer to your question.

Think about that before you send that next intimate text or email.  Someone may be watching you.  And sharing it.