On Mar 12, 2014, at 10:39 PM, coderman <[email protected]> wrote:

> so they've been spending tens of millions every year to red team privacy enhancing technologies.
>
> when do we get to see the results and improve our tools?
>
> ;)
>
This is the problem with Devops. If it was just good ol' sysadmining there wouldn't be this level of automation, so the NSA would have to infect everyone manually. I knew the Devops movement was going to bite us in the ass. |-)

> https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/
> ---
> How the NSA Plans to Infect 'Millions' of Computers with Malware
> By Ryan Gallagher and Glenn Greenwald 12 Mar 2014, 9:19 AM EDT
>
> Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.
>
> The classified files - provided previously by NSA whistleblower Edward Snowden - contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware "implants." The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.
>
> The covert infrastructure that supports the hacking efforts operates from the agency's headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.
>
> In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target's computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer's microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.
>
> The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system - codenamed TURBINE - is designed to "allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually."
>
> In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the "Expert System," which is designed to operate "like the brain." The system manages the applications and functions of the implants and "decides" what tools they need to best extract data from infected machines.
>
> Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm F-Secure, calls the revelations "disturbing." The NSA's surveillance techniques, he warns, could inadvertently be undermining the security of the Internet.
>
> "When they deploy malware on systems," Hypponen says, "they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties."
>
> Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be "out of control."
>
> "That would definitely not be proportionate," Hypponen says. "It couldn't possibly be targeted and named. It sounds like wholesale infection and wholesale surveillance."
>
> The NSA declined to answer questions about its deployment of implants, pointing to a new presidential policy directive announced by President Obama. "As the president made clear on 17 January," the agency said in a statement, "signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes."
>
> "Owning the Net"
>
> The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret internal records, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands.
>
> To penetrate foreign computer networks and monitor communications that it did not have access to through other means, the NSA wanted to go beyond the limits of traditional signals intelligence, or SIGINT, the agency's term for the interception of electronic communications. Instead, it sought to broaden "active" surveillance methods - tactics designed to directly infiltrate a target's computers or network devices.
>
> In the documents, the agency describes such techniques as "a more aggressive approach to SIGINT" and says that the TAO unit's mission is to "aggressively scale" these operations.
>
> But the NSA recognized that managing a massive network of implants is too big a job for humans alone.
>
> "One of the greatest challenges for active SIGINT/attack is scale," explains the top-secret presentation from 2009. "Human 'drivers' limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture)."
>
> The agency's solution was TURBINE. Developed as part of the TAO unit, it is described in the leaked documents as an "intelligent command and control capability" that enables "industrial-scale exploitation."
>
> TURBINE was designed to make deploying malware much easier for the NSA's hackers by reducing their role in overseeing its functions. The system would "relieve the user from needing to know/care about the details," the NSA's Technology Directorate notes in one secret document from 2009. "For example, a user should be able to ask for 'all details about application X' and not need to know how and where the application keeps files, registry entries, user application data, etc."
>
> In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually - including the configuration of the implants as well as surveillance collection, or "tasking," of data from infected systems. But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact - allowing the agency to push forward into a new frontier of surveillance operations.
>
> The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to "increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants." (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.)
>
> Eventually, the secret files indicate, the NSA's plans for TURBINE came to fruition. The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations.
>
> Earlier reports based on the Snowden files indicate that the NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers.
>
> The intelligence community's top-secret "Black Budget" for 2013, obtained by Snowden, lists TURBINE as part of a broader NSA surveillance initiative named "Owning the Net."
>
> The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass "a wider variety" of networks and "enabling greater automation of computer network exploitation."
>
> Circumventing Encryption
>
> The NSA has a diverse arsenal of malware tools, each highly sophisticated and customizable for different purposes.
>
> One implant, codenamed UNITEDRAKE, can be used with a variety of "plug-ins" that enable the agency to gain total control of an infected computer.
>
> An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer's microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer's webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.
>
> The implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That's because the NSA's malware gives the agency unfettered access to a target's computer before the user protects their communications with encryption.
>
> It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world.
>
> Previous reports have alleged that the NSA worked with Israel to develop the Stuxnet malware, which was used to sabotage Iranian nuclear facilities. The agency also reportedly worked with Israel to deploy malware called Flame to infiltrate computers and spy on communications in countries across the Middle East.
>
> According to the Snowden files, the technology has been used to seek out terror suspects as well as individuals regarded by the NSA as "extremist." But the mandate of the NSA's hackers is not limited to invading the systems of those who pose a threat to national security.
>
> In one secret post on an internal message board, an operative from the NSA's Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator's computer, the agency can gain covert access to communications that are processed by his company. "Sys admins are a means to an end," the NSA operative writes.
>
> The internal post - titled "I hunt sys admins" - makes clear that terrorists aren't the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any "government official that happens to be using the network some admin takes care of."
>
> Similar tactics have been adopted by Government Communications Headquarters, the NSA's British counterpart. As the German newspaper Der Spiegel reported in September, GCHQ hacked computers belonging to network engineers at Belgacom, the Belgian telecommunications provider.
>
> The mission, codenamed "Operation Socialist," was designed to enable GCHQ to monitor mobile phones connected to Belgacom's network. The secret files deem the mission a "success," and indicate that the agency had the ability to covertly access Belgacom's systems since at least 2010.
>
> Infiltrating cellphone networks, however, is not all that the malware can be used to accomplish. The NSA has specifically tailored some of its implants to infect large-scale network routers used by Internet service providers in foreign countries. By compromising routers - the devices that connect computer networks and transport data packets across the Internet - the agency can gain covert access to monitor Internet traffic, record the browsing sessions of users, and intercept communications.
>
> Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform "exploitation attacks" against data that is sent through a Virtual Private Network, a tool that uses encrypted "tunnels" to enhance the security and privacy of an Internet session.
>
> The implants also track phone calls sent across the network via Skype and other Voice Over IP software, revealing the username of the person making the call. If the audio of the VOIP conversation is sent over the Internet using unencrypted "Real-time Transport Protocol" packets, the implants can covertly record the audio data and then return it to the NSA for analysis.
>
> But not all of the NSA's implants are used to gather intelligence, the secret files show. Sometimes, the agency's aim is disruption rather than surveillance. QUANTUMSKY, a piece of NSA malware developed in 2004, is used to block targets from accessing certain websites. QUANTUMCOPPER, first tested in 2008, corrupts a target's file downloads. These two "attack" techniques are revealed on a classified list that features nine NSA hacking tools, six of which are used for intelligence gathering. Just one is used for "defensive" purposes - to protect U.S. government networks against intrusions.
>
> "Mass exploitation potential"
>
> Before it can extract data from an implant or use it to attack a system, the NSA must first install the malware on a targeted computer or network.
>
> According to one top-secret document from 2012, the agency can deploy malware by sending out spam emails that trick targets into clicking a malicious link. Once activated, a "back-door implant" infects their computers within eight seconds.
>
> There's only one problem with this tactic, codenamed WILLOWVIXEN: According to the documents, the spam method has become less successful in recent years, as Internet users have become wary of unsolicited emails and less likely to click on anything that looks suspicious.
>
> Consequently, the NSA has turned to new and more advanced hacking techniques. These include performing so-called "man-in-the-middle" and "man-on-the-side" attacks, which covertly force a user's internet browser to route to NSA computer servers that try to infect them with an implant.
>
> To perform a man-on-the-side attack, the NSA observes a target's Internet traffic using its global network of covert "accesses" to data as it flows over fiber optic cables or satellites. When the target visits a website that the NSA is able to exploit, the agency's surveillance sensors alert the TURBINE system, which then "shoots" data packets at the targeted computer's IP address within a fraction of a second.
>
> In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target's computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.
>
> The documents show that QUANTUMHAND became operational in October 2010, after being successfully tested by the NSA against about a dozen targets.
>
> According to Matt Blaze, a surveillance and cryptography expert at the University of Pennsylvania, it appears that the QUANTUMHAND technique is aimed at targeting specific individuals. But he expresses concerns about how it has been covertly integrated within Internet networks as part of the NSA's automated TURBINE system.
>
> "As soon as you put this capability in the backbone infrastructure, the software and security engineer in me says that's terrifying," Blaze says.
>
> "Forget about how the NSA is intending to use it. How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?"
>
> In an email statement to The Intercept, Facebook spokesman Jay Nancarrow said the company had "no evidence of this alleged activity." He added that Facebook implemented HTTPS encryption for users last year, making browsing sessions less vulnerable to malware attacks.
>
> Nancarrow also pointed out that other services besides Facebook could have been compromised by the NSA. "If government agencies indeed have privileged access to network service providers," he said, "any site running only [unencrypted] HTTP could conceivably have its traffic misdirected."
>
> A man-in-the-middle attack is a similar but slightly more aggressive method that can be used by the NSA to deploy its malware. It refers to a hacking technique in which the agency covertly places itself between computers as they are communicating with each other.
>
> This allows the NSA not only to observe and redirect browsing sessions, but to modify the content of data packets that are passing between computers.
>
> The man-in-the-middle tactic can be used, for instance, to covertly change the content of a message as it is being sent between two people, without either knowing that any change has been made by a third party. The same technique is sometimes used by criminal hackers to defraud people.
>
> A top-secret NSA presentation from 2012 reveals that the agency developed a man-in-the-middle capability called SECONDDATE to "influence real-time communications between client and server" and to "quietly redirect web-browsers" to NSA malware servers called FOXACID. In October, details about the FOXACID system were reported by the Guardian, which revealed its links to attacks against users of the Internet anonymity service Tor.
>
> But SECONDDATE is tailored not only for "surgical" surveillance attacks on individual suspects. It can also be used to launch bulk malware attacks against computers.
>
> According to the 2012 presentation, the tactic has "mass exploitation potential for clients passing through network choke points."
>
> Blaze, the University of Pennsylvania surveillance expert, says the potential use of man-in-the-middle attacks on such a scale "seems very disturbing." Such an approach would involve indiscriminately monitoring entire networks as opposed to targeting individual suspects.
>
> "The thing that raises a red flag for me is the reference to 'network choke points,'" he says. "That's the last place that we should be allowing intelligence agencies to compromise the infrastructure - because that is by definition a mass surveillance technique."
>
> To deploy some of its malware implants, the NSA exploits security vulnerabilities in commonly used Internet browsers such as Mozilla Firefox and Internet Explorer.
>
> The agency's hackers also exploit security weaknesses in network routers and in popular software plugins such as Flash and Java to deliver malicious code onto targeted machines.
>
> The implants can circumvent anti-virus programs, and the NSA has gone to extreme lengths to ensure that its clandestine technology is extremely difficult to detect. An implant named VALIDATOR, used by the NSA to upload and download data to and from an infected machine, can be set to self-destruct - deleting itself from an infected computer after a set time expires.
>
> In many cases, firewalls and other security measures do not appear to pose much of an obstacle to the NSA. Indeed, the agency's hackers appear confident in their ability to circumvent any security mechanism that stands between them and compromising a computer or network. "If we can get the target to visit us in some sort of web browser, we can probably own them," an agency hacker boasts in one secret document. "The only limitation is the 'how.'"
>
> Covert Infrastructure
>
> The TURBINE implants system does not operate in isolation.
>
> It is linked to, and relies upon, a large network of clandestine surveillance "sensors" that the agency has installed at locations across the world.
>
> The NSA's headquarters in Maryland are part of this network, as are eavesdropping bases used by the agency in Misawa, Japan and Menwith Hill, England.
>
> The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet.
>
> When TURBINE implants exfiltrate data from infected computer systems, the TURMOIL sensors automatically identify the data and return it to the NSA for analysis. And when targets are communicating, the TURMOIL system can be used to send alerts or "tips" to TURBINE, enabling the initiation of a malware attack.
>
> The NSA identifies surveillance targets based on a series of data "selectors" as they flow across Internet cables. These selectors, according to internal documents, can include email addresses, IP addresses, or the unique "cookies" containing a username or other identifying information that are sent to a user's computer by websites such as Google, Facebook, Hotmail, Yahoo, and Twitter.
>
> Other selectors the NSA uses can be gleaned from unique Google advertising cookies that track browsing habits, unique encryption key fingerprints that can be traced to a specific user, and computer IDs that are sent across the Internet when a Windows computer crashes or updates.
>
> What's more, the TURBINE system operates with the knowledge and support of other governments, some of which have participated in the malware attacks.
>
> Classification markings on the Snowden documents indicate that NSA has shared many of its files on the use of implants with its counterparts in the so-called Five Eyes surveillance alliance - the United Kingdom, Canada, New Zealand, and Australia.
>
> GCHQ, the British agency, has taken on a particularly important role in helping to develop the malware tactics. The Menwith Hill satellite eavesdropping base that is part of the TURMOIL network, located in a rural part of Northern England, is operated by the NSA in close cooperation with GCHQ.
>
> Top-secret documents show that the British base - referred to by the NSA as "MHS" for Menwith Hill Station - is an integral component of the TURBINE malware infrastructure and has been used to experiment with implant "exploitation" attacks against users of Yahoo and Hotmail.
>
> In one document dated 2010, at least five variants of the QUANTUM hacking method were listed as being "operational" at Menwith Hill. The same document also reveals that GCHQ helped integrate three of the QUANTUM malware capabilities - and test two others - as part of a surveillance system it operates codenamed INSENSER.
>
> GCHQ cooperated with the hacking attacks despite having reservations about their legality. One of the Snowden files, previously disclosed by Swedish broadcaster SVT, revealed that as recently as April 2013, GCHQ was apparently reluctant to get involved in deploying the QUANTUM malware due to "legal/policy restrictions." A representative from a unit of the British surveillance agency, meeting with an obscure telecommunications standards committee in 2010, separately voiced concerns that performing "active" hacking attacks for surveillance "may be illegal" under British law.
>
> In response to questions from The Intercept, GCHQ refused to comment on its involvement in the covert hacking operations. Citing its boilerplate response to inquiries, the agency said in a statement that "all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight."
>
> Whatever the legalities of the United Kingdom and United States infiltrating computer networks, the Snowden files bring into sharp focus the broader implications. Under cover of secrecy and without public debate, there has been an unprecedented proliferation of aggressive surveillance techniques. One of the NSA's primary concerns, in fact, appears to be that its clandestine tactics are now being adopted by foreign rivals, too.
>
> "Hacking routers has been good business for us and our 5-eyes partners for some time," notes one NSA analyst in a top-secret document dated December 2012. "But it is becoming more apparent that other nation states are honing their skillz [sic] and joining the scene."
>
> ------
>
> Documents published with this article:
>
> Menwith Hill Station Leverages XKeyscore for Quantum Against Yahoo and Hotmail
> Five Eyes Hacking Large Routers
> NSA Technology Directorate Analysis of Converged Data
> Selector Types
> There Is More Than One Way to Quantum
> NSA Phishing Tactics and Man in the Middle Attacks
> Quantum Insert Diagrams
> The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics
> TURBINE and TURMOIL
> VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN
> Industrial-Scale Exploitation
> Thousands of Implants
>
> ---
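The man-on-the-side race that the quoted article describes (a passive tap sees the target's request, and a packet is "shot" at the target's address before the real server can answer) comes down to one property of TCP: the receiver keeps the first segment that carries the sequence number it is waiting for and silently drops any later copy. The following is an added example, not code from the article, the mailing-list message, or any of the programs named in it. It models that race with a toy in-order receiver and then runs the passive check a defender can apply to a capture: since a man-on-the-side injector cannot suppress the real reply, both answers reach the wire, and two segments from the same server address with the same sequence number but different bytes give the injection away. All addresses, sequence numbers, TTLs, timings and payloads are constructed for the demonstration.

```python
# Added example, not code from the quoted article or the mailing-list message:
# a toy model of a man-on-the-side packet injection race, plus the passive
# duplicate-segment check a defender can run over a capture. Every address,
# sequence number, TTL, delay and payload below is constructed.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The handful of TCP/IP fields the race and the check actually depend on."""
    src: str
    dst: str
    seq: int        # sequence number of the first payload byte
    ack: int        # next sequence number expected from the peer
    ttl: int        # hop count left when the segment was captured
    payload: bytes
    t_ms: float     # arrival time at the client, milliseconds after the GET


# Constructed client request as a tap on the path would see it. The injector
# learns everything it needs from this single packet: the endpoints, and the
# server sequence number the client will accept next (the client's ack).
CLIENT_GET = Segment(
    src="10.0.0.5", dst="203.0.113.10", seq=1001, ack=5001, ttl=64,
    payload=b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", t_ms=0.0,
)


def reply_to(request: Segment, body: bytes, ttl: int, delay_ms: float) -> Segment:
    """Build the segment that answers `request`. The real server and the
    injector do exactly the same arithmetic: swap endpoints, use the client's
    ack as seq so the bytes are accepted in order, and ack what the client
    sent. Only the origin, and hence the TTL and the timing, differs."""
    return Segment(
        src=request.dst, dst=request.src,
        seq=request.ack, ack=request.seq + len(request.payload),
        ttl=ttl, payload=body, t_ms=request.t_ms + delay_ms,
    )


def receive_in_order(expected_seq: int, segments: list[Segment]) -> list[Segment]:
    """Toy receiver: the first segment carrying the expected sequence number
    wins; a later segment for an already-consumed range is dropped as a
    duplicate without any error. This is the behaviour the race exploits."""
    accepted: list[Segment] = []
    next_seq = expected_seq
    for seg in sorted(segments, key=lambda s: s.t_ms):
        if seg.seq == next_seq:
            accepted.append(seg)
            next_seq += len(seg.payload)
    return accepted


def race(server_delay_ms: float, injector_delay_ms: float):
    """Run one request through a man-on-the-side race.

    Returns (winner, payload_the_client_accepted, segments_seen_on_the_wire).
    The winner is decided purely by who is closer to the client."""
    legit = reply_to(CLIENT_GET, b"HTTP/1.1 200 OK\r\n\r\n<html>real page</html>",
                     ttl=52, delay_ms=server_delay_ms)
    spoof = reply_to(CLIENT_GET,
                     b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n",
                     ttl=61, delay_ms=injector_delay_ms)
    accepted = receive_in_order(CLIENT_GET.ack, [legit, spoof])
    winner = "injected" if accepted[0] is spoof else "legitimate"
    return winner, accepted[0].payload, [legit, spoof]


def find_injection(capture: list[Segment]) -> list[tuple[Segment, Segment]]:
    """Passive check over a capture taken near the client: report every pair of
    segments with the same (src, dst, seq) but different payloads. A TTL gap
    between the two is a hint about a different origin, not proof, since an
    injector chooses its own TTL."""
    first_seen: dict[tuple[str, str, int], Segment] = {}
    alerts: list[tuple[Segment, Segment]] = []
    for seg in sorted(capture, key=lambda s: s.t_ms):
        key = (seg.src, seg.dst, seg.seq)
        earlier = first_seen.get(key)
        if earlier is None:
            first_seen[key] = seg
        elif earlier.payload != seg.payload:
            alerts.append((earlier, seg))
    return alerts


if __name__ == "__main__":
    for server_ms, injector_ms in ((40.0, 3.0), (2.0, 3.0)):
        winner, payload, wire = race(server_ms, injector_ms)
        status = payload.split(b"\r\n")[0]
        print(f"server {server_ms}ms vs injector {injector_ms}ms: "
              f"{winner} answer wins, client sees {status!r}")
        for a, b in find_injection(wire):
            print(f"  ALERT {a.src}->{a.dst} seq={a.seq}: two different payloads, "
                  f"ttl {a.ttl} then {b.ttl}")
```

Two things follow from the receiver rule. First, the injector never has to block anything, which is what makes the attack feasible from a passive tap: being a few milliseconds closer than the origin server is enough, and the real answer is discarded as a retransmission. Second, the detection above is cheap precisely because the real answer still arrives; run it over a capture near the client, not at the injection point. The HTTPS remark attributed to Facebook in the article fits the same model: the injector can still win the race on a TLS connection, but bytes it inserts do not authenticate under the session keys, so the client aborts the connection instead of following a redirect.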
