How the NSA hacks PCs, phones, routers, hard disks 'at speed of light': Spy tech catalog leaks
It's not as bad as you thought - it's much worse
Analysis: A leaked NSA cyber-arms catalog has shed light on the technologies US and UK spies use to infiltrate and remotely control PCs, routers, firewalls, phones and software from some of the biggest names in IT.

The exploits, often delivered via the web, provide clandestine backdoor access across networks, allowing the intelligence services to carry out man-in-the-middle attacks that conventional security software has no chance of stopping.

And if that fails, agents can simply intercept your hardware deliveries from Amazon to install hidden gadgets that rat you out via radio communications.

The 50-page top-secret document, written by an NSA division called ANT, is part of an information dump sent to German magazine Der Spiegel, and expounded upon by journalist Jacob Appelbaum in his keynote to the 30th Chaos Communication Congress in Germany on Monday. You can watch a clearly furious Appelbaum in the video below.

The dossier is a glorified shopping catalog of technology for spies in the so-called "Five Eyes" alliance of the UK, the US, Canada, Australia, and New Zealand. It gives the clearest view yet of what the NSA, GCHQ and associated intelligence agencies can do with your private data, and how they manage it. Here's an easy-to-digest roundup of what was discussed.
Satellite and optic-fiber communications stored

According to Appelbaum, the NSA is running a two-stage data dragnet operation. The first stage is TURMOIL, which collects data traffic passively via satellite and cable taps and stores it – in some cases for up to 15 years – for future reference. The NSA does not consider this surveillance because no human operator is involved, just automatic systems.

Der Spiegel gave the example of the SEA-ME-WE-4 underwater cable system, which runs from Europe to North Africa, then on to the Gulf states to Pakistan and India before terminating in the Far East. The documents show that on February 13 this year a tap was installed on the line by the NSA that gave layer-two access to all internet traffic flowing through that busy route.

However, this passive capability is backed up by TURBINE, the active intervention side of the NSA, run by its Tailored Access Operations (TAO) hacking squad. By using a selection of hardware and software tools, not to mention physical measures as we'll see later on, the NSA promises that systems can be hacked "at the speed of light," and the staffers in Maryland even took time to build a LOLcat picture highlighting the capability:

[Image: NSA LOLcat slide. Caption: Sure they own you, but look at the little kitty. Credit: NSA]
"Tailored Access Operations is a unique national asset that is on the front lines of enabling NSA to defend the nation and its allies," the NSA said in a statement on the report, adding that TAO's "work is centered on computer network exploitation in support of foreign intelligence collection."
Windows crash reports boon for spies

On the subject of operating systems, Appelbaum said the documents revealed subversion techniques against Windows, Linux, and Solaris. In the case of Microsoft, the NSA is monitoring Windows software crash reports to gain insight into vulnerabilities on a target system and exploit them for its own ends.
"Customers who choose to use error reports send limited information about, for example, the process, application, or device driver, that may have encountered a problem," a Microsoft spokesperson told El Reg in a statement responding to Der Spiegel's report.

"Reports are then reviewed and used to improve customer experiences. Microsoft does not provide any government with direct or unfettered access to our customer's data. We would have significant concerns if the allegations about government actions are true."
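Since the crash-report channel described above only exists if the machine submits reports off-box, a defender's first step is to audit and, where appropriate, switch off Windows Error Reporting. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later and uses the documented WER registry key, the WER Group Policy key and the WerSvc service.

```powershell
# Added example (not from the article): audit whether this host will send
# Windows Error Reporting (WER) crash reports off-box, and optionally stop it.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer.

$WerKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

function Get-WerReportingStatus {
    # Returns one object summarising every control that can stop report submission.
    $local  = Get-ItemProperty -Path $WerKey    -Name Disabled -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $PolicyKey -Name Disabled -ErrorAction SilentlyContinue
    $svc    = Get-Service -Name WerSvc -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LocalDisabled  = ($local.Disabled  -eq 1)   # per-machine WER switch
        PolicyDisabled = ($policy.Disabled -eq 1)   # Group Policy "Disable Windows Error Reporting"
        ServiceState   = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not present' }
        # Reporting can only leave the box if no control below is set.
        ReportsCanLeave = -not (($local.Disabled -eq 1) -or ($policy.Disabled -eq 1) -or
                                ($svc -and $svc.StartType -eq 'Disabled'))
    }
}

function Disable-WerReporting {
    # Sets both Disabled flags and disables the service, so a crash on this host
    # never produces a report that is transmitted to Microsoft's collection servers.
    foreach ($key in @($WerKey, $PolicyKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Disabled -Value 1 -Type DWord
    }
    Stop-Service -Name WerSvc -ErrorAction SilentlyContinue
    Set-Service  -Name WerSvc -StartupType Disabled
}

# Audit first; call Disable-WerReporting only after reviewing the result.
Get-WerReportingStatus
```

Organisations that still want crash data for their own incident response can instead point reports at an internal collector via the CorporateWerServer policy value under the same policy key, which keeps the reports off the public internet without discarding them.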
NSA buys up security exploits to attack vulnerabilities

When it comes to active penetration, the TAO team has a system dubbed QUANTUMTHEORY, an arsenal of zero-day exploits that it has either found itself or bought on the open market from operators like VUPEN. Once inside a computer, software dubbed SEASONEDMOTH is automatically secreted and used to harvest all activity by the target in a 30-day period.

For computers and networks that have firewalls and other security systems in place, the NSA uses QUANTUMNATION, a tool that will scan defenses using software dubbed VALIDATOR to find an exploitable hole, and then use it to seize control using code dubbed COMMENDEER.

A system dubbed QUANTUMCOPPER also gives the NSA the ability to interfere with TCP/IP connections and disrupt downloads to inject malicious code or merely damage fetched files. Appelbaum said such a system could be used to crash anonymizing systems like Tor by forcing an endless series of resets – and makes the designers of the Great Firewall of China look like amateurs.
The website you are visiting is really not the website you want

But it's a scheme dubbed QUANTUMINSERT that Appelbaum said was particularly concerning. The documents show that if a target tries to log onto Yahoo! servers, a subverted local router can intercept the request before it hits Mayer & Co's data center and redirect it to an NSA-hosted mirror site where all activity can be recorded and the connection tampered with.

It's not just Yahoo! in the firing line: QUANTUMINSERT can be set up to automatically attack any computer trying to access all sorts of websites. The code predominantly injects malware into religious or terrorism websites to seize control of vulnerable web browsers and their PCs.

But the technology has also been spotted monitoring visits to sites such as LinkedIn and CNN.com, and will work with most major manufacturers' routers to pull off its software injection. (If you think using HTTPS will highlight any of these man-in-the-middle attacks, bear in mind it's believed that the NSA and GCHQ have penetrated the security certificate system underpinning SSL/TLS to allow the agencies' computers to masquerade as legit web servers.)

According to the catalog, Cisco hardware firewalls, such as the PIX and ASA series, and Juniper Netscreen and ISG 1000 products, can have backdoors installed in their firmware to monitor traffic flowing in and out of small businesses and corporate data centers. A boot ROM nasty exists for the Huawei Eudemon firewalls, we're told; Huawei being the gigantic Chinese telecoms electronics maker. Other BIOS-level malware is available for Juniper and Huawei routers, according to the dossier.
"At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it," said Cisco in a blog post.

"As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security 'back doors' in our products."