On Wed, Dec 11, 2013 at 7:17 AM, coderman <coderman@gmail.com> wrote:
... thus CNE in this case is cell MitM/WiFi pwn with a USRP rogue tower to get identifiers for TAO. and TAO is where they get dirty with "remote exploitation" of the device itself and other targets ...
see also this section on the OPEC hacks: http://arstechnica.com/information-technology/2013/11/quantum-of-pwnness-how...

"""
Here’s how the NSA and GCHQ go after an organization like OPEC step by step, based on an analysis of the NSA and GCHQ documents exposed by Snowden:

Step 1: Identify. Using the NSA-built packet capture and inspection system called TURMOIL, the agencies filter through Internet traffic at a network choke point looking for specific "fingerprints" in traffic that identify users with the organization being targeted. Data from TURMOIL gets pulled into a number of traffic analysis tools, such as XKeyscore and TRAFFICTHIEF, which do different sorts of packet analysis. XKeyscore is the NSA's distributed search engine, catching a large chunk of international Internet traffic for analysis. It helps find things deep in the clutter of the Internet that analysts might miss by allowing them to use search terms to find things in both live and cached Internet traffic. TRAFFICTHIEF, on the other hand, is much more focused. It filters for very "strong" indicators, like known sets of IP addresses, addresses within e-mail traffic, or user names in logins to social networks or other services. It provides less depth of analysis than XKeyscore, but it can handle much larger loads of data because it is more selective about what it processes. Together, the tools can be used to identify the systems used by an individual or organization, including ranges of addresses that they may use from work or home.

Step 2: Target. Using the profiles built using the surveillance tools, the agencies can then identify potential points of attack. XKeyscore, for example, can be used to search for patterns that identify known security vulnerabilities within a range of addresses. Web visit histories, e-mail traffic, and other data are analyzed looking for the most likely (and least detectable) approach to gain access, and a specific attack plan is crafted, including the identification of where to launch the attack from. At the NSA, this sort of thing is the work of Tailored Access Operations. In the case of OPEC, the targeting process apparently went on for several years as the NSA sought openings for an attack.

Step 3: Attack. Depending on who the target is, the NSA and GCHQ have a variety of options. The least costly is to use access provided by one of the intelligence agencies' telecommunications "partners" who own network equipment at an exchange or other choke point that the target's Internet traffic passes through. The agency running the attack can use that access to introduce changes to Internet routing tables that detour the targeted individual's traffic. But in some cases, the NSA and GCHQ may have to perform "unilateral" taps on network backbones to gain that level of access—targeting a piece of network hardware to take over or splicing directly into the target's own connection to the Internet. It's not clear which attack the NSA used to gain access to OPEC's systems, though the GCHQ used a Quantum attack two years later to gain its own very special access to the cartel's network. In the case of the Belgacom hack, the GCHQ used a Quantum insert attack—routing the Web requests for LinkedIn and Slashdot from the engineer being targeted to a server posing as those sites. The NSA has used the same approach to intercept traffic to sites such as Google. The man-in-the-middle server can present content from the actual sites the target intended to visit, but it can also add content to the traffic, using what's called packet injection—modifying the contents of the data as it passes through—and intercept the user's credentials. And by using a forged certificate, the NSA can intercept encrypted traffic intended for the destination site. Once the user has connected to the fake server, the intelligence agencies can use the connection to launch attacks against the target's Web browser to install monitoring software or other malware, using similar techniques to those used by hackers. They can also use credentials exposed via the man-in-the-middle attack to gain access to other accounts owned by the target and to troll through connections in those services that might be potential targets.

Step 4: Exploit. Once the target's computer has been successfully attacked, the effort begins to look much like that of the Chinese cyber warriors' attack of the New York Times or what cyber criminals typically do when they score access to high-value targets. The agencies' hackers work to stealthily expand their level of access, using customized remote administration tools to grab user privileges and gain access to other network resources—mail servers, file servers, and other network systems. They then start to "exfiltrate" data from these systems and deliver them to analysts.
"""
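Added example (not part of coderman's post or the Ars Technica article it quotes): the "packet injection" step in the quoted Step 3 works by racing a forged response against the real server's reply, so a defender watching its own network edge can look for the footprint that race leaves behind. The heuristic below is an assumption on my part about what that footprint looks like, namely two TCP segments in one flow carrying the same sequence number but different payloads (a genuine retransmission repeats identical bytes), with differing IP TTLs as a corroborating sign that the segments came from different hops. The `Segment` type, the function name and every address, port and payload are constructed for the example.

```python
"""
Detector heuristic for TCP-level response injection, the "packet injection"
step of a Quantum-insert style man-in-the-middle.

Idea: a legitimate server and an injector both answer the same client
request, so the client sees two segments in one flow with the same sequence
number but different payloads. A real retransmission repeats the same bytes.
Differing IP TTLs corroborate that the two segments came from different hops.
All records below are constructed sample data, not from any capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes

    def flow(self):
        # Server-to-client direction only; that is where injected replies land.
        return (self.src, self.sport, self.dst, self.dport)


SAMPLE_SEGMENTS = [
    # Flow A: the legitimate response from the web server the client asked for.
    Segment("203.0.113.10", 80, "198.51.100.5", 51000, 4001, 52,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."),
    # Flow A: same seq, different body and TTL, as an injected redirect would
    # look (constructed).
    Segment("203.0.113.10", 80, "198.51.100.5", 51000, 4001, 38,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    # Flow B: a genuine retransmission (same seq, identical bytes), benign.
    Segment("203.0.113.20", 443, "198.51.100.5", 51001, 9000, 55, b"\x16\x03\x03..."),
    Segment("203.0.113.20", 443, "198.51.100.5", 51001, 9000, 55, b"\x16\x03\x03..."),
    # Flow B: an ordinary following segment.
    Segment("203.0.113.20", 443, "198.51.100.5", 51001, 9100, 55, b"\x17\x03\x03..."),
]


def find_injection_candidates(segments):
    """Return one finding per (flow, seq) that carried more than one distinct
    payload. Each finding lists the distinct TTLs seen so an analyst can tell
    a likely race from a benign re-segmentation on the same path."""
    by_key = defaultdict(list)
    for s in segments:
        by_key[(s.flow(), s.seq)].append(s)

    findings = []
    for (flow, seq), segs in by_key.items():
        payloads = {s.payload for s in segs}
        if len(payloads) < 2:
            continue  # identical bytes: retransmission, not injection
        ttls = sorted({s.ttl for s in segs})
        findings.append({
            "flow": flow,
            "seq": seq,
            "distinct_payloads": len(payloads),
            "ttls": ttls,
            "ttl_mismatch": len(ttls) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in find_injection_candidates(SAMPLE_SEGMENTS):
        print(finding)
```

On real traffic the same grouping runs over a passive capture; a single hit is worth a look, and a hit with a TTL mismatch is the stronger signal, because an in-path rewrite of the genuine reply would normally keep the server's TTL.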