The NSA's New Code Breakers

Eugen Leitl eugen@leitl.org
Wed Oct 16 07:34:12 PDT 2013


(thanks, John, worth reposting full-text)

http://www.foreignpolicy.com/articles/2013/10/15/the_nsa_s_new_codebreakers?page=full

The NSA's New Code Breakers

America's using front companies, break-in artists, and hacktivists to spy on
everyone -- and only North Korea seems able to resist.

BY MATTHEW M. AID | OCTOBER 15, 2013

There was a time when the code breakers of the National Security Agency
actually took the lead in solving enemy encryption systems. These days, not
so much. In today's NSA, it's hackers, break-in artists, corporate liaisons,
and shadow salesmen using front companies who are at the forefront of this
effort. Even so-called "hacktivists" play an unwitting role in helping the
NSA gain access to computer networks -- both hostile and friendly.

Just about the only place that's somewhat immune to the NSA's new style of
code-breaking attacks? North Korea, because it's so disconnected from the
rest of the world's networks.

Former U.S. intelligence officials confirm that the more than 1,500
cryptanalysts, mathematicians, scientists, engineers, and computer
technicians who comprise NSA's elite cryptanalytic unit, the Office of
Cryptanalysis and Exploitation Services (S31), have had a remarkably large
number of code-breaking successes against foreign targets since the 9/11
attacks. But these wins were largely dependent on clandestine intelligence
activities for much of their success in penetrating foreign communications
networks and encryption systems, and not the more traditional cryptanalytic
attacks on encrypted messages that were the norm during the Cold War era.
Prior to 9/11, NSA's cryptanalysts used their huge stable of supercomputers
to break cipher systems using what is referred to as "brute force methods" --
using the supercomputers to run every cipher permutation until the message
or messages in question become readable. It was a long, tedious, and
extremely costly process (today NSA spends over $247 million a year to buy
and maintain its state-of-the-art supercomputer systems just for
cryptanalytic use). But it did work if there were inherent vulnerabilities or
structural weakness in the cipher being attacked, or if the system's users
did not practice proper communications security procedures, such as changing
the cipher keys and passwords frequently.
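The "brute force" search the paragraph describes, as an added example that is not part of the original article or of any NSA tooling: a Python demo of exhaustive key search against a constructed toy cipher (repeating-key XOR with a 2-byte key), using a known-plaintext crib plus a printable-text check to recognise the right key, together with the arithmetic showing why the expected cost doubles with every key bit. The cipher, the two messages, the key and the crib are all constructed for this illustration. The second message shows the paragraph's other point: when users reuse a key across messages, one recovered key reads all of them.

```python
"""Exhaustive key search on a toy cipher (constructed demo, not real tooling)."""
from itertools import product
import string

# Bytes we accept in a trial decryption: printable ASCII and whitespace.
PRINTABLE = set(string.printable.encode())

# Constructed demo values: a 16-bit key reused for two messages, and a crib
# (a phrase the attacker expects to appear somewhere in the plaintext).
DEMO_KEY = b"\x4a\x17"
MSG1 = b"ATTACK AT DAWN. SAME KEY REUSED FOR EVERY MESSAGE."
MSG2 = b"SECOND MESSAGE, ENCRYPTED UNDER THE SAME KEY."
CRIB = b"ATTACK AT DAWN"


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plausible_plaintext(candidate: bytes, crib: bytes) -> bool:
    """Accept a trial decryption only if it is all printable and contains the crib."""
    return all(b in PRINTABLE for b in candidate) and crib in candidate


def brute_force(ciphertext: bytes, crib: bytes, key_len: int) -> list:
    """Try every key of key_len bytes (256**key_len trials) and return the keys
    whose decryption passes the plausibility test. Cost is linear in keyspace
    size, which is why keyspace size, not cleverness, bounds this method."""
    hits = []
    for key_tuple in product(range(256), repeat=key_len):
        key = bytes(key_tuple)
        if plausible_plaintext(xor_cipher(ciphertext, key), crib):
            hits.append(key)
    return hits


def expected_search_seconds(key_bits: int, trials_per_second: float) -> float:
    """Expected time to hit the key: on average half the keyspace is tried,
    so each extra key bit doubles the cost."""
    return (2 ** (key_bits - 1)) / trials_per_second


if __name__ == "__main__":
    ct1 = xor_cipher(MSG1, DEMO_KEY)
    ct2 = xor_cipher(MSG2, DEMO_KEY)

    # Search the whole 16-bit keyspace against the first ciphertext.
    found = brute_force(ct1, CRIB, len(DEMO_KEY))
    print("candidate keys:", [k.hex() for k in found])

    # Key reuse: the recovered key also opens the second message for free.
    for key in found:
        print("message 2 under key", key.hex(), "->", xor_cipher(ct2, key))

    # Why the method stops working as keys grow: cost at 10^9 trials/second.
    for bits in (16, 40, 56, 80, 128):
        secs = expected_search_seconds(bits, 1e9)
        print(f"{bits:3d}-bit key: ~{secs:.3g} s (~{secs / 3.15e7:.3g} years)")
```

Running it recovers the demo key from the first message in a fraction of a second, then reads the second message with it, which is the communications-security failure (long-lived, reused keys) the paragraph points at; the cost table makes the flip side concrete, since at 10^9 trials per second a 16-bit key falls instantly while a 128-bit key is out of reach by a factor of roughly 10^21 years.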

The NSA today has more supercomputers than ever and the agency still employs
a number of puzzle-solvers, linguists, and math geeks. But these classic
cryptanalysts have, in part, given way to a new breed.

You won't learn this in the files leaked by former NSA contractor Edward
Snowden -- at least not directly. According to individuals who have reviewed
the entire collection of 50,000 documents provided to the media by Snowden,
what is missing from the papers is any document which lays out in detail just
how successful the agency's code-breaking efforts have been. There are
numerous documents in the Snowden collection describing individual NSA
cryptologic programs, such as NSA's mostly unsuccessful multi-year effort to
crack the encryption protection used by the anonymizer service Tor. But no
reports describing the agency's cryptanalytic successes and failures have
been found in the Snowden collection to date.

Interviews with current and former intelligence officials conducted over the
past two months have revealed that since 9/11, NSA's computer scientists,
electronic engineers, software programmers, and collection specialists have
been remarkably inventive in finding new and innovative ways to circumvent
the protections supposedly offered by encryption systems by compromising them
through clandestine means. Among these clandestine means are CIA and FBI
"black bag jobs," as well as secret efforts by the U.S. intelligence
community to interdict the shipment of advanced encryption technology to
America's enemies around the world, inserting "back doors" into
commercially-available computer, communications and encryption technologies
which allow NSA to covertly access these systems without the users knowing
it.

But the most sensitive of these clandestine techniques, and by far the most
productive to date, is to covertly hack into targeted computers and copy the
documents and message traffic stored on these machines before they are
encrypted, a process known within NSA as "Endpoint" operations.
Responsibility for conducting these Endpoint operations rests with the
computer hackers of NSA's cyberespionage unit, the Office of Tailored Access
Operations (TAO).

According to sources familiar with the organization's operations, TAO has
been enormously successful over the past 12 years in covertly inserting
highly sophisticated spyware into the hard drives of over 80,000 computer
systems around the world, although this number could be much higher. And
according to the sources, these implants are designed in such a way that they
cannot be detected by currently available commercial computer security
software. It has been suggested to me by a reliable source that "this is not
an accident," with the insinuation being that many of the biggest
commercially-available computer security software systems made in the United
States and overseas have been compromised by NSA, either covertly or with the
knowledge and consent of the companies that manufacture these systems.

Former agency personnel confirm that in innumerable instances these TAO
implants have allowed NSA's analysts to copy and read all of the unencrypted
documents stored on the targeted computer's hard drive, as well as copy every
document and email message produced and/or transmitted by the machine. But
more importantly, TAO has helped NSA's cryptanalysts solve several hundred
foreign government and commercial encryption systems because these spyware
implants, if properly inserted into the computer, can covertly alter its
security software as well as copy the encryption system's technical
parameters, especially the system's encryption algorithm and access
passwords, in a way that cannot be detected. These implants can compromise
the encryption systems used by not only the targeted computer, but also all
other computer systems that it communicates with using encryption technology.

According to confidential sources familiar with TAO's operations, many of
NSA's cryptanalytic "success stories" against high-priority targets such as
Russia and the People's Republic of China in recent years have been the
direct result of TAO's cyberespionage efforts. For example, sources confirm
that much of what the U.S. intelligence community knows about China's
computer hacking efforts against targets in the United States, Europe, and
Asia stems from TAO's intelligence collection efforts since 2005, when TAO
reportedly achieved a major technical breakthrough against a Chinese target.

But TAO doesn't just spy on America's rivals. In 2012, the group reportedly
compromised the encryption system used by an important G8 country to transmit
sensitive diplomatic communications via satellite to its embassies around the
world. The same is true with a number of countries in the Middle East and
South Asia, including Egypt, Syria, Iran, and Pakistan, although the details
of these successes are not yet known. And finally, sources report that TAO
has successfully compromised the privacy protection systems currently used on
a range of 4G cell phones and hand-held devices, thanks in large part to help
from a major American telecommunications company.

There are high-profile targets that have proven resistant to TAO's
cyberespionage efforts over the years, however. For example, TAO has
reportedly had virtually no success penetrating North Korean government
computer systems or networks because there are so few of them and they are
heavily protected from access to the outside world.

Over time, TAO has become increasingly accomplished at its mission, thanks in
part to the high-level cooperation that it secretly receives from the "big
three" American telecommunications companies (AT&T, Verizon, and Sprint),
most of the large U.S.-based internet service providers, and many of the top
computer security software manufacturers and consulting companies. According
to a February 2012 budget document (.pdf) published earlier this year by
ProPublica, these companies "Insert vulnerabilities into commercial
encryption systems, IT systems, networks, and endpoint communications devices
used by targets" on behalf of TAO.

TAO is also very active in the global computer security industry marketplace,
using the CIA, Defense Intelligence Agency, and State Department to help it
keep close tabs on the latest computer security devices and software systems
being developed around the world. And while details are lacking, informed
sources report that TAO has been active in covertly buying up commercially
available "hacker tools" or spyware software systems from individuals and
companies in the United States and overseas, particularly in Western Europe,
to help facilitate its ever-growing computer network exploitation efforts.

The extreme sensitivity of TAO's collection efforts has required the NSA to
take extraordinary steps to try to disguise its computer hacking activities.
For instance, current and former intelligence sources confirm that TAO
increasingly depends on clandestine techniques, such as commercial cover, to
hide its activities. TAO uses an array of commercial business entities, some
of them proprietary companies established specifically for this purpose, to
try to hide its global computer hacking activities from computer security
experts in a maze of interlocking computer servers and command-and-control
systems located in the United States and overseas that have no discernible
link to NSA or the U.S. government.

These sources also say that TAO gets a lot of help from politically-motivated
hackers, or "hacktivists," who unintentionally help NSA by providing ideas to
improve TAO's collection efforts. (Exactly which hacktivists have been
particularly helpful, these sources wouldn't say.) Working closely with NSA's
computer security experts at the NSA/CSS Threat Operations Center, TAO
personnel perform detailed forensic post-mortem studies of every major
successful computer penetration operation around the world. Some of these are
pulled off by criminal outfits, some by government-backed groups, others by
political actors. In each case, the agency's personnel look for new
techniques or procedures that they can use to get inside computer systems
around the world.

There is no question that TAO's future looked incredibly bright before the
first newspaper articles began appearing in the British and American press in
June 2013 based on documents leaked by Snowden. Now, industry sources
familiar with TAO say that the organization's future prospects have dimmed
somewhat.

A number of foreign-based computer systems and IT networks that formerly were
major producers of intelligence information for TAO have over the past three
months changed security procedures and encryption systems, routed traffic to
more secure computer nodes or servers, erected new firewalls, or have gone
offline altogether. According to recent press reports, the Russian government
for a time reverted back to using manual typewriters rather than commit
sensitive information to their computer systems. And a number of European
countries and Brazil have begun shifting their most sensitive data and
communications traffic to secure networks that they hope will be resistant to
NSA's intrusive surveillance activities.

But this is, I am sure, just the tip of the iceberg. I have no doubt that the
damage to TAO's foreign intelligence collection capabilities and its ability
to facilitate the solution of foreign encryption systems by NSA's
cryptanalysts has been substantial. The big question that will determine
TAO's future prospects is whether the damage done so far proves to be
irreparable.
