"I hunt sysadmins"

coderman coderman at gmail.com
Thu Mar 20 17:15:08 PDT 2014

can such a tasking pass my PCI PA-DSS audit for me??

"Imagine a master list of all admins of all networks on earth..."

'Inside the NSA's Secret Efforts to Hunt and Hack System Administrators'
 - https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/
   also, slides:

Across the world, people who work as system administrators keep
computer networks in order - and this has turned them into unwitting
targets of the National Security Agency for simply doing their jobs.
According to a secret document provided by NSA whistleblower Edward
Snowden, the agency tracks down the private email and Facebook
accounts of system administrators (or sys admins, as they are often
called), before hacking their computers to gain access to the networks
they control.

The document consists of several posts - one of them is titled "I hunt
sys admins" - that were published in 2012 on an internal discussion
board hosted on the agency's classified servers. They were written by
an NSA official involved in the agency's effort to break into foreign
network routers, the devices that connect computer networks and
transport data across the Internet. By infiltrating the computers of
system administrators who work for foreign phone and Internet
companies, the NSA can gain access to the calls and emails that flow
over their networks.

The classified posts reveal how the NSA official aspired to create a
database that would function as an international hit list of sys
admins to potentially target. Yet the document makes clear that the
admins are not suspected of any criminal activity - they are targeted
only because they control access to networks the agency wants to
infiltrate. "Who better to target than the person that already has the
'keys to the kingdom'?" one of the posts says.

The NSA wants more than just passwords. The document includes a list
of other data that can be harvested from computers belonging to sys
admins, including network maps, customer lists, business
correspondence and, the author jokes, "pictures of cats in funny poses
with amusing captions." The posts, boastful and casual in tone,
contain hacker jargon  (pwn, skillz, zomg, internetz) and are
punctuated with expressions of mischief. "Current mood: devious,"
reads one, while another signs off, "Current mood: scheming."

The author of the posts, whose name is being withheld by The
Intercept, is a network specialist in the agency's Signals
Intelligence Directorate, according to other NSA documents. The same
author wrote secret presentations related to the NSA's controversial
program to identify users of the Tor browser - a privacy-enhancing
tool that allows people to browse the Internet anonymously. The
network specialist, who served as a private contractor prior to
joining the NSA, shows little respect for hackers who do not work for
the government. One post expresses disdain for the quality of
presentations at Blackhat and Defcon, the computer world's premier
security and hacker conferences:

It is unclear how precise the NSA's hacking attacks are or how the
agency ensures that it excludes Americans from the intrusions. The
author explains in one post that the NSA scours the Internet to find
people it deems "probable" administrators, suggesting a lack of
certainty in the process and implying that the wrong person could be
targeted. It is illegal for the NSA to deliberately target Americans
for surveillance without explicit prior authorization. But the
employee's posts make no mention of any measures that might be taken
to prevent hacking the computers of Americans who work as sys admins
for foreign networks. Without such measures, Americans who work on
such networks could potentially fall victim to an NSA infiltration

The NSA declined to answer questions about its efforts to hack system
administrators or explain how it ensures Americans are not mistakenly
targeted. Agency spokeswoman Vanee' Vines said in an email statement:
"A key part of the protections that apply to both U.S. persons and
citizens of other countries is the mandate that information be in
support of a valid foreign intelligence requirement, and comply with
U.S. Attorney General-approved procedures to protect privacy rights."

As The Intercept revealed last week, clandestine hacking has become
central to the NSA's mission in the past decade. The agency is working
to aggressively scale its ability to break into computers to perform
what it calls "computer network exploitation," or CNE: the collection
of intelligence from covertly infiltrated computer systems. Hacking
into the computers of sys admins is particularly controversial because
unlike conventional targets - people who are regarded as threats - sys
admins are not suspected of any wrongdoing.

In a post calling sys admins "a means to an end," the NSA employee
writes, "Up front, sys admins generally are not my end target. My end
target is the extremist/terrorist or government official that happens
to be using the network some admin takes care of."

The first step, according to the posts, is to collect IP addresses
that are believed to be linked to a network's sys admin. An IP address
is a series of numbers allocated to every computer that connects to
the Internet. Using this identifier, the NSA can then run an IP
address through the vast amount of signals intelligence data, or
SIGINT, that it collects every day, trying to match the IP address to
personal accounts.

"What we'd really like is a personal webmail or Facebook account to
target," one of the posts explains, presumably because, whereas IP
addresses can be shared by multiple people, "alternative selectors"
like a webmail or Facebook account can be linked to a particular
target. You can "dumpster-dive for alternate selectors in the big
SIGINT trash can" the author suggests. Or "pull out your wicked
Google-fu" (slang for efficient Googling) to search for any "official
and non-official e-mails" that the targets may have posted online.

Once the agency believes it has identified a sys admin's personal
accounts, according to the posts, it can target them with its
so-called QUANTUM hacking techniques. The Snowden files reveal that
the QUANTUM methods have been used to secretly inject surveillance
malware into a Facebook page by sending malicious NSA data packets
that appear to originate from a genuine Facebook server. This method
tricks a target's computer into accepting the malicious packets,
allowing the NSA to infect the targeted computer with a malware
"implant" and gain unfettered access to the data stored on its hard

"Just pull those selectors, queue them up for QUANTUM, and proceed
with the pwnage," the author of the posts writes. ("Pwnage," short for
"pure ownage," is gamer-speak for defeating opponents.) The author
adds, triumphantly, "Yay! /throws confetti in the air."

In one case, these tactics were used by the NSA's British counterpart,
Government Communications Headquarters, or GCHQ, to infiltrate the
Belgian telecommunications company Belgacom. As Der Speigel revealed
last year, Belgacom's network engineers were targeted by GCHQ in a
QUANTUM mission named "Operation Socialist" - with the British agency
hacking into the company's systems in an effort to monitor

While targeting innocent sys admins may be surprising on its own, the
"hunt sys admins" document reveals how the NSA network specialist
secretly discussed building a "master list" of sys admins across the
world, which would enable an attack to be initiated on one of them the
moment their network was thought to be used by a person of interest.
One post outlines how this process would make it easier for the NSA's
specialist hacking unit, Tailored Access Operations (TAO), to
infiltrate networks and begin collecting, or "tasking," data:

Aside from offering up thoughts on covert hacking tactics, the author
of these posts also provides a glimpse into internal employee
complaints at the NSA. The posts describe how the agency's spies gripe
about having "dismal infrastructure" and a "Big Data Problem" because
of the massive volume of information being collected by NSA
surveillance systems. For the author, however, the vast data troves
are actually something to be enthusiastic about.

"Our ability to pull bits out of random places of the Internet, bring
them back to the mother-base to evaluate and build intelligence off of
is just plain awesome!" the author writes. "One of the coolest things
about it is how much data we have at our fingertips."


More information about the cypherpunks mailing list