Scott Blaydes scott at sbce.org
Wed Mar 12 23:26:27 PDT 2014

On Mar 12, 2014, at 10:39 PM, coderman <coderman at gmail.com> wrote:

> so they've been spending tens of millions every year to red team
> privacy enhancing technologies.
> when do we get to see the results and improve our tools?
> ;)

This is the problem with Devops. If it was just good ‘ol sysadmining there wouldn’t be this level of automation, so the NSA would have to infect everyone manually. I knew the Devops movement was going to bite us in the ass.


> https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/
> ---
> How the NSA Plans to Infect 'Millions' of Computers with Malware
> By Ryan Gallagher and Glenn Greenwald 12 Mar 2014, 9:19 AM EDT
> Top-secret documents reveal that the National Security Agency is
> dramatically expanding its ability to covertly hack into computers on
> a mass scale by using automated systems that reduce the level of human
> oversight in the process.
> The classified files - provided previously by NSA whistleblower Edward
> Snowden - contain new details about groundbreaking surveillance
> technology the agency has developed to infect potentially millions of
> computers worldwide with malware "implants." The clandestine
> initiative enables the NSA to break into targeted computers and to
> siphon out data from foreign Internet and phone networks.
> The covert infrastructure that supports the hacking efforts operates
> from the agency's headquarters in Fort Meade, Maryland, and from
> eavesdropping bases in the United Kingdom and Japan. GCHQ, the British
> intelligence agency, appears to have played an integral role in
> helping to develop the implants tactic.
> In some cases the NSA has masqueraded as a fake Facebook server, using
> the social media site as a launching pad to infect a target's computer
> and exfiltrate files from a hard drive. In others, it has sent out
> spam emails laced with the malware, which can be tailored to covertly
> record audio from a computer's microphone and take snapshots with its
> webcam. The hacking systems have also enabled the NSA to launch
> cyberattacks by corrupting and disrupting file downloads or denying
> access to websites.
> The implants being deployed were once reserved for a few hundred
> hard-to-reach targets, whose communications could not be monitored
> through traditional wiretaps. But the documents analyzed by The
> Intercept show how the NSA has aggressively accelerated its hacking
> initiatives in the past decade by computerizing some processes
> previously handled by humans. The automated system - codenamed TURBINE
> - is designed to "allow the current implant network to scale to large
> size (millions of implants) by creating a system that does automated
> control implants by groups instead of individually."
> In a top-secret presentation, dated August 2009, the NSA describes a
> pre-programmed part of the covert infrastructure called the "Expert
> System," which is designed to operate "like the brain." The system
> manages the applications and functions of the implants and "decides"
> what tools they need to best extract data from infected machines.
> Mikko Hypponen, an expert in malware who serves as chief research
> officer at the Finnish security firm F-Secure, calls the revelations
> "disturbing." The NSA's surveillance techniques, he warns, could
> inadvertently be undermining the security of the Internet.
> "When they deploy malware on systems," Hypponen says, "they
> potentially create new vulnerabilities in these systems, making them
> more vulnerable for attacks by third parties."
> Hypponen believes that governments could arguably justify using
> malware in a small number of targeted cases against adversaries. But
> millions of malware implants being deployed by the NSA as part of an
> automated process, he says, would be "out of control."
> "That would definitely not be proportionate," Hypponen says. "It
> couldn't possibly be targeted and named. It sounds like wholesale
> infection and wholesale surveillance."
> The NSA declined to answer questions about its deployment of implants,
> pointing to a new presidential policy directive announced by President
> Obama. "As the president made clear on 17 January," the agency said in
> a statement, "signals intelligence shall be collected exclusively
> where there is a foreign intelligence or counterintelligence purpose
> to support national and departmental missions, and not for any other
> purposes."
> "Owning the Net"
> The NSA began rapidly escalating its hacking efforts a decade ago. In
> 2004, according to secret internal records, the agency was managing a
> small network of only 100 to 150 implants. But over the next six to
> eight years, as an elite unit called Tailored Access Operations (TAO)
> recruited new hackers and developed new malware tools, the number of
> implants soared to tens of thousands.
> To penetrate foreign computer networks and monitor communications that
> it did not have access to through other means, the NSA wanted to go
> beyond the limits of traditional signals intelligence, or SIGINT, the
> agency's term for the interception of electronic communications.
> Instead, it sought to broaden "active" surveillance methods - tactics
> designed to directly infiltrate a target's computers or network
> devices.
> In the documents, the agency describes such techniques as "a more
> aggressive approach to SIGINT" and says that the TAO unit's mission is
> to "aggressively scale" these operations.
> But the NSA recognized that managing a massive network of implants is
> too big a job for humans alone.
> "One of the greatest challenges for active SIGINT/attack is scale,"
> explains the top-secret presentation from 2009. "Human 'drivers' limit
> ability for large-scale exploitation (humans tend to operate within
> their own environment, not taking into account the bigger picture)."
> The agency's solution was TURBINE. Developed as part of TAO unit, it
> is described in the leaked documents as an "intelligent command and
> control capability" that enables "industrial-scale exploitation."
> TURBINE was designed to make deploying malware much easier for the
> NSA's hackers by reducing their role in overseeing its functions. The
> system would "relieve the user from needing to know/care about the
> details," the NSA's Technology Directorate notes in one secret
> document from 2009. "For example, a user should be able to ask for
> 'all details about application X' and not need to know how and where
> the application keeps files, registry entries, user application data,
> etc."
> In practice, this meant that TURBINE would automate crucial processes
> that previously had to be performed manually - including the
> configuration of the implants as well as surveillance collection, or
> "tasking," of data from infected systems. But automating these
> processes was about much more than a simple technicality. The move
> represented a major tactical shift within the NSA that was expected to
> have a profound impact - allowing the agency to push forward into a
> new frontier of surveillance operations.
> The ramifications are starkly illustrated in one undated top-secret
> NSA document, which describes how the agency planned for TURBINE to
> "increase the current capability to deploy and manage hundreds of
> Computer Network Exploitation (CNE) and Computer Network Attack (CNA)
> implants to potentially millions of implants." (CNE mines intelligence
> from computers and networks; CNA seeks to disrupt, damage or destroy
> them.)
> Eventually, the secret files indicate, the NSA's plans for TURBINE
> came to fruition. The system has been operational in some capacity
> since at least July 2010, and its role has become increasingly central
> to NSA hacking operations.
> Earlier reports based on the Snowden files indicate that the NSA has
> already deployed between 85,000 and 100,000 of its implants against
> computers and networks across the world, with plans to keep on scaling
> up those numbers.
> The intelligence community's top-secret "Black Budget" for 2013,
> obtained by Snowden, lists TURBINE as part of a broader NSA
> surveillance initiative named "Owning the Net."
> The agency sought $67.6 million in taxpayer funding for its Owning the
> Net program last year. Some of the money was earmarked for TURBINE,
> expanding the system to encompass "a wider variety" of networks and
> "enabling greater automation of computer network exploitation."
> Circumventing Encryption
> The NSA has a diverse arsenal of malware tools, each highly
> sophisticated and customizable for different purposes.
> One implant, codenamed UNITEDRAKE, can be used with a variety of
> "plug-ins" that enable the agency to gain total control of an infected
> computer.
> An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to
> take over a targeted computer's microphone and record conversations
> taking place near the device. Another, GUMFISH, can covertly take over
> a computer's webcam and snap photographs. FOGGYBOTTOM records logs of
> Internet browsing histories and collects login details and passwords
> used to access websites and email accounts. GROK is used to log
> keystrokes. And SALVAGERABBIT exfiltrates data from removable flash
> drives that connect to an infected computer.
> The implants can enable the NSA to circumvent privacy-enhancing
> encryption tools that are used to browse the Internet anonymously or
> scramble the contents of emails as they are being sent across
> networks. That's because the NSA's malware gives the agency unfettered
> access to a target's computer before the user protects their
> communications with encryption.
> It is unclear how many of the implants are being deployed on an annual
> basis or which variants of them are currently active in computer
> systems across the world.
> Previous reports have alleged that the NSA worked with Israel to
> develop the Stuxnet malware, which was used to sabotage Iranian
> nuclear facilities. The agency also reportedly worked with Israel to
> deploy malware called Flame to infiltrate computers and spy on
> communications in countries across the Middle East.
> According to the Snowden files, the technology has been used to seek
> out terror suspects as well as individuals regarded by the NSA as
> "extremist." But the mandate of the NSA's hackers is not limited to
> invading the systems of those who pose a threat to national security.
> In one secret post on an internal message board, an operative from the
> NSA's Signals Intelligence Directorate describes using malware attacks
> against systems administrators who work at foreign phone and Internet
> service providers. By hacking an administrator's computer, the agency
> can gain covert access to communications that are processed by his
> company. "Sys admins are a means to an end," the NSA operative writes.
> The internal post - titled "I hunt sys admins" - makes clear that
> terrorists aren't the only targets of such NSA attacks. Compromising a
> systems administrator, the operative notes, makes it easier to get to
> other targets of interest, including any "government official that
> happens to be using the network some admin takes care of."
> Similar tactics have been adopted by Government Communications
> Headquarters, the NSA's British counterpart. As the German newspaper
> Der Spiegel reported in September, GCHQ hacked computers belonging to
> network engineers at Belgacom, the Belgian telecommunications
> provider.
> The mission, codenamed "Operation Socialist," was designed to enable
> GCHQ to monitor mobile phones connected to Belgacom's network. The
> secret files deem the mission a "success," and indicate that the
> agency had the ability to covertly access Belgacom's systems since at
> least 2010.
> Infiltrating cellphone networks, however, is not all that the malware
> can be used to accomplish. The NSA has specifically tailored some of
> its implants to infect large-scale network routers used by Internet
> service providers in foreign countries. By compromising routers - the
> devices that connect computer networks and transport data packets
> across the Internet - the agency can gain covert access to monitor
> Internet traffic, record the browsing sessions of users, and intercept
> communications.
> Two implants the NSA injects into network routers, HAMMERCHANT and
> HAMMERSTEIN, help the agency to intercept and perform "exploitation
> attacks" against data that is sent through a Virtual Private Network,
> a tool that uses encrypted "tunnels" to enhance the security and
> privacy of an Internet session.
> The implants also track phone calls sent across the network via Skype
> and other Voice Over IP software, revealing the username of the person
> making the call. If the audio of the VOIP conversation is sent over
> the Internet using unencrypted "Real-time Transport Protocol" packets,
> the implants can covertly record the audio data and then return it to
> the NSA for analysis.
> But not all of the NSA's implants are used to gather intelligence, the
> secret files show. Sometimes, the agency's aim is disruption rather
> than surveillance. QUANTUMSKY, a piece of NSA malware developed in
> 2004, is used to block targets from accessing certain websites.
> QUANTUMCOPPER, first tested in 2008, corrupts a target's file
> downloads. These two "attack" techniques are revealed on a classified
> list that features nine NSA hacking tools, six of which are used for
> intelligence gathering. Just one is used for "defensive" purposes - to
> protect U.S. government networks against intrusions.
> "Mass exploitation potential"
> Before it can extract data from an implant or use it to attack a
> system, the NSA must first install the malware on a targeted computer
> or network.
> According to one top-secret document from 2012, the agency can deploy
> malware by sending out spam emails that trick targets into clicking a
> malicious link. Once activated, a "back-door implant" infects their
> computers within eight seconds.
> There's only one problem with this tactic, codenamed WILLOWVIXEN:
> According to the documents, the spam method has become less successful
> in recent years, as Internet users have become wary of unsolicited
> emails and less likely to click on anything that looks suspicious.
> Consequently, the NSA has turned to new and more advanced hacking
> techniques. These include performing so-called "man-in-the-middle" and
> "man-on-the-side" attacks, which covertly force a user's internet
> browser to route to NSA computer servers that try to infect them with
> an implant.
> To perform a man-on-the-side attack, the NSA observes a target's
> Internet traffic using its global network of covert "accesses" to data
> as it flows over fiber optic cables or satellites. When the target
> visits a website that the NSA is able to exploit, the agency's
> surveillance sensors alert the TURBINE system, which then "shoots"
> data packets at the targeted computer's IP address within a fraction
> of a second.
> In one man-on-the-side technique, codenamed QUANTUMHAND, the agency
> disguises itself as a fake Facebook server. When a target attempts to
> log in to the social media site, the NSA transmits malicious data
> packets that trick the target's computer into thinking they are being
> sent from the real Facebook. By concealing its malware within what
> looks like an ordinary Facebook page, the NSA is able to hack into the
> targeted computer and covertly siphon out data from its hard drive. A
> top-secret animation demonstrates the tactic in action.
> The documents show that QUANTUMHAND became operational in October
> 2010, after being successfully tested by the NSA against about a dozen
> targets.
> According to Matt Blaze, a surveillance and cryptography expert at the
> University of Pennsylvania, it appears that the QUANTUMHAND technique
> is aimed at targeting specific individuals. But he expresses concerns
> about how it has been covertly integrated within Internet networks as
> part of the NSA's automated TURBINE system.
> "As soon as you put this capability in the backbone infrastructure,
> the software and security engineer in me says that's terrifying,"
> Blaze says.
> "Forget about how the NSA is intending to use it. How do we know it is
> working correctly and only targeting who the NSA wants? And even if it
> does work correctly, which is itself a really dubious assumption, how
> is it controlled?"
> In an email statement to The Intercept, Facebook spokesman Jay
> Nancarrow said the company had "no evidence of this alleged activity."
> He added that Facebook implemented HTTPS encryption for users last
> year, making browsing sessions less vulnerable to malware attacks.
> Nancarrow also pointed out that other services besides Facebook could
> have been compromised by the NSA. "If government agencies indeed have
> privileged access to network service providers," he said, "any site
> running only [unencrypted] HTTP could conceivably have its traffic
> misdirected."
> A man-in-the-middle attack is a similar but slightly more aggressive
> method that can be used by the NSA to deploy its malware. It refers to
> a hacking technique in which the agency covertly places itself between
> computers as they are communicating with each other.
> This allows the NSA not only to observe and redirect browsing
> sessions, but to modify the content of data packets that are passing
> between computers.
> The man-in-the-middle tactic can be used, for instance, to covertly
> change the content of a message as it is being sent between two
> people, without either knowing that any change has been made by a
> third party. The same technique is sometimes used by criminal hackers
> to defraud people.
> A top-secret NSA presentation from 2012 reveals that the agency
> developed a man-in-the-middle capability called SECONDDATE to
> "influence real-time communications between client and server" and to
> "quietly redirect web-browsers" to NSA malware servers called FOXACID.
> In October, details about the FOXACID system were reported by the
> Guardian, which revealed its links to attacks against users of the
> Internet anonymity service Tor.
> But SECONDDATE is tailored not only for "surgical" surveillance
> attacks on individual suspects. It can also be used to launch bulk
> malware attacks against computers.
> According to the 2012 presentation, the tactic has "mass exploitation
> potential for clients passing through network choke points."
> Blaze, the University of Pennsylvania surveillance expert, says the
> potential use of man-in-the-middle attacks on such a scale "seems very
> disturbing." Such an approach would involve indiscriminately
> monitoring entire networks as opposed to targeting individual
> suspects.
> "The thing that raises a red flag for me is the reference to 'network
> choke points,'" he says. "That's the last place that we should be
> allowing intelligence agencies to compromise the infrastructure -
> because that is by definition a mass surveillance technique."
> To deploy some of its malware implants, the NSA exploits security
> vulnerabilities in commonly used Internet browsers such as Mozilla
> Firefox and Internet Explorer.
> The agency's hackers also exploit security weaknesses in network
> routers and in popular software plugins such as Flash and Java to
> deliver malicious code onto targeted machines.
> The implants can circumvent anti-virus programs, and the NSA has gone
> to extreme lengths to ensure that its clandestine technology is
> extremely difficult to detect. An implant named VALIDATOR, used by the
> NSA to upload and download data to and from an infected machine, can
> be set to self-destruct - deleting itself from an infected computer
> after a set time expires.
> In many cases, firewalls and other security measures do not appear to
> pose much of an obstacle to the NSA. Indeed, the agency's hackers
> appear confident in their ability to circumvent any security mechanism
> that stands between them and compromising a computer or network. "If
> we can get the target to visit us in some sort of web browser, we can
> probably own them," an agency hacker boasts in one secret document.
> "The only limitation is the 'how.'"
> Covert Infrastructure
> The TURBINE implants system does not operate in isolation.
> It is linked to, and relies upon, a large network of clandestine
> surveillance "sensors" that the agency has installed at locations
> across the world.
> The NSA's headquarters in Maryland are part of this network, as are
> eavesdropping bases used by the agency in Misawa, Japan and Menwith
> Hill, England.
> The sensors, codenamed TURMOIL, operate as a sort of high-tech
> surveillance dragnet, monitoring packets of data as they are sent
> across the Internet.
> When TURBINE implants exfiltrate data from infected computer systems,
> the TURMOIL sensors automatically identify the data and return it to
> the NSA for analysis. And when targets are communicating, the TURMOIL
> system can be used to send alerts or "tips" to TURBINE, enabling the
> initiation of a malware attack.
> The NSA identifies surveillance targets based on a series of data
> "selectors" as they flow across Internet cables. These selectors,
> according to internal documents, can include email addresses, IP
> addresses, or the unique "cookies" containing a username or other
> identifying information that are sent to a user's computer by websites
> such as Google, Facebook, Hotmail, Yahoo, and Twitter.
> Other selectors the NSA uses can be gleaned from unique Google
> advertising cookies that track browsing habits, unique encryption key
> fingerprints that can be traced to a specific user, and computer IDs
> that are sent across the Internet when a Windows computer crashes or
> updates.
> What's more, the TURBINE system operates with the knowledge and
> support of other governments, some of which have participated in the
> malware attacks.
> Classification markings on the Snowden documents indicate that NSA has
> shared many of its files on the use of implants with its counterparts
> in the so-called Five Eyes surveillance alliance - the United Kingdom,
> Canada, New Zealand, and Australia.
> GCHQ, the British agency, has taken on a particularly important role
> in helping to develop the malware tactics. The Menwith Hill satellite
> eavesdropping base that is part of the TURMOIL network, located in a
> rural part of Northern England, is operated by the NSA in close
> cooperation with GCHQ.
> Top-secret documents show that the British base - referred to by the
> NSA as "MHS" for Menwith Hill Station - is an integral component of
> the TURBINE malware infrastructure and has been used to experiment
> with implant "exploitation" attacks against users of Yahoo and
> Hotmail.
> In one document dated 2010, at least five variants of the QUANTUM
> hacking method were listed as being "operational" at Menwith Hill. The
> same document also reveals that GCHQ helped integrate three of the
> QUANTUM malware capabilities - and test two others - as part of a
> surveillance system it operates codenamed INSENSER.
> GCHQ cooperated with the hacking attacks despite having reservations
> about their legality. One of the Snowden files, previously disclosed
> by Swedish broadcaster SVT, revealed that as recently as April 2013,
> GCHQ was apparently reluctant to get involved in deploying the QUANTUM
> malware due to "legal/policy restrictions." A representative from a
> unit of the British surveillance agency, meeting with an obscure
> telecommunications standards committee in 2010, separately voiced
> concerns that performing "active" hacking attacks for surveillance
> "may be illegal" under British law.
> In response to questions from The Intercept, GCHQ refused to comment
> on its involvement in the covert hacking operations. Citing its
> boilerplate response to inquiries, the agency said in a statement that
> "all of GCHQ's work is carried out in accordance with a strict legal
> and policy framework which ensures that our activities are authorized,
> necessary and proportionate, and that there is rigorous oversight."
> Whatever the legalities of the United Kingdom and United States
> infiltrating computer networks, the Snowden files bring into sharp
> focus the broader implications. Under cover of secrecy and without
> public debate, there has been an unprecedented proliferation of
> aggressive surveillance techniques. One of the NSA's primary concerns,
> in fact, appears to be that its clandestine tactics are now being
> adopted by foreign rivals, too.
> "Hacking routers has been good business for us and our 5-eyes partners
> for some time," notes one NSA analyst in a top-secret document dated
> December 2012. "But it is becoming more apparent that other nation
> states are honing their skillz [sic] and joining the scene."
> ------
> Documents published with this article:
> Menwith Hill Station Leverages XKeyscore for Quantum Against Yahoo and Hotmail
> Five Eyes Hacking Large Routers
> NSA Technology Directorate Analysis of Converged Data
> Selector Types
> There Is More Than One Way to Quantum
> NSA Phishing Tactics and Man in the Middle Attacks
> Quantum Insert Diagrams
> The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics
> Industrial-Scale Exploitation
> Thousands of Implants
> ---

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20140313/2c59bea6/attachment-0002.sig>

More information about the cypherpunks mailing list