Code Names for NSA Exploit Tools

This is from a Snowden document released by Le Monde:

General Term Descriptions:

HIGHLANDS: Collection from Implants
VAGRANT: Collection of Computer Screens
MAGNETIC: Sensor Collection of Magnetic Emanations
MINERALIZE: Collection from LAN Implant
OCEAN: Optical Collection System for Raster-Based Computer Screens
LIFESAFER: Imaging of the Hard Drive
GENIE: Multi-stage operation: jumping the airgap etc.
BLACKHEART: Collection from an FBI Implant
[…]
DROPMIRE: Passive collection of emanations using antenna
CUSTOMS: Customs opportunities (not LIFESAVER)
DROPMIRE: Laser printer collection, purely proximal access (***NOT*** implanted)
DEWSWEEPER: USB (Universal Serial Bus) hardware host tap that provides COVERT link over US link into a target network. Operates w/RF relay subsystem to provide wireless Bridge into target network.
RADON: Bi-directional host tap that can inject Ethernet packets onto the same targets. Allows bi-directional exploitation of denied networks using standard on-net tools.

There’s a lot to think about in this list. RADON and DEWSWEEPER seem particularly interesting.

Tags: , , ,

Posted on October 23, 2013 at 10:03 AM61 Comments

Comments

Andrew October 23, 2013 10:30 AM

For someone non-US based CUSTOMS deserves a bit of head-scratching me thinks…

OCEAN also caught my eye – I couldn’t help put associate it with Van Ecke phreaking at the first moment. Though I doubt its exactly that.

That after ignoring the big pink elephant in the middle of the room, that was already mentioned above.

Nicholas Weaver October 23, 2013 10:32 AM

Hmm, I wonder if RADON is a passively powered Ethernet tap…

You could perhaps do an inline device (just plug/plug) that scavenges enough power to operate to read the Ethernet and when desired, inject a packet or two. It would be even easier if the Ethernet cable is running POE.

Cat-5/Cat-5e is rated for 500m, and with slack even more, so there is probably enough power flowing through to scavenge enough energy if you are very low power.

If this isn’t what RADON is, someone should build the above and sell it to the NSA, probably some good money in it. 🙂

DEWSWEEPER seems like your basic wireless USB keylogger, perhaps with some better design/disguise and a different/stealthier RF channel. You can buy yourself one if you want.

nomad October 23, 2013 10:33 AM

From the website http://libwalk.so/liste-des-programmes-outils-nsa/

A
AGILITY – NSA internet information tool or database
AGILEVIEW – NSA internet information tool or database
ALPHA – SIGINT Exchange Designator for Great Britain
ANCHORY – NSA software system which provides web access to textual intelligence documents
AUTOSOURCE – NSA tool or database
AQUACADE – A class of SIGINT spy satellites (formerly RHYOLITE)
ASSOCIATION – NSA tool or database

B
BANYAN – NSA tool or database
BELLTOPPER – NSA database
BELLVIEW –
BINOCULAR – Former NSA intelligence dissemination tool
BLACKPEARL – NSA tool or database
BLARNEY – NSA internet and telephony network collection program
BOUNDLESS INFORMANT – DNI and DNR data visualization tool.
BULLRUN
BYEMAN (BYE) – Retired control system for overhead collection systems (1961-2005)

C
CADENCE – NSA collection tasking tool or database
CANYON – Class of COMINT spy satellites (1968-1977)
CANNON LIGHT – Counterintelligence database of the US Army
CHESS- Compartment of TALENT KEYHOLE for the U-2 spy plane
CONFIRM – NSA database for personell access
CONTRAOCTAVE – NSA tool or database
CONVEYANCE – A voice content ingest processor? / Provide filtering for PRISM.
CORONA – A series of photographic surveillance satellites (1959-1972)
COURIERSKILL – NSA Collection mission system
CREST – Database which automatically translates foreign language intercepts in English
CRYPTO ENABLED – collection derived from AO’s efforts to enable crypto (cf. lemonde.fr)
CULTWEAVE – Smaller size SIGINT database *

D
DANCINGOASIS – (?)
DELTA – Compartment for COMINT material from intercepts of Soviet military operations
DIKTER – SIGINT Exchange Designator for Norway
DINAR – Predecessor of the UMBRA compartment for COMINT
DISHFIRE – NSA internet information tool or database
DROPMIRE – passive collection of emanations using an antenna
DRTBOX –
DRUID – SIGINT Exchange Designator for third party countries
DYNAMO – SIGINT Exchange Designator for Denmark

E
ECHELON – A SIGINT collection network run by Australia, Canada, New Zealand, the United Kingdom, and the United States,
ECHO – SIGINT Exchange Designator for Australia
EVILOLIVE –

F
FAIRVIEW – NSA internet and telephony network collection program
FALLOUT – DNI metadata ingest processor / Provides filtering for PRISM.
FISHBOWL – NSA program for securing commercial smartphones
FOREMAN – ?
FOXACID – target the TOR’s users

G
GMMA (G) – Compartment for highly sensitive communication intercepts
GAMUT – NSA collection tasking tool or database
GENIE – implants of spywares
GENTE – multi-stage opetation; jumping the airgap etc. (lemonde.fr – GLOBAL BROKER – NSA tool or database

H
HAVE BLUE – Development program of the F-117A Stealth fighter-bomber
HAVE QUICK (HQ) – Frequency-hopping system used to protect military UHF radio traffic
HERCULES – CIA terrorism database
HIGHTIDE – NSA tool or database
HIGHLANDS – spywares implants

I
INDIA – SIGINT Exchange Designator for New Zealand
INTRUDER – Series of ELINT and COMINT spy satellites (since 2009)
ISHTAR – SIGINT Exchange Designator for Japan
IVY BELLS – NSA, CIA and Navy operation to place wire taps on Soviet underwater communication cables

J
JEROBOAM – Another name used for the TRUMPET spy satellites
JUGGERNAUT – Picks up all signals from mobile networks
JUMPSEAT – Class of SIGINT reconnaissance satellites (1971-1983)

K
KLONDIKE (KDK) – Control system for sensitive geospatial intelligence

L

LIFESAVER - imaging of the hard driver (from lemonde.fr
LITHIUM - ?
LOPERS - Software application for Public Switched Telephone Networks

M
MAGIC LANTERN – A keystroke logging software developed by the FBI
MAGNETIC – sensor collection of magnetic emanations (lemonde.fr)
MAGNUM – Series of SIGINT spy satellites (since 1985)
MAILORDER –
MAIN CORE – Federal database of personal and financial data of suspicious US citizens
MAINWAY – NSA database of bulk phone metadata (Call records DB)
MARINA – NSA database of bulk internet metadata (Internet records DB)
MENTOR – Class of SIGINT spy satellites (since 1995)
MESSIAH – NSA automated message handling system
METTLESOME – NSA Collection mission system
MINARET – A sister project to Project SHAMROCK (1967-1973)
MINERALIZE – collection from LAN implant (lemonde.fr
MOONLIGHTPATH – An NSA collection program
MORAY – Retired compartment for the least sensitive COMINT material

N
NUCLEON – Database for contents of phone calls (Voice data DB)

O
OAKSTAR – NSA internet and telephony network collection program, voir aussi “2013 mass surveillance disclosures”.
OCEAN – (?) from lemonde.fr.
OCEANARIUM – Database for SIGINT from NSA and intelligence sharing partners around the world.
OCELOT – Probably a NSA program for collection from internet and telephony networks
OCTAVE – NSA tool for telephone network tasking
OCTSKYWARD – NSA tool or database
OSCAR – SIGINT Exchange Designator for the USA

P
PATHFINDER – SIGINT analysis tool (made by SAIC)
PINWALE – Database for recorded signals intercepts/internet content (Video data DB)
PLUS – NSA SIGINT production feedback program *
PRISM – NSA collection program for foreign internet data
PROTON – Smaller size SIGINT database
PURPLE – Codename for a Japanese diplomatic cryptosystem during WWII
PUZZLECUBE – NSA tool or database

Q
QUANTUM – see FOXACID – target the TOR’s users,

R
RADON – host tap than can inject Ethernet packets onto the same target – exploitation of denied networks (cf. lemonde.fr)

RAGTIME (RT) - Codeword for four NSA surveillance programs
    (Ragtime-A, B, C et P).
 RAMPART / RAMPART-T - penetration of hard targets at or near leadership level
RENOIR - NSA telephone network visualization tool
RESERVE (RSV) - Control system for the National Reconnaissance Office (NRO)
RICHTER - SIGINT Exchange Designator for Germany
RUFF - Compartment of TALENT KEYHOLE for IMINT satellites
RHYOLITE - Class of SIGINT spy satellites (in 1975 changed to AQUACADE)

S

SABRE - Retired(?) SIGINT product codeword
SAVILLE - Narrow band voice encryption used for radio and telephone communication
SCISSOR 
SCORPIOFORE -
SHARKFIN - Sweeps up all-source communications intelligence at high speed and volumes
SEMESTER - NSA SIGINT reporting tool
SENTINEL - NSA database security filter
SETTEE- SIGINT Exchange Designator for South Korea
SHAMROCK - Operation for intercepting telegraphic data going in or out the US (1945-1975)
SHELLTRUMPET - NSA metadata processing program
SILKWORTH - A software program used for the ECHELON system
SIRE - A software program used for the ECHELON system
SKYWRITER - NSA internet intelligence reporting tool
SOLIS - SIGINT product databases
SPHINX - Counterintelligence database of the Defense Intelligence Agency
SPINNERET - an NSA operational branche?
SPOKE - Retired compartment for less sensitive COMINT material
STELLARWIND (STLW) - SCI compartment for the President's Surveillance Program information
STONE GHOST - DIA classified network for information exchange with UK, Canada and Australia
STORMBREW - NSA internet and telephony network collection program
STUMPCURSOR - Foreign computer accessing program of the NSA's Tailored Access Operations

T

TALENT KEYHOLE (TK) - Control system for space-based collection platforms
TALK QUICK - An interim secure voice system created to satisfy urgent requirements imposed by conditions to Southeast Asia. Function was absorbed by AUTOSEVOCOM
TAPERLAY - covername for Global Numbering Data Base (GNDB)?
TAROTCARD - NSA tool or database
TEMPEST - Investigations and studies of compromising electronic emanations
THINTREAD - NSA program for wiretapping and sophisticated analysis of the resulting data
TRAFFICTHIEF - Part of the TURBULENCE and the PRISM programs
TRAILBLAZER - NSA Program to analyze data carried on communications networks
TREASUREMAP - NSA internet content visualization tool
TRIBUTARY - NSA provided voice threat warning network
TRINE - Predecessor of the UMBRA compartment for COMINT
TRUMPET - Series of ELINT reconnaissance satellites (1994-2008)
TUNINGFORK - NSA tool or database
TURBULENCE - NSA Program to detect threats in cyberspace (2005- )
TURMOIL - Part of the TURBULENCE program
TUSKATTIRE - DNR (telephony) ingest processor
TUTELAGE - Part of the TURBULENCE program

U

UMBRA - Retired compartment for the most sensitive COMINT material
UNIFORM - SIGINT Exchange Designator for Canada
UPSTREAM -

V
VAGRANT – computer screens / captures d’écrans [lemonde.fr](http://www.lemonde.fr/international/article/2013/10/22/la-diplomatie-francaise-sur-ecoute-aux-etats-unis35007173210.html
VORTEX – Class of SIGINT spy satellites (1978-1989)

W
WEALTHYCLUSTER – Program to hunt down tips on terrorists in cyberspace (2002- )
WEBCANDID – NSA tool or database
WHITEBOX –

X
XCONCORD – Program for finding key words in foreign language documents
XKEYSCORE (XKS) – Program for analysing SIGINT traffic

Z
ZARF – Compartment of TALENT KEYHOLE for ELINT satellites

Nicholas Weaver October 23, 2013 10:43 AM

Nomad: that list is questionable.

E.g. FOXACID is not “target Tor”, FOXACID are the web-exploit servers (redirect the user to in various ways, exploit the browser). QUANTUM is packet injection/redirection, with QUANTUMCOOKIE used to extract cookies (“forced sidejacking”) and QUANTUMINSERT used to redirect the victim to a FOXACID server for explotation.

HH October 23, 2013 11:24 AM

Great, Psychiatrists are going to have more work trying to convince paranoid schizophrenics that their delusions are overblown. I’m not blaming the news outlets, I’m just saddened at the reality of the situation. That Faraday cage MIGHT come in handy, and don’t throw out the tinfoil hat, either.

Mike the goat October 23, 2013 11:33 AM

Nicholas: or incorporate a UMTS radio into a keylogger and have a bug with virtually unlimited range. If you had it enable itself at a time (say 0400) and burst out the data really quick then disable the radio it would be difficult to detect with handheld sweepers too. There would be ample power available for a USB version of the device. Perhaps using a joule thief type circuit and a small rechargeable cell you could extract just enough for your short TX from the PS/2 port too (considering it has to supply at least enough mA to run the keyboard controller and light up three LEDs consecutively).

AJ October 23, 2013 12:53 PM

The mention of implants started me thinking about Dick Chaney. I wonder if that thing about disabling the wireless on his pacemaker was triggered by him seeing this wording (not that I would come to a different decision in his position…)? </speculation>

NobodySpecial October 23, 2013 1:13 PM

They should just use Ikea product names, then only Swedish whistleblowers would be able to leak secrets.

Carpe October 23, 2013 1:38 PM

@AJ

The security researcher who was going to do a presentation on medical device vulnerabilities (including pacemakers) died suddenly…

DerpSec October 23, 2013 1:56 PM

Obviously implants are placed exploitation devices. No surprise they use laser printers as a backdoor into the network but rf band usb? that isnt detected lol? Guess the nsa dont have many adversaries with SCIF tents

John Campbell October 23, 2013 2:38 PM

@H. Meadows: Somewhere there are wifi and bluetooth sniffers installed within women’s implants for some time now… and, somewhere– probably a network of OB/GYNs– are the front for the NSA to download the captured data…

(smirks)

Gawd, this sounds like Movie Plot Threat, doesn’t it?

Maybe Halloween should have a contest about our “authorities” rather than “terrorist”… though, I grant, it is getting a little hard to tell them apart. (anyone remember a line like that from “Hopscotch”???)

noseyparkerunit October 23, 2013 3:34 PM

ONe thing I’ve niticed about these spies that on encrypted Linux, they don’t know how to do loopbacks (sometimes their efforts are quite pitiful it is so obvious that they just did it- plus I know which Linux and which has bad crypto from those efforts) but worse is that they end up breaking hard drives when they do it. I’ve lost quite a few.

H. Meadows October 23, 2013 4:04 PM

@John Campbell

Considering how womens…eh…curvature…can hide bombs, the authorities need to immediately establish a task force to confirm that those parts are what they purport to be.

It might even be possible to get a few willing volunteers for this;-)

Wael October 23, 2013 4:36 PM

DEWSWEEPER seem particularly interesting.

Yes! Imagine ordering a “subverted” USB connector cable that has the embedded RF transceivers and the antenna within the cable. The cable will look normal, and the victim will be non-the-wiser. Power comes from the Laptop, PC, printer, etc. But there must be some additional camouflaging (at the device driver or kernel level) or stealth so the functionality doesn’t give it away in device manager, for example. Pretty clever!
Speaking of bugs, I find these two most interesting. One is clever, and the other is funny.

and, most notorious of all, a listening device found in the U.S. embassy in Moscow in 1952. The hiding place: a hole in the Great Seal of the United States hanging in the ambassador’s study. The carved wooden seal, a gift from the Soviets seven years before, held buried inside it a small cylinder called a Hi-Q resonant cavity. The cylinder contained a diaphragm at one end and an antenna at the other. Voices in the room caused the diaphragm and then the antenna to vibrate. U.S. officials surmised that Soviet technicians across the street kept a high-power microwave beam trained on the seal to measure the vibrations, allowing them to reconstruct the conversations

This device required local power source, it’s more or less a passive device! Required an external Microwave beam. There was another one I read about long time ago, but can’t find a reference to it. Was a coat hanger passive device as well, except it required no external Microwave beam. The source of power was the sound. A high sensitivity receiver was located across the street. I would have thought a parabolic sound reflector would have sufficed, but apparently there was enough sound shielding, so the hanger was useful.

And:

A bizarre variation on the theme is the toilet-bowl bug, proposed by the late Bernard Spindel, a master eavesdropper of the 1950’s and 1960’s whose career included more than 200 arrests or indictments for illegal snooping. Using Spindel’s system, a spy on the roof of a building would place a microphone inside the air-vent pipe leading to the target toilet. Since the surface of the water in a toilet vibrates like a diaphragm in response to nearby voices, and since water is such an excellent conductor of sound, the voices would be carried up the pipe to the microphone.

Both courtesy of:
http://www.bugsweeps.com/info/spytech.html

Wael October 23, 2013 4:42 PM

Typo!

This device required local power source

Should be: This device required no power source…
And the Microwave beam is not a source of power either.

lost October 23, 2013 6:07 PM

I have argued many times that the actual USB 1.1 stack was hijacked, back in the 90’s.

That was before tinfoil hats were in fashion.

This was known as the “usb optical drive bug”, and was on most mainstream motherboards that we built back then.

I always argued that the stack was trying to write to mem or cache, and then would hang when trying to transfer out to network.

This really came to a head with WinME, and Vista early release.

I would say everyone building a box, and trying to incorporate usb cd drives , ran into this problem.

Prob lowball cost of at least 500 mil in hardware, and the death of WinME.

Dirk Praet October 23, 2013 7:49 PM

RADON and DEWSWEEPER seem particularly interesting.

The NSA versions of Pwnie Express’s Pwn Plg Elite ?

GENIE: Multi-stage operation: jumping the airgap etc.

Bruce may wish to ask GG more about this one.

In other, only slightly related news, it would seem that POTUS has his hands full answering phone calls from government leaders in Europe who are less than happy with having their communications monitored. And the EU Parliament yesterday passed a motion to suspend the 2010 SWIFT financial data exchange program with the US. Diplomatic HAZ-SPY teams are facing some troublesome damage control over the next weeks.

Nick P October 23, 2013 8:20 PM

@ Dirk Praet

You’re description gave me the impression that SWIFT transactions were to cease or something. It’s actually just the counterterror-related information exchange that they’re trying to suspend. So, business as usual but with less actionable intelligence going in the direction of US if the measure passes. Of course, they can still watch everything that happens on their side which will probably give them useful info in and of itself.

Batard October 23, 2013 9:07 PM

Saw your comment on the video privacy protection act.

Theroretical question: So if someone paid a site to look at certain short videos they had up on their website and which the site had a policy of allowing you to download, and you presumed they had some kind of almost like youtube like pay agreement, just different and then after that person rentecd them someone broke into her computer, wrote reports of the videos rented since she destroyed them after watching, would that website or other persons be liable for reporting such or following such person to their home computer when they rented the video. Would that be $2500 per incident? Just wondering. Fill in the details with your imagination for which site

H. Meadows October 23, 2013 10:23 PM

@Wael
Yes! Imagine ordering a “subverted” USB connector cable that has the embedded RF transceivers and the antenna within the cable.

hmm yea I was just thinking about whether some cell phone SIM card could be embedded into a 64GB USB stick.

Wael October 23, 2013 10:48 PM

@ H. Meadows,

whether some cell phone SIM card could be embedded into a 64GB USB stick.

Of course it can! It’s actually pretty easy. Would not be functional though, without the modem HW and SW stack 🙂 Also, an unknown USB stick would look suspicious, especially the ones sprinkled in the parking lot 😉 A Cable is more deceiving, I would think.

OfficerX October 24, 2013 4:56 AM

How convenient that this glossary, the leaker and all the docs are in English. Imagine the fun if we will have a Chinese or Russian NSA case one day…

Clive Robinson October 24, 2013 6:28 AM

@ H. Meadows, Wael,

    … whether some cell phone SIM card could be embedded into a 64GB USB stick

Err I don’t want to make the pair of you feel like a couple of “not observing” types but there are quite litterly millions of such devices out there made by the likes of ZTE and people are quite happily buying them everyday either directly or as part of a mobile internet contract.

Put the design the other way around as GSM wirless modem for broadband Internet with an included Flash memory device / card.

Nearly all such Broadband Modem USB sticks have an inbuilt USB memory stick used to store the mobile broadband software put there by the service providers. When you plug it in the computer it declairs it’s self as a USB Memory device (and a custom modem) with an autorun file the OS kicks off and runs, this installs the general device driver and “skins” and other nasties proprietry to the Service Provider.

Under earlier versions of Linux you could use it as both ie to start as a memory device then as a modem, and if you knew the “magic words” to send it it would revert back to being a memory device. Some earlier ZTE devices had a “bug” in them that enabled you to use it as both at the same time.

This was well known to those people working at Hanslope Park and why they made enquires as to a contract to design a USB memory card where it had a built in GSM device that could use SMS messages and GPS to “wipe” the contents of the flash memory.

I still have a working prototype sitting under my workbench at home because the people between Hanslope and me would not except the plain and simple reality that all data stored on the device would have to be encrypted –due to wear leveling issues– and it would also have to have both a sizable rechargable battery and some method by which it would have to go into Aircraft mode and thus a secure wipe of the device could not be done.

What they would not accept was softloadable keys via the radio interface using an internal PubKey / shared secret arangment.

And I guess the Ed Snowden revelations show why because it makes a replay attack all to easy…

Skeptical October 24, 2013 10:01 AM

The bug in the seal is one my favorites too. Technologically elegant and poetically hilarious.

Have to add that I’m not the biggest fan of leaking program codenames. I find them as fascinating as anyone else, but I also don’t like handing free clues to adversarial and oppressive foreign states. God knows whether in some boozy bar at 0200 a year ago some guy three shots away from alcohol poisoning trying to describe his job to a pretty young woman chatting with him accidentally mentions the codename; the pretty low level foreign officer types up the contact, notes the guy states himself an engineer working in the General Services Administration on some project called X. Low-value, discontinuing contact, report ends. But then the codename is leaked in the news, and a search is run against contact reports, and lo and behold, what was low-value has become high-value, and a new target is born…

But yeah, definitely an interesting list of science projects in that list.

Nick P October 24, 2013 10:31 AM

@ Wael, Mike the Goat

A subverted cable is interesting. I’m not sure about what kind of chip I’d put in there but I have another idea. Replace their cable with a nearly identical looking one (or modify theirs) whereby some of the shielding around the wires is actually something that amplifies the signal. Maybe just a thin layer of something conductive that sticks out the wire an unnoticeable amount. If one wants transmitters, the standard connectors of some cables are pretty big and could possibly disguise a tiny one.

John Campbell October 24, 2013 11:10 AM

Are we sure DEWSWEEPER isn’t busy playing “MINESWEEPER” on penetrated Windows systems?

Wael October 24, 2013 11:26 AM

@ Clive Robinson,

Err I don’t want to make the pair of you feel like a couple of “not observing” types but there are quite litterly millions of such devices out there made by the likes of ZTE and people are quite happily buying them everyday either directly or as part of a mobile internet contract.

I have quite a few of them myself — I must be a super “not observing” sort 🙁 The thing is this is supposed to be a covert device, and likely used in an environment where the person of interest is savvy or in a small company with a competent IT admin. When you use one of those USB (WiFi, CDMA, LTE, 3G, 4G…), it’ll be very obvious visually, and viewable from “Device Manager” or a command prompt (ipconfig or ifconfig, and its friends). You can also use bus scanning tools that will list what site on various busses, their vendor ID, their name, the functions they provide, IO ports, etc. A “dmesg” command will also show such device initialization.

When I said:

Of course it can! It’s actually pretty easy. Would not be functional though, without the modem HW and SW stack 🙂

I meant the SIM alone is not sufficient to do the deed, you’ll need the rest of the system, although it’s very easy to embed a SIM in a USB stick… (you don’t see the humor?) Besides, I doubt NSA will order something this easy to spot from ZTE ( a Chinese company, by the way — 中兴通讯股份有限公司) — then again…

Wael October 24, 2013 11:40 AM

@ Nick P,

A subverted cable is interesting. 1: I’m not sure about what kind of chip I’d put in there but I have another idea. 2: Replace their cable with a nearly identical looking one (or modify theirs) 3: whereby some of the shielding around the wires is actually something that amplifies the signal.

1: A 3g/4g subsystem, not just a chip. They are quite small, and some fit in a watch: http://www.omate.com/
2: Then you’ll require physical presence at the site. The idea is to ship them something they order. Sometimes the location is out of reach, may even be an unknown address.
3: An amplifying shield! What a concept 🙂 Reminds me of Scotty from a star trek movie with “Transparent Aluminum”

PS: Correction to the previous post:
what site on various busses
should say:
what sits on various busses

Nick P October 24, 2013 12:18 PM

@ Wael

  1. Good example. Perhaps something like this might be useful?
  2. “Then you’ll require physical presence at the site. The idea is to ship them something they order. Sometimes the location is out of reach, may even be an unknown address.” I was actually implying supply chain subversion of the cable except for the “or modify theirs” case. I figured you’d connect the dots. You did, I see. 😉
  3. “An amplifying shield! What a concept 🙂 Reminds me of Scotty from a star trek movie with “Transparent Aluminum””

Thank you and lol. As an ultracareful black hat, one of my main principles back in the day was to attack whatever target’s trusted (or ignored) the most. So, make a shield amplify, make an IPS give my code privileged access, put the keylogger in their big ergonomic keyboard, ensure their UPS does more than provide backup power, and so on. There are many more opportunities today than before despite all the advances in security technology. It’s why I smirk when someone says a possibility I mention is too theoretical or paranoid… yet I used in the field successfully. I imagine a TLA could do a tad more than me. 😉

Wael October 24, 2013 12:37 PM

@ Nick P,

You wouldn’t think NSA is using some of these subverted cables internally, would you? Who knows… Maybe their supply chain has been compromised, and another organization, unheard of, is watching over them 😉

Some_Guy_In_A_Diner October 24, 2013 2:17 PM

The scope and breath of this list is depressing. They are busy devils, aren’t they. Everything needs to be engineered.

CallMeLateForSupper October 24, 2013 4:29 PM

“NSA Exploit Tools”
Tools for exploiting NSA. 🙂 Being the exploiter for a change – instead of the exploited – would feel good about now.

Terry in Phoenix October 24, 2013 4:34 PM

Our country (U.S.A.) was founded on having three separate branches of government. The Executive Branch controls and has access to all the data from the NSA. The NSA, the FBI and the CIA all work for the President of the United States. How can Congress and the Supreme Court sit idly by and let the Executive Branch read their emails and track their phone calls? The founding premise of this nation has been violated and the President has been given the “Keys to the Kingdom”. The previous resident of the White House was not tech savvy or anything savvy for that matter. However this President is tech savvy and knows how to use that data. And every President from now on will also. We no longer have a Republic when one and only one branch of government can spy on the other two. How can the people, the Congress and the Supreme Court not see this? This country is so screwed!

Mike the goat October 24, 2013 5:01 PM

Nick: the very shielding of the cable could be used as an antenna. One compromised DVI cable + an “active” keylogger = completely subverted PC without having to worry about the software. The key logger module could be made quite small and just pass its data on to the UMTS module buried in the DVI cable. You wouldn’t need that much room. Consider having the cellular hardware at one end (in the shell on the connector which often has plenty of dead room inside) and the “brains” (DVI=>IP – perhaps use a COTS IC from a KVM) and small secondary cell to accumulate charge on the other end. Seeing as it will be just between monitor and PC we could use the extra “ethernet” wires in the DVI cable for comms between each end. It need not be much bigger than a standard cable.

If you had additional time you could simply replace their keyboard with an identical one with the keylogger secreted inside. Then again you could solder it straight onto the motherboard if you had that much access (or just wait in the room and put a gun to their head = much easier!)

Wael October 24, 2013 5:19 PM

@ Mike the goat,

(or just wait in the room and put a gun to their head = much easier!)

Actually, the easiest would be to insert a mole in the IT department — What they call an implant (or a third order implant)[1]. Remember! The tool was supposed to act as a bridge into the internal network, not just to “keylog” — They want to sniff internal traffic, and do other cool things…

[1] Real implant (mole) with 2 silicon implants, as some were jokingly? saying above 🙂

Doug Coulter October 24, 2013 6:16 PM

Terry, who says they don’t see this, but all are dirty and compromised already? We are talking about the most black-mailable group of persons on the planet, and digging dirt on them isn’t even as hard as it is on, say, me.

I inhaled, I did do the girl, and did some bad things more than once, if I enjoyed them – I’m hard to blackmail.

A congress-critter? How many have you met, and talked to for more than 30 seconds (or 5 for that matter) without your BS detector pegging off-scale? All dirty, all lying thieves, but the big difference is THEY CARE if it comes out. If it does, they lose their job and perks, which is what they live for.

In other words, it’s already too late – for them.

If some previously unknown dirt comes out about me – no one will bat an eye about it, including me. But then, I don’t “do” politics.
And the people I’d care if they knew, either probably do already, and wouldn’t care about one more bit. They know me to be someone who has been pretty uniformly a good and helpful guy.
It would take something pretty serious to dislodge that, and unless I’ve suffered from some undetected memory loss, I haven’t done anything that bad. Someone they trust more than I would have to be in the business of fabricating quite a lot. I can’t think of who that would (could?) be.

Mike the goat October 24, 2013 6:31 PM

Wael: indeed, or perhaps their Van Eck emanations are strong enough to be detected by that apartment across the street that the spooks have set up a directional antenna in.

Wael October 24, 2013 6:49 PM

@ Mike the goat,

Haven’t you heard? The landlord got fed-up with them. They got evicted out of the apartment. The four of them live in a white Van now — Van Eck, you see the irony?
They still can see the signal, which I think will be very difficult to decode. And still, they can’t inject packets on the net, unless they’re utilizing Nick P’s ingenious “Amplifier Shield” device 😉

Dirk Praet October 24, 2013 9:00 PM

@ Nick P.

So, business as usual but with less actionable intelligence going in the direction of US if the measure passes.

Being realistic about it, it’s primarily a strong political signal. In the end, it’s the EC that decides, not the EP. With strong opposition from centre-right MEPs, the UK and Swedish US lapdog Cecilia Malmström as the commisionner in charge of EU Home Affairs, it’s unlikely that the 2010 Terrorist Finance Tracking Program (TFTP) will be suspended anywhere soon. But at least some things are starting to move. EP President Martin Schulz today also called for a suspension of the free trade talks between the EU and the US.

With the latest revelations about the NSA’s spying on French telecommunications and listening in on Angela Merkel’s phone calls, we have passed beyond the point that European leaders can stay deaf, dumb and blind about the affair without ridiculing themselves in the eyes of their electorate. Today, this resulted in a joined French-German initiative to “discuss” with the US new rules on “spying on friends” at this week’s European summit. There are new amendments on the table to revise the rules on “Safe Harbour” for non-EU entities in the upcoming EU Data Protection Regulation.

There is also a substantial increase in EU mainstream media coverage as compared to June and July, with many a journalist having caught on to the deceptive word games by US officials. Everywhere in Europe, with the exception of the UK, maybe, Barack Obama is falling out of grace faster than a cheetah leaving a salad bar.

I have no doubt that many in the USG are acutely aware of how the NSA’s global surveillance dragnet is undermining transatlantic relations, but unless those in charge start coming up with better responses than flat denials or self-righteous statements by serial liars like DNI Clapper, the reputation of the US all over Europe is pretty much toast and its perception on par with that of Russia and China. It really is a strange foreign policy to try and fight enemy threats by creating even more enemies, even among your friends. I don’t think that has ever worked out for anyone.

Figureitout October 24, 2013 9:36 PM

the reputation of the US all over Europe is pretty much toast and its perception on par with that of Russia and China.
Dirk Praet
–Goddamit, I saw this first hand. I didn’t even want to identify myself in public as an American. This insanity is so destructive that now any American telling you to trust them, you would be wise to call “feldergarb”…Sometimes I wonder if I should’ve been in the State Dept. for Belgium to at least try to work out issues in this country but others willingly are destroying any hope of making any resemblance of a trusting relationship. I wonder if anyone in your country is spying on the U.S.

Nick P October 24, 2013 11:25 PM

@ Dirk

Good point. It will be interesting to see what effect it has. It’s not lost on me that the most powerful elites are in both US and Europe, having pushed a globalist agenda for a long time to their mutual benefit. And regularly screw both areas for profit. Anything threatening their billions will be put down. So, with that being in my worldview, I think these things will have little effect on trade for big players. Might hurt the US diplomatically and in future deals with other countries. Might also cause them to buy less stuff from us that might contain sensitive information.

I’m just waiting and watching though. Who knows, the worldview that served me well for many years might turn on its head with the world getting fed up and actually acting. I wouldn’t mind being surprised this time. We shall see.

@ Wael

Haha

@ Mike the goat

Interesting setup. Could work. I also remind people that, if your willing to tamper with their actual setup, the keylogger can easily be on the inside of the computer. As can a whole bug. The port they plug the peripherals or cables into doesn’t need to be the actual port. 😉 This is best for when you know they’ll never look in the box or when you have a safe window of opportunity to put it there and retrieve it.

EDIT: I wrote that before reading the last part of your post. You said solder it to the motherboard, which is what I was writing. Dangerous minds think alike haha.

Re van eck spooks across the street with an antenna

Nice, subtle reference to what the Soviets did to our embassies. You must have read about it at some point. (I’ve heard it happened to them too, but can’t recall.) It’s one of the reasons our guidelines on embassies were supposed to have a certain distance between the fence and the building in all directions. Many people thought it was physical security or wasteful land management, but it was a TEMPEST security requirement the whole time. One that some locations ignored to their peril. {toothy grin}

Nick P October 24, 2013 11:46 PM

@ Wael

“You wouldn’t think NSA is using some of these subverted cables internally, would you? Who knows… Maybe their supply chain has been compromised, and another organization, unheard of, is watching over them ;)”

Funny I think that could very well be possible since our country outsourced so much of its manufacturing. I think the NSA has been worried too. The clue was a defence grant I read about a while back to deal with enemy supply chain poisoning. The tech would automatically detect malicious circuits in foreign sourced hardware. Presumably powered by a combination of electricity, AI and magic. I hear the work is “ongoing” but my own analysis went like this…

Option A: Build a local fab, maintain its security, and produce security critical chips.

Option B: Outsource the chip work to untrustworthy countries, import the chips through COTS logistics, scan them with “Antivirus for Chips,” and put them in sensitive applications unmonitored.

“Option B seems legit,” some Washington power brokers said and so on that path they go…

Wael October 25, 2013 12:09 AM

@ Nick P

Funny I think that could very well be possible since our country outsourced so much of its manufacturing.

As far as I know, China will not allow a crypto device manufactured outside of China to be used in consumer computers. May imply a lot of things. I would think it implies they are scared what they are doing to others will happen to them. It also implies they are not as carefree about subversion as some other countries are. I’m not going to rant about the outsourcing issue — it’ll change nothing! Greed will win 😉

Mike the goat October 25, 2013 7:01 AM

Nick: the crazy thing is that there are so many ways to subvert a PC focusing solely on hardware hacks I don’t even know where to start. Completely O.T. and probably should have waited for tomorrow’s Squid post but I was looking up the key on the MIT server for a friend of mine and noticed his key was signed by “Michael Vario”. I have a w.o.t. visualization tool I wrote which makes a graphic of trust relationships in my keyring. The other day I imported Bruce’s new key (along with his old counterpane key) as I was curious why he changed keys suddenly and wanted to know if he’d signed his new key with his old key. Anyway I noticed the same chap had signed Bruce’s key too. So I start looking up well known people in our industry – yeah, you guessed it – all signed by the same chap (but not one of them countersigned). Anyway I dug some digging and found a cryptome thread where someone has noticed the same thing. There was even some Alex Jones style conspiracy page from someone who clearly doesn’t know how public key signing works as he claims that because this guy signed all Snowden/verax keys and also signed Greenwald and Co’s keys around the same time that Snowden is hiding out under that name (only an idiot could come to that conclusion, especially considering that nobody has signed his key in return. I wrote a brief article about it and how morons like this guy are responsible for eroding the WOT model. Kinda like a PGP version of the “Sammy” Facebook thing a while back (evil JavaScript which made the user a friend of the guy then posted the evil js to the wall of the victim for his friends to fall victim to).

Speaking of malicious JavaScript I am working on a nice little website that – if injected into an iframe – will login to your xDSL router (slowly building a database up of models to support) using default credentials, set a password, turn on syslog and point it at the C&C server and also enable remote access). Proof of concept, of course. The idea has been tried before but I am aiming to support a wide variety of SOHO routers.

David Leppik October 25, 2013 11:48 AM

Thank goodness it looks like “implant” means a bug on an interface. I really hope it doesn’t actually involve surgery.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.