Blog: February 2014 Archives

NEBULA: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

NEBULA

(S//SI//FVEY) Multi-Protocol macro-class Network-In-a-Box (NIB) system. Leverages the existing Typhon GUI and supports GSM, UMTS, CDMA2000 applications. LTE capability currently under development.

(S//SI//REL) Operational Restrictions exist for equipment deployment.

(S//SI//REL) Features:

  • Dual Carrier System
  • EGSM 900MHz
  • UMTS 2100MHz
  • CDMA2000 1900MHz
  • Macro-class Base station
  • 32+Km Range
  • Optional Battery Kits
  • Highly Mobile and Deployable
  • Integrated GPS, MS, & 802.11
  • Voice & High-speed Data

(S//SI//REL) Advanced Features:

  • GPS — Supporting NEBULA applications
  • Designed to be self-configuring with security and encryption features
  • 802.11 — Supports high speed wireless LAN remote command and control

(S//SI//REL) Enclosure:

  • 8.5″H x 13.0″W x 16.5″D
  • Approximately 45 lbs
  • Actively cooled for extreme environments

(S//SI//REL) NEBULA System Kit:

  • NEBULA System
  • 3 Interchangeable RF bands
  • AC/DC power converter
  • Antenna to support MS, GPS, WIFI, & RF
  • LAN, RF, & USB cables
  • Pelican Case
  • (Field Kit only) Control Laptop and Accessories

(S//SI//REL) Separately Priced Options:

  • 1500 WH LiIon Battery Kit

(S//SI//REL) Base Station Router Platform:

  • Multiple BSR units can be interconnected to form a macro network using 802.3 and 802.11 back-haul.
  • Future GPRS and HSDPA data service and associated application

Status:

Unit Cost: $250K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 28, 2014 at 2:16 PM | 9 Comments

GENESIS: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

GENESIS

(S//SI//REL) Commercial GSM handset that has been modified to include a Software Defined Radio (SDR) and additional system memory. The internal SDR allows a witting user to covertly perform network surveys, record RF spectrum, or perform handset location in hostile environments.

(S//SI//REL) The GENESIS systems are designed to support covert operations in hostile environments. A witting user would be able to survey the local environment with the spectrum analyzer tool, select spectrum of interest to record, and download the spectrum information via the integrated Ethernet to a laptop controller. The GENESIS system could also be used, in conjunction with an active interrogator, as the finishing tool when performing Find/Fix/Finish operations in unconventional environments.

(S//SI//REL) Features:

  • Concealed SDR with Handset Menu Interface
  • Spectrum Analyzer Capability
  • Find/Fix/Finish Capability
  • Integrated Ethernet
  • External Antenna Port
  • Internal 16 GB of storage
  • Multiple Integrated Antennas

(S//SI//REL) Future Enhancements:

  • 3G Handset Host Platform
  • Additional Host Platforms
  • Increased Memory Capacity
  • Additional Find/Fix/Finish Capabilities
  • Active Interrogation Capabilities

Status: Current GENESIS platform available. Future platforms available when developments are completed.

Unit Cost: $15K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 27, 2014 at 2:08 PM | 15 Comments

Was the iOS SSL Flaw Deliberate?

Last October, I speculated on the best ways to go about designing and implementing a software backdoor. I suggested three characteristics of a good backdoor: low chance of discovery, high deniability if discovered, and minimal conspiracy to implement.

The critical iOS vulnerability that Apple patched last week is an excellent example. Look at the code. What caused the vulnerability is a single line of code: a second “goto fail;” statement. Since that statement isn’t a conditional, it causes the whole procedure to terminate.

The flaw is subtle, and hard to spot while scanning the code. It’s easy to imagine how this could have happened by error. And it would have been trivially easy for one person to add the vulnerability.

Was this done on purpose? I have no idea. But if I wanted to do something like this on purpose, this is exactly how I would do it.
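As an added illustration, not Apple's code and not part of the original post, the C below reproduces the shape of the flawed routine: a chain of `if ((err = step()) != 0) goto fail;` checks in which one `goto fail;` line appears twice. `hash_update`, `hash_final` and `raw_verify` are hypothetical stand-ins for the hash and signature-verification calls, and `trace_t` exists only to record which steps ran. The point it makes concrete is that the stray jump is taken while `err` still holds 0, so everything after it, including the final signature check, is skipped and the function reports success for a signature it never verified. The corrected version beside it differs by exactly one line.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Records which steps of the check actually executed (diagnostic only). */
typedef struct {
    int hash_updated;
    int hash_finalized;
    int signature_checked;
} trace_t;

/* Hypothetical stand-ins for the hash and signature-verify calls; each
 * returns 0 on success, the convention the real routine relied on. */
static int hash_update(trace_t *t) { if (t) t->hash_updated = 1; return 0; }
static int hash_final(trace_t *t)  { if (t) t->hash_finalized = 1; return 0; }
static int raw_verify(trace_t *t, int signature_valid)
{
    if (t) t->signature_checked = 1;
    return signature_valid ? 0 : -1;   /* nonzero: signature does not verify */
}

/* Same shape as the flawed routine, with one line pasted twice.
 * Returns 0 when the peer's signature is accepted. */
int verify_signed_params_buggy(int signature_valid, trace_t *t)
{
    int err;
    if (t) memset(t, 0, sizeof *t);
    if ((err = hash_update(t)) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken, and err is still 0 */
    if ((err = hash_final(t)) != 0)
        goto fail;
    err = raw_verify(t, signature_valid);   /* never reached */
fail:
    return err;
}

/* Corrected version: without the stray goto, the verify step runs. */
int verify_signed_params_fixed(int signature_valid, trace_t *t)
{
    int err;
    if (t) memset(t, 0, sizeof *t);
    if ((err = hash_update(t)) != 0)
        goto fail;
    if ((err = hash_final(t)) != 0)
        goto fail;
    err = raw_verify(t, signature_valid);
fail:
    return err;
}

/* Runs one of the two routines and reports whether the signature check ran. */
int signature_was_checked(int (*fn)(int, trace_t *), int signature_valid)
{
    trace_t t;
    fn(signature_valid, &t);
    return t.signature_checked;
}

int main(void)
{
    /* Feed an invalid signature to both versions. */
    printf("buggy: verdict=%d signature_checked=%d\n",
           verify_signed_params_buggy(0, NULL),
           signature_was_checked(verify_signed_params_buggy, 0));
    printf("fixed: verdict=%d signature_checked=%d\n",
           verify_signed_params_fixed(0, NULL),
           signature_was_checked(verify_signed_params_fixed, 0));
    return 0;
}
```

Two checks would have caught this without reading the diff: clang's `-Wunreachable-code` reports the `hash_final` call as code that will never be executed, and a negative test that presents a bad signature (as `main` does) fails on the buggy version because it returns 0.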

EDITED TO ADD (2/27): If the Apple auditing system is any good, they would be able to trace this errant goto line not just to the source-code check-in details, but to the specific login that made the change. And they would quickly know whether this was just an error, or a deliberate change by a bad actor. Does anyone know what’s going on inside Apple?

EDITED TO ADD (2/27): Steve Bellovin has a pair of posts where he concludes that if this bug is enemy action, it’s fairly clumsy and unlikely to be the work of professionals.

Posted on February 27, 2014 at 6:03 AM | 168 Comments

ENTOURAGE: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

ENTOURAGE

(S//SI//REL) Direction Finding application operating on the HOLLOWPOINT platform. The system is capable of providing line of bearing for GSM/UMTS/CDMA2000/FRS signals. A band-specific antenna and laptop controller are needed to complement the HOLLOWPOINT system and complete the ground-based system.

(S//SI) The ENTOURAGE application leverages the 4 Software Defined Radio (SDR) units in the HOLLOWPOINT platform. This capability provides an “Artemis-like” capability for waveforms of interest (2G,3G,others). The ENTOURAGE application works in conjunction with the NEBULA active interrogator as part of the Find/Fix/Finish capabilities of the GALAXY program.

(S//SI//REL) Features:

  • Software Defined Radio System
  • Operating range 10MHz – 4GHz
  • 4 Receive paths, all synchronized
  • 1 Transmit path
  • DF capability on GSM/UMTS/CDMA2000/FRS signals
  • Gigabit Ethernet
  • Integrated GPS
  • Highly Mobile and Deployable

(S//SI//REL) Enclosure:

  • 1.8″H x 8.0″W x 8.0″D
  • Approximately 3 lbs
  • 15 Watts
  • Passively cooled

(S//SI//REL) Future Developments:

  • WiMAX
  • WiFi
  • LTE

Status: The system is in the final testing stage and will be in production Spring 09.

Unit Cost: $70K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 26, 2014 at 2:38 PM | 21 Comments

DDoSing a Cell Phone Network

Interesting research:

Abstract: The HLR/AuC is considered to be one of the most important network elements of a 3G network. It can serve up to five million subscribers and at least one transaction with HLR/AuC is required for every single phone call or data session. This paper presents experimental results and observations that can be exploited to perform a novel distributed denial of service attack in 3G networks that targets the availability of the HLR/AuC. More specifically, first we present an experiment in which we identified and proved some zero-day vulnerabilities of the 3G network that can be exploited by malicious actors to mount various attacks. For the purpose of our experiment, we have used off-the-shelf infrastructure and software, without any specialized modification. Based on the observations of the experiment, we reveal an Advanced Persistent Threat (APT) in 3G networks that aims to flood an HLR/AuC of a mobile operator. We also prove that the discovered APT can be performed in a trivial manner using commodity hardware and software, which is widely and affordably available.

The attack involves cloning SIM cards, then making multiple calls from different handsets in different locations with the same SIM card. This confuses the network into thinking that the same phone is in multiple places at once.

Note that this has not been tested in the field, but there seems no reason why it wouldn’t work.

There’s a lot of insecurity in the fact that cell phones and towers largely trust each other. The NSA and FBI use that fact for eavesdropping, and here it’s used for a denial-of-service attack.
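The symptom the post describes, one subscriber identity apparently present in several places at once, is also the thing an operator can look for. The C below is an added example, not from the paper or the post: it runs a simple multi-presence heuristic over a constructed batch of location-update records of the kind the HLR processes, flagging any IMSI that registers from two different area codes within a window too short for a handset to have travelled between them. The `loc_update_t` layout, the area codes, the 5-minute window and the IMSI values are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One location-update transaction as the HLR sees it.
 * Field layout is assumed for this example; values below are constructed. */
typedef struct {
    const char *imsi;   /* subscriber identity presented by the handset */
    long        ts;     /* arrival time, seconds */
    int         area;   /* location/tracking area code the update came from */
} loc_update_t;

/* Heuristic: one handset cannot register in two different areas within a
 * short window, so an IMSI that does is probably active on more than one
 * device at once. Writes each such IMSI once into `flagged` and returns
 * how many were found (capped at max_flagged). */
size_t find_multi_presence(const loc_update_t *ev, size_t n, long window,
                           const char **flagged, size_t max_flagged)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max_flagged; i++) {
        int already = 0;
        for (size_t k = 0; k < count; k++)
            if (strcmp(flagged[k], ev[i].imsi) == 0) { already = 1; break; }
        if (already)
            continue;
        for (size_t j = i + 1; j < n; j++) {
            if (strcmp(ev[i].imsi, ev[j].imsi) != 0 || ev[i].area == ev[j].area)
                continue;
            if (labs(ev[j].ts - ev[i].ts) <= window) {
                flagged[count++] = ev[i].imsi;
                break;
            }
        }
    }
    return count;
}

/* Constructed sample: ...111 moves between neighbouring areas 40 minutes
 * apart (normal), ...222 appears in three areas within 45 seconds, and
 * ...333 re-registers in the same area (normal). */
static const loc_update_t sample[] = {
    { "001010000000111", 1000, 101 },
    { "001010000000111", 3400, 102 },
    { "001010000000222", 1000, 101 },
    { "001010000000222", 1020, 205 },
    { "001010000000222", 1045, 310 },
    { "001010000000333", 1000, 101 },
    { "001010000000333", 1030, 101 },
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])
#define WINDOW_S 300L   /* 5 minutes; an illustrative threshold */

/* Number of IMSIs the heuristic flags in the sample batch. */
size_t sample_flag_count(void)
{
    const char *out[8];
    return find_multi_presence(sample, SAMPLE_N, WINDOW_S, out, 8);
}

/* 1 if the given IMSI is among those flagged in the sample, else 0. */
int sample_flags_imsi(const char *imsi)
{
    const char *out[8];
    size_t n = find_multi_presence(sample, SAMPLE_N, WINDOW_S, out, 8);
    for (size_t k = 0; k < n; k++)
        if (strcmp(out[k], imsi) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *out[8];
    size_t n = find_multi_presence(sample, SAMPLE_N, WINDOW_S, out, 8);
    for (size_t k = 0; k < n; k++)
        printf("multi-presence: IMSI %s\n", out[k]);
    printf("%zu of %zu records belong to flagged subscribers? see above\n",
           n, SAMPLE_N);
    return 0;
}
```

Only subscriber `001010000000222` is flagged. A real deployment would replace the area-code inequality with a distance check, since a handset sitting on the border between two areas legitimately bounces between them, and would rate-limit rather than reject on a first hit; but the observation the attack relies on, that the network accepts the same identity from many places, is exactly the signal that makes the attack visible.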

Posted on February 26, 2014 at 6:55 AM | 14 Comments

EBSR: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

EBSR

(S//SI//REL) Multi-purpose, Pico class, tri-band active GSM base station with internal 802.11/GPS/handset capability.

(S//SI//REL) Operational Restrictions exist for equipment deployment.

(S//SI//REL) Features:

  • LxT Model: 900/1800/1900MHz
  • LxU Model: 850/1800/1900MHz
  • Pico-class (1Watt) Base station
  • Optional Battery Kits
  • Highly Mobile and Deployable
  • Integrated GPS, MS, & 802.11
  • Voice & High-speed Data
  • SMS Capability

(S//SI//REL) Enclosure:

  • 1.9″H x 8.6″W x 6.3″D
  • Approximately 3 lbs
  • Actively cooled for extreme environments

(S//SI//REL) EBSR System Kit:

  • EBSR System
  • AC/DC power converter
  • Antenna to support MS, GPS, WIFI, & RF
  • LAN, RF, & USB cables
  • Pelican Case
  • (Field Kit only) Control Laptop and Accessories

(S//SI//REL) Separately Priced Options:

  • 90 WH LiIon Battery Kit

(S//SI//REL) Base Station Router Platform:

  • Multiple BSR units can be interconnected to form a macro network using 802.3 and 802.11 back-haul.
  • Supports Landshark/Candygram capabilities.

Status:

Unit Cost: $40K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 25, 2014 at 2:11 PM | 7 Comments

Breaking Up the NSA

The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission — protecting the security of U.S. communications and eavesdropping on the communications of our enemies — has become unbalanced in the post-Cold War, all-terrorism-all-the-time era.

Putting the U.S. Cyber Command, the military’s cyberwar wing, in the same location and under the same commander, expanded the NSA’s power. The result is an agency that prioritizes intelligence gathering over security, and that’s increasingly putting us all at risk. It’s time we thought about breaking up the National Security Agency.

Broadly speaking, three types of NSA surveillance programs were exposed by the documents released by Edward Snowden. And while the media tends to lump them together, understanding their differences is critical to understanding how to divide up the NSA’s missions.

The first is targeted surveillance.

This is best illustrated by the work of the NSA’s Tailored Access Operations (TAO) group, including its catalog of hardware and software “implants” designed to be surreptitiously installed onto the enemy’s computers. This sort of thing represents the best of the NSA and is exactly what we want it to do. That the United States has these capabilities, as scary as they might be, is cause for gratification.

The second is bulk surveillance, the NSA’s collection of everything it can obtain on every communications channel to which it can get access. This includes things such as the NSA’s bulk collection of call records, location data, e-mail messages and text messages.

This is where the NSA overreaches: collecting data on innocent Americans either incidentally or deliberately, and data on foreign citizens indiscriminately. It doesn’t make us any safer, and it is liable to be abused. Even the director of national intelligence, James Clapper, acknowledged that the collection and storage of data was kept a secret for too long.

The third is the deliberate sabotaging of security. The primary example we have of this is the NSA’s BULLRUN program, which tries to “insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communication devices.” This is the worst of the NSA’s excesses, because it destroys our trust in the Internet, weakens the security all of us rely on and makes us more vulnerable to attackers worldwide.

That’s the three: good, bad, very bad. Reorganizing the U.S. intelligence apparatus so it concentrates on our enemies requires breaking up the NSA along those functions.

First, TAO and its targeted surveillance mission should be moved under the control of U.S. Cyber Command, and Cyber Command should be completely separated from the NSA. Actively attacking enemy networks is an offensive military operation, and should be part of an offensive military unit.

Whatever rules of engagement Cyber Command operates under should apply equally to active operations such as sabotaging the Natanz nuclear enrichment facility in Iran and hacking a Belgian telephone company. If we’re going to attack the infrastructure of a foreign nation, let it be a clear military operation.

Second, all surveillance of Americans should be moved to the FBI.

The FBI is charged with counterterrorism in the United States, and it needs to play that role. Any operations focused against U.S. citizens need to be subject to U.S. law, and the FBI is the best place to apply that law. That the NSA can, in the view of many, do an end-run around congressional oversight, legal due process and domestic laws is an affront to our Constitution and a danger to our society. The NSA’s mission should be focused outside the United States — for real, not just for show.

And third, the remainder of the NSA needs to be rebalanced so COMSEC (communications security) has priority over SIGINT (signals intelligence). Instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.

Computer and network security is hard, and we need the NSA’s expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts — from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly—no secrecy required.

This is a radical solution, but the NSA’s many harms require radical thinking. It’s not far off from what the President’s Review Group on Intelligence and Communications Technologies, charged with evaluating the NSA’s current programs, recommended. Its 24th recommendation was to put the NSA and U.S. Cyber Command under different generals, and the 29th recommendation was to put encryption ahead of exploitation.

I have no illusions that anything like this will happen anytime soon, but it might be the only way to tame the enormous beast that the NSA has become.

This essay previously appeared on CNN.com.

Slashdot thread. Hacker News thread.

Posted on February 25, 2014 at 6:43 AM | 55 Comments

CYCLONE Hx9: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

CYCLONE Hx9

(S//SI//FVEY) EGSM (900MHz) macro-class Network-In-a-Box (NIB) system. Uses the existing Typhon GUI and supports the full Typhon feature base and applications.

(S//SI//REL) Operational Restrictions exist for equipment deployment.

(S//SI//REL) Features:

  • EGSM 900MHz
  • Macro-class (+43dBm)
  • 32+Km Range
  • Optional Battery Kits
  • Highly Mobile and Deployable
  • Integrated GPS, MS, & 802.11
  • Voice & High-speed Data
  • GSM Security & Encryption

(S//SI//REL) Advanced Features:

  • GPS — Supporting Typhon applications
  • GSM Handset Module — Supports auto-configuration and remote command and control features.
  • 802.11 — Supports high speed wireless LAN remote command and control

(S//SI//REL) Enclosure:

  • 3.5″H x 8.5″W x 9″D
  • Approximately 8 lbs
  • Actively cooled for extreme environments

(S//SI//REL) Cyclone Hx9 System Kit:

  • Cyclone Hx9 System
  • AC/DC power converter
  • Antenna to support MS, GPS, WIFI, & RF
  • LAN, RF, & USB cables
  • Pelican Case
  • (Field Kit only) Control Laptop and Accessories

(S//SI//REL) Separately Priced Options:

  • 800 WH LiIon Battery Kit

(S//SI//REL) Base Station Router Platform:

  • Overlay GSM cellular communications supporting up to 32 Cyclone Mx9 systems providing full mobility and utilizing a VoIP back-haul.
  • GPRS data service and associated application

Unit Cost: $70K for two months

Status: Just out of development, first production runs ongoing.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 24, 2014 at 2:44 PM | 4 Comments
