Postmortem: NSA Exploits of the Day
When I decided to post an exploit a day from the TAO implant catalog, my goal was to highlight the myriad capabilities of the NSA’s Tailored Access Operations group, basically its black-bag teams. The catalog was published by Der Spiegel along with a pair of articles on the NSA’s CNE—that’s Computer Network Exploitation—operations, and it was too much to digest at once. While the various nations’ counterespionage groups certainly pored over the details, they largely washed over us in the academic and commercial communities. By republishing a single exploit a day, I hoped we would all read and digest each individual TAO capability.
It’s important that we know the details of these attack tools. Not because we want to evade the NSA—although some of us do—but because the NSA doesn’t have a monopoly on either technology or cleverness. The NSA might have a larger budget than every other intelligence agency in the world combined, but these tools are the sorts of things that any well-funded nation-state adversary would use. And as technology advances, they are the sorts of tools we’re going to see cybercriminals use. So think of this less as what the NSA does, and more as a head start on what everyone will be using.
Which means we need to figure out how to defend against them.
The NSA has put a lot of effort into designing software implants that evade antivirus and other detection tools, transmit data when they know they can’t be detected, and survive reinstallation of the operating system. It has software implants designed to jump air gaps without being detected. It has an impressive array of hardware implants, also designed to evade detection. And it spends a lot of effort on hacking routers and switches. These sorts of observations should become a road map for anti-malware companies.
Anyone else have observations or comments, now that we’ve seen the entire catalog?
The TAO catalog isn’t current; it’s from 2008. So the NSA has had six years to improve all of the tools in this catalog, and to add many more. Figuring out how to extrapolate to current capabilities is also important.
Evan • March 12, 2014 7:18 AM
It makes me think about how out of date most computer security mechanisms actually are. They’re designed to thwart the wrong person sitting down at a workstation, or at most logging in remotely, and doing something to retrieve data or intentionally or unintentionally wreck the system – so we have things like passwords and tell people not to write them down, as if not having a post-it note can prevent computer thieves from getting at your data.
But – and the NSA exploits are but one example of this, there are so many others – increasingly attacks don’t come in the form of unauthorized users, they come through subversion. Subversion of authorized users’ accounts (trojans, spyware), subversion of reputational trust (phishing), subversion of physical infrastructure (MITM), subversion of hardware (numerous TAO implants), subversion of even the standards and protocols of security itself (Dual_EC_DRBG). While it’s no longer the case that physical access to a machine is enough to extract all the interesting data, it remains enough to compromise it and wait for an authorized user to access it to take whatever, so user authentication can provide at best only a last line of defense against modern attacks.
It sounds a bit cliché, but I really do think we need to rethink the current approach to securing communication and data storage. As it is we’re far behind the curve and falling further and further every day.