QUANTUM Technology Sold by Cyberweapons Arms Manufacturers

Last October, I broke the story about the NSA’s top secret program to inject packets into the Internet backbone: QUANTUM. Specifically, I wrote about how QUANTUMINSERT injects packets into existing Internet connections to redirect a user to an NSA web server codenamed FOXACID to infect the user’s computer. Since then, we’ve learned a lot more about how QUANTUM works, and general details of many other QUANTUM programs.

These techniques make use of the NSA’s privileged position on the Internet backbone. It has TURMOIL computers directly monitoring the Internet infrastructure at providers in the US and around the world, and a system called TURBINE that allows it to perform real-time packet injection into the backbone. The injection itself is a race: the forged reply carries the sequence number the victim’s TCP stack expects next and arrives before the real server’s reply, and the real reply is then thrown away as a duplicate. It only works on traffic that has no end-to-end integrity protection, which is why the targets are unencrypted web sessions. Still, there’s nothing about QUANTUM that anyone else with similar access can’t do. There’s a hacker tool called AirPwn that basically performs a QUANTUMINSERT attack on computers on a wireless network, where the attacker’s radio is always closer to the victim than the real server is.
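The race described above, and the trace it leaves for a passive monitor, as an added example that is not code from the original post or from any of the tools it names. It assumes nothing beyond stock Python: the capture is constructed inline (a client fetching a page, a forged redirect that arrives first, the genuine reply that arrives second with the same sequence number), the addresses and the redirect hostname are placeholders, and the TTL heuristic is a supporting indicator only, since the injector transmits from a different point in the path than the real server.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The fields of a TCP segment that a passive monitor needs here."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def flow(seg):
    """One direction of a connection: (src, sport, dst, dport)."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def deliver(segments, key):
    """What the receiving TCP stack hands to the application for flow `key`.

    The first segment seen for a given sequence number is accepted; any later
    segment claiming the same sequence number is dropped as a retransmission.
    That is the whole trick: the injector only has to win the race.
    """
    accepted = {}
    for seg in segments:
        if flow(seg) == key and seg.payload and seg.seq not in accepted:
            accepted[seg.seq] = seg.payload
    return b"".join(accepted[s] for s in sorted(accepted))


def find_injections(segments, ttl_slack=5):
    """Flag two segments on one flow that claim the same sequence number but
    carry different bytes.  A genuine retransmission repeats the same payload
    and is not flagged.  A TTL differing by more than `ttl_slack` hops is a
    supporting indicator: the forged segment left from a different point in
    the path than the real server, so it arrives with a different hop count.
    Returns (index_of_accepted, index_of_loser, reason) triples.
    """
    first_seen = {}
    findings = []
    for idx, seg in enumerate(segments):
        if not seg.payload:
            continue
        k = (flow(seg), seg.seq)
        if k not in first_seen:
            first_seen[k] = (idx, seg)
            continue
        first_idx, first = first_seen[k]
        if first.payload == seg.payload:
            continue  # ordinary retransmission
        reason = "same seq, different payload"
        if abs(first.ttl - seg.ttl) > ttl_slack:
            reason += f"; ttl {first.ttl} vs {seg.ttl}"
        findings.append((first_idx, idx, reason))
    return findings


# Constructed capture (not real traffic): a client fetches a page, an on-path
# injector answers first with a redirect, and the real server's reply arrives
# a moment later with the same sequence number.  Sequence numbers are kept
# small for readability; the redirect target is a placeholder hostname.
CLIENT_TO_SERVER = ("10.0.0.5", 50000, "93.184.216.34", 80)
SERVER_TO_CLIENT = ("93.184.216.34", 80, "10.0.0.5", 50000)
CAPTURE = [
    Segment(*CLIENT_TO_SERVER, seq=1, ttl=64,
            payload=b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Segment(*SERVER_TO_CLIENT, seq=1, ttl=128,       # forged, wins the race
            payload=b"HTTP/1.1 302 Found\r\nLocation: http://foxacid.example/\r\n\r\n"),
    Segment(*SERVER_TO_CLIENT, seq=1, ttl=54,        # genuine, discarded
            payload=b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment(*CLIENT_TO_SERVER, seq=1, ttl=64,        # real retransmission
            payload=b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    print("client receives:", deliver(CAPTURE, SERVER_TO_CLIENT))
    for accepted, loser, why in find_injections(CAPTURE):
        print(f"injection suspected: segment {accepted} beat segment {loser} ({why})")
```

Run it and the client sees only the 302, never the 200, while the monitor reports that segment 1 beat segment 2 with a 74-hop TTL gap. A production detector would compare overlapping byte ranges rather than exact sequence numbers, since a forged segment need not start on the same boundary as the real one.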

A new report from Citizen Lab shows that cyberweapons arms manufacturers are selling this type of technology to governments around the world: the US DoD contractor CloudShield Technologies, Italy’s Hacking Team, and the UK- and Germany-based Gamma International. These products intercept users’ web connections to sites like Microsoft and Google—YouTube is specifically mentioned—and inject malicious content into the returned pages to infect the users’ computers.

Turkmenistan paid a Swiss company, Dreamlab Technologies—somehow related to the cyberweapons arms manufacturer Gamma International—just under $1M for this capability. Dreamlab also installed the software in Oman. We don’t know what other countries have this capability, but the companies here routinely sell hacking software to totalitarian countries around the world.

There’s some more information in this Washington Post article, and this essay on the Intercept.

In talking about the NSA’s capabilities, I have repeatedly said that today’s secret NSA programs are tomorrow’s PhD dissertations and the next day’s hacker tools. This is exactly what we’re seeing here. By developing these technologies instead of helping defend against them, the NSA—and GCHQ and CSEC—are contributing to the ongoing insecurity of the Internet.

Related: here is an open letter from Citizen Lab’s Ron Deibert to Hacking Team about the nature of Citizen Lab’s research and the misleading defense of Hacking Team’s products.

Posted on August 18, 2014 at 11:14 AM • 31 Comments

Comments

Benni August 18, 2014 11:28 AM

Here is an interesting comment about FinFisher from GammaGroup in Munich:

https://netzpolitik.org/2014/gamma-finfisher-gehackt-werbe-videos-von-exploits-und-quelltext-von-finfly-web-veroeffentlicht/#comment-1569882

“33.2 GB of the hacked files are encrypted with a PGP key from “afons.rauscher@vervis.de”. Apparently this is an employee of FinFisher. But according to WikiLeaks, Vervis GmbH licensed surveillance software from Gamma International in 2010. Vervis Comint Services GmbH is based in Rosenheim, which is only 10 kilometers away from Bad Aibling, where BND operates its large listening station. FinFisher itself is developed by Gamma Group International, which has its headquarters in Munich, only 10 suburban-train minutes away from Pullach, where BND has its headquarters. Are FinFisher GmbH as well as the companies licensing this technology really front companies of the BND? That BND owns numerous front companies from which it earns money has long been known….”

Yep, that definitely sounds like BND. Offering spyware to Bahrain, with BND backdoors included, would enable BND to get data on Bahraini dissidents, possibly Islamists, and if the FinFisher software is backdoored well enough, BND would have an entry door to hack Bahrain…

BND has gone into selling products before. I have explained before how BND tried to sell its partially stolen database software to Europol:

https://www.schneier.com/blog/archives/2014/06/more_details_on_1.html#c6672979

You want to buy the “Langenscheidt t1” translator software?

http://langenscheidt-t1-englisch-pro.softonic.de/

That was the only product sold by the BND company GMS, which acquired the language software Metal from Siemens. That way BND could let GMS be swallowed by Lernout &amp; Hauspie, which they then over-hyped on the stock market so that BND could get its hands on the American language companies Dictaphone and Dragon….

http://www.heise.de/ct/artikel/Die-Bayern-Belgien-Connection-284812.html
In this link there is even a video where Lernout admits to working for BND:
https://netzpolitik.org/2013/deutsche-forschungen-zu-spracherkennung-fuer-us-geheimdienste-erinnern-an-lernout-hauspie-den-bnd-und-europol/

So the BND selling the surveillance software FinFisher to Bahrain, that would be quite the typical BND style of operations….

Hacking Team is an Italian company. With BND even running the management of crypto hardware manufacturers in Switzerland to introduce backdoors http://cryptome.org/jya/cryptoa2.htm it would not be a surprise if they also ran Italian malware manufacturers. But today there is no information confirming this. Although distributing malware over YouTube would be to their liking…..

Sam August 18, 2014 11:55 AM

So just to be clear, you object to the term “cyber-war” but are in favor of “cyber-weapon arms dealers” ?

Benni August 18, 2014 12:08 PM

Of course, it had to be….
http://buggedplanet.info/index.php?title=VERVIS

“Vervis is in fact a ‘spin off’ from Nokia Siemens Networks (NSN) for technical service of monitoring installations”

Similar patterns, as always… the BND company GMS, whose role in BND language technology I described above, was also a “Siemens spin-off”……

It seems BND is used to this procedure when it wants to sell products in order to get a foothold somewhere…

Jack August 18, 2014 12:08 PM

I don’t know what article you’re reading, Sam. Your reading comprehension seems to be lacking.

He said building offensive Internet cyber-weapons destabilizes the Internet. What part of that do you not grasp? A wall isn’t a missile. Our “National Security Agencies” are just building missiles, now aimed at us, and protecting nothing. That’s the problem.

Bill Stewart August 18, 2014 12:09 PM

Yesterday’s NSA secret programs aren’t just today’s PhD theses and hacker tools – they’re also today’s advertising-insertion tools, used by some annoying coffee shops and other public WiFi access points.

Martin August 18, 2014 1:00 PM

Jack,
Bruce has objected to the term “cyberwar” many times, for several reasons.
Do you need someone to look it up for you?

Anura August 18, 2014 1:16 PM

Unfortunately, we can’t stop this without a major redesign of the internet, and even then it’s difficult.

We need end-to-end encryption of everything to prevent packet injection, but this is still vulnerable to TLAs stealing private keys or performing MITM attacks.

We need perfect forward secrecy to prevent a TLA from stealing private keys. This is still vulnerable to MITM attacks, and malware on the client or server.

We need a certificate infrastructure that prevents an actor from forging a certificate by stealing an intermediate/root certificate (which they most likely have). This means it has to be a distributed network, but it is still vulnerable to malware.

We need operating systems, programming languages, and software that are significantly less vulnerable to both malware through vulnerabilities as well as social engineering.

Unfortunately, the economics alone will prevent any of this from happening; the problem is that the economic cost of the software vulnerabilities, spying, etc. might eventually exceed the cost of completely rebuilding the infrastructure (which is enormous in and of itself).
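The first of the requirements in the comment above, end-to-end protection of the stream, is what stops the injection race, and it is worth seeing why winning the race stops mattering. The following is an added example, not code from the original post or from anyone quoted on it. It assumes a session key already shared by the two endpoints (in TLS that key comes out of the handshake, which is exactly where the certificate, forward-secrecy and key-theft problems the comment lists live), and it uses a plain HMAC-SHA256 record format that stands in for a real record layer.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256
# Constructed for the example: in TLS this key is derived by the handshake.
SESSION_KEY = b"example session key, shared by the two endpoints only"


def seal(key, seq, data):
    """Authenticated record: 8-byte sequence number || data || HMAC tag.
    The tag covers the sequence number, so a record cannot be replayed or
    reordered without also failing verification."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + data, hashlib.sha256).digest()
    return header + data + tag


class Receiver:
    """Verifies records in order; delivers only records with a valid tag
    and exactly the expected sequence number."""

    def __init__(self, key):
        self.key = key
        self.expected = 0
        self.delivered = []

    def accept(self, record):
        if len(record) < 8 + TAG_LEN:
            return False
        header, data, tag = record[:8], record[8:-TAG_LEN], record[-TAG_LEN:]
        seq = struct.unpack(">Q", header)[0]
        want = hmac.new(self.key, header + data, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag) or seq != self.expected:
            return False  # forged, tampered, replayed or out of order
        self.expected += 1
        self.delivered.append(data)
        return True


def run_demo():
    """The injector wins the race again, but without the key winning is worthless."""
    rx = Receiver(SESSION_KEY)
    genuine = seal(SESSION_KEY, 0,
                   b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")
    # The injector can see the record on the wire, so it reuses the observed
    # header and tag and splices in its own body (placeholder hostname).
    forged = (genuine[:8]
              + b"HTTP/1.1 302 Found\r\nLocation: http://foxacid.example/\r\n\r\n"
              + genuine[-TAG_LEN:])
    outcomes = [
        rx.accept(forged),   # arrives first: rejected, tag does not verify
        rx.accept(genuine),  # arrives second: still accepted, seq 0 unused
        rx.accept(genuine),  # replayed later: rejected, seq 0 already used
    ]
    return outcomes, rx.delivered


if __name__ == "__main__":
    print(run_demo())
```

Contrast this with the plaintext TCP case: there the first segment to arrive is delivered and the genuine one is discarded; here the forged record is discarded and the genuine one is delivered even though it lost the race, because acceptance depends on the key rather than on arrival order. Everything the comment lists after encryption is about keeping that key out of the attacker’s hands.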

b4b August 18, 2014 2:07 PM

CESG is equivalent to IAD and part of GCHQ. The US and the UK (and others such as Canada) have elected to subordinate IA to SIGINT. That is part of the problem as there is no balance of powers.

Andy August 18, 2014 2:08 PM

And we thought the CIA acting as drug dealers in the ’80s, and funding secret operations with the proceeds, was bad. This is a whole new level of bad. These tools will be used by democracies that fall into totalitarian regimes – maybe the U.S. will be one of those. The Fourth Amendment is being trashed by the NSA. The First Amendment is being trashed by the courts and the attacks on press sources. It’s only a matter of time until the courts are stacked against the Constitution and the American people will pay the ultimate price.

Bruce Schneier August 18, 2014 2:09 PM

“So just to be clear, you object to the term ‘cyber-war’ but are in favor of ‘cyber-weapon arms dealers’?”

These are companies that build cyber-weapons and sell them to foreign governments. What would you call them?

And I don’t object to the term cyber-war. It’s a perfectly reasonable term. I just think it’s overused.

Bruce Schneier August 18, 2014 2:11 PM

“CESG is equivalent to IAD and part of GCHQ.”

Fixed. CSEC = Computer Security Establishment Canada.

Nick P August 18, 2014 2:53 PM

@ k9

“why aren’t newspapers using https?”

Same as most business security issues: their customers don’t really care so why should they?

parrot August 18, 2014 3:36 PM

I went to the RSA conference a few years ago and saw the big brother to the Cloudshield CS-2000. The CS-4000:

http://www.cloudshield.com/products/platforms/cs-4000.asp

It’s physically hardened so that no one can get into it without significant physical penetration-testing expertise. I talked to an engineer there, and he said the fans are so loud because the vent baffling requires far more pressure to push air through to keep it cool.

They took the CS-2000 cyber weapon and physically hardened it so that they could drop it into a network and the only way you could access it would be remotely from wherever command and control was. It struck me then that this physical hardening was because it wasn’t being used for what they said it was…

Nick P August 18, 2014 3:59 PM

@ parrot

Between its PL/5 accreditation and performance, it seems like a great product. But…

“It struck me then that this physical hardening was because it wasn’t being used for what they said it was”

…that’s entirely possible. And it’s certainly fast enough to manipulate traffic without people noticing. And their main customers are those sneaky people trying to backdoor everything. Hmm…

Bob S. August 18, 2014 5:17 PM

Meanwhile,

The internet just BROKE under its own weight – we explain how
Next time, big biz, listen to your network admin
By Trevor Pott, 13 Aug 2014

“512KDay: On Tuesday, 12 August 2014, the internet hit an arbitrary limit of more than 512,000 routes. This 512K route limit is something we have known about for some time.

The fix for Cisco devices – and possibly others – is fairly straightforward. Internet service providers and businesses around the world chose not to address this issue in advance, as a result causing major outages around the world….”

http://www.theregister.co.uk/2014/08/13/512k_invited_us_out_to_play/

Cloud devices all over the world are going “tits up” (an El Reg favorite technical term). I have noticed several comment boards burping badly just today.

Shouldn’t the NSA have been working towards FIXING the internet, rather than actively BREAKING the internet with exploits, illegal and unconstitutional conduct?

This is nuts.

Shouldn’t the blog’s secret word become “insecurity”?

MattNY August 18, 2014 8:01 PM

I wonder how much of that technology was bought by the million dollars a month that General Alexander is getting.

Clive Robinson August 18, 2014 8:30 PM

@ Bruce,

In talking about the NSA’s capabilities, I have repeatedly said that today’s secret NSA programs are tomorrow’s PhD dissertations and the next day’s hacker tools

To be honest, I’ve yet to see anything the NSA, GCHQ, et al. are up to that we have not known for some considerable time was technically possible, and in many cases already being done by others such as hackers for some time beforehand.

In fact a look back over this and other technical blogs shows the techniques were not only known but talked about in sufficient depth to enable even undergrads to develop them as projects.

I’ve even suggested on this blog in the past PhD level projects and all I’ve ever asked for in return was a beer (yet to see one yet 😉

The simple fact is the NSA et al. are, from what we have seen, quite a few years behind the curve and have opted to play catch-up by the crude brute-force technique of “throw more money at the problem”.

Outside of a very limited field of expertise the NSA et al. are just like many other government empires, just resource consumers and petty infighters, run by those whose main skill set is playing at politics and staffed by those whose lack of confidence in their own abilities attracts them to the perks of government service.

franc August 18, 2014 8:56 PM

Am I being naive? Is there a possibility of creating a “real time blocklist” a la spam blocking services? Or a filter list like torrent clients use? There has to be a sensible way to defend against this – it’s probably impossible to stop completely, but at least you can make it a bit harder for the pantysniffers to get in.

Thoth August 18, 2014 9:36 PM

CSEC = Computer Security Establishment Canada.

So… the Security part of Canada is engaging in Insecurity propagation. How ironic isn’t it ?

Besides the technical portion of the problem, the human portion of the problem is rather significant. Put simply, those in power (elites) form their own glass ceiling and prevent those below from reaching them. All these cyber-weapons are their tools to prevent loss of power. The only way to make their efforts less effective is widespread use of proper security, and a healthy distrust of, and divorce from, the agencies supporting these elites should be driven home.

It’s about time we re-engineer all the insecure components we have propagated for many decades and bear the pain of making the quantum leap. Exposure and removal of security theater is required, and easy and widespread education and propagation of security tools are necessary as well.

And foremost and most importantly, widespread knowledge and awareness of the power play and its consequences, with proper defensive techniques introduced in stages, would be the most important. In essence, awareness and education should be the top priority.

You may be using data diodes and HSMs you built to communicate with your friends, but your friends do not like those spooky crypto creeps and their inconveniences. You are not as secure, or are probably only a little more secure, than your friends until all of them are as secure or more secure than you. Peer pressure may be used to make or break security. If your friends insist on not encrypting their mails and following security procedures, there is very little you can do, and security is only as strong as its weakest link.

If everyone feels the urgency of protecting themselves and make an effort, then the collective security would rise and would make it very inconvenient for these petty elites to spy and compromise everyone that they once could.

Just Passin' Thru August 19, 2014 2:08 PM

@Bob S.

Darn. The secret word WAS “insecurity”, so we’re going to have to change it now.

Anura August 19, 2014 6:01 PM

@Clive

The simple fact is the NSA et al. are, from what we have seen, quite a few years behind the curve and have opted to play catch-up by the crude brute-force technique of “throw more money at the problem”.

I don’t necessarily think we can say that’s the case, it’s just that in these broad sweeping operations it doesn’t make sense to use super-advanced techniques. The larger the program, the more people involved, the higher the probability of a leak. I mean, when it comes to things like physical implants, there isn’t a whole lot of places you can go, but when we look at something like Flame, we do see new cryptanalysis against MD5.

So it’s a matter of prioritizing; the internet is really, really insecure, so for bulk surveillance there is no need to use anything that the public doesn’t already know. I think Flame tells us that they probably have a lot more up their sleeve that they save for high-value targets.

Benni August 20, 2014 3:00 PM

Here is a map with the road between the Bad Aibling Station of BND and the company “Vervis”, which apparently has licensed FinFisher, while on the other hand the developers at the FinFisher websites signed their PGP key with a Vervis email address:

https://www.google.de/maps/dir/Br%C3%BCckenstra%C3%9Fe+1,+83022+Rosenheim/Bad+Aibling+Station,+83043+Bad+Aibling/@47.8479792,11.9931756,12z/data=!3m1!4b1!4m13!4m12!1m5!1m1!1s0x47761a3d8a844355:0x6b6960af2ef9338!2m2!1d12.13911!2d47.84848!1m5!1m1!1s0x47761d90f4ce0ea9:0x9005bb27143f3fdf!2m2!1d11.98465!2d47.879387

It should take 15 minutes to travel between both locations. I especially find the company website of Vervis so appealing: http://www.vervis.de/ I mean, if I were a company developing software for law enforcement, I would certainly have such a wonderful homepage that advertises all my products……

On the other hand, I think BND could at least make an effort to create better homepages for its front companies…..

Benni August 21, 2014 1:33 PM

Now NSA gets its hands on the FinFisher source code.

How?

Well, the German federal police, BKA, ordered FinFisher in order to test whether this software could be useful for the police as a trojan. (BND tried before to sell software to the police, as I noted in a comment above.)

As new secret documents now reveal, involved in the tests, which included a copy of the FinFisher source code, is not only BKA, but also the known NSA contractor CSC.

https://netzpolitik.org/2014/geheimes-dokument-bundeskriminalamt-darf-finfisherfinspy-nicht-einsetzen-versucht-einfach-neue-version-nochmal/

However, the spooks who developed FinFisher are either overly helpful to their NSA colleagues, or they want to hide something from them. Therefore, even CSC cannot test and inspect the FinFisher software alone; this is done “in cooperation” with developers of FinFisher…

So BKA gets software from FinFisher whose quality was approved by FinFisher, and NSA gets the FinFisher source code. Seems to be a win-win situation….

sena kavote August 21, 2014 6:22 PM

It is bound to happen that NSA breaks into a computer that already has FinFisher, or FinFisher gets onto an NSA-cracked computer. And many other combinations with FBI, organized crime, Russians, Chinese, different sections and departments of these…

Maybe the router in Syria got bricked by NSA because the Russians already had their malware on it?

My guess is that if they get to the same server, they have difficulty seeing each other. If one sees another, disinformation may be fed. If removal is attempted, one way could be by informing the server owner.

If seeing the other attacker is easy in general, then would that mean that we could have some defensive software tools that we could put inside our computers in similar places that attackers might use?

Name (required) August 29, 2014 7:58 PM

“cyber-weapon arms dealers” – probably Microsoft and Linux are the largest dealers in the world.

andrews September 1, 2014 11:16 AM

probably Microsoft and Linux are the largest dealers

Afraid not. Microsoft sells product, and it is possible that it fosters something of a monoculture in which attacks are made easier. They may also directly cooperate with the TLAs.

However, Linux is not a dealer. Linux is an operating system kernel, almost always packaged with supporting material. Significantly, Linux is packaged and sold by many competing vendors.

Subverting the competing vendors, while avoiding having one claim an advantage on the basis of having resisted subversion, will be more difficult.
