NSA's TAO Head on Internet Offense and Defense

Rob Joyce, the head of the NSA's Tailored Access Operations (TAO) group -- basically the country's chief hacker -- spoke in public earlier this week. He talked both about how the NSA hacks into networks, and what network defenders can do to protect themselves. Here's a video of the talk, and here are two good summaries.

Intrusion Phases

  • Reconnaissance
  • Initial Exploitation
  • Establish Persistence
  • Install Tools
  • Move Laterally
  • Collect Exfil and Exploit

The event was the USENIX Enigma Conference.

The talk is full of good information about how APT attacks work and how networks can defend themselves. Nothing really surprising, but all interesting. Which brings up the most important question: why did the NSA decide to put Joyce on stage in public? It surely doesn't want all of its target networks to improve their security so much that the NSA can no longer get in. On the other hand, the NSA does want the general security of US -- and presumably allied -- networks to improve. My guess is that this is simply a NOBUS issue. The NSA is, or at least believes it is, so sophisticated in its attack techniques that these defensive recommendations won't slow it down significantly. And the Chinese/Russian/etc state-sponsored attackers will have a harder time. Or, at least, that's what the NSA wants us to believe.

Wheels within wheels....

More information about the NSA's TAO group is here and here. Here's an article about TAO's catalog of implants and attack tools. Note that the catalog is from 2007. Presumably TAO has been very busy developing new attack tools over the past ten years.

BoingBoing post.

EDITED TO ADD (2/2): I was talking with Nicholas Weaver, and he said that he found these three points interesting:

  • A one-way monitoring system really gives them headaches, because it allows the defender to go back after the fact and see what happened, remove malware, etc.

  • The critical component of APT is the P: persistence. They will just keep trying, trying, and trying. If you have a temporary vulnerability -- the window between a vulnerability and a patch, temporarily turning off a defense -- they'll exploit it.

  • Trust them when they attribute an attack (e,g: Sony) on the record. Attribution is hard, but when they can attribute they know for sure -- and they don't attribute lightly.

Posted on February 1, 2016 at 6:42 AM • 37 Comments

Comments

AlbertFebruary 1, 2016 7:01 AM

Regarding exploits, I also wondered how an agency could obtain original firmware from a device, without inside cooperation.

One method is by agreement with chip vendors. They offer engineers and companies a compelling suite of free RTOS, various drivers, TCP/IP and USB stacks, you name it...for FREE. This is irresistible to startups.

Problem is, in the license agreement the engineer and company must give the chip manufacturer any and all modifications or adaptations to the original code.

AlbertFebruary 1, 2016 7:51 AM

You can link your AT&T account to a Yahoo account with little more than one click. Later, just try and unlink them. Even AT&T tech support can't do it. First they ask why would anyone do that? Then they run you through a gauntlet of delays and disconnects until the average person just gives up. If not, you will eventually be told it cannot be done. A few state they did finally succeed but I'm suspicious.

Yahoo is in free fall and no one knows what will become of it. Their email used by millions? No one is at the wheel and agencies will take advantage of this opportunity. Treat any suitors with caution, any company that has a relationship with an ISP is basically a portal to an agency. Read the fine print.

Yahoo recently stated they intend to notify email accounts of state-type attempts to gain access, it's a mirage.

AlbertFebruary 1, 2016 8:48 AM

In Attkisson's "Stonewalled" you can read about her experience with Verizon and what she Verizon did to she suspects to facilitate the compromise of her home network and computers.

By the way, if your AT&T account is linked to your Yahoo account you cannot close your AT&T account even if you are no longer a customer.

Clive RobinsonFebruary 1, 2016 9:54 AM

As I've said before the rules of the game are,

1, Do not connect unless you have to.

2, Instrument and mittigate if you have to connect.

Instrumenting via "cut wire" data diodes is a trick every defender should know and use. Attackers including the TAO hate it because in most cases they can not see you watching them. It's also the reason they don't use "zero days" for everyday surveillance, because not only do zero days "stand out" once instrumented they quickly become "dead in the water".

Since the first steps in TEMPEST / EmSec back in the trenches of World War One, the idea of segregation and distance, has been a bed rock of anti-surveillance. Brought up to date "energy gapping" and "guard perimeters" are still the way to go for much work you want to keep unsnooped by attackers.

However as has often been observed "Unconnected computers are little more than fancy paper weights". Thus there is an aproximate inverse relationship between connection and security.

There is the "Myth of LPI" which the likes of Tor try to use. With modern communications 99.999% of people use and "collect it all" of the NSA, GCHQ, et al, there is no "Low Probability of Intercept". Accept it and move on or try to make that 0.001% work for you, but you had better have extrodinarily deep pockets.

Accepting it but still having anti-surveillance means thinking in a different way. It does not matter if you call it "meta-data issues" or "traffic analysis" the anti-methods are effectivly the same. As has been seen in military comms for over seventy five years the solutions are,

1, Fleet "Broadcasting".
2, Fixed rate traffic.
3, Full traffic padding.
4, Point to point "Link encryption"
5, End to end message encryption.
6, Full segregation between red/black traffic at all times.

In addition since the work of Harry Hinsley in the 1950's you need fault tolerant multipoint networks not just with high redundancy but also what we now call "mix net" behaviour.

Which brings us to one of my mems of "Efficiency -v- Security". Whilst it is possible to design secure systems to be efficient, it is usually to difficult to do so. Two of the big issues are "unintended side channels" and "transparancy" both of which cause information to leak to either passive or active atackers.

Solving these issues will if done properly limit the amount of information that leaks and render mata-data / traffic-analysis on your comunications virtually ineffective.

Having got this far you have a very basic "base line" from which you have to flesh out other security measures.

Use layers of different manufactures kit.

jonesFebruary 1, 2016 9:57 AM

The NSA is, or at least believes it is, so sophisticated in its attack techniques that these defensive recommendations won't slow it down significantly.

That may be the case; the "sources and methods" exclusion and the related, judicially-created "state secrets" privilege is more often than not a smokescreen used to evade accountability.

Pulitzer Prize winning historian Gary Wills observed that when we were bombing Cambodia, the Cambodians knew it, it was just the American people kept in the dark; when we were building the atom bomb, the Russians & Germans knew it, it was just the American people kept in the dark (Wills argues that given the proximity to the Geneva Protocols and general outrage over chemical warfare in WWI, there may not have been broad public support for a new weapon of this type); when were were planning to invade Cuba, Castro knew it & even complained to the UN, it was just the American people kept in the dark; today we have drone campaigns in some 9 different nations -- those people know they're being targeted, it's just the American people being kept in the dark about what's being done in our name.

That said, it's a distinctive feature of disinformation campaigns (as opposed to traditional propaganda) that true and false statements are mixed together, presented on equal footing...

old*man*cFebruary 1, 2016 10:05 AM

" four acres of Cray computers in the basement ". — Former NSA chief Michael Hayden

My smile for today.

QFebruary 1, 2016 10:06 AM

It seems to me that "PR" is the simplest explanation for the NSA deciding to send Joyce out to talk. Particularly if he didn't say anything surprising.

Saying a bunch of fairly common-sense things (or at least things that are a clear consensus among experts), won't really make much difference to their targets (and frankly probably won't make much difference to anyone else's targets), BUT it's something NSA can publicly point at, to try and counter the accusation that they're uninterested in actually keeping Americans secure.

albertFebruary 1, 2016 10:23 AM

The 'Albert' (in first 3 comments) is not me.

Not that I disagree with his/her criticism of Yahoo :)
. .. . .. --- ....

Nick PFebruary 1, 2016 11:34 AM

@ Bruce

"Which brings up the most important question: why did the NSA decide to put Joyce on stage in public?... wheels within wheels"

It's a combination of an image-improving, publicity stunt and an example of the defense side of their mission. The guy is a good presenter, too. Remember their M.O. going back a long time is to try to protect those that listen from many attackers while keeping us vulnerable to them. Let me illustrate how he's misdirecting the audiences.

Sure this is good advice against most black hats. The problem is it only protects upper layers of the stack. NSA TAO hits the lower ones, too. Some NSA tooling even attacks in ways that require TEMPEST-style shielding. An old list (see bottom part w/ layers) I put together shows more of the places they're hitting plus assurance activities that stopped their hackers in the past. The TAO catalog also specifically shows that they use implants, cables, radar, etc. Even laypeople in various agencies understood the capability enough to order it for field use. Yet, the TAO chief ignores that stuff in his recommendations despite it being in their own marketing material & NSA's defense criteria in certification. That means he intentionally leaving people vulnerable to TAO while telling them how to stop lesser attackers.

He also is unaware of or left off recommendations common in high-assurance security. That includes stuff on NSA's own web site. What people in high-assurance security usually did was a combination of airgaps, embedded hardware, micro/separation kernels, covert/side channel analysis, things like serial ports to avoid DMA risk, and so on. You have to get most of the attack surface out of the equation. Then, you make the TCB simple and strong for the rest. Diversified hardware checking each other in case those parts failed or were subverted. EMSEC safes or shielded datacenters as well given enemy uses radar attacks.

It's all more work than most will do. It also counters the mainstream favorites like Linux/BSD, at least usual usage. So, uptake of high-security methods stayed low enough for TAO to have an easy job. Hell, as he points out, they rarely have to use advanced methods because uptake of bad security practices in general also stayed pretty high. Snowden leaks haven't changed that: economic and social factors that inspired insecure crap remain for proprietary and FOSS. So, follow this advice or not, they'll still probably get in because root problems are still there plus he left categories off. Might stop others, though. Even that gap is closing as security researchers and black hats pay more attention to firmware, routers, etc.

beFebruary 1, 2016 11:37 AM

This also reflects evolving priorities in NSA's essential military mission. Having crippled the US IT industry with tampering and sabotage, NSA has to placate their most powerful corporate victims to survive. At the same time, as a military organization their new hot area is bulk CNE to target domestic dissidents and "facilitate their arrest without probable cause.”

http://johntowery.com/newfiles/149773844-Domestic-Terrorism-Conference-Dossiers-Redacted.pdf

https://shadowproof.com/2016/01/28/legal-grassroots-groups-support-lawsuit-against-alleged-military-spying-on-activists/

blakeFebruary 1, 2016 11:50 AM

@Clive Robinson

There's probably even a place for the analogue hole here too though:

https://en.wikipedia.org/wiki/Analog_hole

Originally conceived in the copy protection setting but the theme is the same: if secure content arrives in a manner that a human can consume, then some process can duplicate the human-consumable parts.

There's a small difference in contexts - presumably users will cooperate with security more when it's their own information rather than some film - but you can't guarantee total user cooperation in the military / classified information setting.

> they don't use "zero days" for everyday surveillance ... not only do zero days "stand out" once instrumented they quickly become "dead in the water"

They're also expensive. Plus they're still a TLA so you have to fill out (in triplicate) a form to authorise 0-day use on a non-priority-1 collection target. Then you have to get signatures from your boss, your bosses boss, Janice in accounting, get your form back from the filing cabinet behind the "beware of the leopard" sign ...

rFebruary 1, 2016 12:18 PM

Zero days are really no different from the other holes being listed here. YES, one can pay for them... But all technologies have development costs, the difference is only from a usability standpoint. The zero days may be the shortest lived and potentially one-shot but they may have indirect qualities like mortar fire whereas EM would require proximity and LOS? MORE to the point, a zero day might die but the ROP or PoC included with it may still be useful as we recently saw. So it's not a simple statement to assume they're merely expensive? I have to pay to interdict your equipment, I have to pay to develop the silk screened hardware in your keyboard and I may have to use a zero day to infiltrate your supplier.

Coyne TibbetsFebruary 1, 2016 12:46 PM

NSA never burns anything. They published these, therefore this is all now obsolete and they have better techniques in place.

X-RayFebruary 1, 2016 1:11 PM

"NOBUS", "NObody But US", hah, amusing phrase. That is the way it always is.

From the breakdown, I do not see anything there which is not already known. I think it is a goodwill package. It certainly could have diversionary elements to it.

Lateral movement is the big thing, especially on the increasing IoT/BYOD world, and with the significant lack of strong security detection systems out there for lateral movement.

The NSA does have defensive purposes tasked to them, and not little, either.

NOBUS is certainly a good stance to hold. If they are so competent as to help close the doors, and still get by anyway, that is actually refreshing.

The NSA has taken some huge hits nationally and globally by getting deeply engaged in domestic surveillance programs. Domestic surveillance should not even be on their agenda. That is FBI work. Taking themselves away from their mission statement can certainly be disheartening for them, and disheartened intelligence employees are more likely to give up secrets, or otherwise become corrupted.

X-RayFebruary 1, 2016 1:28 PM

@r, Clive Robinson

Zero Days.


They can be reused, however, Clive is correct, once they are caught, it is bad. Detection of being caught is important. It is a similar issue to any of the best surveillance technology, however. More automated with zero days, however. Once zero days are caught the information taken from them can be put on national firewalls, and so wherever and whenever they are used,that nation can grab very important data about the attacking nation.

Russia invented retroreflectors, ala, the Embassy Seal bug, and you see that technology even today in the TAO catalog. And there are people who have duplicated that technology from the TAO catalog so anyone can have, at least, a trivial if much less potent version. And there are specific detection systems which can be implemented from that information, providing counter-surveillance data they can use to find such attacks. (To varying degrees.)

This is assuming the TAO catalog was not released as a disinformation project. Which is a possibility. If so, consider just how deeply it would have misdirected foreign intelligence.

Are they that smart, are they that sophisticated? I would say, probably like either of you, "probably not". And, then I would stop myself, and say, "But that is exactly what that sort wants people to think of them".

As relevant as the TAO catalog has seemed to be - and probably is - we have not see anyone, anyway, declaring they have caught these systems in the wild. We have, however, seen other systems, software systems, of stunning sophistication caught in the wild and disclosed.

Which brings up another angle to zero day *software* versus zero day *hardware*, if the zero day software can be detected, it usually can have that detection replicated, ala, through AV and firewall rules.

But, how to create a system that detects signal reflection going on for a retroreflector? Not nearly so easy. Or how to discover it? Maybe not as easy as the catalog may imply, either.

(And there surely are zero day attacks not easily caught, at all. Such as ones which hit at embedded systems, or utilize protocols very poorly widely known. This can even include ubuiqitous protocols such as bluetooth 4 or OTA or 5ghz and very low level wifi. Even a very deep and obscure server or browser security vulnerability could potentially bypass any protection scheme -- and likewise, the attack apps which accompany it. Often, just one chain in that link is what gets caught. For instance, some behavior of the attack app. And that might lead back to the zero day. IF record of it was kept in the app or somehow cataloged on the network and other security systems. Certainly, far from always the case.)


@blake

They're also expensive. Plus they're still a TLA so you have to fill out (in triplicate) a form to authorise 0-day use on a non-priority-1 collection target. Then you have to get signatures from your boss, your bosses boss, Janice in accounting, get your form back from the filing cabinet behind the "beware of the leopard" sign ..

Giving your good zero day to other agencies, or even departments would be serious fail. :-)


AnonFebruary 1, 2016 1:39 PM

If a thief told me how to secure valuables, I'd have to ask why. So it is with the NSA being helpful, too. As always, it's what they didn't say that is perhaps most interesting.

GrauhutFebruary 1, 2016 2:32 PM


Of cause its NOBUS. And of cause they want critical infrastructure enterprise networks to be protected by their owners against foreign threads, since its part of their new job definition to protect them too.

And the new NSA risk management surely knows that bad image encourages whistle blowers and makes human resource aquisition more expensive.

http://www.rmmagazine.com/2015/12/01/mission-critical-how-the-nsas-first-cro-is-integrating-risk-management-into-national-security/

ThomasFebruary 1, 2016 2:32 PM

@Clive

> Which brings us to one of my mems of "Efficiency -v- Security".

In a resource limited works it's really "everything -v- everything else".
Do I spend time improving documentation or fixing bugs? Adding features or improving performance?
Everything is a trade-off, it's just that non-security deficiencies can be remedied.

Bugs? Missing features? No worries, we'll get v1.0 out the door and patch it.
Insecure protocol? Elbonian hackers copied your data? oops.. better luck next time

rFebruary 1, 2016 8:54 PM

@x-ray,

I just thought of two things, #1 foxconn (and others) is an english wh***, she may have too many employees to be secure against injection of any sort.

And #2, is anyone using EPR for traditional signaling? (I know survival times for entangled pairs are supposedly low?) This would be capable of supplanting EMSEC as you're positing and pretty much a game changer where manufacturing is concerned wouldn't it?

It certainly wouldn't enable mass eavesdropping directly unless it was used to flatten multiple RNGs/seeds simul.

So, who's on first?

P.S.
I do generally agree with you that their confidence is refreshing. I just hope I didn't spoil any fun with those questions.

How to de-sync a next gen system then?

X-RayFebruary 2, 2016 12:41 AM

@r

Nope, sorry. I just know some types of zero day, and some types of attack and defense methodology. I do not work for the US, and strongly doubt you would ever find such an engineer on here.

They are hyper paranoid and don't talk shop from my minimal experience. Not at trade shows and definitely would not online.

Frankly, I really don't think they would have much to say. Really what does that all get down to... but boring. A step above the excitement of forensic accounting.

Clive RobinsonFebruary 2, 2016 4:33 AM

@ X-Ray,

Russia invented retroreflectors, ala, the Embassy Seal bug, and you see that technology even today in the TAO catalog.

Speaking of which you and many others might find this of interest,

http://mail.blockyourid.com/~gbpprorg/mil/cavity/index.html

I've designed and manufactured a number of illuminated reflector / retroreflector / radar surveillance devices some unlike those in the TAO catalogue use techniques to stop them being found by the "proffesional" non-linear junction detectors or howl around detectors. I was aware of the deficiencies of "The Thing / Great Seal bug" long before the TAO catalogue made an appearance.

The thing is though like all transducers, bugs either active or passive in design can be detected, if you have the right equipment and resources. But who want's to irradiate everthing in a normal room with high energy... Some times it's easier to find a "hole in the ground" or make something similar hence Obama and his SCIF tent[1] in hotel rooms...

Though you would not want to spend to much time in some SCIFs [2] they are afterall anechoic chambers which absorb both sound and EM waves "From DC to Daylight and beyond" (to misquote Buzz Lightyear). Which is why some more permanent facilities tend to have "hard" furniture and wall hangings.

But The Great Seal Bug was not the first "pasive" device Theremin designed. He also developed what we would these days call a "laser mic"using focused infraread beams. Originaly a very difficult thing to do but these days you can buy the bits for a hobby version[3] for just a little more than pocket change.

Any way enough of that, time for a mug of "strong brownian motion" producer[4].

[1] http://www.bbc.co.uk/news/world-us-canada-12810675

[2] The human brain does not like such environments as they "feel dead" which is why they have been used to "soften up" people as part of an extended tourture process (strip you naked, strap you in a dentists chair or face down on a table with your feet on the floor a black bag over your head in an anehcoic room and wait for your brain to panic, then go chat to you when you stop screaming). But as always there are some that find such things "mind freeing" (see flotation tanks etc).

[3] http://hackaday.com/2010/09/25/laser-mic-makes-eavesdropping-remarkably-simple/

[4] "Standard NATO Tea" [5] for those who have not read Douglas Adams and his description of the "Infinate impropability drive" discovery.

[5] A pint or 500ml mug of double boiled hot strong but milky tea with two heaped spoons of sugar, preferably with two "oatmeal blocks" or a hot and runny "egg banjo".

Astrid C.February 2, 2016 5:39 AM

I've been offline for longer than I'd like and otherwise unable to catch up on the news, but from what I can remember -- haven't the NSA and the FBI been on opposing ends of the encryption debate lately? I want to say within the past week.

I would imagine our two favorite intelligence agencies haven't exactly been getting along lately and this latest move was pulled just to piss Comey off. Of course, there's probably a whole lot more to it than that, but if there's anything I know about organization politics, it's that the wank doesn't really change no matter where you go, and that high school never ends. The stakes are high, though. Which sucks.

How much research is currently being conducted on scatternets and the 6LoWPAN (https://en.wikipedia.org/wiki/6LoWPAN) protocol in particular? Reading up on the subject instantly made me think "Bluetooth-based botnets". Only in far nicer terms.

I can start passing out the tin foil hats if everyone would like, but -- what if this is one of the latest and the greatest variations on a ruthless exploit?

Hm, milky tea, oatmeal, eggs... cripes, that sounds delicious.

Nicholas WeaverFebruary 2, 2016 9:46 AM

They really ARE trying to regain trust, after shit like Dual-EC, Interdiction, etc. And this is part of it.

And also I think its that it is all No-NOBUS, the two or three known TAO techniques that aren't commonly available to other actors (yet), notably Interdiction and packet injection weren't mentioned, but everything else in the TAO arsenal is really no different than anybody else's arsenal. And I think it might be sinking in over at the Fort that with very few exceptions, everything they do is No-NOBUS.


Since also I think it IS true that defense is starting to win in equities, talking about this is really important for the general defense side so that is also why they did it. EG, although the Dual-EC did sell out the unclassified IA side, it sold it out with a keyed backdoor so as long as the NSA doesn't lose that secret, its still "safe" from everyone else.


There were a couple of nuggets that I found interesting:

a) That an IDS on a one-way tap really gives them headaches, because that way after the fact a defender can go back, see what happened, remove beachheads, etc etc etc.

b) The real emphasis that the secret sauce for APT is the P, persistence. They will just keep trying, trying, trying. After all, they do have an army of monkeys, err, Air Force Lieutenants, to keep pounding away...

c) TRUST them when they attribute an attack (like Sony) on the record. I agree, but it is good to have someone like the TAO head say that.

SpookyFebruary 2, 2016 1:39 PM

I'd have to agree with several posters above that this is a laughably obvious PR move: an obligatory, symbolic gesture carefully designed to portray a posture of openness, benevolence and reassurance that NSA's interests are not completely at odds with those of corporate America. I'd even go so far as to say that this man--while clearly intelligent, well-spoken and likely on the NSA payroll--is probably not the actual head of TAO. Pause to consider that. If you were the NSA, what possible justification could you have for placing the name and face of the man (currently) behind every U.S. covert computer espionage operation on the planet in front of an unscreened public audience and a bank of television cameras? Every foreign intelligence operative in the area is going to be targeting this guy. So, I'd wager that he's a proxy, and--besides making for good PR--is probably also acting as bait, on behalf of the counter-intelligence folks. And they're not particularly nice...

X-RayFebruary 2, 2016 1:48 PM

@Clive Robinson

Very good site, is that yours? I have bookmarked it, some great research there.

Here's the "reverse engineering" of the retroreflectors in the TAO Catalog I was mentioning:

https://www.youtube.com/results?search_query=retroreflector+ossmann

Ossmann is the creator of the popular HackRF SDR, and has created some other popular and interesting gadgets in the past few years. I have only seen the Defcon show there, but sure he and others have taken it further since then.

Granted, looks like quite behind that work on that page. :-)

A related, interesting project from 2014:
http://www.engadget.com/2014/08/04/visual-microphone/
http://arstechnica.com/science/2014/08/researchers-reconstruct-human-speech-by-recording-a-potato-chip-bag/


Though you would not want to spend to much time in some SCIFs [2] they are afterall anechoic chambers which absorb both sound and EM waves "From DC to Daylight and beyond" (to misquote Buzz Lightyear). Which is why some more permanent facilities tend to have "hard" furniture and wall hangings


Yeah, thankfully, I have evaded such scenarios.


[2] The human brain does not like such environments as they "feel dead" which is why they have been used to "soften up" people as part of an extended tourture process (strip you naked, strap you in a dentists chair or face down on a table with your feet on the floor a black bag over your head in an anehcoic room and wait for your brain to panic, then go chat to you when you stop screaming). But as always there are some that find such things "mind freeing" (see flotation tanks etc).


There was an interesting replay of a cognitive behavioral study on that in a recent show, think it was Mind Games.

Personally, I certainly did not mind my time playing in an isolation tank. Tried one in the mid eighties at a ski park. Only wished I had snuck on that trip some psychedelics, which I did in trips afterwards. :-) Lol.


I am obviously a noob in such areas, but I am surprised they aren't able to do continuous sweeps for such EM. Maybe they can, but as you say, they still need skiffs. Scifs. With even cheap tools and open source software you can really well figure out where signals are coming from. Instead of triangulation, there is an easy to use heat map for db power via Google Earth/Maps that can be used.


X-RayFebruary 2, 2016 2:16 PM

@Astrid C

I've been offline for longer than I'd like and otherwise unable to catch up on the news, but from what I can remember -- haven't the NSA and the FBI been on opposing ends of the encryption debate lately? I want to say within the past week.

Frankly, that would be nice. I tend to not pay as much attention to the specifics. Frankly, I simply keep up on security tech news as part of my job, and these articles come out because some new, stupid ass statement someone makes, and it makes me angry. Then, I try and forget about it. Working in the IT security field, it is hard enough to do the job, we really do not need meddling, poorly informed bureaucrats trying to reverse much of the hard work.

I would imagine our two favorite intelligence agencies haven't exactly been getting along lately and this latest move was pulled just to piss Comey off. Of course, there's probably a whole lot more to it than that, but if there's anything I know about organization politics, it's that the wank doesn't really change no matter where you go, and that high school never ends. The stakes are high, though. Which sucks.

They are such different agencies, with such different specialties, I would be very surprised if they were ever truly working together like sisters from the same family.

Also, there are significant domain disputes.

How much research is currently being conducted on scatternets and the 6LoWPAN (https://en.wikipedia.org/wiki/6LoWPAN) protocol in particular? Reading up on the subject instantly made me think "Bluetooth-based botnets". Only in far nicer terms.


There are a number of very important short range protocols, and a number of scary, potential [and PoC proven] attacks against them. Personally, I believe security wise one of the best attacks is by hacking one individual, and then they walk into a building, and their phone hacks everyone else.

Obviously, such an attack could be started remotely, such as through a hacked over the air update, and then anyone that person is near could be hacked. They could even have their phone appear to have, for instance, bluetooth off. Not that there tends to be much security against these things. The protocols are complex and require specialized tools, quite often. Being short distance, they are difficult to monitor.

Such hacks, could, as well, install rootkits that exist in the firmware which do such things as turn the phones into microphones and gps units for the attacker. Again, obviously. But, sometimes people don't want to stick to a good thing.

There are defensive moves government makes, and have made for years. There are boxes to put phones in for important meetings. And, the practice of taking out the batteries have been around for decades now for important meetings. But, the fact that attacks are so rarely seen or caught does mean that probably people tend to not take such procedures as seriously and consistently as they should.

And this means nothing for many important organizations which are not government security, military, or intelligence.

Also, little else has changed, in many ways: rfid is staying in place and has only grown in complexity. There are significant potential attacks there, of course. Against both the verifying systems and against the chips themselves.

Problems are with the protocols, tend to be, that they are created at a very low level requiring sophisticated tools and highly specialized hardware and software people. You invent some good systems, they become widespread. But, security is skimped in that whole process. And because they tend to be difficult to examine for amateurs and researchers with limited funds, security vulnerabilities are not splashed routinely (yet) across the front pages.

We saw this in router systems, ATM systems, medical devices, and so on, and seeing the same trend stay.

It is far easier to download some c# or java web app code and white, black, grey box it to find security vulnerabilities. Zero cost, and many tools to help do so. For instance. Then to figure out some sophisticated band hopping protocol that implements encryption and requires expensive hardware tools to really plow into... where the source code is in firmware, in assembly, and very closed source.

Much, much easier.

But, this not only raises, significantly, the bar for security vulnerability researchers, but also for those who would create and sell good defensive products for attacks. Never even mind, without vulnerabilities, and considering the sophistication of the protocols, the *sale* part of that job is near impossible. Hard enough to sell cutting edge, sophisticated technical products.

The mentionable caveat here is: this is all prime playground area for government funded attack groups, or for the very unusual and rare researchers. Some of whom may be funded by organized criminal money.

NOBUS... scenarios galore.


X-RayFebruary 2, 2016 2:44 PM

@Spooky

I'd even go so far as to say that this man--while clearly intelligent, well-spoken and likely on the NSA payroll--is probably not the actual head of TAO. Pause to consider that. If you were the NSA, what possible justification could you have for placing the name and face of the man (currently) behind every U.S. covert computer espionage operation on the planet in front of an unscreened public audience and a bank of television cameras? Every foreign intelligence operative in the area is going to be targeting this guy. So, I'd wager that he's a proxy, and--besides making for good PR--is probably also acting as bait, on behalf of the counter-intelligence folks. And they're not particularly nice...

I like the way you think, lol.

I thought that, and thought I wrote it, but looking about, I see I just wrote, "From the breakdown, I do not see anything there which is not already known. I think it is a goodwill package. It certainly could have diversionary elements to it."

Albeit, I do think they would steep so as to use the real deal for a walking honeypot.

Plenty of undercover, but it is also hard to hide the real identities of big names. If you were trained somewhere, work somewhere, live somewhere, you probably are a known entity. At least to the sort of adversary being considered: foreign intelligence would be forced to use their best against such a target, and being aware that there likely was significant, covert counter-surveillance around them.

But, then again, human beings are exceedingly cognitively biased. We have such signifigant "change blindness", someone can change faces with you in mid-conversation, and you - or I - or anybody - would be very unlikely even to notice. We take paper and computer records at face value. And the mantra of "sources" ultimately ends up being entirely meaningless when the sources look and sound good, but aren't.

Foreign intelligence would be forced to put people on him, and that alone would be of significant value. Only way to win that game is not to play it, and they have to play it. It is their job.


If there are not other diversionary elements in the speech, then what is the value? And even if there are other diversionary elements, the value is high.


X-RayFebruary 2, 2016 3:16 PM

@Nicholas Weaver

Thank you for speaking up on the subject, and contributing to several of the articles.

Since also I think it IS true that defense is starting to win in equities, talking about this is really important for the general defense side so that is also why they did it.

That has been a conundrum I have pondered over, as have others here. Their right hand is opposed to their left in these dealings. And it would seem like the offensive hand certainly must find funding far more easily. That for multiple reasons. Have on the President's daily paper key intelligence, they love that stuff, as do all politicians. But, the daily grind of securing the vast network of systems, that does not make headlines.

It is interesting you posit it this way: there is significant evidence their defensive mandates have, all along, offensive attributes. Beyond just, for instance, the encryption debacles, the NSA also has been rumored to hold back critical, 'hard to find' vulnerabilities in the massive reams of code they scour as part of their official mandate. Any system which touches DoD systems has to have NSA code audits. So that engages everything from Microsoft Windows to infrastructure power, water, and communications.

Finding security vulnerabilities with source code is certainly easier, and significantly so. Having lines to force massive rivers of source code to them, certainly must be of value.

Even beyond having the source code - RASP technology has long been in place and is only getting better - simply being informed of the existence of a lot of code which otherwise would not even be known for the obscurity of it also, certainly, has value.

But hard to carry out that mandate, and others, when your name is ridden through the mud.

Hard to go about spying when suspicion is very high.

One would think there is a ratio there, suspicion and spying. And high suspicion is a bad thing for the quality of the spying. :-) Lol.

Still, devil's advocate:

a) That an IDS on a one-way tap really gives them headaches, because that way after the fact a defender can go back, see what happened, remove beachheads, etc etc etc.

Could be. We certainly saw the capacity of Russia's Kaspersky in this recent consideration. They were able to provide significant forensic information, so they could tie back the discovery to the points of infiltration. Pretty good for a simple AV firm.

And that is one of the few 'proof positive' examples the everyday folks do have, that "Equation Group" set to study of the NSA's handiwork. Very unlikely to have been disinformation, even though it is only highly theoretical the NSA could have any disinformation work, at all.

There I am pointing out where Kaspersky likely had numerous systems, some touching the wire, some detectable - had the NSA looked - some purely one way. Few probably kept truly excessive logging. After all, they were not designing their company's infrastructure to be a honeypot.

b) The real emphasis that the secret sauce for APT is the P, persistence. They will just keep trying, trying, trying. After all, they do have an army of monkeys, err, Air Force Lieutenants, to keep pounding away...

This could be a diversionary element they introduced. Networks produce enormous noise. Ramping up the potential value of any and all noise, therefore, could put people on edge. Kind of like telling a ghost story late at night.

Was the Equation Groups systems persistent, 'like that'? Was Stuxnet persistent 'like that'?

Hard to be scientific when true data sets are so small. For the general public, anyway.

Taking a biased source at face value, unfortunately, is of some value, but has to be significantly tempered.

Both Stuxnet and Equation Group relied very heavily on zero day software vulnerabilities.

More noise, more activity, certainly does mean a louder attack.

More functionality, means more chance for detection.

Certainly, no truisms, but there are surely some manner of ratios there difficult to overcome?

c) TRUST them when they attribute an attack (like Sony) on the record. I agree, but it is good to have someone like the TAO head say that.


It is hard to imagine North Korea would be good at playing head games with significant surveillance. But, if the NSA were wrong, then North Korea would not be the actor playing such head games.

The whole matter certainly stinks of North Korea, and there is little reason to doubt the NSA or even the readily evident facts. Not that facts matter, because people do believe what they want to believe. That is a fact. One hard to want to believe.

That said, personally, I would remain skeptical of attribution claims by any intelligence agency. We saw multiple wars started over just the past hundred years by false intelligence.

We have seen many severe intelligence gaps, and certainly innumerable which have not been seen.

Both technical and human intelligence are extremely fallible [subject to reverse attacks of wide varieties (eg, the Nazis fooling the brits via technical and human intelligence, while the Brits fooled the Nazis, etc)], and actually meaningfully parsing - analyzing that intelligence - is something else altogether.

A significant problem with intelligence sources is once it has been validated, it is believed. And that is often used against spies.

Imagine a salesperson with the magical power to get their potential customer to believe anything they say. They could literally sell ice to eskimos. The sky would be the limit.

Intelligence sources can do that. Spies can do it to themselves. When they covertly prove their source, they increase the credibility of that source for their selves. So they put themselves as the victim in that 'salesperson' anecdote as part of their job.

In spying, the customer is not inert and benign. The customer may be the confidence artist. That is routine and a major attack point. That is the real difference.


rFebruary 2, 2016 7:51 PM

I see why you guys ignored me on the EPR stuff, I forgot it's supposedly /no-communications/. I searched high and low for high/room temperature qubits and stuff and struck out, so thanks for not hazing me...

@x-ray,
On the topic of difficulty for total r/e you mention channel hoping, encryption, access(rom?) and assembly.
I would like to state that of all the things you list the tools vs closed source assembler only code are vastly improved over anything hand coders could've predicted and will only get better. Not having the source code for unencrypted (non-drm?) executables where the operands are KNOWN is quickly becoming moot - emulators tracing decompiler are all improving and will continue to improve as processor power and ram increase.

Something else, on the topic of Mr. Ossmann: prior to hackrf, I invested in his ubertooth project - at my level of funding I received a free lan tap. :)

X-RayFebruary 2, 2016 9:41 PM

@r

"You guys", "ignore on EPR stuff"? I would have thought that comment was not towards me at all as you 'at' me afterwards. But i do a ctrl f and see you mention it in a response to me.

I simply do not know whar "epr" is.

On the rest, I can speak, and yes, the tools are much better. More importantly, the open knowledge shared is online. But there are continuing problems, and it is like the old problems.

Grey box rasp solutions were hand created fifteen years ago, and at least some contractors were using them ten years ago.

Now that tech is hitting the consumer market hard, and that on top of a very mature and sophisticated sast market.

That stuff I know, "epr" I do not. Feel free to explain.

Green SquirrelFebruary 3, 2016 2:47 AM

Trust them when they attribute an attack (e,g: Sony) on the record. Attribution is hard, but when they can attribute they know for sure -- and they don't attribute lightly.

No.

No I wont trust them. Attribution is hard but that doesnt mean that when they attribute they are doing it correctly. In the source material there are references to the armies of lawyers and "other sources" but none of this means it is more believable. None of it means that they wont make a political attribution if they think that they can get away with it.

So, sorry, no I wont trust them when they make an attribution and I am amazed at how many people do.

rFebruary 3, 2016 4:14 PM

@green squirrel,

It's hard for sure, look at the fbi and it'd contractors forging dna evidence that wss uncovered recently. Activities like that kind've remind me how the insurance and medical community are working to inflate billing - it's most definitely NOT trustworthy.

@x-ray,
EPR is related to qubits, changing one entangled end changes the other over a variable distance immediately - it's not the fuzzy action of QC but the spooky action eluded to when it was initially discovered. But the reading I did after that post days thermal and inertial saturation apparently can disrupt those machines. I was worried about embedding one end of an entangled multitude/group to reset a key/rng. I figured EPR would rend EM obsolete because it's not LOS in the least? Might even still be possible if a state diff is all that's required but the no communication clause says that even a fraction of a bit can't be transferred so that probably defeats spin/color diffs and/or modulation.

X-RayFebruary 3, 2016 10:21 PM

@r

I like physics, was into advanced classes (and books) early, but not anywhere near the field where I work.

Not very interested beyond sometimes scoping out if it looks like anyone is getting anywhere, or has.

I like finding security vulnerabilities enough to do it day in and day out year after year. Or clever protections. But it is just a job. At best, some form of art, self expression of much more important matters.

EjwFebruary 11, 2016 6:34 PM

Why did they send the head of TAO?

Can it be that simple that the audience will realky listen intently and the word will spread.

Back at work:
Boss - We cannot afford any kind of security budget, we have never had any issues before.

Staff - The head of TAO recommends doing this and that. So you take full responsibility if something happens?

Boss - Well, maybe we can use some of our earnings to fund some security.

Robert GFebruary 11, 2016 7:26 PM

@Ejw

Doing a public conference really is not such a big deal. He may have just wanted to and asked. It does appear to be defense oriented, and you may be correct. It is good to hear 'how attackers do things'. But, do expect while the information is useful, they would never be able to give out critical details.

Kind of like a thief telling everything but what they do. Magicians revealing other people's secrets, but they keep their best to themselves. It eliminates the competition.

If you are trying to respond to defend their "morality", I do not think that is necessary. That is what they do for a job. Morally inert activity, if not even beneficial.

Geoffrey NicolettiJune 20, 2016 7:04 AM

Transactional Memory with her atomic states has holes in which automated algorithms launched by defense conrtactors required to protect what is, ultimately, classified material, can send out offensive weapons such as a Shimomuro attack (destroy physically a HDD or a CPU). Given that there is no "human freedom" to defend inside nanoseconds---only security--and that the above is terribly insecure, we need to ask what defense do we have in a cyberwar where we don't attack first. Terrifed? Mr. Rob Joyce needs to address such fundamental issues and how "engineering" attacks transcend defenses, how data protection is minor league, how the cloud makes many domains vulnerable to going down and how the TAO should look for eternal vulnerabilities that can't be patched; servers beating servers means we must launch first. Scary.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.