Entries Tagged "Edward Snowden"


The Equation Group's Sophisticated Hacking and Exploitation Tools

This week, Kaspersky Labs published detailed information on what it calls the Equation Group—almost certainly the NSA—and its abilities to embed spyware deep inside computers, gaining pretty much total control of those computers while maintaining persistence in the face of reboots, operating system reinstalls, and commercial anti-virus products. The details are impressive, and I urge anyone interested to read the Kaspersky documents, or this very detailed article from Ars Technica.

Kaspersky doesn’t explicitly name the NSA, but talks about similarities between these techniques and Stuxnet, and points to NSA-like codenames. A related Reuters story provides more confirmation: “A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.”

In some ways, this isn’t news. We saw examples of these techniques in 2013, when Der Spiegel published details of the NSA’s 2008 catalog of implants. (Aside: I don’t believe the person who leaked that catalog is Edward Snowden.) In those pages, we saw examples of malware that embedded itself in computers’ BIOS and disk drive firmware. We already know about the NSA’s infection methods using packet injection and hardware interception.

This is targeted surveillance. There’s nothing here that implies the NSA is doing this sort of thing to every computer, router, or hard drive. It’s doing it only to networks it wants to monitor. Reuters again: “Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.” A map of the infections Kaspersky found bears this out.

On one hand, it’s the sort of thing we want the NSA to do. It’s targeted. It’s exploiting existing vulnerabilities. In the overall scheme of things, this is much less disruptive to Internet security than deliberately inserting vulnerabilities that leave everyone insecure.

On the other hand, the NSA’s definition of “targeted” can be pretty broad. We know that it’s hacked the Belgian telephone company and the Brazilian oil company. We know it’s collected every phone call in the Bahamas and Afghanistan. It hacks system administrators worldwide.

On the other other hand—can I even have three hands?—I remember a line from my latest book: “Today’s top-secret programs become tomorrow’s PhD theses and the next day’s hacker tools.” Today, the Equation Group is “probably the most sophisticated computer attack group in the world,” but these techniques aren’t magically exclusive to the NSA. We know China uses similar techniques. Companies like Gamma Group sell less sophisticated versions of the same things to Third World governments worldwide. We need to figure out how to maintain security in the face of these sorts of attacks, because we’re all going to be subjected to the criminal versions of them in three to five years.

That’s the real problem. Steve Bellovin wrote about this:

For more than 50 years, all computer security has been based on the separation between the trusted portion and the untrusted portion of the system. Once it was “kernel” (or “supervisor”) versus “user” mode, on a single computer. The Orange Book recognized that the concept had to be broader, since there were all sorts of files executed or relied on by privileged portions of the system. Their newer, larger category was dubbed the “Trusted Computing Base” (TCB). When networking came along, we adopted firewalls; the TCB still existed on single computers, but we trusted “inside” computers and networks more than external ones.

There was a danger sign there, though few people recognized it: our networked systems depended on other systems for critical files….

The National Academies report Trust in Cyberspace recognized that the old TCB concept no longer made sense. (Disclaimer: I was on the committee.) Too many threats, such as Word macro viruses, lived purely at user level. Obviously, one could have arbitrarily classified word processors, spreadsheets, etc., as part of the TCB, but that would have been worse than useless; these things were too large and had no need for privileges.

In the 15+ years since then, no satisfactory replacement for the TCB model has been proposed.

We have a serious computer security problem. Everything depends on everything else, and security vulnerabilities in anything affect the security of everything. We simply don’t have the ability to maintain security in a world where we can’t trust the hardware and software we use.

This article was originally published at the Lawfare blog.

EDITED TO ADD (2/17): Slashdot thread. Hacker News thread. Reddit thread. BoingBoing discussion.

EDITED TO ADD (2/18): Here are two academic/hacker presentations on exploiting hard drives. And another article.

EDITED TO ADD (2/23): Another excellent article.

Posted on February 17, 2015 at 12:19 PM

Electronic Surveillance Failures Leading up to the 2008 Mumbai Terrorist Attacks

Long New York Times article based on “former American and Indian officials and classified documents disclosed by Edward J. Snowden” outlining the intelligence failures leading up to the 2008 Mumbai terrorist attacks:

Although electronic eavesdropping often yields valuable data, even tantalizing clues can be missed if the technology is not closely monitored, the intelligence gleaned from it is not linked with other information, or analysis does not sift incriminating activity from the ocean of digital data.

This seems to be the moral:

Although the United States computer arsenal plays a vital role against targets ranging from North Korea’s suspected assault on Sony to Russian cyberthieves and Chinese military hacking units, counterterrorism requires a complex mix of human and technical resources. Some former counterterrorism officials warn against promoting billion-dollar surveillance programs with the narrow argument that they stop attacks.

That monitoring collects valuable information, but large amounts of it are “never meaningfully reviewed or analyzed,” said Charles (Sam) Faddis, a retired C.I.A. counterterrorism chief. “I cannot remember a single instance in my career when we ever stopped a plot based purely on signals intelligence.”

[…]

Intelligence officials say that terror plots are often discernible only in hindsight, when a pattern suddenly emerges from what had been just bits of information. Whatever the reason, no one fully grasped the developing Mumbai conspiracy.

“They either weren’t looking or didn’t understand what it all meant,” said one former American official who had access to the intelligence and would speak only on the condition of anonymity. “There was a lot more noise than signal. There usually is.”

Posted on February 12, 2015 at 6:57 AM

NSA Using Hacker Research and Results

In the latest article based on the Snowden documents, the Intercept is reporting that the NSA and GCHQ are piggy-backing on the work of hackers:

In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches. “Hackers are stealing the emails of some of our targets…by collecting the hackers’ ‘take,’ we…get access to the emails themselves,” reads one top secret 2010 National Security Agency document.

Not surprising.

Posted on February 6, 2015 at 9:39 AM

Canada Spies on Internet Downloads

Another story from the Snowden documents:

According to the documents, the LEVITATION program can monitor downloads in several countries across Europe, the Middle East, North Africa, and North America. It is led by the Communications Security Establishment, or CSE, Canada’s equivalent of the NSA. (The Canadian agency was formerly known as “CSEC” until a recent name change.)

[…]

CSE finds some 350 “interesting” downloads each month, the presentation notes, a number that amounts to less than 0.0001 per cent of the total collected data.

The agency stores details about downloads and uploads to and from 102 different popular file-sharing websites, according to the 2012 document, which describes the collected records as “free file upload,” or FFU, “events.”

EDITED TO ADD (1/30): News article.

EDITED TO ADD (2/1): More news articles.

Posted on January 29, 2015 at 6:26 AM

New NSA Documents on Offensive Cyberoperations

Appelbaum, Poitras, and others have another NSA article with an enormous Snowden document dump on Der Spiegel, giving details on a variety of offensive NSA cyberoperations to infiltrate and exploit networks around the world. There’s a lot here: 199 pages. (Here they are in one compressed archive.)

Paired with the 666 pages released in conjunction with the December 28 Spiegel article (compressed archive here) on NSA cryptanalytic capabilities, we’ve seen a huge amount of Snowden documents in the past few weeks. According to one tally, it runs 3,560 pages in all.

Hacker News thread. Slashdot thread.

EDITED TO ADD (1/19): In related news, the New York Times is reporting that the NSA has infiltrated North Korea’s networks, and provided evidence to blame the country for the Sony hacks.

EDITED TO ADD (1/19): Also related, the Guardian has an article based on the Snowden documents that GCHQ has been spying on journalists. Another article.

Posted on January 18, 2015 at 7:34 AM

New Documents on NSA's Cryptanalysis Capabilities

Der Spiegel published a long article today on the NSA’s analysis capabilities against encrypted systems, with a lot of new documents from the Snowden archive.

I’m not going to have time to look at this for a few days. Describe anything interesting you find—with links to the documents—in the comments.

EDITED TO ADD (10/28): This is in conjunction with a presentation by Laura Poitras and Jake Appelbaum at the Chaos Communication Congress.

EDITED TO ADD (1/14): Matthew Green’s comments on the documents. And the Poitras/Appelbaum talk is on YouTube.

Posted on December 28, 2014 at 5:06 PM

Merry Christmas from the NSA

On Christmas Eve, the NSA released a bunch of audit reports on illegal spying using EO 12333 from 2001 to 2013.

Bloomberg article.

The heavily-redacted reports include examples of data on Americans being e-mailed to unauthorized recipients, stored in unsecured computers and retained after it was supposed to be destroyed, according to the documents. They were posted on the NSA’s website at around 1:30 p.m. on Christmas Eve.

In a 2012 case, for example, an NSA analyst “searched her spouse’s personal telephone directory without his knowledge to obtain names and telephone numbers for targeting,” according to one report. The analyst “has been advised to cease her activities,” it said.

The documents were released in response to an ACLU lawsuit.

Another article.

EDITED TO ADD (12/27): Remember Edward Snowden’s comment that he could eavesdrop on anybody? “I, sitting at my desk, certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, to even the President if I had a personal email.” Lots of people have accused him of lying. Here’s former NSA General Counsel Stewart Baker: “All that makes Snowden’s claim about being able to wiretap anyone extremely unlikely—and certainly not demonstrated by the latest disclosures, despite Glenn Greenwald’s claims to the contrary.”

These documents demonstrate that Snowden is probably correct. In these documents, NSA agents target all sorts of random Americans.

Posted on December 26, 2014 at 6:29 AM

Over 700 Million People Taking Steps to Avoid NSA Surveillance

There’s a new international survey on Internet security and trust, of “23,376 Internet users in 24 countries,” including “Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.” Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those “have taken steps to protect their online privacy and security as a result of his revelations.”

The press is mostly spinning this as evidence that Snowden has not had an effect: “merely 39%,” “only 39%,” and so on. (Note that these articles are completely misunderstanding the data. It’s not 39% of people who are taking steps to protect their privacy post-Snowden, it’s 39% of the 60% of Internet users—which is not everybody—who have heard of him. So it’s much less than 39%.)

Even so, I disagree with the “Edward Snowden Revelations Not Having Much Impact on Internet Users” headline. He’s having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that’s an additional 46 million people around the world.

It’s probably true that most of those people took steps that didn’t make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It’s probably even true that some of those people didn’t take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.

Name another news story that has caused over ten percent of the world’s population to change their behavior in the past year? Cory Doctorow is right: we have reached “peak indifference to surveillance.” From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.

Related: a recent Pew Research Internet Project survey on Americans’ perceptions of privacy, commented on by Ben Wittes.

This essay previously appeared on Lawfare.

EDITED TO ADD (12/15): Reddit thread.

EDITED TO ADD (12/16): Slashdot thread.

EDITED TO ADD (1/23): This essay has been translated into German.

Posted on December 15, 2014 at 6:07 AM

