Entries Tagged "NSA"

Page 34 of 56

SOUFFLETROUGH: NSA Exploit of the Day

One of the top secret NSA documents published by Der Spiegel is a 50-page catalog of “implants” from the NSA’s Tailored Access Group. Because the individual implants are so varied and we saw so many at once, most of them were never discussed in the security community. (Also, the pages were images, which makes them harder to index and search.) To rectify this, I am publishing an exploit a day on my blog.

Today’s implant:

SOUFFLETROUGH

(TS//SI//REL) SOUFFLETROUGH is a BIOS persistence implant for Juniper SSG 500 and SSG 300 firewalls. It persists DNT’s BANANAGLEE software implant. SOUFFLETROUGH also has an advanced persistent back-door capability.

(TS//SI//REL) SOUFFLETROUGH is a BIOS persistence implant for Juniper SSG 500 and SSG 300 series firewalls (320M, 350M, 520, 550, 520M, 550M). It persists DNT’s BANANAGLEE software implant and modifies the Juniper firewall’s operating system (ScreenOS) at boot time. If BANANAGLEE support is not available for the booting operating system, it can install a Persistent Backdoor (PBD) designed to work with BANANAGLEE’s communications structure, so that full access can be reacquired at a later time. It takes advantage of Intel’s System Management Mode for enhanced reliability and covertness. The PDB is also able to beacon home, and is fully configurable.

(TS//SI//REL) A typical SOUFFLETROUGH deployment on a target firewall with an exfiltration path to the Remote Operations Center (ROC) is shown above. SOUFFLETROUGH is remotely upgradeable and is also remotely installable provided BANANAGLEE is already on the firewall of interest.

Status: (C//REL) Released. Has been deployed. There are no availability restrictions preventing ongoing deployments.

Unit Cost: $0

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 13, 2014 at 2:45 PMView Comments

How the NSA Threatens National Security

Secret NSA eavesdropping is still in the news. Details about once secret programs continue to leak. The Director of National Intelligence has recently declassified additional information, and the President’s Review Group has just released its report and recommendations.

With all this going on, it’s easy to become inured to the breadth and depth of the NSA’s activities. But through the disclosures, we’ve learned an enormous amount about the agency’s capabilities, how it is failing to protect us, and what we need to do to regain security in the Information Age.

First and foremost, the surveillance state is robust. It is robust politically, legally, and technically. I can name three different NSA programs to collect Gmail user data. These programs are based on three different technical eavesdropping capabilities. They rely on three different legal authorities. They involve collaborations with three different companies. And this is just Gmail. The same is true for cell phone call records, Internet chats, cell-phone location data.

Second, the NSA continues to lie about its capabilities. It hides behind tortured interpretations of words like “collect,” “incidentally,” “target,” and “directed.” It cloaks programs in multiple code names to obscure their full extent and capabilities. Officials testify that a particular surveillance activity is not done under one particular program or authority, conveniently omitting that it is done under some other program or authority.

Third, US government surveillance is not just about the NSA. The Snowden documents have given us extraordinary details about the NSA’s activities, but we now know that the CIA, NRO, FBI, DEA, and local police all engage in ubiquitous surveillance using the same sorts of eavesdropping tools, and that they regularly share information with each other.

The NSA’s collect-everything mentality is largely a hold-over from the Cold War, when a voyeuristic interest in the Soviet Union was the norm. Still, it is unclear how effective targeted surveillance against “enemy” countries really is. Even when we learn actual secrets, as we did regarding Syria’s use of chemical weapons earlier this year, we often can’t do anything with the information.

Ubiquitous surveillance should have died with the fall of Communism, but it got a new—and even more dangerous—life with the intelligence community’s post-9/11 “never again” terrorism mission. This quixotic goal of preventing something from happening forces us to try to know everything that does happen. This pushes the NSA to eavesdrop on online gaming worlds and on every cell phone in the world. But it’s a fool’s errand; there are simply too many ways to communicate.

We have no evidence that any of this surveillance makes us safer. NSA Director General Keith Alexander responded to these stories in June by claiming that he disrupted 54 terrorist plots. In October, he revised that number downward to 13, and then to “one or two.” At this point, the only “plot” prevented was that of a San Diego man sending $8,500 to support a Somali militant group. We have been repeatedly told that these surveillance programs would have been able to stop 9/11, yet the NSA didn’t detect the Boston bombings—even though one of the two terrorists was on the watch list and the other had a sloppy social media trail. Bulk collection of data and metadata is an ineffective counterterrorism tool.

Not only is ubiquitous surveillance ineffective, it is extraordinarily costly. I don’t mean just the budgets, which will continue to skyrocket. Or the diplomatic costs, as country after country learns of our surveillance programs against their citizens. I’m also talking about the cost to our society. It breaks so much of what our society has built. It breaks our political systems, as Congress is unable to provide any meaningful oversight and citizens are kept in the dark about what government does. It breaks our legal systems, as laws are ignored or reinterpreted, and people are unable to challenge government actions in court. It breaks our commercial systems, as US computer products and services are no longer trusted worldwide. It breaks our technical systems, as the very protocols of the Internet become untrusted. And it breaks our social systems; the loss of privacy, freedom, and liberty is much more damaging to our society than the occasional act of random violence.

And finally, these systems are susceptible to abuse. This is not just a hypothetical problem. Recent history illustrates many episodes where this information was, or would have been, abused: Hoover and his FBI spying, McCarthy, Martin Luther King Jr. and the civil rights movement, anti-war Vietnam protesters, and—more recently—the Occupy movement. Outside the US, there are even more extreme examples. Building the surveillance state makes it too easy for people and organizations to slip over the line into abuse.

It’s not just domestic abuse we have to worry about; it’s the rest of the world, too. The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others. Our choice isn’t between a digital world where the NSA can eavesdrop and one where the NSA is prevented from eavesdropping; it’s between a digital world that is vulnerable to all attackers, and one that is secure for all users.

Fixing this problem is going to be hard. We are long past the point where simple legal interventions can help. The bill in Congress to limit NSA surveillance won’t actually do much to limit NSA surveillance. Maybe the NSA will figure out an interpretation of the law that will allow it to do what it wants anyway. Maybe it’ll do it another way, using another justification. Maybe the FBI will do it and give it a copy. And when asked, it’ll lie about it.

NSA-level surveillance is like the Maginot Line was in the years before World War II: ineffective and wasteful. We need to openly disclose what surveillance we have been doing, and the known insecurities that make it possible. We need to work toward security, even if other countries like China continue to use the Internet as a giant surveillance platform. We need to build a coalition of free-world nations dedicated to a secure global Internet, and we need to continually push back against bad actors—both state and non-state—that work against that goal.

Securing the Internet requires both laws and technology. It requires Internet technology that secures data wherever it is and however it travels. It requires broad laws that put security ahead of both domestic and international surveillance. It requires additional technology to enforce those laws, and a worldwide enforcement regime to deal with bad actors. It’s not easy, and has all the problems that other international issues have: nuclear, chemical, and biological weapon non-proliferation; small arms trafficking; human trafficking; money laundering; intellectual property. Global information security and anti-surveillance needs to join those difficult global problems, so we can start making progress.

The President’s Review Group recommendations are largely positive, but they don’t go nearly far enough. We need to recognize that security is more important than surveillance, and work towards that goal.

This essay previously appeared on TheAtlantic.com.

Posted on January 13, 2014 at 6:28 AMView Comments

JETPLOW: NSA Exploit of the Day

Today’s implant from the NSA’s Tailored Access Operations (TAO) group implant catalog:

JETPLOW

(TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls. It persists DNT’s BANANAGLEE software implant. JETPLOW also has a persistent back-door capability.

(TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls. It persists DNT’s BANANAGLEE software implant and modifies the Cisco firewall’s operating system (OS) at boot time. If BANANAGLEE support is not available for the booting operating system, it can install a Persistent Backdoor (PDB) designed to work with BANANAGLEE’S communications structure, so that full access can be reacquired at a later time. JETPLOW works on Cisco’s 500-series PIX firewalls, as well as most ASA firewalls (5505, 5510, 5520, 5540, 5550).

(TS//SI//REL) A typical JETPLOW deployment on a target firewall with an exfiltration path to the Remote Operations Center (ROC) is shown above. JETPLOW is remotely upgradable and is also remotely installable provided BANANAGLEE is already on the firewall of interest.

Status: (C//REL) Released. Has been widely deployed. Current availability restricted based on OS version (inquire for details).

Unit Cost: $0

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 9, 2014 at 1:02 PMView Comments

HALLUXWATER: NSA Exploit of the Day

Today’s implant from the NSA’s Tailored Access Operations (TAO) group implant catalog:

HALLUXWATER

(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine.

Once installed, HALLUXWATER communicates with an NSA operator via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to read and write memory, execute an address, or execute a packet.

HALLUXWATER provides a persistence capability on the Eudemon 200, 500, and 1000 series firewalls. The HALLUXWATER back door survives OS upgrades and automatic bootROM upgrades.

Status: (U//FOUO) On the shelf, and has been deployed.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

This one is a big deal politically. For years we have been telling the Chinese not to install hardware back doors into Hauwei switches. Meanwhile, we have been doing exactly that. I wouldn’t want to have been the State Department employee to receive that phone call.

Posted on January 8, 2014 at 1:48 PMView Comments

GOURMETTROUGH: NSA Exploit of the Day

Continuing our walk through the NSA’s Tailored Access Operations (TAO) group implant catalog:

GOURMETTROUGH

(TS//SI//REL) GOURMETTROUGH is a user configurable implant for certain Juniper firewalls. It persists DNT’s BANANAGLEE implant across reboots and OS upgrades. For some platforms, it supports a minimal implant with beaconing for OS’s unsupported by BANANAGLEE.

(TS//SI//REL) For supported platforms, DNT may configure without ANT involvement. Except for limited platforms, they may also configure PBD for minimal implant in the case where an OS unsupported by BANANAGLEE is booted.

Status: GOURMETTROUGH is on the shelf and has been deployed on many target platforms. It supports nsg5t, ns50, ns25, isg1000(limited). Soon- ssg140, ssg5, ssg20

Unit Cost: $0

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on. It’s interesting how many of these implants are designed to allow other implants to survive attempts to remove them.

I think it’s important to discuss these implants individually. Because the whole catalog was released at once, it’s easy to focus on the catalog as a whole instead of the individual implants. Blogging them once per day brings back focus.

Posted on January 7, 2014 at 1:16 PMView Comments

Matt Blaze on TAO's Methods

Matt Blaze makes a point that I have been saying for a while now:

Don’t get me wrong, as a security specialist, the NSA’s Tailored Access Operations (TAO) scare the daylights of me. I would never want these capabilities used against me or any other innocent person. But these tools, as frightening and abusable as they are, represent far less of a threat to our privacy and security than almost anything else we’ve learned recently about what the NSA has been doing.

TAO is retail rather than wholesale.

That is, as well as TAO works (and it appears to work quite well indeed), they can’t deploy it against all of us – or even most of us. They must be installed on each individual target’s own equipment, sometimes remotely but sometimes through “supply chain interdiction” or “black bag jobs”. By their nature, targeted exploits must be used selectively. Of course, “selectively” at the scale of NSA might still be quite large, but it is still a tiny fraction of what they collect through mass collection.

This is important. As scarily impressive as TAO’s implant catalog is, it’s targeted. We can argue about how it should be targeted—who counts as a “bad guy” and who doesn’t—but it’s much better than the NSA’s collecting cell phone location data on everyone on the planet. The more we can deny the NSA the ability to do broad wholesale surveillance on everyone, and force them to do targeted surveillance in individuals and organizations, the safer we all are.

Me speaking at the LISA conference last year:

What the NSA leaks show is that “we have made surveillance too cheap. We have to make surveillance expensive again,” Schneier said. “The goal should be to force the NSA , and all similar adversaries, to abandon wholesale collection in favor of targeted collection.”

Blaze’s essay is good throughout, and worth reading.

EDITED TO ADD (1/20): A related essay.

Posted on January 7, 2014 at 8:22 AMView Comments

FEEDTROUGH: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

FEEDTROUGH

(TS//SI//REL) FEEDTROUGH is a persistence technique for two software implants, DNT’s BANANAGLEE and CES’s ZESTYLEAK used against Juniper Netscreen firewalls.

(TS//SI//REL) FEEDTROUGH can be used to persist two implants, ZESTYLEAK and/or BANANAGLEE across reboots and software upgrades on known and covered OS’s for the following Netscreen firewalls, ns5xt, ns25, ns50, ns200, ns500 and ISG 1000. There is no direct communication to or from FEEDTROUGH, but if present, the BANANAGLEE implant can receive and transmit covert channel comms, and for certain platforms, BANANAGLEE can also update FEEDTROUGH. FEEDTROUGH however can only persist OS’s included in its databases. Therefore this is best employed with known OS’s and if a new OS comes out, then the customer would need to add this OS to the FEEDTROUGH database for that particular firewall.

(TS//SI//REL) FEEDTROUGH operates every time the particular Juniper firewall boots. The first hook takes it to the code which checks to see if the OS is in the database, if it is, then a chain of events ensures the installation of either one or both implants. Otherwise the firewall boots normally. If the OS is one modified by DNT, it is not recognized, which gives the customer freedom to field new software.

Status: (S//SI//REL) FEEDTROUGH has on the shelf solutions for all of the listed platforms. It has been deployed on many target platforms.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

The plan is to post one of these a day for the next couple of months.

Posted on January 6, 2014 at 1:28 PMView Comments

NSA Documents from the Spiegel Story

There are more source documents from the recent Spiegel story on the NSA than I realized. Here is what I think is the complete list:

Here are the news articles: Three English articles. Spy catalog interactive graphic. Two articles in German.

This is all really important information for those of us trying to defend against adversaries with these sorts of capabilities.

Posted on January 3, 2014 at 2:23 PMView Comments

IRONCHEF: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog is IRONCHEF:

IRONCHEF

(TS//SI//REL) IRONCHEF provides access persistence to target systems by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to communicate with a hardware implant that provides two-way RF communication.

(TS//SI//REL) This technique supports the HP Proliant 380DL G5 server, onto which a hardware implant has been installed that communicates over the I2C Interface (WAGONBED).

(TS//SI//REL) Through interdiction, IRONCHEF, a software CNE implant and the hardware implant are installed onto the system. If the software CNE implant is removed from the target machine, IRONCHEF is used to access the machine, determine the reason for removal of the software, and then reinstall the software from a listening post to the target system.

Status: Ready for Immediate Delivery

Unit Cost: $0

Page, with graphics, is here. General information about TAO and the catalog is here.

“CNE” stands for Computer Network Exfiltration. “Through interdiction” presumably means that the NSA has to physically intercept the computer while in transit to insert the hardware/software implant.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

The plan is to post one of these a day for the next couple of months.

Posted on January 3, 2014 at 12:20 PMView Comments

1 32 33 34 35 36 56

Sidebar photo of Bruce Schneier by Joe MacInnis.