
Archive for December 30th, 2013|Daily archive page

To Protect and Infect: The Militarization of the Internet – Claudio Guarnieri, Morgan Marquis-Boire, Jacob Appelbaum @ 30c3

In 30c3, ANT, Archive, Malware, NSA, NSA Files, Surveillance, TAO, Technology on December 30, 2013 at 6:33 PM

12/29/2013

2013 will be remembered as the year that the Internet lost its innocence for nearly everyone as light was shed on the widespread use of dragnet surveillance by the NSA and intelligence agencies globally. With the uprisings of the Arab Spring where people raided the offices of their regimes to bring evidence to light, we’ve seen a tremendous phenomenon: a large number of whistleblowers have taken action to inform the public about important details. The WikiLeaks SpyFiles series also shows us important details to corroborate these claims. There is ample evidence about the use and abuses of a multi-billion dollar industry that has now come to light. This evidence includes increasing use of targeted attacks to establish even more invasive control over corporate, government or other so-called legitimate targets.

Everything transiting our network connections is under surveillance to some degree. It’s also common for law enforcement and intelligence agencies to use exploits and malware to infect and monitor computers, mobile devices and to spy on networks. They’re able to bug our rooms with our own telephones, read encrypted emails, log keystrokes – they invade the most personal spaces in the very core of a person’s life with minimal economic impact to their budget.

In this talk Claudio Guarnieri and Morgan Marquis-Boire discuss the nature of targeted and untargeted surveillance, exploitation and intelligence gathering. This active surveillance is produced and operated not only by governments but by corporations and mercenaries that provide their intrusion services to the highest bidders who often have the lowest respect for human rights.

We’ll introduce you to the players in the business of active, passive, tactical and strategic surveillance and the products they provide. We’ll also discuss examples of specific attacks on journalists and human rights activists worldwide in the last couple of years. Surprises won’t be missing.

Related Links:

WikiLeaks Spy Files

Eyes Wide Open: Privacy International Special Report on the Five Eyes Alliance

Telecomix Blue Cabinet Wiki

12/30/2013

Security researcher Jacob Appelbaum revealed what he calls “wrist-slitting depressing” details about the National Security Agency’s spy programs at a computer conference in Germany on Monday where he presented previously unpublished NSA files.

Appelbaum is among the small group of experts, activists and journalists who have seen classified United States intelligence documents taken earlier this year by former contractor Edward Snowden, and previously he represented transparency group WikiLeaks at an American hacker conference in 2010. Those conditions alone should suffice in proving to most anybody that Appelbaum has been around more than his fair share of sensitive information, and during his presentation at the thirtieth annual Chaos Communication Congress in Hamburg on Monday he spilled his guts about some of the shadiest spy tactics seen yet through leaked documents.

Presenting in tandem with the publishing of an article in Germany’s Der Spiegel magazine, Appelbaum explained to the audience of his hour-long “To Protect and Infect” address early Monday that the NSA has secretly sabotaged US businesses by covertly — and perhaps sometimes with the cooperation of the tech industry — coming up with ways to exploit vulnerabilities in the products sold by major American companies, including Dell and Apple, among others.

That was only the main theme of many covered throughout the presentation, during which Appelbaum repeatedly revealed previously unpublished top-secret NSA documents detailing the tactics and techniques used by the NSA to intercept the communications of seemingly anyone on Earth.

Related Link: NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware

Slide Presentation via Cryptome

NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware

In ANT, Archive, Hacking, Malware, NSA, NSA Files, Surveillance, TAO, Technology on December 30, 2013 at 3:17 AM


12/29/2013

SPIEGEL:

After years of speculation that electronics can be accessed by intelligence agencies through a back door, an internal NSA catalog reveals that such methods already exist for numerous end-user devices.

When it comes to modern firewalls for corporate computer networks, the world’s second largest network equipment manufacturer doesn’t skimp on praising its own work. According to Juniper Networks’ online PR copy, the company’s products are “ideal” for protecting large companies and computing centers from unwanted access from outside. They claim the performance of the company’s special computers is “unmatched” and their firewalls are the “best-in-class.” Despite these assurances, though, there is one attacker none of these products can fend off — the United States’ National Security Agency.

Specialists at the intelligence organization succeeded years ago in penetrating the company’s digital firewalls. A document viewed by SPIEGEL resembling a product catalog reveals that an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry — including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell and Apple’s iPhone.

These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives — from computing centers to individual computers, from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.

This, at least, is the impression gained from flipping through the 50-page document. The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets’ data. The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000.

In the case of Juniper, the name of this particular digital lock pick is “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.” In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH “has been deployed on many target platforms.”

The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA’s department for Tailored Access Operations (TAO). In cases where TAO’s usual hacking and data-skimming methods don’t suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such “implants,” as they are referred to in NSA parlance, have played a considerable role in the intelligence agency’s ability to establish a global covert network that operates alongside the Internet.

Some of the equipment available is quite inexpensive. A rigged monitor cable that allows “TAO personnel to see what is displayed on the targeted monitor,” for example, is available for just $30. But an “active GSM base station” — a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones — costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.

The ANT division doesn’t just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer’s motherboard that is the first thing to load when a computer is turned on.

This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this “Persistence” and believe this approach has provided them with the possibility of permanent access.

Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many digital attack weapons are “remotely installable” — in other words, over the Internet. Others require a direct attack on an end-user device — an “interdiction,” as it is known in NSA jargon — in order to install malware or bugging equipment.

There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalog provided any support to the NSA or even had any knowledge of the intelligence solutions. “Cisco does not work with any government to modify our equipment, nor to implement any so-called security ‘back doors’ in our products,” the company said in a statement. Contacted by SPIEGEL reporters, officials at Western Digital, Juniper Networks and Huawei also said they had no knowledge of any such modifications. Meanwhile, Dell officials said the company “respects and complies with the laws of all countries in which it operates.”

Many of the items in the software solutions catalog date from 2008, and some of the target server systems that are listed are no longer on the market today. At the same time, it’s not as if the hackers within the ANT division have been sleeping on the job. They have continued to develop their arsenal. Some pages in the 2008 catalog, for example, list new systems for which no tools yet exist. However, the authors promise they are already hard at work developing new tools and that they will be “pursued for a future release”.

[Images: ANT catalog pages for DEITYBOUNCE, IRONCHEF, FEEDTROUGH, GOURMETTROUGH, HALLUXWATER, JETPLOW, SOUFFLETROUGH, HEADWATER, SCHOOLMONTANA, SIERRAMONTANA, STUCCOMONTANA, CTX4000, LOUDAUTO, NIGHTSTAND, NIGHTWATCH, PHOTOANGLO, SPARROW II, TAWDRYYARD, GINSU, HOWLERMONKEY, IRATEMONK, JUNIORMINT, MAESTRO-II, SOMBERKNAVE, SWAP, TRINITY, WISTFULTOLL, SURLYSPAWN, DROPOUTJEEP, GOPHERSET, MONKEYCALENDAR, PICASSO, TOTECHASER, TOTEGHOSTLY 2.0, CANDYGRAM, CROSSBEAM, CYCLONE HX9, EBSR, ENTOURAGE, GENESIS, NEBULA, TYPHON HX, WATERWITCH, COTTONMOUTH-I, COTTONMOUTH-II, COTTONMOUTH-III, FIREWALK and RAGEMASTER]

Related Links:

American Companies Respond to New NSA Hacking Claims

To Protect and Infect: The Militarization of the Internet – Claudio Guarnieri, Morgan Marquis-Boire, Jacob Appelbaum @ 30c3

Tax and Spy: How the NSA Can Hack Any American, Stores Data 15 Years

NSA Can Hack WiFi Devices From Eight Miles Away

The NSA Has a Backdoor Called “DROPOUTJEEP” for Nearly Complete Access to the Apple iPhone

U.S. to China: We Hacked Your Internet Gear We Told You Not to Hack

The NSA Product Generator

NSA Technology Transfer Program (TTP) Catalog for Licensing Products to U.S. Companies

NSA Intercepts Computer Shipping Deliveries of Targets to Install Malware/Backdoors

In Archive, Cisco, Hacking, Malware, NSA, NSA Files, Surveillance, TAO, Technology on December 30, 2013 at 2:33 AM


12/29/2013

SPIEGEL:

Sometimes it appears that the world’s most modern spies are just as reliant on conventional methods of reconnaissance as their predecessors.

Take, for example, when they intercept shipping deliveries. If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called “load stations,” agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.


These minor disruptions in the parcel shipping business rank among the “most productive operations” conducted by the NSA hackers, one top secret document relates in enthusiastic terms. This method, the presentation continues, allows TAO to obtain access to networks “around the world.”

Even in the Internet Age, some traditional spying methods continue to live on.

——————————————————————————————————————————————————————————————

Declan McCullagh: “If NSA ‘can divert the shipping delivery to its own secret workshops,’ it’s time to pose some pointed questions to Post Office, UPS, FedEx. Seems like NSA would require not only broad access to USPS/Fedex/UPS databases, but active participation in diverting packages.”

Shipping Companies Largely Silent on NSA Intercepting Packages

UPDATE 03/18/2015 Cisco Using Dead Drops for Sensitive Customers to Avoid NSA Interdiction

Related Link: NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware

NSA Spying on Europe/Asia SEA-ME-WE-4 Undersea Telecom Cables

In Archive, Hacking, NSA, NSA Files, Surveillance, TAO on December 30, 2013 at 2:25 AM


12/29/2013

SPIEGEL:

It is in no way true to say that the NSA has its sights set exclusively on select individuals. Of even greater interest are entire networks and network providers, such as the fiber optic cables that direct a large share of global Internet traffic along the world’s ocean floors.

One document labeled “top secret” and “not for foreigners” describes the NSA’s success in spying on the “SEA-ME-WE-4” cable system. This massive underwater cable bundle connects Europe with North Africa and the Gulf states and then continues on through Pakistan and India, all the way to Malaysia and Thailand. The cable system originates in southern France, near Marseille. Among the companies that hold ownership stakes in it are France Telecom, now known as Orange and still partly government-owned, and Telecom Italia Sparkle.

The document proudly announces that, on Feb. 13, 2013, TAO “successfully collected network management information for the SEA-Me-We Undersea Cable Systems (SMW-4).” With the help of a “website masquerade operation,” the agency was able to “gain access to the consortium’s management website and collected Layer 2 network information that shows the circuit mapping for significant portions of the network.”

It appears the government hackers succeeded here once again using the QUANTUMINSERT method.

The document states that the TAO team hacked an internal website of the operator consortium and copied documents stored there pertaining to technical infrastructure. But that was only the first step. “More operations are planned in the future to collect more information about this and other cable systems,” it continues.

UPDATE: Orange to Take Legal Action After Report of Spying via Its Cable


NSA document: “20 major accesses” to undersea cables worldwide

Related Links:

US Hacked Pacnet, Asia Pacific Fibre-Optic Network Operator, in 2009

NSA Asked Japan for Help Tapping Asia-Pacific Fiber-Optic Cables in 2011, Request Denied

Glimmerglass Intercepts Undersea Cable Traffic for Spy Agencies / NSA Contracts with Glimmerglass Networks

The Creepy, Long-Standing Practice of Undersea Cable Tapping

NSA QUANTUM Files

In Archive, Hacking, Internet, Malware, NSA, NSA Files, Surveillance, TAO on December 30, 2013 at 1:49 AM


12/29/2013

SPIEGEL:

One of the key tasks of NSA’s Tailored Access Operations (TAO) is the offensive infiltration of target computers with so-called implants or with large numbers of Trojans. They’ve bestowed their spying tools with illustrious monikers like “ANGRY NEIGHBOR,” “HOWLERMONKEY” or “WATERWITCH.” These names may sound cute, but the tools they describe are both aggressive and effective. See: NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware

According to details in Washington’s current budget plan for the US intelligence services, around 85,000 computers worldwide are projected to be infiltrated by the NSA specialists by the end of this year. By far the majority of these “implants” are conducted by TAO teams via the Internet.

See Also: Digital “Sleeper Cells”: NSA Infects More Than 50,000 Computer Networks Worldwide With Malware “Implants”

Until just a few years ago, NSA agents relied on the same methods employed by cyber criminals to conduct these implants on computers. They sent targeted attack emails disguised as spam containing links directing users to virus-infected websites. With sufficient knowledge of an Internet browser’s security holes — Microsoft’s Internet Explorer, for example, is especially popular with the NSA hackers — all that is needed to plant NSA malware on a person’s computer is for that individual to open a website that has been specially crafted to compromise the user’s computer. Spamming has one key drawback though: It doesn’t work very often.


Nevertheless, TAO has dramatically improved the tools at its disposal. It maintains a sophisticated toolbox known internally by the name “QUANTUMTHEORY.” “Certain QUANTUM missions have a success rate of as high as 80%, where spam is less than 1%,” one internal NSA presentation states.

A comprehensive internal presentation titled “QUANTUM CAPABILITIES,” which SPIEGEL has viewed, lists virtually every popular Internet service provider as a target, including Facebook, Yahoo, Twitter and YouTube. “NSA QUANTUM has the greatest success against Yahoo, Facebook and static IP addresses,” it states. The presentation also notes that the NSA has been unable to employ this method to target users of Google services. Apparently, that can only be done by Britain’s GCHQ intelligence service, which has acquired QUANTUM tools from the NSA.

A favored tool of intelligence service hackers is “QUANTUMINSERT.” GCHQ workers used this method to attack the computers of employees at partly government-held Belgian telecommunications company Belgacom, in order to use their computers to penetrate even further into the company’s networks. The NSA, meanwhile, used the same technology to target high-ranking members of the Organization of the Petroleum Exporting Countries (OPEC) at the organization’s Vienna headquarters. In both cases, the trans-Atlantic spying consortium gained unhindered access to valuable economic data using these tools.

The insert method and other variants of QUANTUM are closely linked to a shadow network operated by the NSA alongside the Internet, with its own, well-hidden infrastructure comprised of “covert” routers and servers. It appears the NSA also incorporates routers and servers from non-NSA networks into its covert network by infecting these networks with “implants” that then allow the government hackers to control the computers remotely.

In this way, the intelligence service seeks to identify and track its targets based on their digital footprints. These identifiers could include certain email addresses or website cookies set on a person’s computer. Of course, a cookie doesn’t automatically identify a person, but it can if it includes additional information like an email address. In that case, a cookie becomes something like the web equivalent of a fingerprint.

Related: NSA Using Advertising Data for Surveillance: Cookies to Identify Hacking Targets, Mobile Apps to Track Locations

Once TAO teams have gathered sufficient data on their targets’ habits, they can shift into attack mode, programming the QUANTUM systems to perform this work in a largely automated way. If a data packet featuring the email address or cookie of a target passes through a cable or router monitored by the NSA, the system sounds the alarm. It determines what website the target person is trying to access and then activates one of the intelligence service’s covert servers, known by the codename FOXACID.


This NSA server coerces the user into connecting to NSA covert systems rather than the intended sites. In the case of Belgacom engineers, instead of reaching the LinkedIn page they were actually trying to visit, they were also directed to FOXACID servers housed on NSA networks. Undetected by the user, the manipulated page transferred malware already custom tailored to match security holes on the target person’s computer.

The technique can literally be a race between servers, one that is described in internal intelligence agency jargon with phrases like: “Wait for client to initiate new connection,” “Shoot!” and “Hope to beat server-to-client response.” Like any competition, at times the covert network’s surveillance tools are “too slow to win the race.” Often enough, though, they are effective. Implants with QUANTUMINSERT, especially when used in conjunction with LinkedIn, now have a success rate of over 50 percent, according to one internal document.
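Because the injecting server cannot suppress the real server’s reply, a capture taken near the client ends up holding two answers to one request: two segments with the same TCP sequence number but different bytes, usually with a different IP TTL because the forged packet took a different path. The following is an added example, not code from Der Spiegel, the NSA documents, or this blog: a Python check that flags that signature in a constructed sample capture while ignoring ordinary retransmissions (the addresses, TTLs and payloads are all constructed).

```python
"""Flag the race signature of a man-on-the-side injection in a TCP capture.

Added example (not from the article). Two server->client segments that claim
the same sequence number but carry different payloads mean two servers
answered one request; a true retransmission repeats identical bytes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float          # capture timestamp in seconds
    src: str           # server-side endpoint "ip:port"
    dst: str           # client-side endpoint "ip:port"
    seq: int           # TCP sequence number of the first payload byte
    ttl: int           # IP TTL observed on the wire
    payload: bytes     # TCP payload (empty for pure ACKs)


@dataclass(frozen=True)
class Finding:
    flow: tuple
    seq: int
    first: Segment     # the reply that won the race
    second: Segment    # the reply that lost it
    ttl_delta: int     # TTL of the loser minus TTL of the winner
    gap_ms: float      # how far apart the two replies arrived


def find_injection_candidates(segments, max_gap_s=2.0):
    """Return a Finding for each (flow, seq) answered with two different payloads.

    Identical repeats are treated as benign retransmissions and skipped; a
    differing payload later than max_gap_s after the first is ignored as noise.
    """
    by_key = defaultdict(list)
    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.payload:
            by_key[(seg.src, seg.dst, seg.seq)].append(seg)

    findings = []
    for (src, dst, seq), segs in by_key.items():
        seen = [segs[0]]                       # distinct payloads at this seq
        for later in segs[1:]:
            if any(later.payload == s.payload for s in seen):
                continue                       # plain retransmission
            if later.ts - seen[0].ts <= max_gap_s:
                findings.append(Finding(
                    flow=(src, dst), seq=seq, first=seen[0], second=later,
                    ttl_delta=later.ttl - seen[0].ttl,
                    gap_ms=round((later.ts - seen[0].ts) * 1000, 1)))
            seen.append(later)
    return findings


# Constructed sample: a forged redirect beats the genuine 200 OK by 38 ms,
# then the genuine reply is retransmitted once (must not alert).
SAMPLE_CAPTURE = [
    Segment(0.000, "198.51.100.10:80", "192.0.2.25:51234", 1000, 51,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    Segment(0.038, "198.51.100.10:80", "192.0.2.25:51234", 1000, 57,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment(0.300, "198.51.100.10:80", "192.0.2.25:51234", 1000, 57,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment(0.310, "198.51.100.10:80", "192.0.2.25:51234", 1051, 57, b"<body>"),
]


def sample_findings():
    return find_injection_candidates(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.flow[0]} -> {f.flow[1]} seq={f.seq}: two replies "
              f"{f.gap_ms} ms apart, TTL delta {f.ttl_delta}, "
              f"winner starts {f.first.payload[:18]!r}")
```

On a real tap the same check runs over segments decoded from pcap; a TTL difference on its own is weak evidence, so the duplicate-sequence mismatch is the condition to alert on.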

