
Wednesday, 4 September 2013

NSA Laughs at PCs, Prefers Hacking Routers and Switches for bugging

The NSA runs a massive, full-time hacking operation targeting foreign systems, the latest leaks from Edward Snowden show. But unlike conventional cybercriminals, the agency is less interested in hacking PCs and Macs. Instead, America’s spooks have their eyes on the internet routers and switches that form the basic infrastructure of the net, and are largely overlooked as security vulnerabilities.
Under a $652-million program codenamed “Genie,” U.S. intel agencies have hacked into foreign computers and networks to monitor communications crossing them and to establish control over them, according to a secret black budget document leaked to the Washington Post. U.S. intelligence agencies conducted 231 offensive cyber operations in 2011 to penetrate the computer networks of targets abroad.
This included not only installing covert “implants” in foreign desktop computers but also on routers and firewalls — tens of thousands of machines every year in all. According to the Post, the government planned to expand the program to cover millions of additional foreign machines in the future and preferred hacking routers to individual PCs because it gave agencies access to data from entire networks of computers instead of just individual machines.
Most of the hacks targeted the systems and communications of top adversaries like China, Russia, Iran and North Korea and included activities around nuclear proliferation.
The NSA’s focus on routers highlights an often-overlooked attack vector with huge advantages for the intruder, says Marc Maiffret, chief technology officer at security firm Beyond Trust. Hacking routers is an ideal way for an intelligence or military agency to maintain a persistent hold on network traffic because the systems aren’t updated with new software very often or patched in the way that Windows and Linux systems are.
“No one updates their routers,” he says. “If you think people are bad about patching Windows and Linux (which they are) then they are … horrible about updating their networking gear because it is too critical, and usually they don’t have redundancy to be able to do it properly.”
He also notes that routers don’t have security software that can help detect a breach.
“The challenge [with desktop systems] is that while antivirus doesn’t work well on your desktop, it at least does something [to detect attacks],” he says. “But you don’t even have an integrity check for the most part on routers and other such devices like IP cameras.”
Hijacking routers and switches could allow the NSA to do more than just eavesdrop on all the communications crossing that equipment. It would also let them bring down networks or prevent certain communication, such as military orders, from getting through, though the Post story doesn’t report any such activities. With control of routers, the NSA could re-route traffic to a different location, or even alter it for disinformation campaigns, such as planting information that would have a detrimental political effect or altering orders to re-route troops or supplies in a military operation.
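Maiffret's point that routers rarely get even an integrity check, and the re-routing and traffic-mirroring scenarios just described, can be addressed cheaply from outside the device: pull the running configuration on a schedule and compare it against a stored baseline, ignoring the lines that legitimately change between pulls. The following is an added example written for this page, not code from the article, from Cisco or from any vendor. It assumes configurations have already been pulled to text (for example over SSH) and uses IOS-style syntax; the sample configurations, hostnames, addresses and credentials are constructed.

```python
"""Added example: configuration-integrity check for a router or switch.

Illustrative code written for this page, not a tool from the article or
from any vendor. Device configs are assumed to have been pulled already
(for example over SSH into a text file); the sample configs below are
constructed and every hostname, address and credential in them is fictitious.
"""
import hashlib
import re
from typing import Dict, List

# Lines that legitimately change between pulls and must not count as drift.
VOLATILE = re.compile(
    r"^!\s*(Last configuration change|NVRAM config last updated|Time:)", re.I
)

# Additions that should never appear silently: traffic mirroring, a new
# privilege-15 account, a writable SNMP community, a new static route.
SUSPICIOUS_ADDED = (
    re.compile(r"^\s*monitor session \d+ destination", re.I),
    re.compile(r"^\s*username \S+ privilege 15", re.I),
    re.compile(r"^\s*snmp-server community \S+ RW\b", re.I),
    re.compile(r"^\s*ip route ", re.I),
)
# Removals that weaken visibility or access control.
SUSPICIOUS_REMOVED = (
    re.compile(r"^\s*logging host ", re.I),
    re.compile(r"^\s*aaa ", re.I),
    re.compile(r"^\s*(ip )?access-list ", re.I),
)


def normalize(config: str) -> List[str]:
    """Drop blank and volatile lines so only real settings are compared."""
    return [
        ln.rstrip()
        for ln in config.splitlines()
        if ln.strip() and not VOLATILE.match(ln)
    ]


def fingerprint(config: str) -> str:
    """SHA-256 over the normalized config: the value to store as the baseline."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def audit(baseline: str, current: str) -> Dict[str, object]:
    """Compare a stored baseline against a fresh pull and flag risky drift."""
    base, cur = set(normalize(baseline)), set(normalize(current))
    added, removed = sorted(cur - base), sorted(base - cur)
    flagged = [f"+ {ln}" for ln in added if any(p.match(ln) for p in SUSPICIOUS_ADDED)]
    flagged += [f"- {ln}" for ln in removed if any(p.match(ln) for p in SUSPICIOUS_REMOVED)]
    return {
        "changed": fingerprint(baseline) != fingerprint(current),
        "added": added,
        "removed": removed,
        "flagged": flagged,
    }


# --- constructed sample data -------------------------------------------------
BASELINE = """\
! Last configuration change at 09:12:33 UTC Mon Aug 5 2013
version 15.1
hostname edge-rtr-1
logging host 10.0.0.5
username netops privilege 15 secret 5 $1$abcd$exampleonly
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
snmp-server community example-ro RO
"""

# Same settings, only the timestamp comment differs: must not be reported.
RETIMESTAMPED = BASELINE.replace("09:12:33 UTC Mon Aug 5 2013", "14:02:10 UTC Tue Sep 3 2013")

# A mirror port and an extra admin account appear; remote logging disappears.
TAMPERED = RETIMESTAMPED.replace("logging host 10.0.0.5\n", "") + (
    "monitor session 1 destination interface GigabitEthernet0/24\n"
    "username svc_backup privilege 15 secret 5 $1$zzzz$exampleonly\n"
)

if __name__ == "__main__":
    for name, cfg in (("retimestamped", RETIMESTAMPED), ("tampered", TAMPERED)):
        report = audit(BASELINE, cfg)
        print(name, "changed" if report["changed"] else "unchanged")
        for item in report["flagged"]:
            print("  FLAG", item)
```

The hash is only as trustworthy as the pull: take configurations out-of-band from a collector the device administrators do not control, and keep the baseline there too, because an intruder with the enable password can rewrite both the device and any copy stored on it. The same approach extends to the firmware image: hash the file on flash and compare it against the vendor-published value rather than trusting the device's own report of what it is running.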
According to the budget document, the CIA’s Tailored Access Programs and NSA’s software engineers possess “templates” for breaking into common brands and models of routers, switches and firewalls.
The article doesn’t say it, but this would likely involve pre-written scripts, backdoor tools and rootkits for attacking known but unpatched vulnerabilities in these systems, as well as zero-day vulnerabilities still unknown to the vendor and its customers.
“[Router software is] just an operating system and can be hacked just as Windows or Linux would be hacked,” Maiffret says. “They’ve tried to harden them a little bit more [than these other systems], but for folks at a place like the NSA or any other major government intelligence agency, it’s pretty standard fare of having a ready-to-go backdoor for your [off-the-shelf] Cisco or Juniper models.”
Not all of the activity mentioned in the budget document involved remote hacking. In some cases, according to the document, the operations involved clandestine activity by the CIA or military intelligence units to “physically place hardware implants or software modifications” to aid the spying.
“Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO),” the Post writes in its story about the document. “As its name suggests, TAO builds attack tools that are custom-fitted to their targets.”
A handful of security researchers have uncovered vulnerabilities in routers in recent years that could be used to do the kind of hacking described in the budget document.
In 2005, security researcher Mike Lynn found a serious vulnerability in Cisco IOS, the operating system running on millions of Cisco routers around the world.
Lynn discovered the vulnerability after his employer, Internet Security Systems, asked him to reverse-engineer the Cisco operating system to see if he could find security problems with it. Cisco makes the majority of the routers that operate the backbone of the internet as well as many company networks and critical infrastructure systems. The Cisco IOS is as ubiquitous in the backbone as the Windows operating system is on desktops.
The vulnerability Lynn found, in a new version of the operating system that Cisco planned to release at the time, would have allowed someone to create a router worm that shut down every Cisco router it passed through, bringing down a nation’s critical infrastructure. It would also have allowed an attacker to gain complete control of a router to sniff all traffic passing through the network in order to read, record or alter it, or simply to prevent traffic from reaching its recipient.
Once Lynn found the vulnerability, it took him six months to develop a working exploit to attack it.
Lynn had planned to discuss the vulnerability at the Black Hat security conference in Las Vegas, until Cisco intervened and forced him to pull the talk under threat of a lawsuit.
But if Lynn knew about the vulnerability, there were likely others who did as well — including intelligence agencies and criminal hackers.
Source code for Cisco’s IOS has been stolen at least twice, either by entities who were interested in studying the software to gain a competitive advantage or to uncover vulnerabilities that would allow someone to hack or control them.
Other researchers have uncovered different vulnerabilities in other Cisco routers that are commonly used in small businesses and home offices.
Every year at computer security conferences around the world — including the Black Hat conference where NSA Director Keith Alexander presented a keynote this year — U.S. intelligence agencies and contractors from around the world attend to discover information about new vulnerabilities that might be exploited and to hire talented researchers and hackers capable of finding more vulnerabilities in systems.
In 2008, a researcher at Core Security Technologies developed a root kit for the Cisco IOS that was designed to give an attacker a persistent foothold on a Cisco router while remaining undetected.
According to the Post story, the NSA designs most of the offensive tools it uses in its Genie operation, but it spent $25.1 million in one year for “additional covert purchases of software vulnerabilities” from private malware vendors who operate on the grey market — closed markets that peddle vulnerabilities and exploits to law enforcement and intelligence agencies, as opposed to the black market that sells them to cyber criminals.
The price of vulnerabilities and exploits varies, depending on a number of factors. Vulnerabilities and exploits can sell for anywhere from $50,000 to more than a million, depending on the exclusivity of the purchase — some vulnerabilities are sold to multiple parties with the understanding that others are using them as well — and on their ubiquity. A vulnerability that exists in multiple versions of an operating system is more valuable than one that exists in just one version. A class of vulnerability that crosses multiple browser brands is likewise more valuable than a single vulnerability that affects only Safari or only Chrome.
The Stuxnet cyber weapon that was reportedly created by the U.S. and Israel to sabotage centrifuges used in Iran’s uranium enrichment program, used five zero-day exploits to spread itself among systems in Iran, including a rare exploit that attacked the .LNK function in multiple versions of the Windows operating system in order to spread the worm silently via infected USB sticks.
Ubiquitous router vulnerabilities are difficult to find since there are so many different configurations for routers and an attack that works against one router configuration might not work for another. But a vulnerability that affects the core operating system is much more valuable since it is less likely to be dependent on the configuration. Maiffret says there hasn’t been a lot of public research on router vulnerabilities but whenever someone has taken a look at them, they have found security holes in them.
“They’re always successful in finding something,” he says.
Once a vulnerability becomes known to the software maker and is patched, it loses its value. But because many users do not patch their systems, some vulnerabilities can be used effectively for years even after a patch is available. The Conficker worm, for example, continued to infect millions of computers long after Microsoft released a patch that should have stopped the worm from spreading.
Routers in particular often remain unpatched because system administrators don’t think they will be targeted and because they worry about network outages while the patch is applied or if the patch turns out to be faulty.

Wednesday, 28 August 2013

UN to act over US hacking claims

The United Nations is to contact the United States about reports that America's National Security Agency (NSA) hacked the world body's internal communications.


The UN emphasised that international treaties protected its offices and all diplomatic missions from interference, spying and eavesdropping.
Its spokesman Farhan Haq said the UN would "reach out" to US officials about the reports of eavesdropping, as it has in the past when such allegations have been raised.
Mr Haq added that "the inviolability of diplomatic missions, including the United Nations and other international organisations, whose functions are protected by the relevant international conventions like the Vienna Convention, has been well-established international law."
The German magazine Der Spiegel reported that documents it obtained from American leaker Edward Snowden showed the NSA secretly monitored the UN's internal video conferencing system by decrypting it last year.
Der Spiegel also said the NSA installed bugs in the European Union's office building in Washington and infiltrated the EU's computer network.
The 1961 Vienna Convention regulates diplomatic issues and status among nations and international organisations. Among other things, it says a host country cannot search diplomatic premises or seize its documents or property. It also says the host government must permit and protect free communication between the diplomats of the mission and their home country.
But wiretapping and eavesdropping have been rampant for decades, most dramatically between the United States and the Soviet Union during the Cold War.
Sunday, 23 June 2013

Why do American spy agencies want a Malayalam translator at an exorbitant salary?
Yet conversations with current and former employees of Booz Allen and U.S. intelligence officials suggest that these contractors aren’t going anywhere soon. Even if Snowden ends up costing his former employer business, the work will probably just go to its rivals. Although Booz Allen and the rest of the shadow intelligence community arose as stopgap solutions—meant to buy time as shrunken, post-Cold War agencies tried to rebuild after Sept. 11—they’ve become the vine that supports the wall. As much as contractors such as Booz Allen have come to rely on the federal government, the government relies on them even more.


Edward Snowden was not hired as a spy. He’s a mostly self-taught computer technician who never completed high school, and his first intelligence job was as a security guard at an NSA facility. In an interview in the Guardian, he says he was hired by the Central Intelligence Agency for his computer skills to work on network security. In 2009 he left for the private sector, eventually ending up at Booz Allen. The job he did as a contractor for the NSA appears to have been basic tech support and troubleshooting. He was the IT guy.
People in intelligence tend to divide contract work into three tiers. In the first tier are the least sensitive and most menial jobs: cutting the grass at intelligence facilities, emptying the trash, sorting the mail. In classified facilities even the janitors need security clearances—the wastebaskets they’re emptying might contain national secrets. That makes these jobs particularly hard to fill, since most people with security clearances are almost by definition overqualified for janitorial work.
Snowden, with his computer expertise, fit in the middle tier: people with specialized skills. When the U.S. military first began ramping up its use of contractors during the Vietnam War, these jobs made up much of the hiring—the Pentagon was desperate for repairmen for its increasingly complex weapons and transport systems. Also in this tier are translators, interrogators, and investigators who handle background checks for government security clearances. Firms such as CSC (CSC) and L-3 Communications (LLL) specialize in this tier. Booz Allen competes for some of that work, but it tends to focus on the highest tier: big contracts that can involve everything from developing strategies to defeat al-Qaeda in the Islamic Maghreb to designing software systems to writing speeches for senior officials. Tier three contractors often are, for all intents and purposes, spies—and sometimes spymasters.
William Golden heads a recruiting and job placement company for intelligence professionals. In mid-June, he’s trying to fill three slots for contractors at the Defense Intelligence Agency. As it happens, Booz Allen isn’t involved, but these are the sort of jobs the firm has filled in thousands of other instances, Golden says. Two postings are for senior counter-intelligence analyst openings in Fort Devens, Mass., one focusing on the threat to federal installations in Massachusetts, the other on Southwest Asia. The contractors would be trawling through streams of intelligence, from digital intercepts and human sources alike, writing reports and briefings just like the DIA analysts they would be sitting next to. Both postings require top-secret clearances, and one would require extensive travel. The third job is for a senior linguist fluent in Malayalam, spoken mostly in the Indian state of Kerala, where there’s a growing Maoist insurgency. That the Pentagon is looking for someone who speaks the language suggests American intelligence assets are there. The listing specifies “austere conditions.”
Golden says he constantly sees openings at Booz Allen and other contractors for “collection managers” in posts around the world. “A collection manager is someone at the highest level of intelligence who decides what assets get used, how they get used, what goes where,” he says. “They provide thought, direction, and management. They basically have full status, as if they were a government employee. The only thing they can’t do is spend and approve money or hire and fire government workers.”
The pay fluctuates widely, depending on the candidates’ skills and experience. “This money comes from the intelligence budget, so there isn’t much oversight,” Golden says. He estimates that the Malayalam translator job, for example, will pay between $180,000 and $225,000 a year. That’s partly to compensate for the austere conditions as well as insurgents’ tendency, unmentioned in the posting, to target translators first. The pay is also a reflection that the past 10 years have been boom times for private spies.

Thursday, 20 June 2013

Who helped NSA to build Prism?

Palantir Technologies is widely regarded as the principal company behind the software used for the PRISM program, but to think of PRISM as the work of a single company would be a serious understatement.

Palantir Technologies is the name most often mentioned when discussing who helped the U.S. government build the massive surveillance project PRISM. The company, exactly like the major IT firms named in the program, has denied any involvement, but many security analysts are convinced the truth is different.
I wrote about Palantir in a post published just after the release of e-mails stolen in the hack of the intelligence firm Stratfor; in one of those e-mails Palantir is explicitly named as a possible financier of Facebook. The e-mail, between two Stratfor analysts, states:
“I think Palantir is involved in things less clear, including the financing of Facebook.”
Palantir is a California company that designs platforms for complex information analysis. It was founded in 2004 and currently offers various solutions for integrating, visualizing and analyzing the world’s information.
Palantir was founded by Peter Thiel, Alex Karp, Joe Lonsdale, Stephen Cohen and Nathan Gettings; the company received $2 million from the CIA’s venture arm In-Q-Tel and $30 million from Thiel and his firm, Founders Fund.
Palantir’s name first surfaced in the hacking of HBGary Federal, when stolen documents detailed Palantir’s involvement in a proposal to attack and destroy WikiLeaks.
By coincidence, Palantir sells a product dubbed Prism that, in the company’s own description, “lets you quickly integrate external databases into Palantir. Specifically, it lets you build high-performance Data Engine based providers without writing any code. Instead, you define simple configuration files and then Palantir automatically constructs the data provider and database code for you.”
Palantir’s Prism is data-mining software for banks; this is the version given by the company’s legal representatives:
“Palantir’s Prism platform is completely unrelated to any US government program of the same name. Prism is Palantir’s name for a data integration technology used in the Palantir Metropolis platform (formerly branded as Palantir Finance). This software has been licensed to banks and hedge funds for quantitative analysis and research.”
Y Combinator partner Garry Tan responded to Palantir’s disclaimer on Twitter.
It is still not clear how PRISM works. The leaked slides may not be accurate enough to explain how the PRISM platform gets at the IT companies’ data: some specialists maintain that the companies gave direct access to their servers, while others speculate that the companies deposit data into a Dropbox-like system that PRISM then reads for surveillance purposes.
In this second scenario Amazon could also be involved as the hosting provider for temporary storage of the information handed over by the companies; Amazon Web Services recently announced that it is set to build a massive cloud for the CIA.
Whatever the hypotheses about PRISM’s architecture, it remains a mystery. I suggest reading the post by Robert Graham of Errata Security, who proposed an original theory of how the debated surveillance program might work.
In reality the complex machine that has simplistically been dubbed PRISM is probably fed by much more information from various sources; the IT giants are not the only parties involved. Digital Net Agency Chief Strategy Officer Skip Graham believes the advertising industry is complicit in inducing internet users to hand over personal information online.
Who manages this data, and how?
“How our industry works has absolutely no correlation to the efforts of the government. Or does it? How much of the data the NSA is using is data we convinced people it was safe to have stored? I’m afraid it’s going to turn out to be most of it,” Graham told ZDNet.
It must also be considered that many other kinds of data can contribute to profiling US citizens: think of information about their medical history, or any kind of financial information acquired from banks and other financial institutions.
We are all under continuous surveillance; to think of it as the work of a single company is truly an understatement. How many other Palantirs are operating in the US and elsewhere?
What data are they handling, and on whose behalf?
Pierluigi Paganini

Wednesday, 19 June 2013

NSA Implementing 'Two-Person' Rule To Stop The Next Edward Snowden

The next Edward Snowden may need a partner on the inside.
On Tuesday, National Security Agency Director Keith Alexander told a congressional hearing of the Intelligence Committee that the agency is implementing a “two-person” system to prevent future leaks of classified information like the one pulled off by 29-year-old Booz Allen contractor Edward Snowden, who exfiltrated “thousands” of files according to the Guardian, to whom he has given several of the secret documents.
“We have to learn from these mistakes when they occur,” Representative Charles “Dutch” Ruppersberger said to Alexander in the hearing. “What system are you or the director of national intelligence administration putting into place to make sure that if another person were to turn against his or her country we would have an alarm system that would not put us in this position?”
Alexander replied: “Working with the director of national intelligence, what we’re doing is working to come up with a two-person rule and oversight for those and ensure we have a way of blocking people from taking information out of our system.”
That “two-person rule,” it would seem, will be something similar to the one implemented in some cases by the military after Army private Bradley Manning was able to write hundreds of thousands of secret files to CDs and leak them to WikiLeaks. The rule required that anyone copying data from a secure network onto portable storage media does so with a second person who ensures he or she isn’t also collecting unauthorized data.
It may come as a surprise that the NSA doesn’t already have such a rule in place, especially for young outside contractors like Snowden. But Alexander emphasized that Snowden was one of close to a thousand systems administrators, mostly outside contractors, who may have had the ability to set privileges and audit conditions on its networks. “This is a very difficult question when that person is a systems administrator,” Alexander said. “When one of those persons misuses their authority it’s a huge problem.”
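The Manning-era rule described above is usually enforced procedurally, but it can also be checked after the fact if the endpoint agent logs every write to removable media together with the second person present. The following audit is an added example written for this page, not the NSA’s or the military’s implementation; the log format, user names, hosts and witness roster are constructed for the demonstration, and the daily-volume threshold is an arbitrary assumption.

```python
"""Added example: auditing removable-media writes against a two-person rule.

Illustrative code written for this page; it is not the NSA's or the
military's implementation. It assumes an endpoint agent that records one
line per write to removable media in the key=value form shown below.
The log lines, user names, hosts and the witness roster are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LINE = re.compile(r"^(?P<ts>\S+) media_write (?P<kv>.*)$")

# People cleared to act as the second person. This list must live somewhere
# the audited administrators cannot edit, for the same reason as the log.
CLEARED_WITNESSES = {"asmith", "tzhao", "mgarcia"}

# Even properly witnessed copies get a second look above this many bytes/day
# (assumed threshold for the demonstration).
DAILY_BYTES_LIMIT = 5 * 1024 * 1024


def parse(line: str) -> Dict[str, str]:
    """Turn one log line into a dict; raise rather than silently skip junk."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    event = dict(item.split("=", 1) for item in m.group("kv").split())
    event["ts"] = m.group("ts")
    return event


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, rule, user) for every write that breaks a rule."""
    violations: List[Tuple[str, str, str]] = []
    bytes_per_user_day: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        ev = parse(line)
        user, witness = ev["user"], ev.get("witness")
        if witness is None:
            violations.append((ev["ts"], "no_witness", user))
        elif witness == user:
            violations.append((ev["ts"], "self_witness", user))
        elif witness not in CLEARED_WITNESSES:
            violations.append((ev["ts"], "uncleared_witness", user))
        bytes_per_user_day[(user, ev["ts"][:10])] += int(ev["bytes"])
    # Volume is checked per user and day after all events are tallied.
    for (user, day), total in sorted(bytes_per_user_day.items()):
        if total > DAILY_BYTES_LIMIT:
            violations.append((day, "daily_volume", user))
    return violations


# --- constructed sample log ---------------------------------------------------
SAMPLE_LOG = [
    "2013-06-10T08:02:11Z media_write user=jdoe host=ws-114 device=usb:sda1 bytes=4194304 witness=asmith",
    "2013-06-10T08:07:45Z media_write user=jdoe host=ws-114 device=usb:sda1 bytes=2097152 witness=jdoe",
    "2013-06-10T08:15:02Z media_write user=rlee host=ws-201 device=usb:sdb1 bytes=1048576",
    "2013-06-10T09:40:19Z media_write user=pkim host=ws-077 device=usb:sdc1 bytes=524288 witness=bwong",
    "2013-06-10T10:05:33Z media_write user=pkim host=ws-077 device=usb:sdc1 bytes=524288 witness=tzhao",
]

if __name__ == "__main__":
    for ts, rule, user in audit(SAMPLE_LOG):
        print(f"{ts}  {rule:18s} {user}")
```

Two caveats follow from Alexander’s own admission. The log and the witness roster must be written to a collector that the administrators being audited cannot edit, or a systems administrator who can “set privileges and audit conditions” simply blinds the check before copying. And the check only detects: where the data warrants a two-person rule, the removable-media device class should be blocked outright on most hosts and the rule applied to the few that remain.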
Alexander added that the system is still a work in progress, and that the NSA is working with the FBI to collect more facts from the Snowden case and to implement new security measures in other parts of the U.S. intelligence community.
When asked how Snowden had gained such broad access to the NSA’s networks despite only working for Booz Allen for three months, Alexander said that he had in fact held a position at the NSA for the twelve months prior to taking that private contractor job.
The questions about the NSA’s lack of leak protections came in the midst of a conversation that largely focused on the NSA’s justification for the broad surveillance those leaks revealed. In the hearing, Alexander claimed that more than 50 attacks have been foiled with some help from the NSA’s surveillance programs, such as the collection of millions of Americans’ cell phone records and the collection of foreigners’ Google-, Facebook-, Microsoft- and Apple-held data known as “PRISM,” both disclosed in Snowden’s documents. One newly revealed bombing plot targeted the New York Stock Exchange, and another involved an American donating money to a Somali terrorist group.
Of those more than 50 total cases, ten of those plots involved domestic collection of phone records, according to Alexander. But when Representative Jim Himes questioned in how many cases that collection was “essential,” his question went unanswered.
Alexander also fended off criticisms that the Foreign Intelligence Surveillance Act court system, which oversees the NSA’s requests to use data it’s collected, often from Americans, is a “rubber stamp process” that approves nearly all of the NSA’s actions. That court reported in April, in an annual report to Congress, that it had received 1,789 applications for electronic surveillance. One request was withdrawn and forty were approved with some changes; the other 1,748 were approved without changes.
“I believe the federal judges on that court are superb,” Alexander told Congress. “There is, from my perspective, no rubber stamp.”
But a significant portion of the hearing also focused on the NSA’s security vulnerabilities highlighted by Snowden’s leaks, rather than its surveillance. Representative Michele Bachmann emphasized that the NSA should answer “how a traitor could do something like this to the American people,” and how to “prevent this from ever happening again.” She asked Alexander how damaging the leaks were to the NSA’s mission, and he responded that they were “significant and irreversible.”
Snowden has taken refuge in Hong Kong, where he conducted a live Q&A on the Guardian’s website Monday. In that conversation, he wrote that “the consent of governed is not consent if it is not informed,” and that “truth is coming, and it cannot be stopped.”
At the hearing, a member of the committee ended with a personal question about that young leaker’s fate: What’s next for Snowden?

FBI deputy director Sean Joyce answered, simply, “Justice.”

Tuesday, 18 June 2013

Google challenges US surveillance court on 1st Amendment grounds

SEATTLE (Reuters) - Google Inc asked the U.S. Foreign Intelligence Surveillance Court on Tuesday to allow it to publish aggregate numbers of national security requests it receives separately from criminal requests, on First Amendment grounds.
In its filing, Google requested the court to allow it to publish the aggregate number of national security requests it receives, including disclosures under the Foreign Intelligence Surveillance Act (FISA), claiming it as part of its First Amendment right to free speech.
"In light of the intense public interest generated by the Guardian's and Post's erroneous articles, and others that have followed them, Google seeks to increase its transparency with users and the public regarding its receipt of national security requests, if any," the Google filing said.
Google's move comes after other tech companies, including Microsoft Corp, Facebook Inc and Apple Inc released limited information about the number of surveillance requests they receive under an agreement they struck with the U.S. government last week.
Under that agreement, the companies were only allowed to disclose aggregate requests for data made by government agencies without showing the split between surveillance and criminal requests, and only for a six-month period.
The companies are scrambling to assert their independence after documents leaked to the Washington Post and the Guardian newspapers suggested they had given the U.S. government "direct access" to their computers as part of a National Security Agency program called Prism.
The disclosures about Prism, and related revelations about broad-based collection of telephone records, have triggered widespread concern and congressional hearings about the scope and extent of the information-gathering.
Google said it asked the U.S. Department of Justice and Federal Bureau of Investigation on June 11 to publish the aggregate number of national security requests, but said it was told such an act would be unlawful.
(Reporting by Bill Rigby; Editing by Richard Chang and Leslie Gevirtz)

NSA director describes surveillance as 'limited, focused' in House hearing

Keith Alexander testifies to Congress that programs revealed by Edward Snowden have stopped 'more than 50' attacks


Some of the most senior intelligence and law enforcement officials in the United States strongly defended the National Security Agency's broad surveillance efforts on Tuesday, saying they had disrupted more than 50 terrorist plots around the world.
General Keith Alexander, the director of the NSA, told a rare public hearing of the House intelligence committee in Washington that the programs were "critical" to the ability of the intelligence community to protect the US.
Offering the most extensive defence yet on the efficacy of secret surveillance programs reported by the Guardian and the Washington Post, Alexander said they were "limited, focused and subject to rigorous oversight".
During the hearing, members of Congress criticised the source of the leaks, Edward Snowden, who remains free in Hong Kong. On Tuesday, Iceland said it had received an informal approach from an intermediary claiming that Snowden, a 29-year-old former NSA contractor, wanted to seek asylum there. Asked at the congressional hearing about what was next for Snowden, Alexander said: "justice".
Flanked by senior officials from the FBI, Justice Department and the Office of the Director of National Intelligence, Alexander said that two surveillance programs revealed by the Guardian and the Washington Post had "helped prevent more than 50" terrorist attacks in over 20 countries.
Most of those prevention efforts, Alexander said, came from the NSA's monitoring of foreigners' internet communications under a program known as Prism. He conceded that only 10 related to domestic terror plots.
The Obama administration officials gave more details about four cases in which information from the NSA’s databases of foreign internet communications and of millions of Americans’ phone records had contributed to stopping attacks. Two had been previously disclosed, notably the 2009 arrest of would-be New York subway bomber Najibullah Zazi; court records have since prompted sharp challenges to that claim, suggesting the case is more attributable to traditional police surveillance.
Referring to the statutory authority for Prism, known as Section 702 of the 2008 Fisa Amendments Act, FBI deputy director Sean Joyce said: "Without the 702 tool, we would not have identified Najibullah Zazi."
Joyce identified two previously unknown cases that he said the surveillance efforts helped unravel. In one, a Kansas City, Missouri, man named Khalid Ouazzani was found communicating with a "known extremist" in Yemen, information that helped detect what Joyce called "nascent plotting" to bomb the New York Stock Exchange. The other, described more vaguely, allowed the US government, using the NSA's phone-records database of Americans, to revisit a case closed shortly after 9/11 for lack of evidence.
Ouazzani, however, was never convicted of plotting to bomb the stock exchange. Andrew Ames, a Justice Department spokesman, later clarified that he was convicted of "sending funds" to al-Qaida. The other case, Joyce said, involved an American who provided "financial support" to extremists in Somalia.
Two members of the Senate intelligence committee, Ron Wyden and Mark Udall, said last week that they had not seen any evidence to show that the "NSA's dragnet collection of Americans' phone records has produced any uniquely valuable intelligence".
The intelligence and law enforcement officials described the programs as subject to “checks and balances”. But they clarified, in the most detail provided publicly thus far, that most of those checks are internal.
James Cole, the deputy attorney general, said that the NSA needs "reasonable, articulable suspicion" of involvement in terrorism before searching the millions of Americans' phone records that it collects. But, Cole said: "We do not have to get separate court approval for each query."
Instead, the NSA sends an “aggregate number” of times it has searched the database every 30 days to the secret Fisa court that oversees surveillance, while also sending a separate report each time NSA analysts inappropriately search the database. Alexander’s deputy, Chris Inglis, said NSA analysts searched the database 300 times in 2012 in total.
Representative Adam Schiff, Democrat of California, said that "it may be valuable to have court review prospectively".
Alexander pledged to send the House and Senate intelligence committees greater detail on the surveillance programmes' role in preventing the 50-plus plots in secret on Wednesday. But he insisted the NSA took great care internally to balance civil liberties and national security.
"I would much rather today be here to debate this point than try to explain why we failed to prevent another 9/11," he said.