TS//SI//REL FVEY We have discovered a way that may be able to remotely brick network cards. We need someone to perform research and develop a deployable tool.
---
TS//SI//REL) Currently CASTLECRASHER is the only production quality Windows execution technique that Payload Persistence techniques have. Another mechanism to execute DNT payloads is needed. Most pre-boot Persistence techniques only have the ability to influence an OS through modifications to the target file system. Work needs to be done to investigate other ways to get execution inside of Windows
---
(TS//SI//REL) BERSERKR is a persistent backdoor that is implanted into the BIOS and runs from SMM. Although the core of the code is stable, there are always new requirements against which to develop. This includes new network interface card parasitic drivers as well as applications.
---
(TS//SI//REL) GOPHERRAGE is the Persistence Division's pilot program to apply industry best practices and agile development processes to internal projects. To this end, the project is managed via the Scrum process. Test Driven Development (TDD) practices are used as well in an effort to reduce code defects. The project also is looking to incorporate ideas from DNT such as their SCube build environment
[Aha, so it is top secret that NSA is using TDD and Scrum. I find that kind of funny]
---
(TS//SI//REL) TORNSTEAK is a persistence solution for two firewall devices from a particular vendor. We need to port TORNSTEAK from the existing two firewalls to several more from the same vendor.
>BERSERKR is a persistent backdoor that is implanted into the BIOS and runs from SMM
Yeah, that sucks... the BIOS is never out of the picture thanks to the SMM. Intel should find an alternative solution for the minor functions provided by the SMM (APM, thermal management, etc.).
Also from wiki: "Due to this fact, it is a target for malicious rootkits to reside in,[10][11][12] including NSA's "implants"[13] which have individual code names for specific hardware, like SOUFFLETROUGH for Juniper Networks firewalls,[14] SCHOOLMONTANA for J-series routers of the same company,[15] DEITYBOUNCE for DELL,[16] or IRONCHEF for HP Proliant servers."
And using the TPM may not help you:
>TPM Vulnerabilities to Power Analysis and An Exposed Exploit to Bitlocker
"The ability to obtain a private TPM key not only provides access to TPM-encrypted data, but also enables us to circumvent the root-of-trust system by modifying expected digest values in sealed data. We will describe a case study in which modifications to Microsoft's Bitlocker encrypted metadata prevents software-level detection of changes to the BIOS"
Though it sounds like they need physical access to do this.
You know what the solution to this is? Replace your damn equipment all at the same time :). Just make sure to implement some good hygiene pretty quickly.
Attackers would have to go through the entire process of phishing you again to be able to do any rootkit level stuff again.
The first commercial book on "project SCRUM" was actually just the results of a FOIA request on "psychological techniques against enemies with inferior footwear".
There are great photos of Krushchev appealing to the UN human rights commission after his third stand-up in two days on the corn issue. His bosses replaced him and ultimately it was Gorbachev who had to market baby corn to the Chinese after successfully instituting an open source modeled staged waterfall.
I feel like this is some sort of absurdist joke that I can't even begin to fathom. I understand all the things you mention, but can't make a bit of sense out of it.
I wouldn't make that conclusion. As we know, knowledge is very compartmentalized in the NSA. So, there could be groups in the NSA trying to find attack vectors for Microsoft Windows while other parties in the NSA might have backdoor access to Windows for use in specific circumstances.
Furthermore, Microsoft has universal access to Windows machines which connect to Microsoft servers to download patches. The government can argue with risk to national security and force Microsoft to let them use that update mechanism to spread their malware.
Even if they had a universal back door into Windows, I'd expect them to research other attacks for a number of reasons:
- Backdoors can be discovered; I'd assume it is less likely to be detected if you use it less.
- Esoteric network configurations may make the 'normal' backdoor inaccessible
- Securing their own systems
- Deniability - if an attack in progress is discovered, it's better for the NSA et al. that it looks like a bug being exploited by an unknown third party than a deliberate backdoor (though I suspect any backdoors, should they exist, are designed to look accidental).
Microsoft (MS) began encrypting web-based chat with the introduction of the new outlook.com service. This new Secure Socket Layer (SSL) encryption effectively cut off collection of the new service for FAA 702 and likely 12333 (to some degree) for the Intelligence Community (IC). MS, working with the FBI, developed a surveillance capability to deal with the new SSL. These solutions were successfully tested and went live 12 Dec 2012.
March 7, 2014
PRISM now collects Microsoft Skydrive data as part of PRISM'S standard Stored Communications collection package for a tasked FISA Amendments Act Section 702 (FAA702) selector. This means that analysts will no longer have to make a special request to SSO for this - a process step that many analysts may not have known about. This new capability will result in a much more complete and timely collection response from SSO for our Enterprise customers. This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established. "SkyDrive is a cloud service that allows users to store and access their files on a variety of devices.
March 15, 2013
SSO's PRISM program began tasking all Microsoft PRISM selectors to Skype because Skype allows users to log in using account identifiers in addition to Skype usernames. Until now, PRISM would not collect any Skype data when a user logged in using anything other than the Skype username which resulted in missing collection; this action will mitigate that. In fact, a user can create a Skype account using any e-mail address with any domain in the world. UTT does not currently allow analysts to task these non-Microsoft e-mail addresses to PRISM, however,
> MS, working with the FBI, developed a surveillance capability to deal with the new SSL. These solutions were successfully tested and went live 12 Dec 2012.
And there it is. They claim ignorance to NSA data tapping of their servers but are in fact entirely complicit as we suspected.
They worked with the FBI not the NSA. Plausible denial and all that.
They can help implement PRISM for the government without being told what PRISM is. When asked if they are participating in PRISM, they can deny knowledge of it existing. Because it's technically true.
It's not at all contradicted by the document. The document references Section 702 of the FISA Amendment Act, and the Stored Communications Act. Section 702 allows targeted access to non-U.S. persons and Section 2703 of the Stored Communications Act allows the government to compel disclosure of stored communications with a warrant, or notice to the customer plus a subpoena or court order. 18 U.S.C. 2703(b)(1).
Nothing about the document suggests blanket or direct access.
Wording is probably important: "blanket or direct access". Seems it would lack foresight if MS denied something that they knew would be uncovered in the leaked documents.
No. Companies use the term "customer" for internal requests a lot. "Enterprise" would probably be large divisions within the NSA - i.e. groups working Middle Eastern intelligence, for example.
Windows now broadcasts and collects information about what you type in when you search for programs (in charm/modern shell).
That doesn't mean it goes 'upstream'. But it is startling how far we've come. I remember the days when nobody trusted the internet - not even with their credit card.
Now it's hard to trust your Operating System to run a program.
TS//SI//REL) Currently CASTLECRASHER is the only production quality Windows execution technique that Payload Persistence techniques have. Another mechanism to execute DNT payloads is needed. Most pre-boot Persistence techniques only have the ability to influence an OS through modifications to the target file system. Work needs to be done to investigate other ways to get execution inside of Windows
There's evidence[0] of other, possibly currently active, whistleblowers leaking documents from inside NSA. This database includes those leaked documents as well, as it mentions XKEYSCORE, which Snowden has said he did not leak.
He had access to the NSA servers even after he fled using credentials from other employees.
Sorry I can't find a citation but I read about it about 6 months after the initial leak.
• (TS//SI//REL) SODAPRESSED - Linux application persistence. Given a running installation of Linux, install some application or inject something into memory which will. This currently works on certain versions of Linux without SELinux enabled. [1]
They seem to define "persistence" variously, though I think they're talking about a rootkit in general (as opposed to checkpoint/restore). Emphasis on hypervisors, HDD and SSD firmware and, of course, the SMM.
Given that they talk about "Linux application persistence", I'd assume it's some kernel module rootkit. In which case, it's not that cool. The in-kernel ABI changes a lot and basic techniques like hooking the IDT vary.
I'm most excited about the collection of documents in their GitHub repo. I've casually tried to build my own collection, but most media organizations aren't very good about consistently providing the source documents in an easily downloadable format.
"Yeah, that pretty much makes sense, but how are you 'just gonna get CNE access' on an admin?"
(S/SI//REL) Good question, thanks for asking. Most of the time I'm going to rely on QUANTUM to get access to their account (yeah, you could try spam, but people have been getting smarter over the last 5-10 years... it's not as reliable anymore). So, in order to work our QUANTUM-magic on an admin, we'll need some sort of webmail/facebook selector for them.
"You know, you could just look up the 'point of contact' in the registry information associated with their IP space/domain names..."
(S/SI//REL) Yeah, you could do that. Personally, I haven't had a huge amount of luck with it, because most of the time I end up running across their *official* e-mail address that's hosted on their own network. That's generally not a recipe for success in the QUANTUM world; what we'd really like is a personal webmail or facebook account to target. There's a couple ways you could try this: dumpster-dive for alternate selectors in the big SIGINT trash can, or pull out your wicked Google-fu to see if they've posted on any forums and list both their official and non-official e-mails in a signature block...but what if there was another way to do it?
(S/SI//REL) If a target that I care about is on a network that I don't have access to, in this post I described that I will try to get access to that network by targeting the sys admin. In order to target the sys admin, it's easiest if I know what their personal webmail/facebook username is so that I can target it with QUANTUM. The hardest part is identifying that admin's personal account to target in the first place.
Now, fade off with me into dream-land. Pretend that we had some master list. This master list contained tons of networks around the world, and the personal accounts of admins for each of those networks. And any time you wanted to target a new network, you could just find the admin associated with it, queue his accounts up for QUANTUM, get access to his box and proceed to pwn the network. Wouldn't that be swell?
Yes, I'm reading this too. Very interesting. Earlier in the doc, he says:
"...our ability to pull bits out of random places of the Internet, bring them back to the mother-base to evaluate and build intelligence off of is just plain awesome!
(S/SI//REL) One of the coolest things about it is how much data we have at our fingertips. If we only collected the data we knew we wanted...yeah, we'd fill some of our requirements, but this is a whole world of possibilities we'd be missing! It would be like going on a road-trip, but wearing a blindfold the entire time, and only removing it when you're at one of your destinations...yeah, you'll still see stuff, but you'll be missing out on the entire journey!"
They really do have a different view of privacy. Only being given what you're specifically seeking is like going on a trip with a blindfold on! Well, yes, yes it is!
This, I think, is the single most damning piece of evidence regarding NSA culture. From the horse's mouth: they collect as much data as they can, not because they need to, but because it's interesting.
As previously reported, the BULLRUN document is very interesting. One line stands out to me:
"Cryptanalytic capabilities
- Are extremely difficult and costly to acquire
- Require a long lead time "
There is a tie-in with the export law. Look at 740.17:
"(B) Other technology. Encryption technology classified under ECCN 5E002 except technology for “cryptanalytic items,” “non-standard cryptography” or any “open cryptographic interface,” to any non-“government end-user” located in a country not listed in Country Group D:1 or E:1 of Supplement No. 1 to part 740 of the EAR."
They do not like "non-standard cryptography." I take from this that while it is true that well known algorithms are the safest in terms of receiving the most scrutiny, new less scrutinized algorithms may still offer a practical defense.
Of course they don't like unknown cryptography. It easily makes automatic decryption impossible. That means that the NSA needed scarce expert-time for each custom-secured communication. No agency in the world has the resources to pull that off for many connections. That is the reason why they love Google and Facebook, and why I stay away from these services.
But here on HN, many folks like their mantra of "security by obscurity is bad" too much. Personally, I think many of those who repeat that didn't think for themselves.
Using unknown cryptography is not security through obscurity. If the encryption is legit, then it's good. The problem is when you are relying solely on obscurity without the encryption.
It's the ivory tower problem. I agree with you and the parent post.
Parent said:
"new less scrutinized algorithms may still offer a practical defense"
But in my experience that P word there is unknown to ivory tower dwellers. And so the practical peasants end up getting unrealistic (but theoretically correct) advice.
This is very cool. It would be awesome if the site itself had a bit more functionality to grow in future. Rather than be static it could be linked to other media articles, discussions etc. For example, new stuff being found by XYZ virus vendor could then be linked and discussed to the original source documents. Similarly patents which are declassified, data found about people who operated these systems on Linkedin or other leaks, suspicions could be incorporated.
Interestingly, this collection of documents doesn't seem to include the list of targeted IP addresses in Hong Kong and China that he handed over to the South China Morning Post when he was in Hong Kong[1].
Curious about the legalities of downloading these materials. (Not that it's going to stop me.)
Are they technically still "classified"? Or have they been declassified? I remember hearing threats of prosecuting NSA folks who had these materials and weren't supposed to, even though they were already released.
The United States does not have an Official Secrets Act (UK does).
Outside of the Intelligence Identities Protection Act of 1982, if you were never granted a clearance or read in to specific programs (you'd know; you have to sign an NDA and such), you have no obligation to keep classified information secret. Arguably if you gave information/support/etc. to enemies of the US, it might be treason, but there's no need for that information to be classified in the first place for it to be treason.
If you have had a clearance, even for unrelated stuff, you don't want to touch these -- it can be a violation of your NDA for the other materials.
I am not a lawyer; I am not your lawyer; this is not legal advice.
Or if you're an artist, you can stuff an SD card with the documents into a stuffed animal already stuffed with the documents in shredded form and then put them in some of the world's most treasured art galleries and museums. No problem.
USG has a serious generational split problem. I wonder if they will ever resolve it or if they'll let this go on long enough to turn their Snowdens, Mannings, Appelbaums into modern Trotskys.
Classification aside, these documents are still stolen, aren't they? Couldn't a reasonable case be made that downloading them constitutes handling stolen property?
"Usually, a work receives copyright protection as soon as pen hits paper. However, a work created by an NSA employee, or any USG employee, as a part of the employee's official duties is not entitled to copyright protection"[1]
Just because something is public or leaked does not automatically make it declassified. This material is still classified until officially declassified by appropriate classification authorities. Persons with a US security clearance should avoid viewing this material. I don't know what the NSA is telling its people. When I was a fed, before the Snowden leaks, we were already warned about not visiting Wikileaks, and to avoid viewing classified material outside of the proper facilities established for doing so (that meant the internet, for one).
Of course, if the government had its way, no one would view this material. But that's another discussion.
Only the government can declassify a document, even if it's available through other means. These are still classified documents, you should at minimum treat them with respect.
IANAL: Not unlike copyrighted material, if you are found to be distributing classified documents, you are definitely at more risk for prosecution. Holding classified documents in your personal possession, however, won't likely cause any real means for prosecution.
Read the documents, be informed as to what they mean, then act on them through legal means -- in the voting booth or through the courts.
Some of this looks fake. I've been reading through the documents, and there's little or no detail there that indicates any inside information. It's mostly plausible management-level PowerPoint presentations.
Some not so plausible. The picture of a "network operations center"[1] is actually a power station control room; the picture was lifted from a site for industrial generating plants.[2] That presentation is supposedly by "Head of GCHQ NAC", but whoever picked that picture has never been in a network operations center.
Also, some of the "classified codewords" seem related to the subject matter. Real NSA codewords are chosen randomly, to avoid that.
> [S]ome of of the "classified codewords" seem related to the subject matter.
1) I'm aware of not-really-important projects that have an obvious connection between their code words and the thing described by the code word.
2) Many, but not all projects have randomly generated names. It's really up to the discretion of the -for lack of a better term- project manager and his supervisor whether they use the random name or use a more evocative one. DESERT SHIELD and DESERT STORM were two high-profile classified projects from the early 1990s whose names were not randomly generated.