- June 10, 2015
- Posted by: atlantadmin
- Category: Blog
It is yet unknown which of these ‘leaks’ were planted as misinformation and which are real. From the technical details of them and trusting the collective intelligence of the global infosec community it can be concluded they are legitimate.
From the German Spiegel, at http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html we can see the following categorized attacks:
Attacks against Crypto
- Guide for Analysts on how to use the PRISM Skype Collection
- GCHQ Briefing on the BULLRUN Program
- GCHQ Presentation on the BULLRUN Programs Decryption Capabilities
- NSA LONGHAUL program for end-to-end attack orchestration and key recovery service
- BLUESNORT program on “Net Defense” from Encrypted Communications
- Presentation from the SIGDEV Conference 2012 explaining which encryption protocols and techniques can be attacked and which not
- NSA program SCARLETFEVER explaining how attacks on encrypted connections are orchestrated
- Description of VOIP Telephony Encryption methods and cryptanalytic and other ways to attack
Attacks on SSL/TLS
- NSA Experiment for massive SSL/TLS Decryption
- Canadian Document from CES on TLS Trends
- Details on how NSA uses the SCARLETFEVER program to attack Scure Sockets Layer (SSL)/Transport Layer Scurity (TLS)
- Analysis from SSL/TLS Connections through GCHQ in the flying pig database
Attacks on VPN
- NSA High Level Description on TURMOIL / APEX Programs on Attacking VPN
- Explanation of the GALLANTWAVE that decrypts VPN Traffic within LONGHAUL
- Intro to the VPN Exploitation Process mentioning the protocols attacked – PPTP, IPSEC, SSL, SSH)
- Analytic Challenges from Active-Passive Integration when NSA attacks IPSEC VPNs
- Overview of the capabilities of the VALIANTSURF program
- MALIBU Architecture Overview to exploit VPN Communication
- POISENNUT Virtual Private Network Attack Orchestrator (VAO)
- NSA Presentation on the development of Attacks on VPN
- NSA Presentation on the Analysis and Contextualisation of data from VPN
- Description of existing projects on VPN decryption
- Explanation of the Transform Engine Emulator when attacking VPN
- Explanation of the POISENNUT Product and its role when attacking VPN
- Explanation of the TURMOIL GALLANTWAVE Program and its role when attacking VPN
- Processing of data from exploited VPN in the TURMOIL program
- Decryption of VPN Connections within the VALIANTSURF program
- Description on the processing of VPN data packets within the TURMOIL program
- Explanation on the SPIN9 program on end-to-end attacks on VPN
- Explanation of a potential technique to deanonymise users of the TOR network
- Analytics on security of TOR hidden services
- Overview on Internet Anonymization Services on how they work
- TOR deanonymisation research
- TOR Overview of Existing Techniques
- A potential technique to deanonymise users of the TOR network
- General Description how NSA handles encrypted traffic
- Intercept with PGP encrypted message
- Classification Guide for Cryptanalysis
- Procedural GCHQ Document on how analysts are to handle encrypted traffic
- NSA / GCHQ Crypt Discovery Joint Collaboration Activity
- NSA Cryptographic Modernization (CryptoMod) Classification Guide
- “National Information Assurance Research Laboratory (NIARL)”: Newsletter, Keyword TUNDRA
- What Your Mother Never Told You About the development of Signal Intelligence
- Intercept with OTR encrypted chat
We can also consider that every nation partnering or being part of NATO is using the same or similar techniques. Just as well they could be used by any other sufficiently advanced nation.
But wait, there’s more. According to http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html – intelligence agencies are planting malware into websites their victims are using without the need to compromise the actual website. All they need is a way to plug between the user and any point on the Internet on their path to the target site. Then a fake webpage, just as the one the user expects is being inserted into their browser – with a little ‘present’ inside in the form of an exploit.
Going through the documents above leaves the impression no technology is spared and any technology capable of providing privacy and confidentiality to the people is being actively researched and attacked.
To top that off, seems NSA has been planting backdoors even in hard drive firmware, for years. Nothing guarantees the same from not being valid for BIOS / other devices. More details here: http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group
All this leads to the conclusion that there are just a few methods we could employ to stay safe from exploitation. Some of them were mentioned above, but I will try to summarize them here and detail them in the chapters following this one.
- Usage of common software which could be easily exploited should be avoided. That includes operating systems.
- Usage of common network equipment should be avoided. Building your own router / firewall appliances has never been more justified, especially with the abundance of open source projects for that purpose
- Mass distributed mobile phone (smartphone & tablets) usage should be careful and restricted to situations when it is ok to know your device is being fully monitored – content, location and code execution at will by an adversary. In all other cases tightly controlled devices should be used – with enforced encryption, enforced browsing whitelisting by an external proxy, enforced application sandboxing and constant VPN networking turned on. Communication on non-encrypted channels (GSM/4G) in the clear (using only the encryption provided by the mobile operator) should be avoided where and when privacy is concerned.
- VPN is to be trusted only when both endpoints can be trusted as well and when the protocol used is implemented properly. Some of the leaks mentioned above indicate that a simple misconfiguration on the part of a system admin can leave gaping holes in the security of a VPN connection. The definition of a proper VPN configuration can be found, luckily, in documents and configuration guides posted by IASE DISA (SRG/STIGs), mentioned later in this book.
- Get your equipment only from trusted vendors. Remember that certain vendors were proven to have planted (willingly or unwillingly) hardware and software backdoors into their appliances. If you can’t find a trusted vendor, try to build the server/network service yourself. Buy from countries where the Five Eyes Alliance has no control over vendors – you could buy directly from China and deliver the equipment yourself from the factory, if the situation requires utmost certainty that nobody has tampered with it on its way to you.
You could read even more and use a search engine to search through ‘leaked’ documents on https://www.eff.org/nsa-spying
Please don’t get me wrong – I am all for the fight against terrorism and combating the criminal underground through legal surveillance. But this has already gone too far and we need to at least return the balance of power to the people – remembering that the government exists (by definition) to serve its people – it is not the opposite.
In present times our communications and data must travel through de-facto compromised networks from source to destination – compromised by various actors for their own agenda. Sending data across the globe means it may be intercepted and possibly an attempt to decrypt it will be made. There is a solid chance that it may as well be modified and an exploit – inserted so that it compromises the target on arrival.
Malware is no longer using files (the one written by APTs) – now it’s being stored in the BIOS, in GPUs (for a good example, check out https://github.com/x0r1/jellyfish), in RAM, in the registry, in HDD firmware… if you’re looking to detect malicious code planted in your system after an exploitation by an APT, you will fail. Malware written in 2008 was detected in the end of 2014 – we can expect malware written by intelligence agencies written in 2015 to be discovered in 2020 or later, if ever, following the same logic that their knowledge is X years ahead of the general public experts.
So we must strive to harden our endpoints and de-centralize our infrastructure elements in order to prevent exploitation. We must also up our game – what was enough to maintain the security of our data 10 years ago is merely a speck of what is needed in terms of equipment, knowledge and experience today. This book will not provide them for you completely – but it will give you very good starting points in the various topics it touches.