Intelligence operations against technologies we use every day

It is yet unknown which of these ‘leaks’ were planted as misinformation and which are real. From the technical details of them and trusting the collective intelligence of the global infosec community it can be concluded they are legitimate.

From the German Spiegel, at http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html we can see the following categorized attacks:

Attacks against Crypto

Attacks on SSL/TLS

Attacks on VPN

Deanonymizing

  1. Explanation of a potential technique to deanonymise users of the TOR network
  2. Analytics on security of TOR hidden services
  3. Overview on Internet Anonymization Services on how they work
  4. TOR deanonymisation research
  5. TOR Overview of Existing Techniques
  6. A potential technique to deanonymise users of the TOR network

Cryptanalytics

We can also consider that every nation partnering or being part of NATO is using the same or similar techniques. Just as well they could be used by any other sufficiently advanced nation.

But wait, there’s more. According to http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html – intelligence agencies are planting malware into websites their victims are using without the need to compromise the actual website. All they need is a way to plug between the user and any point on the Internet on their path to the target site. Then a fake webpage, just as the one the user expects is being inserted into their browser – with a little ‘present’ inside in the form of an exploit.

Going through the documents above leaves the impression no technology is spared and any technology capable of providing privacy and confidentiality to the people is being actively researched and attacked.

To top that off, seems NSA has been planting backdoors even in hard drive firmware, for years. Nothing guarantees the same from not being valid for BIOS / other devices. More details here: http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group

All this leads to the conclusion that there are just a few methods we could employ to stay safe from exploitation. Some of them were mentioned above, but I will try to summarize them here and detail them in the chapters following this one.

  1. Usage of common software which could be easily exploited should be avoided. That includes operating systems.
  2. Usage of common network equipment should be avoided. Building your own router / firewall appliances has never been more justified, especially with the abundance of open source projects for that purpose
  3. Mass distributed mobile phone (smartphone & tablets) usage should be careful and restricted to situations when it is ok to know your device is being fully monitored – content, location and code execution at will by an adversary. In all other cases tightly controlled devices should be used – with enforced encryption, enforced browsing whitelisting by an external proxy, enforced application sandboxing and constant VPN networking turned on. Communication on non-encrypted channels (GSM/4G) in the clear (using only the encryption provided by the mobile operator) should be avoided where and when privacy is concerned.
  4. VPN is to be trusted only when both endpoints can be trusted as well and when the protocol used is implemented properly. Some of the leaks mentioned above indicate that a simple misconfiguration on the part of a system admin can leave gaping holes in the security of a VPN connection. The definition of a proper VPN configuration can be found, luckily, in documents and configuration guides posted by IASE DISA (SRG/STIGs), mentioned later in this book.
  5. Get your equipment only from trusted vendors. Remember that certain vendors were proven to have planted (willingly or unwillingly) hardware and software backdoors into their appliances. If you can’t find a trusted vendor, try to build the server/network service yourself. Buy from countries where the Five Eyes Alliance has no control over vendors – you could buy directly from China and deliver the equipment yourself from the factory, if the situation requires utmost certainty that nobody has tampered with it on its way to you.

You could read even more and use a search engine to search through ‘leaked’ documents on https://www.eff.org/nsa-spying

Please don’t get me wrong – I am all for the fight against terrorism and combating the criminal underground through legal surveillance. But this has already gone too far and we need to at least return the balance of power to the people – remembering that the government exists (by definition) to serve its people – it is not the opposite.

In present times our communications and data must travel through de-facto compromised networks from source to destination – compromised by various actors for their own agenda. Sending data across the globe means it may be intercepted and possibly an attempt to decrypt it will be made. There is a solid chance that it may as well be modified and an exploit – inserted so that it compromises the target on arrival.

Malware is no longer using files (the one written by APTs) – now it’s being stored in the BIOS, in GPUs (for a good example, check out https://github.com/x0r1/jellyfish), in RAM, in the registry, in HDD firmware… if you’re looking to detect malicious code planted in your system after an exploitation by an APT, you will fail. Malware written in 2008 was detected in the end of 2014 – we can expect malware written by intelligence agencies written in 2015 to be discovered in 2020 or later, if ever, following the same logic that their knowledge is X years ahead of the general public experts.

So we must strive to harden our endpoints and de-centralize our infrastructure elements in order to prevent exploitation. We must also up our game – what was enough to maintain the security of our data 10 years ago is merely a speck of what is needed in terms of equipment, knowledge and experience today. This book will not provide them for you completely – but it will give you very good starting points in the various topics it touches.



This website uses cookies. To use it, please accept this notice.