Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
GIH: We are led to believe that by installing a certificate, or by other common security practices, we are safe. The following shows that this may not be the case, especially considering the vulnerabilities of the HTTPS protocol, the commonly accepted 'safe' way to browse:
In this day and age of well-known NSA spying, everyone keeps saying that the only way to be safe is to use SSL/TLS, commonly known as "browsing with https://".
The sad reality is that HTTPS does virtually nothing to protect you from the prying eyes of alphabet soup agencies - or anybody else with enough knowledge about how these supposedly "secure" connections actually work.
It's true that connecting to web sites with SSL will certainly prevent "script kiddies" and other more wimpy opponents from eavesdropping on your surfing or otherwise interfering in your affairs. But as for the Real Bad Guys, forget it...
We shall begin by taking a brief dive down the rabbit hole of SSL, hopefully in a way that will make sense to even the least technically inclined among us.
This issue is, after all, so extremely important that I think everyone needs to understand what is really going on, and how web security actually works, without needing a PhD in cryptography, computer science, or engineering!
Our story begins with a little e-mail I received the other day. The basic message can be found here:
Of course, the idea that Microsoft of all companies is warning me about security is kind of laughable, so I didn't pay much attention. Nevertheless, there was this little voice in the back of my mind that kept pestering me, so I decided to dig in and see what all the hoopla was about... or indeed if any hoopla was even warranted.
Boy, is it ever warranted!
From the above link, we read:
Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information.
Okay, so that's probably like trying to read a foreign language to most people. Even I didn't understand exactly how these hashing algorithms were used with SSL. So, I started digging. What I found nearly floored me:
Now, if you thought the M$ advisory was confusing, take a peek at the above link.
WOW! That's wild.
In summary, way back in 2008, some smart people figured out a way to make themselves a Fake SSL Certificate Authority, and they accomplished this feat by using a weakness in the MD5 hashing algorithm.
"Eureka! This must be the key to our mystery," I thought.
So, I began to read... and re-read... and think... and re-read. And then it clicked. To paraphrase Inspector Finch:
I suddenly had this feeling that everything was connected. It's like I could see the whole thing, one long chain of events that stretched all the way back before the MD5 hash advisory in 2008. I felt like I could see everything that happened, and everything that is going to happen. It was like a perfect pattern, laid out in front of me. And I realised we're all part of it, and all trapped by it.
"Well, that's stunningly dramatic," you think, "But just... What is going on?!"
First, let's define some terms - hopefully in Plain English:
SSL Web Site Certificate
This is a digital certificate, with a digital signature, that verifies that a website is who they say they are. When you connect to a web site using SSL (HTTPS), your browser says, "Papers, please!" The remote site then sends the SSL Web Site Certificate to your browser. Your browser then verifies the authenticity of this "passport". Once verified, encrypted communications ensue. The point of the SSL Web Site Certificate is that under no circumstances should anyone else be able to create a valid, signed certificate for a web site that they do not own and operate. In order to obtain an SSL Web Site Cert, you must verify by varied means that you are the owner and operator of the web site involved. So, using HTTPS is not only for encryption of communications, but also a way to verify that the site you are communicating with is the Real Thing, and not an imposter. And of course you must pay for the certificate!
Certificate Authority (CA) Root Certificate
This is also a digital certificate, with a digital signature... But in this case, this certificate can be used to create and digitally sign normal SSL Web Site Certificates. This is the kind of certificate that a CA (Certificate Authority) has. These certificates also get passed to browser makers, and are then included in your web browser. This is so that when your browser receives an SSL Web Site cert, it can use the CA Root Certificate to verify that the Web Site Cert is in fact valid.
Certificate Authority (CA)
A CA is the kind of web site from which you would buy a valid, secure SSL Web Site Certificate to use for HTTPS on your site. For example: Verisign.com, RapidSSL.com, Geotrust.com, etc. are Certificate Authorities. They have CA Root Certificates for generating and signing valid SSL Web Site Certificates.
It's helpful to understand that with all these certificates, there is a "chain of command". SSL Web Site Certificates are validated and authenticated using CA Root Certificates. CA Root Certificates are validated with yet higher-authority certificates, all the way up the pyramid to The One Great Root Certificate, which is like the God of Certificates. Thus, each lower-ranking certificate is verified up the chain of command. This all happens behind the scenes, and you have no idea it's occurring.
Piece of cake, right?
Now, where do these hash algorithms like MD5, SHA-1, and SHA-2 come into play?
All certificates contain information, like:
- Web site domain (www.mysite.com)
- Site location (country, state, etc.)
- Site owner info (company name)
- Period of validity
This information is verified before a certificate is issued. Once verified, a hash of the data is generated. This hash acts as the digital signature for the certificate. The only thing you really need to understand about hash algorithms is that what is supposed to happen is this:
- Data of any length (30 characters, 3000 characters, 40MB, whatever) is passed into the hash algorithm
- The hash algorithm chops up the data and mathematically processes it, thereby spitting out a signature - or digital fingerprint - of the data
- The hash of no two chunks of data should ever be the same - just as the fingerprints of no two people should ever be the same
- The hash output is always the same size, regardless of the size of the input data (just like a fingerprint - no matter the size of the person)
Right. There is such a thing as a "hash collision". This is when you have 2 hashes that are identical, but they were generated from different data. That's like if you and your neighbor suddenly had the same thumbprint. OOPS!
Now, think about that for a minute... If the police were using these hashes, or thumbprints, to verify your identity, they might mistake you for your neighbor, or your neighbor for you, if you "had the same thumbprint". If they did no other checking, and just relied on that thumbprint, they might very well "authenticate" your identities completely incorrectly. BIG OOPS!
This is exactly what happened with the MD5 SSL attack outlined at the above link.
These smarty-pants people were able to carefully buy a valid SSL Web Site Certificate from RapidSSL in 2008. Before they did that, they created their own CA Root Certificate in such a way that the hash (fingerprint) of their valid, just-purchased Web Site Cert was identical to the hash of the FAKE CA Root Certificate that they created out of thin air.
Since RapidSSL had just said, "Dudes, this Web Site Certificate fingerprint is valid!", and since this was the same fingerprint on the fake CA Root Cert, the forged CA Root Certificate becomes valid.
Now, recall that a CA Root Certificate - as long as it has a valid hash/fingerprint that will validate up the "chain of authority" - can be used to generate a valid SSL Web Site Certificate for any web site in the world... And neither you, nor RapidSSL, nor your browser will ever know that anything is amiss.
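The thumbprint problem can be reproduced on a small scale. The following is an added example, not part of the original article: it uses SHA-256 truncated to 24 bits as a deliberately weak stand-in for a broken hash and an HMAC as a stand-in for the CA's signature, and every name and field in it is constructed for illustration.

```python
"""Why a hash collision lets one signature vouch for two different documents."""
import hashlib
import hmac

DIGEST_BYTES = 3                      # 24-bit digest: deliberately weak (assumption)
CA_KEY = b"constructed-demo-ca-key"   # stand-in for a CA's private key (assumption)


def weak_hash(data: bytes) -> bytes:
    """Fixed-size fingerprint of any input; truncated SHA-256 plays the broken hash."""
    return hashlib.sha256(data).digest()[:DIGEST_BYTES]


def ca_sign(data: bytes) -> bytes:
    """Hash-then-sign: the 'CA' signs only the digest, never the data itself."""
    return hmac.new(CA_KEY, weak_hash(data), hashlib.sha256).digest()


def ca_verify(data: bytes, signature: bytes) -> bool:
    """Recompute the signature over the data's digest and compare."""
    return hmac.compare_digest(ca_sign(data), signature)


def find_colliding_pair(prefix_a: bytes, prefix_b: bytes, limit: int = 1 << 20):
    """Find suffixes so two documents with different prefixes share a weak digest.

    Birthday search: remember every digest seen on each side and stop as soon
    as a digest from one side shows up on the other.
    """
    seen_a, seen_b = {}, {}
    for counter in range(limit):
        suffix = str(counter).encode()
        doc_a, doc_b = prefix_a + suffix, prefix_b + suffix
        h_a, h_b = weak_hash(doc_a), weak_hash(doc_b)
        seen_a[h_a] = doc_a
        seen_b[h_b] = doc_b
        if h_a in seen_b:
            return doc_a, seen_b[h_a]
        if h_b in seen_a:
            return seen_a[h_b], doc_b
    raise RuntimeError("no collision found within limit")


def demo():
    """Sign a 'web site' document, then check the signature against its twin."""
    site_prefix = b"subject=www.example.test;is_ca=false;pad="   # constructed
    ca_prefix = b"subject=Constructed Sub CA;is_ca=true;pad="    # constructed
    site_doc, ca_doc = find_colliding_pair(site_prefix, ca_prefix)
    signature = ca_sign(site_doc)     # the CA only ever saw site_doc
    return {
        "site_doc": site_doc,
        "ca_doc": ca_doc,
        "same_weak_digest": weak_hash(site_doc) == weak_hash(ca_doc),
        "signature_accepts_ca_doc": ca_verify(ca_doc, signature),
        # With the full 256-bit digest the two documents are told apart.
        "same_full_sha256": hashlib.sha256(site_doc).digest()
        == hashlib.sha256(ca_doc).digest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The signature carries over because it covers only the digest, which is why a validator has to refuse any signature made over a hash for which collisions can be found.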
Why is this a problem? For starters, consider a man-in-the-middle attack.
You want to go to https://www.gmail.com. But some "hackers" have used another type of hack to insert their server between you and Gmail. Normally, this would not be possible, because you're using HTTPS! You're SAFE!
As far as anyone knows, you are connected to gmail.com over HTTPS. But in reality, what's happening is this:
- You try to connect to https://www.gmail.com
- The attacker diverts your request (perhaps using DNS cache poisoning or some other such attack) to a fake server
- Since Attacker's Server contains a falsely generated, perfectly valid SSL Web Site Certificate using the tricks outlined above, your browser doesn't know any better. Everything appears to be legit.
- You begin doing e-mail, but all your data is actually going encrypted to Attacker's Server, being decrypted and recorded/modified, and then Attacker's Server passes the data on to the real https://www.gmail.com (using Gmail's actual, valid SSL cert).
- You have absolutely no clue that your "secure" communications are not secure in the least!
In other words, SSL / HTTPS means that the connection between your browser and the destination server at the URL you're visiting is supposed to be encrypted. But due to the fact that certain types of SSL certificates (which help handle the encryption) can be forged, an attacker could set up their fake server that pretends to be the real destination server, and thus insert themselves in the middle of the connection. When that is done, the attacker has control over the connection and the data, and can thus decrypt your data, manipulate it, and/or pass it on to the real intended destination server.
Now, isn't that a daisy?
"But wait!" you say. "Isn't it therefore good for Microsoft to recommend changing the hash function to SHA-256 if SHA-1 has the same potential problem as MD5 did back in 2008?"
An excellent question! Unfortunately, yes and no. Even if you, as a web site owner, change your SSL Web Site Certificate from one that is signed using SHA-1 to a new cert that is signed using SHA-2, you are still unsafe.
Because all it takes is for ONE Certificate Authority to use a "weak" hash algorithm, and someone who is up to no good can generate a forged CA Root Certificate. Once they have that, they can generate as many SSL Web Site Certs as they want - using any hashing algorithm they please - including a fake-yet-valid cert that they can use to impersonate your "secure" site!
In other words, the weakness in the hashing algorithm is just the tip of the iceberg. Due to the hierarchical "chain of authority" in the whole certificate system, if anyone manages to create a false CA Root Cert, they are more or less god in terms of creating false SSL Web Site Certs.
Thus, in order for Microsoft's words to have an effect, there must not be ANY Certificate Authority (Web Site Cert issuer) in the whole world that still uses SHA-1. In order for the "security" to actually be more secure, everyone must upgrade right now. But this isn't going to happen.
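One practical consequence is that a chain has to be checked certificate by certificate. The following added example (not from the article or from Microsoft's advisory) reads the signature algorithm out of DER-encoded certificates and flags MD5 and SHA-1; the sample chain is a pair of constructed skeletons with no real keys, and the function names are hypothetical.

```python
"""Flag certificates in a chain whose CA signature uses MD5 or SHA-1."""

# Signature algorithm OIDs mapped to (name, uses_deprecated_hash).
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}


def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, pos + length


def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def signature_algorithm_oid(cert_der):
    """Return the OID of the outer signatureAlgorithm (the one the issuer applied)."""
    tag, start, _ = read_tlv(cert_der, 0)                   # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = read_tlv(cert_der, start)             # tbsCertificate, skipped
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = read_tlv(cert_der, tbs_end)         # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    return decode_oid(cert_der[oid_start:oid_end])


def audit_chain(chain):
    """chain: list of (label, der_bytes). One finding per certificate."""
    findings = []
    for label, der in chain:
        oid = signature_algorithm_oid(der)
        name, weak = SIG_ALGS.get(oid, ("unknown", None))   # None: review by hand
        findings.append({"cert": label, "oid": oid, "algorithm": name, "weak": weak})
    return findings


def weak_links(chain):
    """Labels of the certificates signed with a deprecated hash."""
    return [f["cert"] for f in audit_chain(chain) if f["weak"]]


# --- Helpers that build the constructed sample input (no real certificates) ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        out += bytes(reversed(chunk))
    return bytes(out)


def make_skeleton_cert(sig_oid):
    """DER with a certificate's outer shape only: serial, algorithm, zeroed signature."""
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + alg)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(256)))


SAMPLE_CHAIN = [  # constructed: a SHA-256 leaf issued under a SHA-1 intermediate
    ("leaf", make_skeleton_cert("1.2.840.113549.1.1.11")),
    ("intermediate", make_skeleton_cert("1.2.840.113549.1.1.5")),
]
```

A root's own self-signature is not what a browser relies on, since roots are trusted by being in the store, so the findings that matter are those on leaf and intermediate certificates.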
Now, if that isn't bad enough, think about all the NSA spying. Think about how many people said, "Naw, man, I just surf using HTTPS, and I'm totally safe!"
You think so?
I don't. You know why? Well, you should, by now... But there's more!
Guess who invented the SHA-1 hash algorithm in 1995?
Guess who invented SHA-2 in 2001?
So, why should all the Certificate Authorities switch from the NSA's SHA-1 to the NSA's SHA-2? Why, because the NSA created it the way they did for a reason!
SHA-1 already has been theoretically breached, and there are a few indications that SHA-2 isn't quite as super-duper-safe as everyone thinks.
Imagine you are the NSA. You want to spy on everyone, everyone's grandmother, the grandmothers' cats, and the mice that are currently being digested inside the cats. SSL is kind of a problem... It can use pretty annoying encryption. Well, hell! No problem. Just compromise the "certificate authority chain" by forging one little CA Root Certificate, and blammo! You can eavesdrop and man-in-the-middle anybody you darn well please, SSL or not!
Web sites over SSL? No problem.
E-mail over SSL? No problem.
I have said it before, and I'll say it again: There never was security or privacy on the internet, there is no security or privacy on the internet now, and most likely there never will be. Not unless some very big changes are made...
And do you know why all this (and much, much more) is possible?
Because just like you, I had no knowledge of the gaping holes in SSL. Awareness of this and many other issues - technological, political, psychological, social, etc. - is absolutely essential.
Otherwise, frankly, we're screwed.
Scott Ogrin is an electrical and computer engineer with a BSEE and MSEE. After working in the automotive and telecom industries in hardware and testing, he ended up as a software engineer.
He joined SOTT in 2003 as an editor, and is currently the webmaster and Chief Techie for Sott.net. He is also part-owner of French publishing company Les Editions Pilule Rouge, and a member of the board of directors and engineering consultant for Quantum Future Group, Inc.
Although born in the USA, he became a Slovenian citizen and currently lives in France. He speaks English, French, Slovenian, and Spanish.
In his spare time, he works on his popular blog at ScottiesTech.Info.
GIH: As more information comes out about various spy agencies and their cyber divisions, it seems that those such as the NSA pose a larger threat to internet security than the hackers they are supposedly protecting us from. The following information should make any user of the internet, be it a business or individual or government, reconsider use, policies, protocols, and security.
One presentation outlines how the NSA performs “industrial-scale exploitation” of computer networks across the world.
Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.
The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.
The covert infrastructure that supports the hacking efforts operates from the agency’s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.
In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer’s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.
The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”
In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the “Expert System,” which is designed to operate “like the brain.” The system manages the applications and functions of the implants and “decides” what tools they need to best extract data from infected machines.
Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm F-Secure, calls the revelations “disturbing.” The NSA’s surveillance techniques, he warns, could inadvertently be undermining the security of the Internet.
“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”
Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be “out of control.”
“That would definitely not be proportionate,” Hypponen says. “It couldn’t possibly be targeted and named. It sounds like wholesale infection and wholesale surveillance.”
The NSA declined to answer questions about its deployment of implants, pointing to a new presidential policy directive announced by President Obama. “As the president made clear on 17 January,” the agency said in a statement, “signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes.”
“Owning the Net”
The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret internal records, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands.
To penetrate foreign computer networks and monitor communications that it did not have access to through other means, the NSA wanted to go beyond the limits of traditional signals intelligence, or SIGINT, the agency’s term for the interception of electronic communications. Instead, it sought to broaden “active” surveillance methods – tactics designed to directly infiltrate a target’s computers or network devices.
In the documents, the agency describes such techniques as “a more aggressive approach to SIGINT” and says that the TAO unit’s mission is to “aggressively scale” these operations.
But the NSA recognized that managing a massive network of implants is too big a job for humans alone.
“One of the greatest challenges for active SIGINT/attack is scale,” explains the top-secret presentation from 2009. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).”
The agency’s solution was TURBINE. Developed as part of the TAO unit, it is described in the leaked documents as an “intelligent command and control capability” that enables “industrial-scale exploitation.”
TURBINE was designed to make deploying malware much easier for the NSA’s hackers by reducing their role in overseeing its functions. The system would “relieve the user from needing to know/care about the details,” the NSA’s Technology Directorate notes in one secret document from 2009. “For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.”
In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually – including the configuration of the implants as well as surveillance collection, or “tasking,” of data from infected systems. But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact – allowing the agency to push forward into a new frontier of surveillance operations.
The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to “increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.” (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.)
Eventually, the secret files indicate, the NSA’s plans for TURBINE came to fruition. The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations.
Earlier reports based on the Snowden files indicate that the NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers.
The intelligence community’s top-secret “Black Budget” for 2013, obtained by Snowden, lists TURBINE as part of a broader NSA surveillance initiative named “Owning the Net.”
The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass “a wider variety” of networks and “enabling greater automation of computer network exploitation.”
The NSA has a diverse arsenal of malware tools, each highly sophisticated and customizable for different purposes.
One implant, codenamed UNITEDRAKE, can be used with a variety of “plug-ins” that enable the agency to gain total control of an infected computer.
An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer’s microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer’s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.
The implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That’s because the NSA’s malware gives the agency unfettered access to a target’s computer before the user protects their communications with encryption.
It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world.
Previous reports have alleged that the NSA worked with Israel to develop the Stuxnet malware, which was used to sabotage Iranian nuclear facilities. The agency also reportedly worked with Israel to deploy malware called Flame to infiltrate computers and spy on communications in countries across the Middle East.
According to the Snowden files, the technology has been used to seek out terror suspects as well as individuals regarded by the NSA as “extremist.” But the mandate of the NSA’s hackers is not limited to invading the systems of those who pose a threat to national security.
In one secret post on an internal message board, an operative from the NSA’s Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator’s computer, the agency can gain covert access to communications that are processed by his company. “Sys admins are a means to an end,” the NSA operative writes.
The internal post – titled “I hunt sys admins” – makes clear that terrorists aren’t the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any “government official that happens to be using the network some admin takes care of.”
Similar tactics have been adopted by Government Communications Headquarters, the NSA’s British counterpart. As the German newspaper Der Spiegel reported in September, GCHQ hacked computers belonging to network engineers at Belgacom, the Belgian telecommunications provider.
The mission, codenamed “Operation Socialist,” was designed to enable GCHQ to monitor mobile phones connected to Belgacom’s network. The secret files deem the mission a “success,” and indicate that the agency had the ability to covertly access Belgacom’s systems since at least 2010.
Infiltrating cellphone networks, however, is not all that the malware can be used to accomplish. The NSA has specifically tailored some of its implants to infect large-scale network routers used by Internet service providers in foreign countries. By compromising routers – the devices that connect computer networks and transport data packets across the Internet – the agency can gain covert access to monitor Internet traffic, record the browsing sessions of users, and intercept communications.
Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform “exploitation attacks” against data that is sent through a Virtual Private Network, a tool that uses encrypted “tunnels” to enhance the security and privacy of an Internet session.
The implants also track phone calls sent across the network via Skype and other Voice Over IP software, revealing the username of the person making the call. If the audio of the VOIP conversation is sent over the Internet using unencrypted “Real-time Transport Protocol” packets, the implants can covertly record the audio data and then return it to the NSA for analysis.
But not all of the NSA’s implants are used to gather intelligence, the secret files show. Sometimes, the agency’s aim is disruption rather than surveillance. QUANTUMSKY, a piece of NSA malware developed in 2004, is used to block targets from accessing certain websites. QUANTUMCOPPER, first tested in 2008, corrupts a target’s file downloads. These two “attack” techniques are revealed on a classified list that features nine NSA hacking tools, six of which are used for intelligence gathering. Just one is used for “defensive” purposes – to protect U.S. government networks against intrusions.
“Mass exploitation potential”
Before it can extract data from an implant or use it to attack a system, the NSA must first install the malware on a targeted computer or network.
According to one top-secret document from 2012, the agency can deploy malware by sending out spam emails that trick targets into clicking a malicious link. Once activated, a “back-door implant” infects their computers within eight seconds.
There’s only one problem with this tactic, codenamed WILLOWVIXEN: According to the documents, the spam method has become less successful in recent years, as Internet users have become wary of unsolicited emails and less likely to click on anything that looks suspicious.
Consequently, the NSA has turned to new and more advanced hacking techniques. These include performing so-called “man-in-the-middle” and “man-on-the-side” attacks, which covertly force a user’s internet browser to route to NSA computer servers that try to infect them with an implant.
To perform a man-on-the-side attack, the NSA observes a target’s Internet traffic using its global network of covert “accesses” to data as it flows over fiber optic cables or satellites. When the target visits a website that the NSA is able to exploit, the agency’s surveillance sensors alert the TURBINE system, which then “shoots” data packets at the targeted computer’s IP address within a fraction of a second.
In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.
The documents show that QUANTUMHAND became operational in October 2010, after being successfully tested by the NSA against about a dozen targets.
According to Matt Blaze, a surveillance and cryptography expert at the University of Pennsylvania, it appears that the QUANTUMHAND technique is aimed at targeting specific individuals. But he expresses concerns about how it has been covertly integrated within Internet networks as part of the NSA’s automated TURBINE system.
“As soon as you put this capability in the backbone infrastructure, the software and security engineer in me says that’s terrifying,” Blaze says.
“Forget about how the NSA is intending to use it. How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?”
In an email statement to The Intercept, Facebook spokesman Jay Nancarrow said the company had “no evidence of this alleged activity.” He added that Facebook implemented HTTPS encryption for users last year, making browsing sessions less vulnerable to malware attacks.
Nancarrow also pointed out that other services besides Facebook could have been compromised by the NSA. “If government agencies indeed have privileged access to network service providers,” he said, “any site running only [unencrypted] HTTP could conceivably have its traffic misdirected.”
A man-in-the-middle attack is a similar but slightly more aggressive method that can be used by the NSA to deploy its malware. It refers to a hacking technique in which the agency covertly places itself between computers as they are communicating with each other.
This allows the NSA not only to observe and redirect browsing sessions, but to modify the content of data packets that are passing between computers.
The man-in-the-middle tactic can be used, for instance, to covertly change the content of a message as it is being sent between two people, without either knowing that any change has been made by a third party. The same technique is sometimes used by criminal hackers to defraud people.
A top-secret NSA presentation from 2012 reveals that the agency developed a man-in-the-middle capability called SECONDDATE to “influence real-time communications between client and server” and to “quietly redirect web-browsers” to NSA malware servers called FOXACID. In October, details about the FOXACID system were reported by the Guardian, which revealed its links to attacks against users of the Internet anonymity service Tor.
But SECONDDATE is tailored not only for “surgical” surveillance attacks on individual suspects. It can also be used to launch bulk malware attacks against computers.
According to the 2012 presentation, the tactic has “mass exploitation potential for clients passing through network choke points.”
Blaze, the University of Pennsylvania surveillance expert, says the potential use of man-in-the-middle attacks on such a scale “seems very disturbing.” Such an approach would involve indiscriminately monitoring entire networks as opposed to targeting individual suspects.
“The thing that raises a red flag for me is the reference to ‘network choke points,’” he says. “That’s the last place that we should be allowing intelligence agencies to compromise the infrastructure – because that is by definition a mass surveillance technique.”
To deploy some of its malware implants, the NSA exploits security vulnerabilities in commonly used Internet browsers such as Mozilla Firefox and Internet Explorer.
The agency’s hackers also exploit security weaknesses in network routers and in popular software plugins such as Flash and Java to deliver malicious code onto targeted machines.
The implants can circumvent anti-virus programs, and the NSA has gone to extreme lengths to ensure that its clandestine technology is extremely difficult to detect. An implant named VALIDATOR, used by the NSA to upload and download data to and from an infected machine, can be set to self-destruct – deleting itself from an infected computer after a set time expires.
In many cases, firewalls and other security measures do not appear to pose much of an obstacle to the NSA. Indeed, the agency’s hackers appear confident in their ability to circumvent any security mechanism that stands between them and compromising a computer or network. “If we can get the target to visit us in some sort of web browser, we can probably own them,” an agency hacker boasts in one secret document. “The only limitation is the ‘how.’”
The TURBINE implants system does not operate in isolation.
It is linked to, and relies upon, a large network of clandestine surveillance “sensors” that the agency has installed at locations across the world.
The NSA’s headquarters in Maryland are part of this network, as are eavesdropping bases used by the agency in Misawa, Japan and Menwith Hill, England.
The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet.
When TURBINE implants exfiltrate data from infected computer systems, the TURMOIL sensors automatically identify the data and return it to the NSA for analysis. And when targets are communicating, the TURMOIL system can be used to send alerts or “tips” to TURBINE, enabling the initiation of a malware attack.
The NSA identifies surveillance targets based on a series of data “selectors” as they flow across Internet cables. These selectors, according to internal documents, can include email addresses, IP addresses, or the unique “cookies” containing a username or other identifying information that are sent to a user’s computer by websites such as Google, Facebook, Hotmail, Yahoo, and Twitter.
Other selectors the NSA uses can be gleaned from unique Google advertising cookies that track browsing habits, unique encryption key fingerprints that can be traced to a specific user, and computer IDs that are sent across the Internet when a Windows computer crashes or updates.
What’s more, the TURBINE system operates with the knowledge and support of other governments, some of which have participated in the malware attacks.
Classification markings on the Snowden documents indicate that NSA has shared many of its files on the use of implants with its counterparts in the so-called Five Eyes surveillance alliance – the United Kingdom, Canada, New Zealand, and Australia.
GCHQ, the British agency, has taken on a particularly important role in helping to develop the malware tactics. The Menwith Hill satellite eavesdropping base that is part of the TURMOIL network, located in a rural part of Northern England, is operated by the NSA in close cooperation with GCHQ.
Top-secret documents show that the British base – referred to by the NSA as “MHS” for Menwith Hill Station – is an integral component of the TURBINE malware infrastructure and has been used to experiment with implant “exploitation” attacks against users of Yahoo and Hotmail.
In one document dated 2010, at least five variants of the QUANTUM hacking method were listed as being “operational” at Menwith Hill. The same document also reveals that GCHQ helped integrate three of the QUANTUM malware capabilities – and test two others – as part of a surveillance system it operates codenamed INSENSER.
GCHQ cooperated with the hacking attacks despite having reservations about their legality. One of the Snowden files, previously disclosed by Swedish broadcaster SVT, revealed that as recently as April 2013, GCHQ was apparently reluctant to get involved in deploying the QUANTUM malware due to “legal/policy restrictions.” A representative from a unit of the British surveillance agency, meeting with an obscure telecommunications standards committee in 2010, separately voiced concerns that performing “active” hacking attacks for surveillance “may be illegal” under British law.
In response to questions from The Intercept, GCHQ refused to comment on its involvement in the covert hacking operations. Citing its boilerplate response to inquiries, the agency said in a statement that “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight.”
Whatever the legalities of the United Kingdom and United States infiltrating computer networks, the Snowden files bring into sharp focus the broader implications. Under cover of secrecy and without public debate, there has been an unprecedented proliferation of aggressive surveillance techniques. One of the NSA’s primary concerns, in fact, appears to be that its clandestine tactics are now being adopted by foreign rivals, too.
“Hacking routers has been good business for us and our 5-eyes partners for some time,” notes one NSA analyst in a top-secret document dated December 2012. “But it is becoming more apparent that other nation states are honing their skillz [sic] and joining the scene.”
Documents published with this article:
- Menwith Hill Station Leverages XKeyscore for Quantum Against Yahoo and Hotmail
- Five Eyes Hacking Large Routers
- NSA Technology Directorate Analysis of Converged Data
- Selector Types
- There Is More Than One Way to Quantum
- NSA Phishing Tactics and Man in the Middle Attacks
- Quantum Insert Diagrams
- The NSA and GCHQ’s QUANTUMTHEORY Hacking Tactics
- TURBINE and TURMOIL
- VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN
- Industrial-Scale Exploitation
- Thousands of Implants
Advances in technology have led to more sophisticated crimes that exploit the security vulnerabilities of new technologies. This is exacerbated by the fact that only a few people understand these technologies and their use, while the majority of end-users are unaware. Generally speaking, following standard security practices will thwart 95% of electronic crimes such as phishing, hacking, etc. This includes using complex passwords (Sf9$fpq%f82bsS), using network firewalls, encrypted emails, etc. But the new POS RAM scraper is dangerous because the vendors are not the victims of their bad security, and you may never know where your credit card or other information was scraped from.
A look at Point of Sale RAM scraper malware and how it works
A special kind of malware has been hitting the headlines recently - that which attacks the RAM of Point of Sale (PoS) systems.
Although it's been getting quite a bit of publicity recently, we actually first identified it as a threat back in December 2009 and wrote about it in an article on Naked Security entitled Will RAM scraping loosen the sky and make it fall?.
Answering that question today, it just might!
Actually, the situation isn't that bad - yet - but this malware family has definitely become more complex and far-reaching. In this article, we take a step back from the technical details and look at the evolution of PoS RAM scrapers.
What do PoS RAM scrapers do?
In a nutshell, PoS RAM scrapers steal payment data - such as credit card track one and track two data - from the RAM of PoS systems.
The payment card industry has a set of data security standards known as PCI-DSS. These standards require end-to-end encryption of sensitive payment data when it is transmitted, received or stored.
This payment data is decrypted in the PoS's RAM for processing, and the RAM is where the scraper strikes. Using regular expression searches, they harvest the clear-text payment data and send that information to rogue callhome servers.
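From the defender's side, the same pattern matching shows whether clear-text track data has leaked into places where it should never persist, such as crash dumps or debug logs on a PoS host. The following Python is an added example, not code from the original article or from Sophos; the regular expressions, field lengths and function names are assumptions based on the standard track one and track two layouts, and the sample buffer is constructed from well-known test card numbers.

```python
import re
import sys
from pathlib import Path
from typing import NamedTuple

# Track 1 layout (assumed): %B PAN ^ NAME ^ YYMM service-code discretionary ?
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^\^]{2,26}\^\d{4}\d{3}[^?]{0,40}\?")
# Track 2 layout (assumed): ; PAN = YYMM service-code discretionary ?
TRACK2 = re.compile(rb";(\d{13,19})=\d{4}\d{3}\d{0,20}\?")


class Finding(NamedTuple):
    kind: str        # "track1" or "track2"
    offset: int      # byte offset of the start sentinel in the buffer
    masked_pan: str  # first 6 / last 4 only, so the report is safe to store


def luhn_ok(pan: str) -> bool:
    """Luhn check: filters out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list[Finding]:
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):
                findings.append(Finding(kind, m.start(), mask(pan)))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample: two well-known test PANs plus one decoy that fails Luhn.
SAMPLE = (
    b"\x00\x17heap junk"
    b"%B4111111111111111^DOE/JANE^30121010000000000?"
    b"\x00\x00;5555555555554444=30121010000000000?"
    b"\xff order ;4111111111111112=30121010000?\x00"
)

if __name__ == "__main__":
    # With no arguments scan the sample; otherwise scan the named files
    # (for example a crash dump or debug log pulled from a PoS host).
    blobs = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, data in blobs:
        for f in find_track_data(data):
            print(f"{name}: {f.kind} at offset {f.offset}: {f.masked_pan}")
```

Any hit in a file written to disk means decrypted track data outlived the transaction, which is the condition the scraper depends on.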
Why do we care about PoS RAM scrapers? How does it hurt me?
I believe this malware family has a higher probability of burning a hole in your pocket compared to other prevalent malware families.
In today's plastic money economy people are carrying cash a lot less than before. Aside from a handful of stores, the majority of retailers accept debit or credit cards. Payment cards are convenient, quick, supposedly-secure, and you don't have change jingling around in your pockets.
PoS RAM scrapers target the systems which process debit and credit card transactions and steal the sensitive payment information. Your home computer might be super secure, but there is no guarantee the PoS system at your neighborhood grocery store has the same level of security. You might end up losing your credit card data buying a candy bar!
How have PoS RAM scrapers evolved?
Sophos detects PoS RAM scraper malware under the family name Trackr (e.g. Troj/Trackr-Gen, Troj/Trackr-A). Other AV vendors detect this malware family with a variety of names, the most common name being Alina.
Some of the earliest variants of Trackr had simple functionality that worked like this:
- Install as a service
- Use a legitimate-looking name
- Scan RAM for credit card track one and track two data
- Dump the results into a text file. This text file was then probably accessed remotely or manually.
Over the years Trackr has become more industrialized, with some cosmetic changes and added bot and network functionality.
Till now we have observed the following types of Trackr:
- Basic version (not packed, scrapes RAM for credit card information)
- Complex version (added socially-engineered filenames, bot and network functionality)
- Installed DLL version (the DLL is registered as a service and performs the RAM scraping)
- Versions one and two packed with a commercially-available packer
- Versions one and two packed with a custom packer
Most recently, SophosLabs discovered the highly-prevalent Citadel crimeware targeting PoS systems.
The Citadel malware uses screen captures and keylogging instead of the RAM-scraping technique used by Trackr. Citadel's focus on PoS systems demonstrates that this avenue is fast becoming a point of serious concern.
Who do PoS RAM scrapers target?
One of the earliest serious PoS RAM scraper attacks that we observed was back in November 2011 when we found that a university and several hotels had their PoS systems compromised. Later we saw varied targets including an auto dealership in Australia infected with Trackr.
To better understand the threat we gathered statistics about the various industries targeted by Trackr during the past 6 months (as observed using Sophos Live Protection):
It doesn't come as a surprise that the biggest targeted industries are:
- Food services
- Hotel and tourism
In these industries there's a high volume of credit and debit card transactions taking place, meaning they have goldmines of payment data that can be harvested.
Compromising a single PoS system (e.g. in a fast food outlet) may yield thousands of credit cards per week, cheaply - it is much easier to gather 10,000 credit card details from one PoS system than to attempt to infect 10,000 PCs, hoping to grab the data from there.
If not protected properly, PoS systems become easy targets - a single point of failure that can affect thousands of people.
In addition to the breakdown of industries targeted, we also looked at the countries where we saw Trackr infections over the same time period:
Again, no surprises that the developed countries top this chart with the US, where credit cards are abundant, taking the #1 spot.
In fact, the Trackr infection numbers match up closely with the credit card country usage statistics published by Visa.
So how does Trackr get on a PoS system?
We have used the term PoS quite generally throughout this article. PoS is the place where a retail transaction is completed. So a PoS could be some custom hardware/software solution, a regular PC running PoS software, a credit card transaction server, or something similar.
Big box retailers and chain stores have security-hardened PoS systems, and we have not seen any major evidence of these large organizations getting compromised with Trackr.
The victims tend to be mostly small to medium sized organizations who will typically have less investment in defensive counter-measures.
Based on our analysis there were two main methods of infection:
Someone with active knowledge of the payment processing setup installs a RAM scraper to gather data. The early Trackr samples dropped their harvested data in a plain text file which we suspect was manually retrieved or remotely accessed.
The malware had no network functionality and we found no evidence of a top-level dropper/installer.
These are the common infection vectors with the more complex versions of Trackr. The socially engineered filenames we have observed include adobeflash.exe. This suggests that the files were delivered as part of a phishing campaign, or social engineering tricks were used to infect the system.
Importantly however, Trackr is not seen regularly in the mass-spammed malware campaigns that we observe daily. Rather it is highly targeted towards a group of relevant businesses.
To conclude, it is not always a safe solution to pay for everything with cards.
Everyone should follow computer security best practices and consumers should proactively sign up for credit monitoring services so they don't become victims of credit or identity theft.
Businesses big and small need to make investments to protect their critical PoS infrastructure. Just like they wouldn't keep their cash registers unlocked for someone to grab money out of them, PoS systems need proper protection.
It’s no fun being a cynic, thinking that everything is bad and getting worse. It’s easy–especially in the security community–but it’s not fun. But, in light of the latest in the interminable string of revelations about the NSA’s efforts to eat away at the foundation of the security industry, the only alternative available is the equivalent of believing in unicorn-riding leprechauns.
The security community didn’t invent the concept of fear, uncertainty and doubt, but it has perfected it and raised it to the level of religion. It’s the way that security products are marketed and sold, but it’s also the way that the intelligence community justifies its extra-legal and, in some cases, unconstitutional, data-gathering practices. Just as vendors use the specter of catastrophic hacks, data loss and public embarrassment to push their wares, the NSA and its allies have used the dark shadow of 9/11 and global terrorism to justify their increasingly aggressive practices, some of which have now been shown to have deliberately weakened some of the fundamental building blocks of security.
The most damning bit of string in this ball is the news that the NSA likely inserted a back door into a key cryptographic algorithm known as DUAL EC DRBG. That’s bad. What’s worse is that RSA on Thursday sent a warning to its developer customers warning them to immediately stop using the company’s BSAFE library because it uses the compromised random number generator. That means that untold numbers of products that include the BSAFE crypto libraries are compromised.
While this is the most recent, and probably the worst, piece in all of this, the steady accumulation of evidence over the last three months makes it difficult to come to any conclusion other than this: nothing can be trusted.
More to the point, we don’t know whether anything can be trusted. And that’s actually far worse than knowing that products X, Y and Z are compromised. If you know that, you can avoid those products. But now that we have direct evidence that the NSA is in fact actively working to undermine certain cryptographic protocols and partnering with technology vendors to produce certified pre-owned software and hardware, the big question is, what’s not broken?
Unfortunately, the answer is, we just don’t know.
In a much simpler and less cynical time–say, May–we thought that our intelligence agencies were in the business of spying on our enemies. Then came the first Edward Snowden leaks, and we discovered that the NSA was collecting all of our phone records. You know, just in case. Then we hear that the agency is also vacuuming up much of the Internet traffic flowing through U.S. pipes because BOO! terrorism. But we still have encryption. As long as we can encrypt our email and Internet traffic, we’re safe from snooping, right? Oops. Turns out the NSA is in that henhouse too, working to weaken standards and crypto algorithms and also has some capabilities to circumvent things such as SSL.
And now, into this environment of accusation and innuendo comes the news that the attack on Belgian telco Belgacom revealed earlier this week reportedly was the work of the British spy agency GCHQ. The connection to NSA? GCHQ apparently used exploit technology developed by the NSA.
And on and on and on.
So we’ve come to the point now where the most paranoid and conspiracy minded among us are the reasonable ones. Now the crazy ones are the people saying that it’s not as bad as you think, calm down, the sky isn’t falling. In one sense, they’re right. The sky isn’t falling. It’s already fallen.