Category Archives: NSA

NSA secretly hijacked existing malware to spy on N. Korea, others

A new wave of documents from Edward Snowden's cache of National Security Agency data published by Der Spiegel demonstrate how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations' hacks for intelligence collection and other purposes. In one case, the NSA secretly tapped into South Korean network espionage on North Korean networks to gather intelligence.

The documents were published as part of an analysis by Jacob Appelbaum and others working for Der Spiegel of how the NSA has developed an offensive cyberwarfare capability over the past decade. According to a report by the New York Times, the access the NSA gained into North Korea's networks—which initially leveraged South Korean "implants" on North Korean systems, but eventually consisted of the NSA's own malware—played a role in attributing the attack on Sony Pictures to North Korean state-sponsored actors.

The documents released by Der Spiegel, which include internal NSA newsletter interviews and training materials, detail how the NSA built up its Remote Operations Center to carry out "Tailored Access Operations" on a variety of targets, while also building the capability to do permanent damage to adversaries' information systems. Also included in the dump was a malware sample for a keylogger, apparently developed by the NSA and possibly other members of the "Five Eyes" intelligence community. The code appears to be from the Five Eyes joint program "Warriorpride," a set of tools shared by the NSA, the United Kingdom's GCHQ, the Australian Signals Directorate, Canada's Communications Security Establishment, and New Zealand's Government Communications Security Bureau.


NSA has VPNs in Vulcan death grip—no, really, that’s what they call it

The National Security Agency’s Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Spiegel. A slide deck from a presentation by a member of OTP’s VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs—including tools with names drawn from Star Trek and other bits of popular culture.

OTP’s VPN exploit team had members assigned to branches focused on specific regional teams, as well as a “Cross-Target Support Branch” and a custom development team for building specialized VPN exploits. At the regional level, the VPN team representatives acted as liaisons to analysts, providing information on new VPN attacks and gathering requirements for specific targets to be used in developing new ones.

While some VPN technologies—specifically, those based on the Point-to-Point Tunneling Protocol (PPTP)—have previously been identified as being vulnerable because of the way they exchange keys at the beginning of a VPN session, others have generally been assumed to be safer from scrutiny. But in 2010, the NSA had already developed tools to attack the most commonly used VPN encryption schemes: Secure Shell (SSH), Internet Protocol Security (IPsec), and Secure Sockets Layer (SSL) encryption.


Newly published NSA documents show agency could grab all Skype traffic

A National Security Agency document published this week by the German news magazine Der Spiegel from the trove provided by former NSA contractor Edward Snowden shows that the agency had full access to voice, video, text messaging, and file sharing from targeted individuals over Microsoft’s Skype service. The access, mandated by a Foreign Intelligence Surveillance Court warrant, was part of the NSA’s PRISM program and allowed “sustained Skype collection” in real time from specific users identified by their Skype user names.

The nature of the Skype data collection was spelled out in an NSA document dated August 2012 entitled “User’s Guide for PRISM Skype Collection.” The document details how to “task” the capture of voice communications from Skype by NSA’s NUCLEON system, which allows for text searches against captured voice communications. It also discusses how to find text chat and other data sent between clients in NSA’s PINWALE “digital network intelligence” database.

The full capture of voice traffic began in February of 2011 for “Skype in” and “Skype out” calls—calls between a Skype user and a land line or cellphone through a gateway to the public switched telephone network (PSTN)—captured through warranted taps into Microsoft’s gateways. But in July of 2011, the NSA added the capability of capturing peer-to-peer Skype communications as well, decrypting that traffic using keys provided by Microsoft through the PRISM warrant request.


NSA’s “Core Secrets” suggests agents inside firms in US, abroad

The U.S. National Security Agency has worked with companies to weaken encryption products at the same time it infiltrated firms to gain access to sensitive systems, according to a purportedly leaked classified document outlined in an article on The Intercept.

The document, allegedly leaked by former NSA contractor Edward Snowden, appears to be a highly classified summary intended for a very small group of vetted national security officials, according to details included in The Intercept article, which was published this weekend. The document outlines six programs at the core of the NSA's mission, collected under the name Sentry Eagle.

The Intercept claims the document states "The facts contained in [the Sentry Eagle] program constitute a combination of the greatest number of highly sensitive facts related to NSA/CSS’s overall cryptologic mission."


Snowden: The NSA, not Assad, took Syria off the Internet in 2012

An Arbor Networks graphic showing the sudden drop-off in network traffic from Syria on November 29, 2012 as the country was essentially erased from network routing tables.

In a Wired interview with well-known National Security Agency journalist James Bamford that was published today, Edward Snowden claimed that the US accidentally took most of Syria off the Internet while attempting to bug the country's traffic. Snowden said that back in 2013 when he was still working with the US government, he was told by a US intelligence officer that NSA hackers—not the Assad regime—had been responsible for Syria’s sudden disconnect from the Internet in November and December of 2012.

The NSA's Tailored Access Office (TAO), Snowden said, had been attempting to exploit a vulnerability in the router of a “major Internet service provider in Syria.” The exploit would have allowed the NSA to redirect traffic from the router through systems tapped by the agency’s Turmoil packet capture system and the Xkeyscore packet processing system, giving the NSA access to enclosures in e-mails that would otherwise not have been accessible to its broad Internet surveillance.

Instead, the TAO’s hackers “bricked” the router, Snowden said. He described the event as an “oh shit” moment, as the TAO operations center team tried to repair the router and cover their tracks, to no avail.


The NSA thinks Linux Journal is an “extremist forum”?

The National Security Agency’s attempts to keep track of people outside the US who use encryption and anonymization software from the Tor Project also apparently captured the traffic of anyone reading a wide range of articles on Linux Journal, according to documents published by the German public television broadcaster ARD and provided by security researchers (and Tor contributors) Jacob Appelbaum, Aaron Gibson, and Leif Ryge. The documents, which include what appear to be search rules for the NSA’s XKeyscore Internet surveillance system, indicate that the NSA also gathered up data on visitors to articles on the Linux Journal website.

In the Das Erste article, Appelbaum et al wrote that the rule “records details about visits to a popular Internet journal for Linux operating system users called ‘The Linux Journal—the Original Magazine of the Linux Community’" and called it an "extremist forum."

Included in the code is the following block of instructions:


Copyright © 2015. Powered by WordPress & Romangie Theme.