NSA Full Disclosure

Date posted: 03-Jun-2018

Transcript
Full Disclosure

The Internet Dark Age

Removing Governments' on-line stranglehold. Disabling NSA/GCHQ major capabilities (BULLRUN / EDGEHILL). Restoring on-line privacy - immediately.

by

The Adversaries

Update 2

Spread the Word!

Uncovered //NONSA//NOGCHQ//NOGOV - CC BY-ND

On September 5th 2013, Bruce Schneier wrote in The Guardian:

"The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.

The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO - Tailored Access Operations - group. TAO has a menu of exploits it can serve up against your computer - whether you're running Windows, Mac OS, Linux, iOS, or something else - and a variety of tricks to get them on to your computer. Your anti-virus software won't detect them, and you'd have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period."

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

The evidence provided by this Full-Disclosure is the first independent, technically verifiable proof that Bruce Schneier's statements are indeed correct.

(previous readers should start on page 51)

This update includes 10 pages of additional evidence courtesy of the U.S. Government.
Full Disclosure

Internet Wire-Tapping

WARNING: BT Broadband Equipment Contains NSA/GCHQ Back Doors

NSA/GCHQ Sources and Methods Uncovered

We explain how NSA/GCHQ:

- Are Internet wiretapping you
- Break into your home network
- Perform "Tailored Access Operations" (TAO) in your home
- Steal your encryption keys
- Can secretly plant anything they like on your computer
- Can secretly steal anything they like from your computer

How to STOP this Computer Network Exploitation

Dedicated to the Whistle-Blower Mr Edward J. Snowden.

We expose NSA/GCHQ's Most Secret Weapon - Control - and how you can defeat it.

Table of Contents

Preface
  Disclosures
  Source of this Information
  Our Laws
  Companies
  Technical Nature of this Information
  Credibility of this Research
  Privacy vs Security
  Motivation
  Terminology
Your Home Network
  The Hack
  How it Works

Preface

Source of this Information

"The simple knowledge that we may be clandestinely observed in our own homes provided the determination to find the truth, which we did."

This information is not the result of any knowledge of classified documents or leaks but is based on information in the public domain and our own fact finding mission, due to Forensic and Network Analysis Investigations of private SOHO networks located in the UK.

As we detail the methods used you will see that the information was uncovered fairly, honestly and legally, on private property, using privately owned equipment.

Our Laws

There is no law that we are aware of that grants to the UK Government the ability to install dual use surveillance technology in millions of homes and businesses in the UK.

Furthermore, there is no law we are aware of that further grants the UK Government the ability to use such technology to spy on individuals and families in their own homes on the mass scale that this system is deployed.

If there are such hidden laws, the citizens of the UK are certainly unaware of them and should be warned that such laws exist and that such activity is being engaged in by their own Government.

All of the evidence presented is fully reproducible.

It is our belief that this activity is NOT limited to the UK.

Companies

BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK, as our evidence will demonstrate.

BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.

Technical Nature of this Information

The information described here is technical. This is because in order to subvert technology the attackers need to be able to fool and confuse experts in the field and keep them busy, slowing them down; but regardless, the impact and effect can be understood by everybody.

Your main take-away from this disclosure is to understand conceptually how these attacks work; you can then put security measures in place to prevent such attacks.

Credibility of this Research

Privacy vs Security

Loss of privacy is a breach of personal security, and the legal violation of privacy is purely a consequence of that security loss.

Motivation

After studying in detail the revelations by Edward Snowden we realized there was a large "missing part of the puzzle".

There has been little to nothing published on specifically how the attackers technically achieve their goals. Most information published is based on theoretical situations.

If we don't know how hackers actually achieve these security breaches we cannot defend against such breaches.

For example, a slide similar to the following was published. Of all the slides released it's uninteresting and easily dismissed, as it simply describes what is commonly known as a theoretical Man-In-The-Middle attack.

The media focus of the slide is of course Google's Servers, and your first thought might be "this is Google's problem to solve", but what if "Google Server" was "My Bank's Servers"? You would probably be more concerned because that may directly affect you.

But we thought: what if "Google Server" was "Any Server, Anywhere?"

Our investigation led us to uncover and understand how this attack really is in practice, how it is implemented, and the hair-raising reality of its true nature, which is this: not just a back door but an entire attack platform and distributed architecture.

Terminology

To ease explanation we are going to use standard security terms from here on.

Attacker - GCHQ, NSA, BT Group or any combination.

The Hack - The technical method used by the attackers to illegally break into your home network, computers and phones.

Basic Security

Your Home Network

In order to explain how these Computer Network Exploitation attacks work and how this affects you personally, we must first look at the architecture of a typical home or office network. Look familiar to you?

Most Internet connections consist of an ADSL type modem and one or more Ethernet ports attached to the modem, to which you connect your computers, devices and add-on switches etc.

There are two security factors in operation here:

a) NAT based networking, meaning that your home computers are hidden and all share a single public IP address

b) Your modem has a built-in firewall which blocks inbound traffic. The inherent security assumption is that data cannot pass from the inbound DSL line to a LAN switch port without first being accepted or rejected by the built-in firewall.

For the technically minded, these security assumptions are further reinforced if the modem's software is open source, e.g. using Linux, and its source code is freely and openly available as per the GNU GPL requirements.

Given that the above is the most common architecture on the Internet, as it applies to almost every home and office everywhere, let's now revisit that first slide, but this time we ask one simple question:

How do the attackers get between You and Google or some other service?

On closer inspection of the diagram you will notice that "Google Request" and the "Attacker (Log into Router)" share the same router. When this slide was released we all assumed that this router was either Google's own router or some upstream router; that way the attacker could intercept packets and perform a Man-In-The-Middle (MITM) attack.

However, this would not work for every website or service on the Internet. The attacker would need to be upstream everywhere!

So where does the attacker hide? Where is this Common Router? Again we ask:

How do the attackers get between You and Google or some other service?

Let's examine the diagram one last time.

The Hack

This example is based on the UK version of what we are calling The Hack, using BT Internet services. If you are not in the UK, and regardless of the service, you should always assume that the exact same principles detailed here are being used against you regardless of your country or ISP.

The Hack is based on the fact that a second secret/hidden network and second IP address is assigned to your modem. Under normal use you cannot detect or see this from your LAN, but the attacker has direct access to your modem and LAN in your house from the Internet.

How it Works

... but other vendors' modems may well use different VLANs. The original slide has a strange number "@A@" with a grey background; we think this represents the VLAN number/Vendor number, so BT would be "=>?".

This hidden network is not visible from your Modem's Web Interface and not subject to your firewall rules. It is also not subject to any limitations as far as the switch portion of your modem is concerned, and the hidden network also has all ports open for the attacker.

Other tools and services are permanently enabled inside the modem which greatly aid the attacker, such as the zebra & ripd routing daemons, the iptables firewall, an SSH remote shell server, along with a dhcp client.

These tools allow the attacker to control 100% of the modem functionality from the Internet and in an undetectable manner. e.g. the attacker can

forward all your DNS requests to their private network; they can selectively route specific protocols, ports or networks, or everything, to their network, and by default they do.

Although the hidden network is owned by U.S. D.O.D., it is located within the UK, as the ping time to the attacker's IP gateway is < 8ms from within the UK.

This clearly demonstrates that the UK Government, U.S. Government, U.S. Military and BT are co-operating together to secretly wiretap all Internet users in their own homes (with few exceptions). The modems are provided by BT and locked down. If you cannot confirm otherwise you must assume that all ISPs in the UK by policy have the same techniques deployed.

Your home network actually looks something like the following diagram. To the right is the

right into your modem's firmware, which can also be updated remotely as required by the attacker using the built-in BTAgent.

The Hack attack is turned on by default but is selectively turned off for special purposes or specific "dangerous customers", for example for certain software, firmware and hardware developers/engineers (which may include you), so that these people don't discover The Hack.

The attacker identifies these specific "threats" and marks their Internet connections as "NO DHCP", such that the same dhcpc requests from their telephone lines are ignored, and while these requests are ignored the hidden network will not appear inside their modem and is much harder to discover.

Firmware engineers usually want to know if the modems are using Open Source software such as Linux and BusyBox, in which case they are subject to the terms of the GNU Public License.

These engineers, as well as tech savvy users, may wish to put their own software (e.g. Open

Your Real Network

The following is a more realistic view of your home network and what is now possible given the attacker now has secret access to your home LAN.

It is now a simple matter to use other tools and methods available to the attacker to penetrate your internal computers. This includes:

- Steal private VPN/SSH/SSL/PGP keys
- Infect machines with viruses
- Install key loggers
- Install screen loggers
- Clone/destroy hard drives
- Upload/destroy content as required
- Steal content as required
- Access Corporate VPNs
- Clean up after operations
- Route traffic on demand (e.g. MITM)
- Censorship and Kill Switch
- Passive observation

The Attacks

This section lists the attacks on you that are now possible by the NSA/GCHQ.

Later we show how you can defend against these attacks, and it would be wise to implement our defenses with immediate effect.

Unlike the revelations so far by Snowden, where the attacks occur out there somewhere on the Internet, these attacks happen in your home/office.

The attacks listed are the most obvious attacks; some are mentioned in the Edward Snowden revelations and referred to as Computer Network Exploitation (CNE).

Internal Network Access

The attacker has direct access to your LAN and is inside your firewall.

Your modem acts as a server; it listens on lots of ports such as SSH (22) and TELNET (23), so the attacker can just hop on to it (but you cannot).

This is possible because another hidden bridged interface exists with its own VLAN. Firewall rules do not apply to this interface, so the attacker can see your entire LAN and is not subject to your firewall rules, because those rules apply to the BT link (black line) not the attacker's link (red lines).

... possible about all the devices attached to your network.

All your hardware can be identified by the specific MAC addresses and then fingerprinted for specific protocols and software versions. All this cannot be detected unless you are logged into your locked modem.

The above is just the base platform of the NSA/GCHQ, from which hundreds of types of attacks are now possible, which now include all of the following:

Man-In-The-Middle Attack

The attacker controls all outbound routes; he can easily perform an HTTPS Man-In-The-Middle attack by forwarding specific traffic for port 443 or a destination network to a dedicated MITM network which he controls (as per previous slides).

The only thing required is a valid SSL certificate & keys for a specific domain (which he already has, see below). The attacker is between you and any site you visit or any service you use (not just websites), e.g. Skype, VoIP, SSH etc.

The attacker simply creates a static route or, more easily, publishes a Routing Information Protocol (RIP) request to the zebra daemon running in the router for the target network address, and your traffic for that network will then be routed to the attacker's network, undetectable by you.

The attacker can then use asymmetric routing, and upon examination of the requests he can filter specific requests he is interested in and respond to those, but let the target website server or service respond to everything else.

The key here is that traffic from the target website back to the user does not then have to go via the attacker's hidden network; it can go directly back to the user's public IP (which would be logged by the ISP).

MITM can be on any port or protocol, not just HTTPS (443): for example your SSH connections, all UDP, or GRE, PPTP, IPSec etc., or any combination of anything.

All SSL Certificates Compromised in Real-Time

The security of Public Key Infrastructure (PKI) is based primarily on the security of the owner's private keys. These private keys are not necessarily required in order to perform a MITM attack.

All that is required is an actual duplicate signed certificate using NSA/GCHQ's own private keys. The MITM attack can be as simple as running a transparent proxy; you will always see a valid certificate but be unable to detect the attack.

At the point of the proxy all your traffic is decrypted in real-time, at which point targeted packet injection can occur or it can simply be monitored.

It makes perfect sense that the trusted Certificate Authority (CA) actually makes a second duplicate SSL certificate with a separate set of NSA provided private keys, as the CA never sees the real certificate owner's private keys.

The two Private Keys

Home networks are usually very insecure, mainly because only you or family use them; your guard is down and your SSH, VPN, PGP, SSL keys are all vulnerable to theft by the attacker and his available methods.

The Hack is the key mechanism that enables these thefts.

As an example of the above, if you use the modem's built-in VPN feature you usually add your certificate and private key to the modem or generate them both via its web interface. At some later time the attacker can just copy these keys to the "CES Pairing database" via his private network; the data collected from SIGINT can later be decrypted off-line or in real-time.

In the case of keys extracted from the modem's built-in VPN, the "CES Pairing database" now contains the real key/cert pair, meaning the attacker can now attack the VPN server environment directly when that server would not have been exploitable otherwise.

The attacker can also masquerade as the genuine user by performing the server attack from within the user's modem (using the correct source IP address); this way nothing unusual will appear in the VPN's logs. Once inside the perimeter of the VPN server the cycle repeats.

You should assume that all "Big Brand" VPNs and routers use the exact same attack strategy and architecture, with variances in the specific implementation, e.g. Big Brand supports IPSec, Little Brand supports PPTP.

The NSA Bullrun Guide states:

"The fact that Cryptanalysis and Exploitation Services (CES) works with NSA/CSS Commercial Solutions Center (NCSC) to leverage sensitive cooperative relationships with specific industry partners".

Specific implementations may be identified by specifying Equipment Manufacturer (Big Brand

cable modems.

Further evidence of the mass global distribution of this technology to at least the 14 Eyes: USA, GBR, CAN, AUS, NZL, FRA, DEU, DNK, NLD, NOR, ESP, ITA, BEL, SWE.

The Kill Switch

Actual capabilities uncovered here include the actual ability to apply physical censorship on the Internet by governments, directed at individuals, groups, companies, entire countries or the majority of the users of the Internet at once (given a coordinated government agreement). This is something that can be turned on globally within minutes.

This "kill switch" is only a small portion of the total capabilities available that are in place right now. Essentially any operation that can be applied using a single firewall or RIP router can be applied to every customer at once.

Uploading/Download Content

The attacker can upload or download content via either your public ISP's network or via his private hidden network. The difference is that your ISP could confirm or deny from their logs whether the user did or did not upload/download content from/to a particular source.

In other words, the possibilities and ability to frame someone cannot ever be overlooked.

Tor User/Content Discovery

Users of the Tor network can easily be discovered by LAN packet fingerprinting, but also by those who download the Tor client. The attacker can stain packets leaving your network and before entering the Tor network, making traffic analysis much easier than was previously known.

All Tor traffic can be redirected to a dedicated private Tor network controlled by the attacker; in this way the attacker controls ALL Tor nodes and so can see everything you do from end-to-end.

This is not something the Tor project can fix; it can only be fixed by the user following our methods.

Tor hidden services should drop all traffic from un-trusted Tor nodes; this way clients running in the simulated Tor network will fail to connect to their destination.

Encrypted Content

The attacker is in your network and has all the tools necessary (such as operating system back doors) or zero day vulnerabilities to hack into your computers and steal your VPN, PGP, SSH keys as well as any other keys they desire. Also, content that is encrypted can be captured before encryption via any number of methods when the attacker is already inside your network.

Covert International Traffic Routing

The attacker can secretly route your traffic to the U.S. without your permission, consent or knowledge, thus bypassing any European data protection or privacy laws.

Activists

Knowing the victim's ISP would indicate which ISPs are involved.

Destroy Systems

Released documents state that the U.S. Cyber Command have the ability to disable or completely destroy an adversary's network and systems; the first step to this would be to penetrate the adversary's network firewall, making secondary steps much easier.

Censorship

The attacker has control of the hidden firewall, so it is easy for the attacker to simply block traffic based on specific ports or based on destination address or network route; for example the government can block port 8333 at source and therefore block all Bitcoin transactions.

A coordinated attack on the Bitcoin network is possible by blocking ports of Miners around the world, reducing the hash rate and blocking transactions.

Mobile WIFI Attacks

Mobile devices, phones/tablets etc. are as easily accessible once they connect to your ... XKEYSCORE database, so they can be used to identify specific devices and specific locations, allowing the attacker to track you without the aid of GPS or where no GPS signal exists.

Document Tracking

Microsoft embeds the physical MAC addresses of the computer inside documents it creates. This allows the source of a document to be identified easily. The following is from the XKEYSCORE PowerPoint.

The Mobile Hack

2G/3G/4G Mobile Attacks

Given the NSA/GCHQ plan to spy on "any phone, anywhere, any time", The Hack detailed in this document is a carrier independent method to achieve that goal that works very well. The attacker will almost certainly re-use the same strategy for all Mobile phones or wireless broadband devices.

Your mobile phone (2G/3G/4G) is almost certainly subject to this same attack architecture, because from the attacker's perspective his side of the infrastructure would remain the same regardless of the device being attacked.

A mobile phone these days is simply a wireless broadband modem + phone, so any encrypted messaging system, for example, can be captured before encryption. Therefore mobile phones are subject to all the same and many more attacks as per The Hack.

This would mean that mobile phone makers may well be in collusion with the NSA, because they would need to implement the equivalent routing and firewall ability in each mobile phone as part of the OS if it was to remain hidden.

The mobile phone version of The Hack is also much more difficult to detect than the broadband version. Mobile phones make more use of IPv6, and the overall complexity of IPv6 means that even experts may not know what they are looking at in the routing tables, even if they could see them. Carriers often have multiple IPs for different services they provide.

Even top-up mobile phones without any credit can be accessed; for example the mobile phone's top-up services are always available and their DNS servers are always accessible regardless of your top-up credit state.

Modern kernels use multiple routing tables (e.g. ip rule show) for policy based routing, so again unless you confirm who owns a specific IPv6 range it will be difficult to spot, especially as firmware hackers are not even looking for such back doors. Maybe now they will.
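The symptoms described for the broadband modem (an extra bridged VLAN interface, the zebra/ripd daemons and an SSH server listening, routes the owner never configured) and the extra routing tables mentioned just above for mobile devices can all be checked from four dumps taken on the device: ip -o link show, ip rule show, ip route show table all and ss -ltn. The script below is an added example and not part of the original document; it runs offline against constructed sample dumps, and the interface names, the VLAN id 301, the addresses and the two allow-lists are all assumptions chosen for the demo. Anything outside what the owner expects is reported.

```shell
#!/bin/sh
# Added example: audit router state dumps for the hidden-network symptoms
# the text describes. Names, addresses, VLAN id 301 and the allow-lists
# below are constructed for the demo, not taken from any real device.

# What the owner expects to exist on the modem. Anything else is reported.
EXPECTED_IFACES="lo eth0 eth1 br0 ppp0"
EXPECTED_PORTS="53 80"

# Interfaces in `ip -o link show` output that are not in EXPECTED_IFACES
# (e.g. an extra VLAN sub-interface such as eth0.301@eth0).
audit_links() {
    awk -v expected="$EXPECTED_IFACES" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
          if (!(name in ok)) print "unexpected interface: " name }'
}

# Policy-routing rules in `ip rule show` output that send traffic to a
# table other than local/main/default.
audit_rules() {
    awk '
        { t = ""
          for (i = 1; i < NF; i++) if ($i == "lookup") t = $(i + 1)
          if (t != "" && t != "local" && t != "main" && t != "default")
              print "unexpected policy rule: " $0 }'
}

# Routing tables named in `ip route show table all` output other than the
# three standard ones (main-table routes carry no "table" keyword at all).
audit_route_tables() {
    awk '
        { for (i = 1; i < NF; i++) if ($i == "table") seen[$(i + 1)] = 1 }
        END { for (t in seen)
                  if (t != "local" && t != "main" && t != "default")
                      print "unexpected routing table: " t }'
}

# Listening TCP sockets in `ss -ltn` output on ports not in EXPECTED_PORTS.
# 22/23 are the SSH/telnet servers the text mentions; 2601/2602 are the
# default vty ports of the zebra and ripd daemons.
audit_listeners() {
    awk -v allowed="$EXPECTED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" { m = split($4, p, ":"); port = p[m]
                         if (!(port in ok)) print "unexpected listener on port " port " (" $4 ")" }'
}

# Constructed sample dumps (what a modem with a hidden network might show).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
5: eth0.301@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN'
SAMPLE_RULES='0: from all lookup local
100: from 192.0.2.77 lookup 301
32766: from all lookup main
32767: from all lookup default'
SAMPLE_ROUTES='default via 203.0.113.1 dev ppp0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
default via 192.0.2.1 dev eth0.301 table 301
192.0.2.0/24 dev eth0.301 table 301 proto kernel scope link src 192.0.2.77
local 192.168.1.1 dev br0 table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br0 table local proto kernel scope link src 192.168.1.1'
SAMPLE_SOCKETS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:53        0.0.0.0:*
LISTEN 0      128    192.168.1.1:80    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
LISTEN 0      128    127.0.0.1:2601    0.0.0.0:*
LISTEN 0      128    127.0.0.1:2602    0.0.0.0:*'

# Run every check over the samples; on a real device feed the live command
# output instead (e.g. `ip -o link show | audit_links`).
run_audit() {
    printf '%s\n' "$SAMPLE_LINKS"   | audit_links
    printf '%s\n' "$SAMPLE_RULES"   | audit_rules
    printf '%s\n' "$SAMPLE_ROUTES"  | audit_route_tables
    printf '%s\n' "$SAMPLE_SOCKETS" | audit_listeners
}

# Number of findings; a device that matches the owner's expectations yields 0.
finding_count() { run_audit | wc -l | tr -d ' '; }

run_audit
```

Against the constructed samples the audit reports seven findings: the eth0.301 sub-interface, the policy rule and routing table 301 that go with it, and listeners on 22, 23, 2601 and 2602. The allow-lists are deliberately the owner's expectation rather than a signature of anything hostile, so an unfamiliar entry is a prompt to find out who owns that interface or address range, which is the question the text says is rarely asked.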

Basic Defense

Knowing how you are being attacked is half the battle, but in this case, due to the attacker's abuse of a privileged position and the fact that the attacker is your own government and its foreign partners, defense is much more difficult compared to a common virus, worms or hackers.

One of the best defenses is to take Legal action against BT or your ISP.

If you are serious about your privacy don't expect any help from your attackers (as attackers never help their victims). You must ensure your own privacy. Before we explain practical defenses here are some good tips.

Secure your end-points

- Never ever trust ISP supplied equipment (e.g. router, firewall, STBs); always consider such devices as hostile and position them in your network architecture accordingly, i.e. in the Militarized Zone (MZ)
- Do not use any built-in features of ISP equipment (e.g. Firewalls, VPNs)
- Never ever trust a device that has any closed source firmware or other elements, regardless of the excuses that your attacker gives you
- Never trust a device whose firmware you cannot change yourself, regardless of "big brand" names
- Disable all protocols that you don't use or don't understand, especially TR-069 and any other Remote Management features; these are all part of the surveillance control system (e.g. BTAgent firmware update)
- Always use a second Linux firewall which you control and that you have built
- Control all your NAT on your second Linux firewall, not the ISP's supplied router
- Make sure you control all end-points whenever possible
- Ensure that 100% of packets UDP/TCP (e.g. including DNS) are encrypted leaving your second firewall (this is the key to end-point security); this requires using the Outbound Defense method described later
- Always use a VPN and remote proxy that you control or trust; disable logging altogether to protect privacy. This requires using the Outbound Defense method described later

Inbound Defense

This defense method against most NSA/GCHQ Inbound attacks is fairly easy to implement and not too technical; everybody at a minimum should include this method in their defense strategy.

The strategy will only prevent NSA/GCHQ from hacking into your home/office LAN. It cannot prevent other direct attacks, because the attacker can still intercept and route all packets leaving your property.

A second Linux firewall device (blue) that you control and manage is placed in front of the ISP router, effectively placing the ISP's router in the Militarized Zone (MZ), i.e. the Internet. A single cable (red) is used to link the LAN of the ISP router to the Internet LAN port of the Linux firewall.

Block all inbound access, including multicast packets, from the ISP router; run DHCP and NAT on your Linux firewall.

Your second firewall can then issue PPPoE requests via its Internet port and create a local ppp0 device which will be its new Internet connection. All packets leaving the firewall will now be PPPoE encapsulated.

Outbound Defense

This defense method should be used against all NSA/GCHQ Inbound and Outbound attacks. This is the only sure fire method to protect Tor clients.

This defense requires that you (control/own
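The second Linux firewall of the Inbound Defense (ISP router on the MZ side, everything inbound from it dropped including multicast, DHCP and NAT on the firewall, PPPoE over the link) and the Outbound Defense goal stated in the end-point tips (100% of packets, DNS included, leaving the firewall encrypted through a VPN you control) can be written down as one iptables ruleset. The generator below is an added example and not the document's own configuration: the interface names, the VPN peer address 203.0.113.10 and UDP port 1194 are assumptions passed in as parameters, and the output is in iptables-restore format.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the second Linux
# firewall. Arguments (all assumptions for the demo):
#   $1 link to the ISP router (the "Internet" port),          e.g. eth0
#   $2 LAN port facing your own computers,                   e.g. eth1
#   $3 PPPoE device created over $1,                         e.g. ppp0
#   $4 VPN tunnel device,                                    e.g. tun0
#   $5 VPN peer IP (a literal IP: nothing should need DNS
#      before the tunnel is up),                              e.g. 203.0.113.10
#   $6 VPN peer UDP port,                                     e.g. 1194
gen_ruleset() {
    isp=$1 lan=$2 ppp=$3 tun=$4 peer=$5 vport=$6
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and replies to connections the firewall itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound Defense: nothing from the ISP router side, multicast included.
# (PPPoE discovery/session frames are not IP and are unaffected.)
-A INPUT -i $isp -d 224.0.0.0/4 -j DROP
-A INPUT -i $isp -j DROP
-A INPUT -i $ppp -j DROP
# Services the firewall provides to the LAN: DHCP and DNS.
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
# Outbound Defense: LAN traffic may leave only through the tunnel.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $tun -j ACCEPT
-A FORWARD -i $lan -o $ppp -j REJECT
-A FORWARD -i $lan -o $isp -j REJECT
# The firewall's own traffic: only the tunnel endpoint may use the raw link.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $ppp -p udp -d $peer --dport $vport -j ACCEPT
-A OUTPUT -o $tun -j ACCEPT
-A OUTPUT -o $lan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT is done here, not on the ISP router, and only towards the tunnel.
-A POSTROUTING -o $tun -j MASQUERADE
COMMIT
EOF
}

# Sanity checks a practitioner would run before loading the ruleset.
rule_count()   { gen_ruleset "$@" | grep -c '^-A'; }
policy_drops() { gen_ruleset "$@" | grep -c '^:[A-Z]* DROP'; }
# Does any FORWARD rule let LAN traffic out over the raw PPPoE link? (0 = no)
lan_leaks() {
    gen_ruleset "$@" | grep -c "^-A FORWARD -i $2 -o $3 -j ACCEPT" || true
}

gen_ruleset eth0 eth1 ppp0 tun0 203.0.113.10 1194
```

Load the output with iptables-restore once the PPPoE session and the tunnel are configured; the DHCP server, the resolver listening on the LAN port and the VPN client are separate services the firewall must also run. The same policy has to be repeated for ip6tables, since the multicast the text warns about on the ISP side includes IPv6 router advertisements, and the peer is given as a literal IP so that no name lookup ever has to leave over the unencrypted link.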

An alternative short-term defense is to use OpenWRT router software that you install into the modem yourself, so that you can confirm no hidden networks or IP addresses exist and that the firewall actually functions.

However, this is technically impossible for most users.

For open source router software visit https://openwrt.org/

More Defense Tips

Isolate your

MITM Defense

Until now it was not fully understood how a MITM actually worked with regard to how the attacker could get in the middle of any connection.

Now we know with 100% confidence that the man is not in the middle but in the modem, and that's how any individual can be subjected to a MITM attack.

  • 8/12/2019 NSA Full Disclosure

    35/60

    Uncovered //NONSA//NOGCHQ//NOGOV - CC BY-ND

TCPCRYPT

Tcpcrypt is a very secure approach to many of the problems posed by the NSA/GCHQ because it is true native end-to-end encryption, does not require a certificate authority and is free open source software. One caveat to keep in mind: on its own tcpcrypt is opportunistic. It defeats passive interception of a TCP session, but an active attacker in the path (or, as argued above, in the modem) can still interpose during the handshake unless the two endpoints authenticate the session, which tcpcrypt supports by exposing a per-session ID that the application can verify over an authenticated channel.

The NSA have tried to kill this project a number of times and will continue to do so, or limit its use; you must not let that happen.

If you would like to see how NSA and GCHQ agents try to kill projects like this in public, view the video http://www.tcpcrypt.org/talk.php, go to 26:22 and hear the voice of the NSA and then GCHQ.


Let's get all TCP connections encrypted by default

Available now, free open source, for Linux Kernel Developers - please support

TcpCrypt Kernel Module

http://www.tcpcrypt.org/

Frequently Asked Questions

Why Full Disclosure? They have gone undetected until now (since 2011, as evidenced by the date of the firmware); you should assume that the U.S. is doing the same to all Americans, and you should use the defenses as detailed herein as a precaution.


Will stopping BTAgent software stop these Attacks? No. BTAgent is just misdirection. It is not required or directly used in the attacks. It can be used to update the firmware of a target modem should the attacker need specific functionality on the modem, but this would be unusual. So killing BTAgent does not help (you should kill it anyway).

Is it possible that BT is unaware of this? No, this is their firmware: controlled by BT, published by BT, updated by BT; they also lock the modems.

My equipment is completely different? The Hack is an NSA/GCHQ Global Strategy and its architecture is independent of a specific make or model of modem or mobile phone; it is also independent of the transport method, e.g. dial-up vs. ADSL, DOCSIS, VDSL, cable modem etc. It sits at the top of the stack (TCP/UDP etc.) so however you connect, it connects. Each implementation will vary and improve with each generation.

You should only use fully open source firmware that is publicly verified.

I've never done anything wrong. Yes you have: you have allowed hackers to enter your home network and plant malware that infects your computers, which may now have become part of a zombie army with tentacles controlled by the NSA/GCHQ. This is worse than any virus or worm you can imagine.

How can I verify this myself? Follow the instructions in the following sections; you can also create simulations off-line, but that is more technical.

I would like to donate and support your work. Thank you; please see the last page of this document for details.



Now you can verify

The following section explains how you can confirm that your modem has the GCHQ/NSA back door.

In these examples we use two BT OpenReach white modems (but more accurately described as BT OverReach), models:

Huawei EchoLife HG612 and ECI B-FOCuS VDSL2 modem.

These two look almost identical. The HG612 is an earlier model.

The process of confirmation is slightly different for each modem.


Easy Confirmation

Step 1. Remove power from the modem and disconnect the telephone line.

Step 2. On your PC (assumed Linux) add an IP address 192.168.1.100, i.e.:

    $ ifconfig eth0:1 192.168.1.100 up

Step 3. Start to ping 192.168.1.1 from your PC, i.e.:

    $ ping 192.168.1.1

Step 4. Connect a network cable to LAN1.

Step 5. Plug in the power cable to the modem and wait for about 30 seconds for the device to boot; you will then notice:

    64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=0.923 ms
    64 bytes from 192.168.1.1: icmp_seq=12 ttl=64 time=0.492 ms
    64 bytes from 192.168.1.1: icmp_seq=13 ttl=64 time=0.614 ms

You may notice up to ten responses, then it will stop.


Hard Confirmation

Method 1: no firmware modification required

Kill the following processes:

    $ killall zebra ripd dnsmasq tftpd sshd MidServer

If you are logged in to the modem over ssh, killing sshd will drop your own session; do this from the serial console or a telnet session instead.

Kill the pids of the /bin/sh /BTAgent/ro/start:

    $ kill <pid>

Now kill all of the BTAgent processes:

    $ killall btagent

Unmount the BTAgent partition:

    $ umount /usr/BTAgent

Remove the attackers' VLAN 301:

    $ vconfig rem ptm1.301

Kill the rogue dhcpc process with force (-9) or it will re-spawn:

    $ killall -9 dhcpc

Remove all hidden firewall rules:

    $ iptables -F -t mangle
    $ iptables -F -t nat
    $ iptables -F

Flushing removes the rules but leaves the chain policies in place; list each table again afterwards to confirm that only the policies remain.

Step 2. Plug in the telephone cable and the DSL will connect to BT (without the NSA/GCHQ listening).

Step 3. Now start your PPPoE session from your second Linux firewall machine as per the instructions for Inbound Defense and Outbound Defense as applicable, and Enjoy your privacy.



Special Agent BT

This “special” software installed on all modems provided by BT is called BTAgent.

This software listens on port 161, which is the IANA assigned port for Simple Network Management Protocol (SNMP); anyone looking at this process would automatically assume this to be the case. SNMP type programs are often referred to as SNMP Agents.

The primary purpose of BTAgent is unpublished, but a version has been partially reverse engineered and the software does download firmware and update the modem's flash.

BT's response to queries about their BTAgent is to claim that they need to “remotely manage modems for security purposes”.

User concerns with BTAgent:

1. It's closed source
2. Users cannot turn it off
3. The secretive nature and responses from BT
4. Users cannot upgrade the firmware using BTAgent
5. Port 161 is open to the public internet

The second (special) purpose of the BTAgent is purely reverse psychology, designed to keep you wondering about it and to cause you to waste your time reverse engineering it when it may well be what it says on the tin; and while you're thinking about BTAgent you're not thinking about the other network interfaces such as ptm1.301 and the dhcpc requests, which all look innocent but actually perform the dirty deeds right in the open.


Psychological and Physical Barriers

The NSA/GCHQ will do anything and everything to stop The Hack being discovered. The first step is to deal with the majority of users and prevent them from even thinking about opening it up or even touching the modem.

Some of the suggestions listed here may seem extreme, but the less interest created in this box, the less attention it receives from consumers.

1. It's a white box; psychologically it's not a “black box”, so it should be safe.
2. It comes in a plain brown cardboard box which contains no words or graphics whatsoever, with a single white bar-code label with the make/model of the modem.
3. The BT engineer personally carries and installs it in your home, while other components such as the BT Home Hub, the more expensive component, are sent through the postal system. BT cannot leave this shiny white modem hanging around for a week while they allocate your connection; you may try to open it or do research about it online, and they want to know who is researching it.
4. The telephone socket (RJ11) is designed such that when you plug in the telephone cable it becomes very difficult to remove it, much more so than a standard telephone RJ11. It's not just a case of pinching the lever; you have to pinch and push further in, then remove. This is subtle but it will prevent a lot of people from even attempting to disconnect the telephone cable, just in case they break it.
5. The older model was easy to open, just a few screws; the newer model is almost impossible to open because it is clip-locked closed, meaning that you will damage it if you attempt to open it.
6. Red


Social Attacks on Engineers

Having discovered the attack architecture and disabled it, we decided to visit some forums online; we were interested to see if anyone anywhere is close to uncovering The Hack and how the NSA/GCHQ react to such issues.

Generally there are engineers chatting and sharing pictures of their modems and how they solder wires on to the (usually hidden) serial ports; the discussions usually lead to logging in and gaining root access to the modem, or replacing the firmware altogether.


Counter-Intelligence

The NSA/GCHQ et al. have been watching and attacking us; it's about time we turned the tables, started defending ourselves and also watching them.

This section is not going to detail specific techniques but rather suggest overall approaches, some of which we have done over a period of months.

NSA Honeypots

Now that we understand the attack architecture we can simulate the modem in a MIPS Virtual Machine (BTAgent is not required).


About the Authors

The authors of this document wish to remain anonymous. However, we are fully prepared to stand in a court of law and present our evidence.


UPDATE 2

Documents released by Der Spiegel have confirmed our own findings; original sources can be found here:

http://www.spiegel.de/international/topic/united_kingdom/
http://www.spiegel.de/international/topic/united_states/

The very fact that we reported these back-doors exactly as described in these new leaks proves that our claims are legitimate and true. This is exactly what we uncovered in BT's modems: the architecture, design and attackers' networks are exactly as we illustrated in our diagrams, descriptions and list of capabilities.


U.S. DOD IP Addresses


IP traffic is not actually routed from the U.S. to the U.K. or vice versa, because the latency (round trip delay) would be too high. But using IP blocks from partner countries allows these Governments to claim that they do not spy on their own citizens: for example GCHQ would not attack a public U.K. IP address but may attack a U.S. IP address. The opposite is also true; the U.S. can claim that they do not attack U.S. IP addresses but may attack U.K. IP addresses. Get the picture?

The Governments' proof that they do not spy on their own citizens will be that they use industry standard tools such as MaxMind IP geo-location databases etc. to confirm foreign-jurisdiction IP addresses, knowing full well that American targets have been assigned foreign IP addresses, allowing the NSA/CIA to legitimately target Americans.

Locations of Attacker Networks


In the following NSA diagram:

1. Yellow Dots depict compromised firewalls/routers, i.e. your modem
2. Red Dots are the locations of the attackers' networks as per SCS Global
3. Red Dashed Lines represent hidden network paths
4. Black Solid Lines represent Fibre Optic Cables

The above diagram is from 2012 and states ~50,000 implants, but this list does not include the UK, CAN, NZL and AUS (the other Eyes). Given that BT et al. is the largest provider of compromised firewall/router modems in the UK, the actual number is in the millions.

As a side note, we stated: “But worse is the fact that this architecture is designed for Cyber Attacking in addition to passive monitoring, as we will detail next.”

Now we discover they even have a logo for this!



Next we see:

1. DoD Network - you know, the one that's unused; yep, that one.
2. Green Dots – Passive SIGINT (Real-Time Active Traffic Monitors)
3. Red Dots – Active Defense – i.e. Attack!
4. Blue Dots - Compromised router/firewall/modems, “Implants (TAO)”, being remotely controlled by the attackers.

Titled: “Provides Centralized automated command/control of large network of active implants”.

Now do you believe our claims about your second hidden network? Well, read on.



The following diagram is within the attackers' network directly attached to your BT (or other ISP) modem.

1. Top left corner is the Attackers' gateway (i.e. the BT modem's default route)
2. Thick Blue Lines are the Attackers' network, located in an SCS SCIF site operating within local Embassies and Consulates
3. The virtual machines (VM1-VM4) are the command and control logic; this sends requests to your BT modem via the hidden network to inject routes or issue other requests to route specific or all traffic for MITM attacks. It should be noted that the attacker can also simply telnet/ssh to your modem as well.


Unclassified TAO Covert Network (Covert = hidden)

Remember VLAN 301? It goes from your home router to BT to GCHQ (or your local NSA SCS) as shown in the previous and right-hand diagrams.

The 1st generation modems don't use a VPN, which is why we did not mention it. However, the 2nd generation do have an IPSec VPN built-in (and other interesting stuff).

The use of a VPN is to hide the attackers' activities from counter-surveillance.

The same document also refers to the TAO Covert Network as CovNet, a.k.a. MIDDLEMAN (Man In The Middle).

Surely you're convinced now; now read on.



In this diagram we see your BT Modem! (bottom right)

The left hand side is the Attacker network infrastructure. The “Internet Option A” is almost certainly used exclusively for GSM type (RF, Radio Frequency) mobile phones and GSM based control devices.

Option A devices can only receive commands; they cannot return data directly. They can do things like Turn on Microphone, Take Picture, Transmit SMS, protected data via SMS etc. Ask your mobile phone provider/maker for a complete list of features in your phone (a good case for an OSS GSM module).

Option B concerns routers/firewalls/modems; now take a close look, you will see
