NSA in the News
Posted by Charles II on October 4, 2013
The Guardian had almost a dozen articles relevant to the wiretapping of Americans by NSA.
There were several slide shows on how the NSA has been attacking TOR. A non-technical summary of what they say is given by James Ball, Bruce Schneier, and Glenn Greenwald here. A more technical summary by Bruce Schneier is linked below.
One slide show reviews how Tor works. Briefly, the user’s computer passes multiply-encrypted data to other computers on the network to create a series of cutouts (layers). Someone trying to monitor the traffic can to some degree monitor certificates.
As of 2012, NSA was finding Tor to be a difficult nut to crack. It was able to de-anonymize some users, but not on-demand. They had access to some nodes, but not enough to routinely get the data as it passed through entry, exit, and relay nodes. With access to a node, one may be able to match a user to the communication by the time; the British version of this is a program called QUICKANT. Some cookies survive Tor. Such cookie leakage, or identifying a user when they are not using Tor using QFD, can de-anonymize the user. The NSA is working on a version of QFD called Great Expectations, that would combine cookies with QFD to de-anonymize. There is also some effort by the British GCHQ and Germany’s DSD to detect Tor’s hidden services through ONIONBREATH. Tor nodes are identified through RONIN. QUANTUM is being used to degrade/deny/disrupt Tor service and QUANTUMCOOKIE to seize cookies. If the NSA has access to the target computer, they can stain the traffic or direct it to a node the NSA controls.
Egotistical Giraffe was a 2007 program to attack privacy in Tor, an anonymizing system used by dissidents in places like China and Iran, some criminals, and a lot of people who would just like some privacy. Tor relies on Firefox. The NSA uses TorButton to identify Tor users, winnowing the universe down to a few hundred thousand people. They can get a partial fingerprint based on the build time of the browser. The NSA can also use some exploits, especially if the user fails to activate NoScript.ERIN (Erroneous Ingenuity) was capable of penetrating Firefox 13-16.02. EGGO (Egotistical Goat) attacked a vulnerability in versions 10, and 11-16.02. They were able to use callbacks to gain control of a target.
Bruce Schneier summarizes the slide shows:
After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user’s computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems.
Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA.
To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target’s browser to visit a Foxacid server.
FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. The operations manual states that a FoxAcid payload with the codename DireScallop can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.
The NSA also uses phishing attacks to induce users to click on FoxAcid tags.
TAO additionally uses FoxAcid to exploit callbacks – which is the general term for a computer infected by some automatic means – calling back to the NSA for more instructions and possibly to upload data from the target computer.
According to a top-secret operational management procedures manual, FoxAcid servers configured to receive callbacks are codenamed FrugalShot. After a callback, the FoxAcid server may run more exploits to ensure that the target computer remains compromised long term, as well as install “implants” designed to exfiltrate data.
Bruce Schneier explains why the NSA’s attacks must be made public:
Finding a vulnerability – or creating one – and keeping it secret to attack the bad guys necessarily leaves the good guys more vulnerable.
Far better would be for the NSA to take those vulnerabilities back to the vendors to patch. Yes, it would make it harder to eavesdrop on the bad guys, but it would make everyone on the internet safer.
Seymour Hersh is clear that the documents leaked by Edward Snowden have changed the debate.
Snowden was significant because he provided documentary evidence – although he is sceptical about whether the revelations will change the US government’s policy.
“Editors love documents. Chicken-shit editors who wouldn’t touch stories like that, they love documents, so he changed the whole ball game,” he adds, before qualifying his remarks.
John Lanchester discusses the dangers of a surveillance state and suggests how to guard against it. He’s far too sanguine about either the merits of the surveillance and the ability to mitigate the dangers. I suspect that the worst revelations are yet to come.
The EU is investigating the GCHQ hack of the Belgian telecomm, Belgacom:
The executives added that the company believed it had comprehensive security systems in place to counter cyber-attacks, but had been rendered helpless by the scale of the infiltration of 124 Belgacom IT systems.
The Belgian PM, Elio Di Rupo, last month complained that the attacks amounted to an assault on the country’s integrity and promised a strong response if the perpetrators were identified.