NSA installed backdoor spyware on computers, hard drives, routers, etc.
December 30, 2013
Based on several internal NSA documents, the German newspaper Der Spiegel reports that the National Security Agency installed multiple backdoors to access personal and corporate computers, hard drives, routers, switches and several other electronic devices from companies such as Cisco, Dell, HP, Western Digital, Seagate, Maxtor, Sony and Samsung.
Specifically, the TAO (Office of Tailored Access Operations) is described as a "squad of digital plumbers" that deals with hard targets-- systems that are very difficult to infiltrate.
The TAO has reportedly been responsible for accessing the protected networks of heads of state worldwide. The agency works closely with the CIA and the FBI to undertake sensitive missions, and has successfully penetrated the security of several undersea fiber-optic cables.
The TAO also intercepts the deliveries of several types of electronic equipment to plant spyware devices in an effort to gain remote access to those systems once they are delivered and become operational.
The Der Spiegel report describes a 50-page product catalog of tools and techniques that an NSA division called ANT, which stands for Advanced or Access Network Technology, uses to gain access to several devices.
This follows a report that the security firm RSA intentionally allowed the NSA to create a backdoor into its encryption tokens.
"For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA's specialists seem already to have gotten past them," the report said.
The ANT department prefers targeting the BIOS-- code on a chip on the motherboard that runs when the machine starts up. The spyware infiltration is largely invisible to other security programs and can persist if a machine is wiped and a new operating system is installed.
With the exception of Dell, the companies cited in the report and contacted by Der Spiegel claimed they had no knowledge of any NSA backdoors into their equipment.
In a blog post Sunday, a Cisco spokesperson wrote-- "At this time, we do not know of any new product security vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it."
"As we have stated before, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security back doors in our products," it added.
The NSA declined to comment on the report but said the TAO was key for national defense. "Tailored Access Operations (TAO) is a unique national asset that is on the front lines of enabling the U.S. NSA to defend the nation and its allies," the agency said in a statement.
"We won't discuss specific allegations regarding the TAO's mission, but its work is centered on computer network exploitation in support of foreign intelligence collection," the NSA added.
The end does not appear to be in sight for the revelations from the documents obtained by Edward Snowden, according to Glenn Greenwald, the journalist who first collaborated with Snowden to publish the material.
In a speech delivered by video to the Chaos Communication Congress (CCC) in Hamburg on Friday, he said, "There are a lot more stories to come, a lot more documents that will be covered. It's important that we understand what it is we're publishing, so what we say about them is accurate."
In other internet security news
In August of this year, Gibson Security, a group of freelance security vulnerability researchers, notified the image search service Snapchat that it had found serious security holes in the system that needed to be addressed quickly.
Having heard absolutely nothing back from Snapchat, the group has now released the details and some security exploit code to back up its claims.
"Given that it's been around four months since our last Snapchat release, we figured we'd do a refresher on the latest version, and see which of the released exploits had been fixed (full disclosure-- none of them)," said the group in a December 24 missive to the internet security community.
Gibson studied Snapchat's Android app, and claims to have found serious security holes in its private API-- the interface between the software and the Snapchat servers-- that enable an attacker to decode and decrypt received data and then build a database linking various users to their cell numbers.
It appears that photos sent via Snapchat are encrypted using AES and a key hardwired into the application's code, allowing anyone to decrypt and view intercepted images. But separately, DDoS (denial-of-service) attacks are also possible, we're told.
"We were able to crunch through no less than thousand phone numbers-- an entire sub-range in the American number format (XXX) YYY-ZZZZ. All that in approximately just seven minutes on a gigabit line on a virtual server," the report states.
Given some asynchronous code optimizations, we believe that you could potentially crunch through that many in as little as a minute and a half, or, in a worst case scenario, in just two minutes.
This means you'd be railing through as many as 6666 phone numbers a minute, or, in our worst case, 5000. The published exploit code can harvest these phone numbers, and a separate piece can register multiple bogus accounts for spamming purposes, we're told.
Snapchat's application allows its predominantly young user base to send pictures that can be viewed for up to ten seconds before they are permanently deleted. Given the current fad for sexting, and the ensuing moral panic that it has recently inspired, the service has a significant following among those who wish to send sleazy messages to someone.
This crucial young adult market had venture capitalists valuing the company at roughly $800 million in June 2013, although Evan Spiegel, Snapchat’s 23-year-old co-founder and CEO, reportedly turned down a $3 billion offer from Facebook and a $4 billion counter-bid offer from Chinese eCommerce conglomerate Tencent Holdings.
Snapchat's small audience might be young, but it is also very fickle, and if malware can easily use the newly released information, then those kinds of valuation numbers might fall faster than they went up in the first place.
In other internet security news
Target said earlier this morning that hackers have stolen data from some 40 million credit and debit cards of customers who visited its brick-and-mortar stores during the first three weeks of the holiday season in the second-largest such security breach reported by a major U.S. retailer.
Worse-- in terms of the speed at which the hackers were able to access large numbers of credit cards, the data theft was unprecedented.
The whole thing took place in the nineteen days from the day before Thanksgiving to Sunday, in the heart of the annual Christmas holiday sales season that is so vital to all major retailers.
Target, the number three retailer in the United States, said late Thursday that it was working with federal law enforcement and outside experts to prevent similar attacks in the future. It didn't disclose how its systems were compromised, however.
Experts said the incident couldn't have come at a worse time for Target, which is working to boost sales away from rivals in the last week of the holiday shopping season.
Several complaints from angry customers began to surface on social media as they learned of it early Thursday morning. "Most of these attacks are just a cost of doing business," said Mark Rasch, a former U.S. cyber crimes prosecutor.
"But an attack that's targeted against a major retailer during the peak of the Christmas season is much more than that because it undermines confidence," he added.
The largest security breach against a retailer, uncovered in 2007 at TJX Companies, led to the theft of data from more than 90 million credit cards over a span of about 18 months.
Since then, many companies have gotten far more adept at identifying intruders. However, criminals have responded by developing more-powerful attack strategies, spending months on reconnaissance to launch highly sophisticated schemes with the goal of extracting as much data as they can in the shortest period of time.
Investigators believe that hackers compromised software installed on point-of-sales terminals that customers use to swipe magnetic strips on cards when paying for merchandise at Target stores, according to a person familiar with the investigation but not authorized to discuss the matter.
Target warned customers in an alert on its website that the criminals had stolen names, payment card numbers, expiration dates and the corresponding 3-digit security codes from the back of the cards.
The company had identified the security breach on Sunday and had begun responding to it the same day, spokeswoman Molly Snyder said.
Krebs on Security, a closely watched security industry blog that broke the news late Wednesday evening, said the breach involved nearly all of Target's 1,797 stores in the United States.
It's not yet clear how the attackers were able to compromise point-of-sales terminals at so many Target stores. "It's very clear by now that this is a sophisticated crime, and the timing couldn't have been worse," Snyder said.
The U.S. Secret Service is working on the investigation, according to an agency spokeswoman. A Federal Bureau of Investigation spokeswoman declined to comment.
Unhappy Target customers began to weigh in early on Thursday, posting complaints on Target's Facebook page. "Thank you Target for nearly costing me and my wife our identities, we will never shop or purchase anything in your store again," said one posting.
"Shop at Target, become a target," remarked another. "Gee, thanks." JP Morgan Chase & Co, one of the biggest U.S. credit card issuers, said it was monitoring the accounts involved for suspicious activity and urged customers to contact their bank if they noticed anything unusual.
MasterCard and Visa officials had declined to comment late on Wednesday, after news of the security breach had surfaced. An American Express spokeswoman said the company was aware of the incident and was putting several fraud controls in place.
In other internet security news
A top federal judge said today that he believes the U.S. government's once-secret collection of domestic phone records is unconstitutional, setting up likely appeals and further challenges to the data mining revealed by classified documents leaker Edward Snowden.
U.S. District Judge Richard Leon said the National Security Agency's bulk collection of metadata-- phone records of the time and numbers called, without any disclosure of content-- violates privacy rights in the United States.
Leon's preliminary ruling favored five plaintiffs challenging the practice, but he limited his decision only to their case.
"I cannot imagine a more indiscriminate and arbitrary invasion of privacy than this systematic and high-tech collection and retention of personal data on virtually every citizen for purposes of querying and analyzing it without prior judicial approval," said Leon, an appointee of President George W. Bush.
"Surely such a program infringes on that degree of privacy that our own Founders enshrined in the Fourth Amendment," the judge added.
Leon's ruling said that the "plaintiffs in this case have also shown a strong likelihood of success on the merits of a Fourth Amendment claim," adding "as such, they too have adequately demonstrated irreparable injury."
Leon also noted that the government "does not cite a single instance in which analysis of the NSA's bulk metadata collection actually stopped an imminent attack, or otherwise aided the government in achieving any objective that was time-sensitive in nature."
But the judge put off enforcing his order barring the government from collecting the information, pending an appeal by the U.S. government.
The whole issue is highly controversial as both the White House and Congress have spent thousands of hours on this since the Snowden affair broke out in June 2013.
A Justice Department spokesman said Monday that "we believe the program is constitutional as previous judges have found," but said that the ruling is being studied nevertheless.
Democratic Senator Mark Udall of Colorado, a strong critic of the NSA data mining, said Leon's ruling showed that "the bulk collection of Americans' phone records conflicts directly with Americans' privacy rights under the U.S. Constitution and has failed to make us safer."
He called on Congress to pass legislation he proposed to "ensure that the NSA focuses on terrorists and spies and not innocent American civilians."
Explosive revelations earlier this year by Edward Snowden, a former NSA contractor, triggered new debate about national security and privacy interests in the aftermath of the September 11, 2001 terrorist attacks in New York and on the Pentagon.
In particular, Snowden's revelations led to more public disclosure about the secretive legal process that sets in motion the U.S. government's surveillance of its own people.
For its part, the NSA did admit that it received secret court approval to collect vast amounts of metadata from telecom giant Verizon and leading internet companies, including Microsoft, Apple, Google, Yahoo and Facebook.
The case before Leon involved approval for surveillance in April by a judge at the Foreign Intelligence Surveillance Court (FISC), a secret government body that handles individual requests for electronic surveillance for "foreign intelligence purposes."
As required, Verizon Business Network Services promptly turned over the metadata to the government. Leon's ruling comes as the Obama administration completes a review of NSA surveillance in the aftermath of the Snowden leaks.
Sources said that technology company executives would meet with President Barack Obama at the White House on Tuesday about the issue.
President Obama plans to sit down with Tim Cook of Apple and Eric Schmidt of Google, as well as executives from Microsoft, Facebook, Salesforce, Netflix and other companies.
In November, the U.S. Supreme Court refused to take up the issue when it denied a separate petition, which was filed by the Electronic Information Privacy Center. Prior lawsuits against the broader NSA program have also been unsuccessful to this date.
Just a few days after the Snowden disclosure in June, some Verizon customers filed legal challenges in the D.C. federal court. The left-leaning ACLU (American Civil Liberties Union) also filed a separate, pending suit in New York federal court.
Under the Foreign Intelligence Surveillance Act of the 1970s, the secret courts were set up to grant certain types of government requests-- wiretapping, data analysis, and other monitoring of possible terrorists and spies operating in the United States.
The Patriot Act that Congress passed after the 9/11 attacks on U.S. soil deeply broadened the government's ability to conduct anti-terrorism surveillance in the United States and abroad, eventually including the metadata collection.
In order to collect the information, the U.S. government has to demonstrate that it's "relevant" to an international terrorism investigation.
But the 1978 FISA law lays out exactly what the special court must decide-- "A judge considering a petition to modify or set aside a nondisclosure order may grant such petition only if the judge finds that there is no reason to believe that disclosure may endanger the national security of the United States, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of any person."
In defending the program, NSA Director General Keith Alexander told the Senate Judiciary Committee last week that "15 separate judges of the FISA Court have held on 35 occasions that Section 215 (of the Patriot Act) authorizes the collection of telephony metadata in bulk in support of counterterrorism investigations."
Initially, telecommunications companies such as Verizon were the targets of legal action against Patriot Act provisions. Congress later gave retroactive immunity to those private businesses.
The revelations of the NSA program and the inner workings of the FISC court came after Snowden leaked documents to the Guardian newspaper. Snowden fled to Hong Kong and then Russia to escape U.S. prosecution.
Source: Der Spiegel.