NSA Malware

There's a fascinating report in the Washington Post about the dimensions of US offensive cyber-operations. Here are a few excerpts.

Additionally, under an extensive effort code-named GENIE, U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control. Budget documents say the $652 million project has placed “covert implants,” sophisticated malware transmitted from far away, in computers, routers and firewalls on tens of thousands of machines every year, with plans to expand those numbers into the millions.

The documents provided by Snowden and interviews with former U.S. officials describe a campaign of computer intrusions that is far broader and more aggressive than previously understood. The Obama administration treats all such cyber-operations as clandestine and declines to acknowledge them.

and

The administration’s cyber-operations sometimes involve what one budget document calls “field operations” abroad, commonly with the help of CIA operatives or clandestine military forces, “to physically place hardware implants or software modifications.”

Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets.

The NSA unit’s software engineers would rather tap into networks than individual computers because there are usually many devices on each network. Tailored Access Operations has software templates to break into common brands and models of “routers, switches and firewalls from multiple product vendor lines,” according to one document describing its work.

The implants that TAO creates are intended to persist through software and equipment upgrades, to copy stored data, “harvest” communications and tunnel into other connected networks. This year TAO is working on implants that “can identify select voice conversations of interest within a target network and exfiltrate select cuts,” or excerpts, according to one budget document. In some cases, a single compromised device opens the door to hundreds or thousands of others.

The focus on routers, switches, and firewalls is very interesting and news.  To the best of my knowledge, nothing like this is known to the computer security industry.  No doubt the NSA is careful to test its efforts first, to ensure they aren't detected.

However, the hunt will be on now.

This suggests also a new market niche doing intrusion detection on these kinds of infrastructure components.  However, it's not clear that a US based firm could be a very credible provider...

Some Questions on XKeyscore

Glenn Greenwald at the Guardian has written another very interesting article on XKeyscore, an NSA intelligence program to search huge amounts of bulk traffic that allied intelligence agencies are collecting from around the globe.  The Guardian also made available a top-secret presentation on XKeyscore from 2008.  This represents the program as it was inherited by the Obama administration from the Bush administration.  However, comments in interviews by Edward Snowden suggest that substantially similar capabilities still exist.

I wanted to draw attention to several things in the NSA presentation that the Guardian didn't mention but that struck me as interesting (having a computer security background).  The first is this map:

Several questions arise:

Snowden and the Toxicity of the Internet

I think we are still operating with very partial information here.  Glenn Greenwald has promised that he has thousands of documents from Snowden still, dozens of which are newsworthy.  It's still very unclear how Snowden came to have access to the documents he seems to have, who he really is, whether his testimony is 100% accurate, or where he has gone now.  I assume a lot more will come out in coming days and weeks.

With that caveat, here are a few thoughts: this case illustrates some long-standing concerns I have about the direction of society.