Showing posts with label surveillance.

Sunday, September 1, 2013

NSA Malware

There's a fascinating report in the Washington Post about the dimensions of US offensive cyber-operations. Here are a few excerpts.

Additionally, under an extensive effort code-named GENIE, U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control. Budget documents say the $652 million project has placed “covert implants,” sophisticated malware transmitted from far away, in computers, routers and firewalls on tens of thousands of machines every year, with plans to expand those numbers into the millions.

The documents provided by Snowden and interviews with former U.S. officials describe a campaign of computer intrusions that is far broader and more aggressive than previously understood. The Obama administration treats all such cyber-operations as clandestine and declines to acknowledge them.

and

The administration’s cyber-operations sometimes involve what one budget document calls “field operations” abroad, commonly with the help of CIA operatives or clandestine military forces, “to physically place hardware implants or software modifications.”

Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets.

The NSA unit’s software engineers would rather tap into networks than individual computers because there are usually many devices on each network. Tailored Access Operations has software templates to break into common brands and models of “routers, switches and firewalls from multiple product vendor lines,” according to one document describing its work.

The implants that TAO creates are intended to persist through software and equipment upgrades, to copy stored data, “harvest” communications and tunnel into other connected networks. This year TAO is working on implants that “can identify select voice conversations of interest within a target network and exfiltrate select cuts,” or excerpts, according to one budget document. In some cases, a single compromised device opens the door to hundreds or thousands of others.

The focus on routers, switches, and firewalls is very interesting, and it is news.  To the best of my knowledge, nothing like this is known to the computer security industry.  No doubt the NSA is careful to test its efforts first, to ensure they aren't detected.

However, the hunt will be on now.

This also suggests a new market niche: intrusion detection on these kinds of infrastructure components.  However, it's not clear that a US-based firm could be a very credible provider...

Thursday, August 1, 2013

Some Questions on XKeyscore

Glenn Greenwald at the Guardian has written another very interesting article on XKeyscore, an NSA intelligence program to search huge amounts of bulk traffic that allied intelligence agencies are collecting from around the globe.  The Guardian also made available a top-secret presentation on XKeyscore from 2008.  This represents the program as it was inherited by the Obama administration from the Bush administration.  However, comments in interviews by Edward Snowden suggest that substantially similar capabilities still exist.

I wanted to draw attention to several things in the NSA presentation that the Guardian didn't mention but that struck me as interesting (having a computer security background).  The first is this map:

Several questions arise:

Friday, June 7, 2013

Brainstorming a Few Hypotheses About Prism

So executives at major tech companies are doubling down on the denials that they know anything about PRISM, including Larry Page and Mark Zuckerberg.  My first assumption was that the denials were legally compelled by the very orders under which they provided the data.  However, after the Obama administration had confirmed the program's existence, there would be little incentive for CEOs to personally continue to dispute the facts.  So what's going on here?  I don't know, but here are all the hypotheses I can come up with:
  • The tech executives do know about PRISM (in fact if not by name) but are continuing to deny it in the hopes of muddying the waters and limiting the damage to their companies' brands internationally (this doesn't seem like it would be very smart given that more revelations seem likely, but it's at least a logical possibility).
  • The tech companies have employees with clearances who have implemented PRISM at the behest of the government, and non-cleared executives, including CEOs, genuinely don't know what's occurring.  If so, they are going to be outraged, and with every right.
  • The NSA has gained access to the companies' internal data via some third party (e.g. a telco provider to the tech companies, or a hardware or operating system vendor who has provided equipment with a backdoor).
  • The NSA has used technical means to break into the tech companies and install monitoring systems without their knowledge or permission (much as China has been trying to do).
  • The reporting by the Washington Post and the Guardian mischaracterized PRISM, and for some hard-to-imagine reason, the administration has decided to confirm it rather than correct it or deny it.
I have to say that any of these would be fairly breathtaking.  I await further revelations with great interest.  I have a feeling there are a lot more shoes still to drop here.

Oh, as an aside, the Guardian is reporting from a supposedly knowledgeable US intelligence source that "We hack everyone everywhere. We like to make a distinction between us and the others. But we are in almost every country in the world."  If that's true, not very much of it has been brought to light by the commercial security industry, suggesting that there are some interesting techniques in need of discovery.

US Exports and PRISM

It appears to me that the new revelations about the PRISM program are likely to hurt US commerce over time.  If I'm a buyer at a non-US company and I'm contemplating putting my data on Amazon's cloud, using Google Docs, buying a Cisco router, even installing Microsoft Windows on my PCs, I now have to assume that the US company I want to do business with is in bed with the NSA.  I have to assume that my enterprise data, my employees' personal data, etc., may be compromised by this new equipment or software.  The companies' denials clearly mean nothing (since the government has now confirmed PRISM, thereby making liars of them all).  All foreigners have to assume that anything they share on Facebook, send in a Gmail, say on a Skype call, etc., could be inspected by US intelligence.

In the short term, this will likely have little effect, since people will have limited choice, and it will take a while for the culture to shift.  But in every internal debate about whether to use the American solution or some other homegrown option, this information is going to put a finger on the scale.  Foreign governments are now going to have excellent reasons to promote and protect their homegrown software and equipment industries, since they know they can trust them.  It will take years or even decades for this to play out, but "Made in America", or at least "Designed in California", just took a massive hit to the brand.