hacking tools – Techdirt

Stories filed under: "hacking tools"

Report Says CIA's Hacking Unit — Home To The Vault 7 Exploits — Deployed Almost No Internal Security Measures

from the no-one-would-dare-cross-the-CIA...-would-they? dept

More details about the leak of CIA hacking tools are coming to light. And they’re not making the CIA look any more deserving of its “Intelligence” middle name.

The “Vault 7” leak detailed the CIA’s exploits — ones targeting cellphones and a variety of smart devices. Encryption still works, but only on devices that remain uncompromised by exploits. Since these devices weren’t, encryption won’t stop agencies like the CIA from intercepting communications or inserting themselves into private conversations.

The prosecution of the accused Vault 7 leaker has been a nightmare of its own, with the government having difficulty pressing its case even as it uncovers evidence the leaker continued to leak sensitive information after being incarcerated.

The latest report, by Ellen Nakashima and Shane Harris of the Washington Post, shows the CIA was far more interested in developing tech weapons than ensuring its hoard of exploits remained in its possession.

The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency’s elite computer hackers “prioritized building cyber weapons at the expense of securing their own systems,” according to an internal report prepared for then-director Mike Pompeo as well as his deputy, Gina Haspel, now the current director.

[…]

The October 2017 report by the CIA’s WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were “woefully lax” within the special unit that designed and built the tools, the report said.

Information wants to be leaked, apparently. Maybe not innately, but when the culture says the best defense is a good offense, chances are sensitive tools and tech are going to go wandering off.

The CIA knows how exploitable pretty much everything is. That it deployed nearly no security measures to ensure its exploit stash remained on the premises is an indictment of every bureaucracy that thinks merely being a big government agency will deter people — both on the inside and outside — from screwing with it. According to this report, the CIA didn’t even employ bush-league, mom-and-pop-store-level security measures. There was no compartmentalization of tech exploits, no prevention of sharing of administration-level passwords, and no controls placed on use of removable media. There was also no monitoring of this network, which has prevented the CIA from determining the size of the breach or enumerating what was actually taken.

This crucial job was outsourced, which apparently contributed to the problem. The job was too important to be left undone. But the CIA apparently didn’t feel it was important enough to handle itself so it gave it to someone else, resulting in this:

The computer network was maintained by contractors, the former official added. “There was a misunderstanding between the people who ran the unit and people who ran and maintained the network.”

Give an agency more money than oversight and it can perform any task poorly. Exploits are truly useful but they’re only useful if they remain undisclosed and unpatched. Treating security cavalierly has paid off about as well as anyone outside the agency would have imagined. The tools were leaked. Only after that did anyone decide to check the latches on the Vault’s doors. Proactive is better than reactive, as any intel operative should know. While this may be a great way to inadvertently comply with the Vulnerability Equities Process, it’s no way to run an intel agency’s tech black ops program.

Filed Under: cia, hacking tools, security, vault 7, vault7

DOJ's First Attempt To Prosecute Accused Vault 7 Leaker Ends In A Mistrial

from the if-at-first-you-fuck-things-up... dept

The DOJ has taken an open-and-shut espionage case and managed to somehow misplace the back cover. Does this say something about the unintended consequences of charge-stacking? Maybe. Whatever it is, it isn’t pretty.

The case against alleged Vault 7 leaker Joshua Schulte seemed pretty airtight, especially when Schulte continued to leak sensitive documents while behind bars, as well as attempting to rope his family into committing contempt of court violations on his behalf.

He also, as Marcy Wheeler pointed out, gave the government pretty much everything it wanted or needed, but the DOJ’s prosecutors failed to present evidence in a coherent way, resulting in a whole lot of juror confusion.

According to InnerCity Press (virtually the only press covering the Schulte verdict watch), by end of day today the jurors had sent out 25 notes, most questions but also problems with two of the jurors. At the end of the day they told the Court they “aligned” on two of the charges, but were at an impasse on the other. Given that there’s slam dunk evidence that he committed the least serious crimes (false statements and contempt), that suggests at least some members of the jury have reasonable doubt that the guy who wrote a virtual signed confession to committing the most damaging leak in CIA history actually did so.

The verdict is now in, what there is of it. The case initially involved charges ranging from false statements to CFAA violations to copyright infringement (!) to child porn possession (!!!). Barely any of those charges have survived. A mistrial has been declared with jurors only finding Schulte guilty on the two least serious charges: false statements and contempt. Those won’t be enough to keep him in jail since he’ll likely be credited with time served. Schulte has been in jail since December of 2018.

This doesn’t mean it’s over. Marcy Wheeler says the government will very likely take another stab at presenting a coherent case.

The two sides will have a conference on March 26 to decide what to do. The government will certainly push to retry Schulte; Sabrina Shroff [Schulte’s lawyer] asked for an extended deadline to file motions. She may try to do something further about the government’s late notice that Michael, a key witness, got put on paid leave last August (though the government has argued compellingly that Michael’s underlying lack of candor has been noticed to the defense throughout). She also may make yet another bid to get more access to the forensics, something I’ve argued that the government should have permitted in the first place.

The mistrial declaration is a credit to Shroff, who performed the unenviable task of shepherding an extremely unhelpful client through a federal espionage prosecution. Facing espionage charges drastically reduces a defendant’s options. Drawing additional judicial scrutiny by attempting to leak sensitive material while incarcerated and spending your free time openly insulting the FBI and federal prosecutors isn’t a course of action recommended by anyone.

Prosecutors needed to present a case containing a wealth of technical detail to jurors with clarity and conciseness. The twenty questions given to the judge by jurors a few days before the mistrial declaration showed the jury still remained confused about the facts of the case and, in a couple of instances, focused on information that had little to do with the criminal charges they were deliberating.

The government may get more charges to stick the second time around. But this initial failure is an indictment of the prosecution and its apparently misplaced confidence that the evidence spoke for itself. When you have to prove something beyond a reasonable doubt, quantity is no replacement for quality. As for Schulte, he’s still at the DOJ’s mercy until it exhausts its prosecutorial options. This isn’t going to work out well for Schulte, who’s shown he’s unable to quietly bide his time and capitalize on the government’s missteps. He seems compelled to make things worse for himself during his unfortunately ample downtime.

Filed Under: doj, espionage, hacking tools, joshua schulte, leaks, mistrial, vault 7

Gov't Says Accused CIA Hacking Tools Leaker Leaking Even More Classified Info From Behind Bars

from the I-guess-he's-just-on-a-roll... dept

The DOJ is still waiting for accused Vault 7 leaker Joshua Schulte’s trial to begin, but that’s not stopping it from adding to the long list of charges he already faces. The former NSA/CIA operative’s house was raided last year by the feds, who were looking for evidence of Schulte’s leak of CIA hacking tools to Wikileaks. It found some of that, but also found 10,000 child porn images in the 5+ terabytes of data seized.

The child porn alone will likely see Schulte put away for a long time if the prosecution can secure a conviction. Leaking top secret tools isn’t likely to be greeted with a wrist slap — not with the forever War on Leakers still in progress. For some reason, the government felt compelled to add copyright infringement to the list of charges after discovering a few pieces of pirated content on Schulte’s personal server.

Schulte — who is locked up in a New York detention facility until he goes to trial — must figure he has nothing to lose. That’s one conclusion that can be drawn from the latest set of charges being brought by the DOJ. (via Slashdot)

According to new court documents filed late Wednesday, October 31, US prosecutors plan to file three new charges against Joshua Schulte for allegedly leaking more classified data while in detention at the New York Metropolitan Correctional Center (MCC).

The filing [PDF] is quite the read. According to the allegations, Schulte had access to multiple smuggled cellphones and was using them to disseminate classified info to “third parties” outside the prison walls. It appears the info Schulte smuggled out of the prison came from classified documents released to him as part of his pre-trial discovery. The DOJ has now stripped him of access to classified documents, restricting him to unclassified info released by the FBI.

A flurry of paperwork and a search of Schulte’s housing unit turned up a number of things, including a new form of encryption.

In or about early October 2018, the Government learned that Schulte was using one or more smuggled contraband cellphones to communicate clandestinely with third parties outside of the MCC. The Government and the FBI immediately commenced an investigation into Schulte’s conduct at the MCC. That investigation involved, among other things, the execution of six search warrants and the issuance of dozens of grand jury subpoenas and pen register orders. Pursuant to this legal process, in the weeks following the Government’s discovery of Schulte’s conduct at the MCC, the FBI has searched, among other things, the housing unit at the MCC in which Schulte was detained; multiple contraband cellphones (including at least one cellphone used by Schulte that is protected with significant encryption); approximately 13 email and social media accounts (including encrypted email accounts); and other electronic devices.

Given the FBI’s recent history, it probably should be more careful when it discusses encryption. A few years of “going dark” narrative was upended by the agency itself, which revealed it could not competently count physical devices in its possession. The ever-inflating number of impenetrable devices was suddenly, and embarrassingly, converted to an asterisk on multiple FBI/DOJ webpages with footnotes stating an updated number would be provided at the agency’s convenience.

Now, there’s this: a DOJ prosecutor relaying the FBI’s message about “significant” encryption — whatever the hell that is — to the federal judge presiding over the case. What makes this particular encryption “significant” isn’t explained, but it does seem to make this encryption appear far more nefarious than the regular, insignificant encryption used by citizens not currently under federal indictment.

Three more charges are headed Schulte’s way, all of them related to unlawful disclosure of classified documents. This isn’t charge stacking — not if the government’s allegations are true — but it could definitely nudge Schulte towards a plea deal that will save the DOJ a lot of time, energy, and arguments over presenting sensitive information in open court.

Then again, Schulte appears to be anything but cooperative. Leaking classified documents directly under the feds’ noses while in supervised detention is a bold move that bears a lot of resemblance to a middle finger extended in the direction of the government. This may end up being a very fun trial to watch.

Filed Under: cia, doj, encryption, hacking tools, joshua schulte, leaks, vault 7
Companies: wikileaks

from the kitchen-sink-prosecution dept

The US government has taken down another alleged leaker. Joshua Schulte, a former NSA and CIA operative, had his apartment raided by the feds last March. The raid targeted documents showing Schulte had leaked CIA hacking tools to Wikileaks (the “Vault 7” collection). But it uncovered a whole lot of child porn — 10,000 images on Schulte’s personal computer and his file-sharing server that held another 5 terabytes of data.

The first criminal complaint [PDF] by the DOJ contained nothing but child porn charges. It suggests the former government spook didn’t practice much opsec when not on the clock. One IRC chat shows Schulte’s aware encryption is sometimes only a temporary deterrent if the government really wants to find out what’s been sent or shared. But then he apparently went on to provide the government with some easily-accessible evidence.

Based on my review of those Google Searches, I have learned, among other things, that on a number of occasions in or about 2011 and in or about 2012, SCHULTE appeared to search the Internet for child pornography. For example: (i) on or about April 9, 2011, SCHULTE conducted a Google Search for “child pornography” on at least three occasions; (ii) on or about October 15, 2011, SCHULTE conducted Google Searches for “movie where father videos daughter and friend sex” and “movie where father videos child porn”; and (iii) on or about May 15, 2012, SCHULTE conducted a Google Search for “female teenage body by year.”

The recently-released superseding indictment [PDF] really starts stacking the charges. In addition to the child porn charges carried over from the original complaint, the government adds charges related to the leaked hacking tools, including unauthorized access with the intent of gathering classified info and theft of government property.

Then the charges get interesting. Schulte is charged with “causing transmission of a harmful computer program” for allegedly altering an intelligence agency “computer system” to give himself access to restricted areas of the system and cover up any evidence he had accessed these files. Apparently, this alteration resulted in other users being denied access.

There’s the expected “lying to the feds” charges (making false statements, obstruction of justice) which show Schulte was very cooperative when being questioned about the child porn but apparently not so much when asked about purloined CIA data.

Rolling past the copy-pasted child porn charges, one reaches the most unexpected charge in the indictment: criminal copyright infringement.

From at least in or about September 2015, up to and including at least in or about August 2017, in the Southern District of New York and elsewhere, JOSHUA ADAM SCHULTE, the defendant, unlawfully, willfully, and knowingly did infringe copyrights by the reproduction and distribution, including by electronic means and by making it available on a computer network accessible to members of the public, during a 180-day period, of ten and more copies and phonorecords, of one and more copyrighted works, which had a total retail value of more than $2,500, to wit, without authorization, SCHULTE maintained a computer server that housed thousands of copyrighted movies, television shows, and audio recordings, which SCHULTE shared with others by electronic means and using the Internet.

This appears to refer to the server Schulte set up for IRC chat buddies. It’s mentioned in a couple of chat transcripts and was, until 2017, accessible at cryptm.org. There’s plenty archived at the Wayback Machine [click at your own risk, I suppose] but this server seems to be the source of the copyright infringement charge. Whether or not any of these files were actually downloaded isn’t clear, but they were uploaded and accessible to site visitors. This short list of a small portion of the files hosted by Schulte on his server was put together by Jason Koebler and Lorenzo Franceschi-Bicchierai of Motherboard.

An archived version of his page there shows that he had files related to chess, an episode of South Park, a copy of The 40 Year Old Virgin, textbooks, C Programming textbooks, and a folder called “Facebook Convos.”

Speaking of Facebook, Schulte was apparently maintaining a diary of his criminal justice system experience. (Spoiler alert: it’s unpleasant and broken.) The documents are worth reading for a firsthand look at the federal arraignment process and the unpleasant realities of being sentenced to house arrest (with no internet access privileges) while still supposedly an “innocent” person in the eyes of the Constitution. It does get a little weird when he claims he’s only been charged with “victimless” crimes given what he’s been charged with (leaking CIA hacking tools, child porn). But nothing’s been proven beyond a reasonable doubt at this point, so maybe only the copyright infringement charge will make the final cut.

As Parker Higgins points out on Twitter, this supremely weird addition should be viewed with apprehension. Copyright infringement happens all the time. Much of it has zero profit motive, but the government is apparently more than willing to selectively enforce this law if it seems it might push someone towards a plea deal and save it the trouble of having to prove its case.

Filed Under: child porn, cia, copyright, hacking tools, joshua schulte, leaks, nsa, vault 7

Leaked NSA Hacking Tool On Global Ransomware Rampage

from the who-trusts-the-nsa? dept

Welp. What was that we were saying about the problems of the NSA creating hacking tools that leak, rather than helping patch security flaws? Oh, right. That it would make everyone less safe.

And here we are. With a global ransomware rampage, referred to as “WannaCry” putting tons of people at risk, thanks to leaked NSA malware:

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks — which has been spotted in tens of thousands of incidents in 99 countries, according to the cyber firm Avast — has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

Specifically, it appears that the ransomware is using an NSA tool called ETERNALBLUE, which was leaked in April by Shadow Brokers. This was among those that were quietly patched by Microsoft back in March, but not everyone installs security patches in a timely manner. Indeed, as some are reporting, some of the victims — including the National Health Service Hospitals in the UK — are running ancient Windows XP, an operating system that is not even remotely secure, and is no longer supported.

Thus, there’s some debate online about whether the “problem” here is organizations who don’t upgrade/patch or the NSA. Of course, these things are not mutually exclusive: you can reasonably blame both. Failing to update and patch your computers is a bad idea these days — especially for large organizations with IT staff who should know better.

At the same time, the fact that this hack is built off of a leaked NSA hacking tool highlights a couple of key points:

  1. The NSA’s dual-hatted offensive & defensive structure is damaging: The NSA plays both offense and defense on computer security. That is, it is supposed to hack into other systems, but also help protect our systems. But it’s quite clear that the offensive capabilities are valued much more than the defensive ones — and that’s a problem. Once again, it appears that people in the intelligence community are not doing a clear cost-benefit analysis of the tools that they use. They like their toys, but they rarely seem to take into consideration what happens should those toys get out.
  2. Once again, this reinforces why we should not allow backdoors to encryption or any other such vulnerability. Over and over again, the proponents of backdooring encryption have insisted that it can be built in a “safe” way, where only government will get the backdoor access to encryption. The fact that some of the NSA’s most powerful hacking tools have not only been leaked but are now wreaking havoc around the world, should put a complete end to the “going dark” debate. But it won’t. It’s not safe, but many in the law enforcement community, in particular, are in denial about this.

These problems are not new. Hell, we’ve been talking about both of them for the better part of a decade already. But this rapid spread of WannaCry is putting an exclamation point on those arguments. Unfortunately, the cynical side of my brain says this warning will still be ignored.

Filed Under: hacking tools, malware, nhs, nsa, ransomware, shadow brokers, wannacry

Personal Security Takes A Hit With Public Release Of NSA's Hacking Toolkit

from the national-security-still-healthy,-but-always-worth-panicking-over dept

Former members of Team Espionage recently expressed their concern that the Shadow Brokers’ dump of NSA Windows exploits had done serious damage to the security of the nation. The unwanted exposure of NSA power tools supposedly harmed intelligence gathering efforts, even though the tools targeted outdated operating systems and network software.

However, there are still plenty of computers and networks online using outmoded software. This makes the released exploits a threat (especially those targeting XP users, as that version will never be patched). But not much of a threat to national security, despite the comments of anonymous former Intelligence Community members. It makes them a threat to personal security, as Chris Bing at CyberScoop points out:

One of these hacking tools, a backdoor implant codenamed DOUBLEPULSAR — which is used to run malicious code on an already compromised box — has already been installed on 30,000 to 50,000 hosts, according to Phobos Group founder Dan Tentler. Other researchers have also engineered different detection scripts to quickly scan the internet for infected computers.

John Matherly, the CEO of internet scanning-tool maker Shodan.io, said that upwards of 100,000 computers could be affected.

Rather surprisingly, data gathered by security researchers shows a majority of the infected computers are in the United States. This shows Microsoft’s steady updating push still faces a sizable resistance right here at home. What it also shows is how fast exploits can be repurposed and redeployed once they’re made public. The scans for DOUBLEPULSAR have turned up thousands of hits worldwide.

DOUBLEPULSAR is simply a backdoor, but an extremely handy one. Once installed, it makes targeted computers extremely receptive to further malware payloads.

“The presence of DOUBLEPULSAR doesn’t mean they’re infected by the NSA, it means there is a loading dock ready and waiting for whatever malware anyone wants to give it,” Tentler said. “The chances are none that all these hosts [were hacked by] the NSA.”

So, there’s that small bit of comfort. It’s not the NSA nosing around the innards of your Windows box, but a bunch of script kiddies playing with new toys… adding them to the normal rolls of malware purveyors seeking to zombify your device and/or make off with whatever information is needed to open fraudulent credit card accounts or whatever.

The NSA certainly could have informed Microsoft of these exploits before it ended support for certain platforms, thus ensuring late- (or never-) adopters were slightly more protected from malware merchants and state agencies. But that’s the Vulnerabilities Equity Process for you: no forewarning until a third party threatens to turn your computing weapons over to the general public.

Filed Under: exploits, hacking tools, privacy, security, shadow brokers

Former Spies' Dubious Claim: Release Of NSA's Windows Exploits Has Seriously Harmed National Security

from the protesting-a-bit-much dept

The Shadow Brokers’ attempted firesale of NSA exploits didn’t go well. After early leaks failed to pique buyers’ interest, SB decided to start handing over the agency’s hacking tools to the general public.

The most recent dump was the most interesting. It contained a variety of remote access exploits — several of them zero days — that gave NSA operatives “God mode” control over compromised computers with fairly-recent versions of the Windows operating system.

But they were of limited use. The most recent exploitable version was Windows 8, and every version still supported by Microsoft was patched before the SB dump, most likely as the result of a belated tip from the NSA. However, older operating systems without Microsoft support are still exploitable, and will remain exploitable until those systems are updated.

Now that most of the stash is out in the open, the Intelligence Community is able to do two things:

1. Determine who is responsible for the leaked toolset.

2. Complain about it.

The latter appears to be what’s happening now. A few (anonymous) former members of the Intelligence Community are talking up what a horrible blow this is to the NSA.

Although digital exploits are used for spying rather than destruction, they allow operators to break down invisible doors, pilfering information. Seeing these latest tools published online was “devastating,” the former cyber intelligence employee said.

Three recently retired intelligence employees who worked on hacking tools for the government requested anonymity in order to speak freely about sensitive matters and to protect ongoing work and employability.

“By my estimation, there’s not much left to burn,” another former intelligence official who worked for several three-letter agencies told Foreign Policy. “The tools that were released were pretty critical.”

Supposedly, this set of tools was worth millions of dollars to the NSA. If market prices in Bitcoin are anything to go by, criminals and foreign espionage agencies didn’t appear to feel they were worth much more than a few thousand dollars. Of course, potential buyers didn’t know exactly what they were getting. Others probably figured the exploits would be patched into irrelevance by the time they got their hands on them.

The “sky is falling” narrative tends to follow every leak of national security documents, starting with Snowden’s, which damaged the NSA so much it’s in better shape than ever. There may have been some valuable tools in the SB stash, but the moment they ended up in someone other than the NSA’s hands, they became relatively worthless to the agency.

But what was released, however powerful, was outdated. The stash appeared to be a 2013 vintage — valuable in its prime, but no longer quite as useful after Microsoft’s forced migration of Windows users to version 10. The NSA is undoubtedly sitting on a stash of current exploits far more valuable than what it lost when someone left a bunch of hacking tools behind in a compromised server.

The public gnashing of natsec teeth also serves another purpose: it hopefully encourages surveillance targets to let their guard down a bit. By projecting the image of an intelligence agency fumbling around in the dark, the agency can very likely obtain a few new intercepts from careless foes it catches relaxing.

Filed Under: exploits, hacking tools, leaks, national security, nsa, surveillance

NSA Zero Day Tools Likely Left Behind By Careless Operative

from the opsec-only-works-if-you-do-it-100%-of-the-time dept

More information is surfacing on the source of the NSA’s hacking tools discovered and published by the Shadow Brokers. Just as Ed Snowden pointed out shortly after the tools first appeared online, the problem with sticking a stash of hacking tools on equipment you don’t own is that others can access the tools, too… especially if an operative doesn’t follow through on the more mundane aspects of good opsec.

Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed. Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy.

Reuters has exclusive (but anonymous) interviews with personnel involved in the investigation which indicates other, more exculpatory theories are likely wrong.

Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.

But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews.

NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.

And what a mistake it was. Tools purchased or developed by the NSA’s Tailored Access Operations (TAO) are now — at least partially — in the public domain. The other aspect of this unprecedented “mistake” being confirmed is the fact that the NSA couldn’t care less about collateral damage.

That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.

Three years of unpatched holes, one of them a zero day that affects a great deal of Cisco’s networking equipment. Not only was TAO’s operation security compromised, but so were any number of affected products offered by US tech companies.

However, investigators are still looking into the possibility that the tools were left behind deliberately by a disgruntled TAO operative. This theory looks far better on the NSA than another theory also being examined: that multiple operatives screwed up in small ways, compounding each other’s mistakes and (eventually) leading to a public showing of valuable surveillance tools.

As for the official, on-the-record comment… no comment. The FBI and Director of National Intelligence declined to provide Reuters with a statement.

The NSA has long refused to acknowledge the inherent dangers of hoarding exploits and deploying them with little to no oversight. It’s unclear whether this incident will change this behavior or make it a more-forthcoming partner in the Liability Equities Process. What it has proven is that the NSA makes mistakes like any other agency — whether the tools were left behind accidentally or deliberately. It’s just that when the NSA screws up, it exposes its willingness to harm American tech companies to further its own intelligence needs.

Filed Under: carelessness, hacking tools, nsa, surveillance, zero day

Ed Snowden Explains Why Hackers Published NSA's Hacking Tools

from the you-break-many-things. dept

Yesterday, the news broke that a “mysterious” hacking group had gotten its hands on some NSA hacking tools and was releasing some of the tools as proof (it was also demanding lots of Bitcoin to reveal more). The leak came with a neat little message that feels like it was written by a Hollywood script writer trying to sound Russian.

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

You break many things indeed! (For what it’s worth, it appears that GitHub and Tumblr both killed the accounts where whoever hacked this stuff first posted it).

The files that were leaked were mostly installation scripts, but also exploits designed for specific routers and firewalls. And, it’s noted, some of the tools named line up with previously leaked NSA codenames. One other interesting point from the Motherboard link above: the files are a bit dated:

The most recent file is dated June 2013, though the hackers could have tampered with the dates. Dmitri Alperovitch, the co-founder of security firm CrowdStrike, theorized that “the leakers were probably sitting on this information for years, waiting for the most opportune time to release.”

Of course, June 2013 is interesting for another reason. That’s when Ed Snowden passed on his documents to a small group of reporters and the very first stories based on the Snowden leaks started. So it seems noteworthy that Snowden has put together a bit of a tweetstorm for his take on the hack and release of the hacking tools. To make it easier to read, we’ve put it all together here:

The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here’s what you need to know:

NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals. NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations. This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future.

Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed. Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy.

What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack. Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here’s why that is significant: This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

TL;DR: This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution – it’s cheap and easy. So? So… The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

You’re welcome, @NSAGov. Lots of love.

Sure, it’s speculation, but it’s pretty informed speculation and it makes a lot of sense. There’s still plenty of talk about what to do about the DNC hack, and we’ve talked about “cybersecurity firms” (who profit from FUD and scare stories) arguing that we should “declare cyberwar” on Russia based on loose attribution. But, as Snowden notes, this hack and partial release could very well be a warning shot that escalation won’t end up looking good for the US if they go that route.

Filed Under: dnc hack, ed snowden, equation group, hacking tools, malware, nsa, surveillance

Hacking Team Hacked: Documents Show Company Sold Exploits And Spyware To UN-Blacklisted Governments

from the I-would-imagine-there-are-plenty-of-new-openings-on-its-appointment-calendar dept

Hacking Team — purveyor of exploits and spyware to a variety of government agencies all over the world — has been hacked. Late Sunday night, its Twitter account name was changed to “Hacked Team” and its bio to read:

Developing ineffective, easy-to-pwn offensive technology to compromise the operations of the worldwide law enforcement and intelligence communities.

Whoever’s behind this (no group has claimed responsibility yet) has repurposed the official Hacking Team Twitter feed to send out screenshots of incriminating information it/they have uncovered. For those who want to take a look themselves, the liberated documents can be torrented. Here are two places the torrent file can be picked up. (CAUTION: Actual file is 400 GB, so use a robust client and check your drive[s] for free space…) [And, if those go down, I’ve also stashed the torrent file here.]

What has been exposed so far shows Hacking Team has been lying about its business partners. It claims to only sell to NATO partners and blacklists oppressive governments. But its “Customer” Wiki appears to show that it counts such countries as Kazakhstan, Sudan, Russia, Saudi Arabia, Egypt and Malaysia as partners.

Screenshots of emails accessed by Hacking Team’s hackers show the company circumventing local regulations and restrictions on the export of exploits and spyware by using third-party resellers.

If you can’t see/read the screenshot, here’s the pertinent information. The email subject is “Remote Control Davinci System Into Nigeria.” Underneath that is the proposed third-party process for sneaking Hacking Team’s “Davinci” past import/export restrictions:

Commissions and meeting:

Being an Italian company, we are following the guidelines of our exterior ministry.

Understanding that this is an uncommon circumstance, this is what we are proposing:

HackingTeam will sell directly to your company and then TunsmosPetroleum will add its own mark up. The price you will purchase from us will include a discount on the list price as a compensation for the 1st meeting/demo in Milan and the training (in Milan as well) after the sale.

Other screenshots further confirm Hacking Team’s efforts in forbidden markets. One shows the company dealing with a “Sudan Citizen Lab request,” suggesting its end user(s) are uncomfortable with the investigative activities CL is performing.

ACLU technologist Chris Soghoian has taken a look at the files and uncovered even more incriminating information, including Hacking Team’s stonewalling of a UN investigation into its sales in Sudan. This investigation is the direct result of Citizen Lab’s investigative work. According to the files viewed by Soghoian, Hacking Team has denied any “current sales relationship” with Sudan, at least in terms of selling the sort of weaponized software forbidden by multiple treaties and UN resolutions. It claimed the software isn’t weaponized tech. The UN disagreed.

Your letter 1029 of 13 March 2015 also stated that the company did not consider the Remote Control Software to be a weapon, and therefore fell outside the parameters of the sanctions regime. The view of the Panel is that as such software is ideally suited to support military electronic intelligence (ELINT) operations it may potentially fall under the category of “military… equipment” or “assistance” related to prohibited items…

There’s still plenty more to be uncovered in the document dump. Soghoian has already uncovered a spreadsheet listing every government customer, along with revenue to date.

Whatever happens from here on out should prove very interesting. Hacking Team is in for the longest Monday ever.

Filed Under: citizen lab, governments, hacking team, hacking tools, sudan, un
Companies: hacking team