[TriLUG] NSA hunting and hacking sysadmins
Mark Turner
jmarkturner at gmail.com
Fri Mar 21 09:15:06 EDT 2014
Food for thought. Has the NSA pwned YOU?
Cheers,
Mark
https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/
https://firstlook.org/theintercept/document/2014/03/20/hunt-sys-admins/
Inside the NSA’s Secret Efforts to Hunt and Hack System Administrators
By Ryan Gallagher and Peter Maass 20 Mar 2014, 7:07 PM EDT
Across the world, people who work as system administrators keep computer
networks in order – and this has turned them into unwitting targets of
the National Security Agency for simply doing their jobs. According to a
secret document provided by NSA whistleblower Edward Snowden, the agency
tracks down the private email and Facebook accounts of system
administrators (or sys admins, as they are often called), before hacking
their computers to gain access to the networks they control.
The document consists of several posts – one of them is titled “I hunt
sys admins” – that were published in 2012 on an internal discussion
board hosted on the agency’s classified servers. They were written by an
NSA official involved in the agency’s effort to break into foreign
network routers, the devices that connect computer networks and
transport data across the Internet. By infiltrating the computers of
system administrators who work for foreign phone and Internet companies,
the NSA can gain access to the calls and emails that flow over their
networks.
The classified posts reveal how the NSA official aspired to create a
database that would function as an international hit list of sys admins
to potentially target. Yet the document makes clear that the admins are
not suspected of any criminal activity – they are targeted only because
they control access to networks the agency wants to infiltrate. “Who
better to target than the person that already has the ‘keys to the
kingdom’?” one of the posts says.
The NSA wants more than just passwords. The document includes a list of
other data that can be harvested from computers belonging to sys admins,
including network maps, customer lists, business correspondence and, the
author jokes, “pictures of cats in funny poses with amusing captions.”
The posts, boastful and casual in tone, contain hacker jargon (pwn,
skillz, zomg, internetz) and are punctuated with expressions of
mischief. “Current mood: devious,” reads one, while another signs off,
“Current mood: scheming.”
The author of the posts, whose name is being withheld by The Intercept,
is a network specialist in the agency’s Signals Intelligence
Directorate, according to other NSA documents. The same author wrote
secret presentations related to the NSA’s controversial program to
identify users of the Tor browser – a privacy-enhancing tool that allows
people to browse the Internet anonymously. The network specialist, who
served as a private contractor prior to joining the NSA, shows little
respect for hackers who do not work for the government. One post
expresses disdain for the quality of presentations at Blackhat and
Defcon, the computer world’s premier security and hacker conferences:
https://prod01-cdn00.cdn.firstlook.org/wp-uploads/sites/1/2014/03/defcon.png
It is unclear how precise the NSA’s hacking attacks are or how the
agency ensures that it excludes Americans from the intrusions. The
author explains in one post that the NSA scours the Internet to find
people it deems “probable” administrators, suggesting a lack of
certainty in the process and implying that the wrong person could be
targeted. It is illegal for the NSA to deliberately target Americans for
surveillance without explicit prior authorization. But the employee’s
posts make no mention of any measures that might be taken to prevent
hacking the computers of Americans who work as sys admins for foreign
networks. Without such measures, Americans who work on such networks
could potentially fall victim to an NSA infiltration attempt.
The NSA declined to answer questions about its efforts to hack system
administrators or explain how it ensures Americans are not mistakenly
targeted. Agency spokeswoman Vanee’ Vines said in an email statement: “A
key part of the protections that apply to both U.S. persons and citizens
of other countries is the mandate that information be in support of a
valid foreign intelligence requirement, and comply with U.S. Attorney
General-approved procedures to protect privacy rights.”
As The Intercept revealed last week, clandestine hacking has become
central to the NSA’s mission in the past decade. The agency is working
to aggressively scale its ability to break into computers to perform
what it calls “computer network exploitation,” or CNE: the collection of
intelligence from covertly infiltrated computer systems. Hacking into
the computers of sys admins is particularly controversial because unlike
conventional targets – people who are regarded as threats – sys admins
are not suspected of any wrongdoing.
In a post calling sys admins “a means to an end,” the NSA employee
writes, “Up front, sys admins generally are not my end target. My end
target is the extremist/terrorist or government official that happens to
be using the network some admin takes care of.”
The first step, according to the posts, is to collect IP addresses that
are believed to be linked to a network’s sys admin. An IP address is a
series of numbers allocated to every computer that connects to the
Internet. Using this identifier, the NSA can then run an IP address
through the vast amount of signals intelligence data, or SIGINT, that it
collects every day, trying to match the IP address to personal accounts.
“What we’d really like is a personal webmail or Facebook account to
target,” one of the posts explains, presumably because, whereas IP
addresses can be shared by multiple people, “alternative selectors” like
a webmail or Facebook account can be linked to a particular target. You
can “dumpster-dive for alternate selectors in the big SIGINT trash can”
the author suggests. Or “pull out your wicked Google-fu” (slang for
efficient Googling) to search for any “official and non-official
e-mails” that the targets may have posted online.
Once the agency believes it has identified a sys admin’s personal
accounts, according to the posts, it can target them with its so-called
QUANTUM hacking techniques. The Snowden files reveal that the QUANTUM
methods have been used to secretly inject surveillance malware into a
Facebook page by sending malicious NSA data packets that appear to
originate from a genuine Facebook server. This method tricks a target’s
computer into accepting the malicious packets, allowing the NSA to
infect the targeted computer with a malware “implant” and gain
unfettered access to the data stored on its hard drive.
“Just pull those selectors, queue them up for QUANTUM, and proceed with
the pwnage,” the author of the posts writes. (“Pwnage,” short for “pure
ownage,” is gamer-speak for defeating opponents.) The author adds,
triumphantly, “Yay! /throws confetti in the air.”
In one case, these tactics were used by the NSA’s British counterpart,
Government Communications Headquarters, or GCHQ, to infiltrate the
Belgian telecommunications company Belgacom. As Der Spiegel revealed
last year, Belgacom’s network engineers were targeted by GCHQ in a
QUANTUM mission named “Operation Socialist” – with the British agency
hacking into the company’s systems in an effort to monitor smartphones.
While targeting innocent sys admins may be surprising on its own, the
“hunt sys admins” document reveals how the NSA network specialist
secretly discussed building a “master list” of sys admins across the
world, which would enable an attack to be initiated on one of them the
moment their network was thought to be used by a person of interest. One
post outlines how this process would make it easier for the NSA’s
specialist hacking unit, Tailored Access Operations (TAO), to infiltrate
networks and begin collecting, or “tasking,” data:
https://prod01-cdn00.cdn.firstlook.org/wp-uploads/sites/1/2014/03/go-CNE.png
Aside from offering up thoughts on covert hacking tactics, the author of
these posts also provides a glimpse into internal employee complaints at
the NSA. The posts describe how the agency’s spies gripe about having
“dismal infrastructure” and a “Big Data Problem” because of the massive
volume of information being collected by NSA surveillance systems. For
the author, however, the vast data troves are actually something to be
enthusiastic about.
“Our ability to pull bits out of random places of the Internet, bring
them back to the mother-base to evaluate and build intelligence off of
is just plain awesome!” the author writes. “One of the coolest things
about it is how much data we have at our fingertips.”