NSA’s top hacking unit intercepts mail-order electronics, can ‘get the ungettabl

News By Graham Templeton Dec. 30, 2013 5:10 pm
Think about locking your front door. A dead-bolt is a slim bar of steel in a housing of (hopefully) heavy wood — in this era of technological wonders, you are under no illusions about the protections this provides. Whether they use an axe, a lock-pick, or a bruised shoulder, any determined person can get through that door. So, why do you lock it? Because we understand that in the vast majority of cases, all that’s needed to stop a crime is deterrence. You don’t need to make it impossible to enter your home, just too difficult to be worth the time. We all live and sleep under the knowledge that, in physical terms, we are only ever really protected from random crimes, and that if somebody wanted to get us specifically, there’s no particularly convenient way to stop them.
Until recently, the internet enjoyed a very different sort of security. In terms of electronic security, it was possible to make your communications utterly secure. There was a confidence that came with knowing that your data was philosophically safe, so much so that the most powerful super-computer couldn’t possibly break in. Thanks to the documents released by Edward Snowden, the past year has seen a series of revelations challenging the assumption of security; though the algorithms of RSA should still technically be sound, there are so many loopholes, workarounds, exploits, and back-doors as to make the mathematical security utterly meaningless. The same general principle seems to apply to the Deep Web’s supposedly anonymous Tor Network: though the security is technically secure against direct attack, creative workarounds can beat it in many cases.
The first known mention of TAO, from classified slides released by the Washington Post last month.

And yet, like locking the front door of your house, encryption is not useless. It can still protect you from malware and criminal hackers, keep you from being a victim of credit-card fraud or identity theft. It can even keep you relatively safe from passive government trolling operations — but only the passive ones. A new report from the German newspaper Der Spiegel has made this clear, laying out the capabilities of the NSA’s elite targeted hacking unit, the Tailored Access Operations unit, or TAO.
Like the physical spies you always knew could creep into your house if they truly wanted to, TAO hackers can see your information if they wish. Their mission, in the NSA’s own words, is to “get the ungettable.” This refers to the people who use encryption software religiously, even for their most boring communications, who pay shady Russian web hosts with LiteCoins and use most devices through special boot drives. According to Der Spiegel’s reporting, which surprisingly doesn’t seem derived from any Snowden-leaked documents, even these people are vulnerable to TAO. So, what possible hope do you have of keeping them out?
NSA is building enormous facilities to store unprecedented amounts of data.

TAO, which had just 60 members in 2008 but which is projected to reach 270 by 2015, certainly sets itself to challenging targets. At one point, the agency set about using the Mexican border security and counter-terrorism agency as a means of collecting information about the international drug trade — in the end, it must have simply seemed easier to secretly obtain any desired information from the Secretariat of Public Security than to ask this political ally to share that information willingly.
Among the tools available to TAO are physical taps on the backbone of the internet, amply reported a few months ago in a Snowden-born flurry of information. Spiegel’s latest report now shows that the taps extend even to physical devices, as a process referred to as interdiction sees agents snagging mail-order electronics for tampering. Malware is often installed in the system’s BIOS, beyond the reach of virus scanning software, and physical hardware can replace stock parts with versions that allow the NSA to listen in or even take control of the device altogether. When this sort of infiltration is achieved on both hardware and software, it’s almost impossible to get rid of; even formatting the HDD and reinstalling the operating system won’t get rid of it. The NSA calls this ability “persistence” and they believe it gives them all-but-unbeatable ability to spy on a target of choice. And they probably can.

All this comes from an NSA division first discovered just a few weeks ago: ANT. At this time nobody knows what the name, presumably an acronym, stands for — it’s pulled from a leaked internal document that Der Spiegel describes as a mail-order catalog for spies. The 50-page document has listings for everything from bugged monitor cables to key-loggers to fake USB drives. Ranging from a few dollars to a few hundred thousand, this is evidently a catalog used for operations large and small. ANT seems to be the agency division concerned with the manufacture of this classified spy hardware, along with the malware programs that complement them.
It’s these programs that may cause the biggest stir, though. While intercepting and tampering with mail is serious business, Spiegel’s report also reveals a number of custom back-door programs available to agents through the ANT catalog. In particular, the program Feedtrough is mentioned as a tailor-made solution for beating Juniper firewall security. All an agent need do is order and install the Feedtrough digital lock-pick to render that block utterly inert, and such an installation could happen as quickly as a man-in-the-middle attack made by posing as Google via direct taps of the internet backbone.
Lest you think that Juniper is uniquely compromised, however, it seems that NSA has specialized back-door privileges for virtually every major member of the security infrastructure, from Cisco in the US to Huawei in China. A wide array of specialized programs are available to NSA agents, each tailored to exploit the specific vulnerabilities of a specific security software suite. None of the affected companies, it seems, have willingly participated in NSA’s efforts, and all seem to have been blindsided by such a definitive statement of NSA’s ability to compromise their core products.
Boeing recently lost a contract for over $4 billion, allegedly in retaliation for NSA spying.

NSA is not making any friends. Threats to the business models of giants like Google and Microsoft have led to robustly funded opposition, while customers put significant pressure on telecom companies to resist NSA requests for information. Foreign governments are turning away lucrative industrial contracts, allegedly to punish the US for political and economic espionage. Now, the NSA is revealed to be an existential threat to mid-level security and infrastructure companies, who collectively represent a huge amount of power in the digital space. It’s becoming difficult to name an interested party who has not been motivated to oppose the NSA’s programs.
There is essentially no chance that this will end up being the final revelation about the NSA. As the news keeps piling up, along with the consequences, it may become impossible for officials to continue pretending these programs have more pros than cons. Until then, though, digital security will remain little more than a dead-bolt: a deterrent to infiltration, but in no way a guarantee.


