NSA has direct access to tech giants' systems for user data, secret files reveal

Discussion in 'privacy general' started by Dermot7, Jun 6, 2013.

  1. 142395

    142395 Guest

    Why was "Russian researchers expose breakthrough U.S. spying program" locked? I think it is worth discussing separately. Anyway, I can hardly disagree with Mayahana. Many of us may think "I'm secure, safe", without knowing our hardware (possibly) has a built-in rootkit. If it communicates only when you use a web browser and that communication is embedded in usual HTTP requests, it's hard to detect. But I agree with mirimir, I shouldn't be an interesting target for such agencies by any means.
     
  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I posted here back when I first joined about where I am taking security/privacy with clients. Someone in this thread just brought it up.

    Since you can't fully validate the integrity of the overall operating system and communication protocols, it is wise to secure the important data with container security. That is, encryption of passwords, documents, photos, and other things you deem private/crucial. With a compromised OS/hard drive/Internet you are still working with 'contained' crucial data. That's why the three letter groups have a severe dislike for real encryption. If I am dealing with a client that has crucial company secrets I always tell them to encrypt the folders above all else, and then worry about additional security layers later. But a potential issue may be that when you decrypt that data it could then be compromised at the point of decryption. Now my tin foil hat gets taken out of the drawer.

    Yuki, I wonder how much of the stuff my ZyXELs were picking up is state sponsored? (if any) Since Kaspersky UTM seems quite focused on defeating advanced threats. Since ZyXEL sniffs packets, and peels injections out of packets, it can get very busy these days, and often shockingly so. Picking apart injected alterations in HTTP streams was something I noticed it doing to a major degree on my home network. I need to buy a new ZyXEL since I am exceeding 100Mbps on my connection; the USG60 was sold off, I need to pick up a USG110 or 210. I don't feel confident with Untangle on my gateway given its totally anemic IPS, and its antivirus that ONLY scans HTTP traffic rather than the actual packet stream.
     
  3. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    I think it should have been a separate thread also. Here is another article on the hard drive infection. I don't think even the hdparm command would touch this.

     
  4. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Also if you read the Kaspersky paper, you will see the spooks use .LNK to install malware on systems. Also .LNK launching from inserted USBs even with autorun disabled.

    I think we need a new thread to pull this apart, and discuss it.
     
  5. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    I wonder if a system could be infected through a Live Linux disk like Tails.
     
  6. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Good idea. I already block several million domains (Untangle WF, Untangle AB, Avast or Trend WF, Peerblock Paid on each desktop, Adguard w/enhancements). So I would expect I am already blocking most, if not all of the IPs affiliated with this spying. I will test it later.
     
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi Stefan,

    You are quite welcome! However, media reports this morning indicate that the code for these advanced malwares is planted inside of hard-drive firmware(s). I wonder if Snowden's unreleased documents have anything more to add about this topic.

    -- Tom
     
  9. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    But it should still be enough to prevent them working if they're blocked from phoning home, right?

    Edit: Ah, I see. You mean that it can bypass software layer completely?
    Damn! That's bad if it can do that!
     
  10. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    From:
    http://www.biztekmojo.com/00306/anc...iscovered-kaspersky-labs-hacking-group-may-be

    "One of the group's most recent malware components is GrayFish, which can infect the latest operating systems from Microsoft, including Windows 8, 7 and 2000 among others. It is also considered the most sophisticated compared to EquationDrug and EquationLaser.

    GrayFish hides in the infected system's registry, allowing it to stay almost invisible from detection. It uses a very complex decryption process at several stages to unpack its malicious code. It also uses an advanced bootkit that loads every time an infected system reboots. It gives the malware component complete control over the computer's operating system, considerably making GrayFish the running operating system of the computer. Should an error occur during the process, GrayFish will stop and self-destruct, leaving no trace of its existence."

    ~ Snipped as per TOS ~ :(

    Ok, so if I get infected by this monster then there is no way it can be detected?
    And the infected system's firewall/anti-virus/whatever will not help at all?

    And the only thing that could (at least in theory?) prevent this thing from phoning home is to filter and block those C&C domains and IPs (both incoming/outgoing) in the home router instead?
     
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Blocking IPs should stop most of them... However we can't guarantee some may tunnel through. I recently removed malware from the President of a major company that was using its own masked VPN to tunnel through to a C&C, hence bypassing ALL of his security protocols! Scary stuff, but I suspect it's not as rare as people think.
     
  12. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    :eek:

    Okay, now I'm even more scared. :(
     
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
  14. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Researchers Find ‘Astonishing’ Malware Linked to NSA Spying
    https://firstlook.org/theintercept/2015/02/17/nsa-kaspersky-equation-group-malware/

    The Equation Group's Sophisticated Hacking and Exploitation Tools
    https://www.schneier.com/blog/archives/2015/02/the_equation_gr.html
     
  15. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    I can't seem to find the report from Kaspersky as I would like to add the IPs to Peerblock as well.
     
  16. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,410
    Location:
    U.S.A.
    trott3r, here's the link: https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf (4.0 MB size)
     
  17. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Thanks for that, JR.
     
  18. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,410
    Location:
    U.S.A.
    trott3r, you're welcome! Take care.
     
  19. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    Kaspersky will give any usable exploit of value that they uncover to the Russian government for their use.

    All public announcements of other 'things' uncovered should be examined from the perspective of 'information operations.'
    That is all.

    -Frank
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I haven't read the Kaspersky report yet, so maybe I ought to just do that now.

    But maybe someone who has could share a little. I get that NSA defenders are styling the Equation Group's work as targeted. But what I don't get is which of the following are so: 1) the NSA is using malware and rootkit droppers to introduce modules that allow flashing HDD firmware; 2) the NSA is intercepting HDDs and flashing the firmware; 3) some mix of the first two approaches; or 4) all HDDs from affected manufacturers contain compromised firmware.

    Anyone?

    If it's the first approach, I wonder whether VMs would protect. As I understand it, VMs by default don't access HDDs directly, but rather write to virtual disk files via host modules. Generally, one can't flash HDDs from VMs, right?

    If it's the first approach, and if HDD interception and compromise are in fact targeted, couldn't one just securely (and anonymously) obtain an HDD from a relatively uninfested area, such as the US? But of course, this would be iffy, given that compromise is apparently not detectable.

    But even if it's the last approach, everything that I've seen talks about HDDs. What about SSDs? Or is that grasping at straws?
     
  21. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I just skimmed it now. (thanks for the link, I wouldn't be able to follow any of this stuff without you guys here)

    Right, the actual hardware would be safe I'd hope. I wonder if they could compromise the VM's virtual hardware and drivers though... If the VMs are running some locked down Linux/BSD, I'd think it'd be a good deterrent. That's probably a discussion that's been had a ton already, but I wouldn't know. I don't know enough about VMs to say. I don't have any examples to give.

    I have a feeling SSDs would be even easier to flash, as there are more readily available programs to do so to improve speed/fix firmware issues. But I'd also feel for the same reason that SSDs would be easier to hash check/re-flash out of warranted paranoia for everyday people. I've said before on here we'd have to have a readily available hash list of every BIOS/firmware for every device and a way to dump them, verify or even simply reflash over them all. It'd be very tedious to do so manually.

    We need that long fabled open source firmware, or the manufacturers to start making it easier to find the firmware for all of their devices. Or, I wonder if you could make all computer parts that use firmware (keyboards, mice, DVD drives, HDDs/SSDs, etc.) with a physical jumper that you'd have to set to enable flashing. https://en.wikipedia.org/wiki/Jumper_(computing)

    The one thing I don't get is how they were able to pull it all off without a user noticing a BSOD from flashing firmwares, or just other odd behavior. Or maybe there was but most didn't recognize it.
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Reading the Kaspersky report reveals the fact that a number of us on here have been suspicious of for over 10 years! For all this time, & more, we have been discussing the possibilities that "Agents" etc. could most probably infect etc. HDDs/BIOS etc. etc. Many people thought it was impossible & just SciFi etc.

    Well now we Know for a Fact that, not only was/is it possible, but it's Actually been happening for at least 14 years. Kaspersky also said that, even as early as 1996!

    Fortunately, I would think that most, if not all of us on here, would be safe from such things, as "They" are only interested in targeting certain people/data/info etc. Having said that, if all/most HDDs came pre-infected from now on, or at some point in the not too distant future, that "could" make it a lot easier for "Them" & others to try & gain access etc. to who/whatever, at will!

    Trust NOTHING!
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Maybe we'd be better off using knockoffs from China ;)
     
  24. 142395

    142395 Guest

    The problem is, if the OS, firmware, and/or BIOS is infected, all encryption conducted on them can't be reliable enough.

    As to HTTP injection, probably what I said is different. HTTP injection is a common technique used by banking malware, but what I meant is using HTTP traffic to send or receive info, so there can't be any detection unless the server is blacklisted. I mean the traffic itself is non-malicious, no different from legitimate software except it may contain a bit more info than usual. Of course the adversary can also use HTTPS so that it can't be seen unless you enable a MITM proxy on the UTM.
    MRG once conducted a test with custom malware called BABO (though I know there is some suspicion against their tests, let's forget it temporarily), and proved this technique works well as no MPS (malware protection system) could detect it, though I think endpoint products should detect it based on behavior.
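As an added illustration (not part of the post above), here are the two detection approaches the post contrasts, run over constructed proxy log lines in Python: a blocklist match, which only works when the server is already known, and a beacon check on request timing, which can flag a timer-driven poller whose server is on no list. Hostnames, the log format and the blocklist are all constructed for this example.

```python
"""Detection sketch for HTTP-carried C&C traffic (constructed example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed blocklist: placeholder name, not a real indicator.
BLOCKLIST = {"known-bad.example"}

# Constructed proxy log, "timestamp client method host path bytes":
# 10.0.0.7 polls update.example once a minute; 10.0.0.5 browses normally.
SAMPLE_LOG = """\
2015-02-17T10:00:00 10.0.0.5 GET news.example /index.html 5120
2015-02-17T10:00:00 10.0.0.7 POST update.example /api 612
2015-02-17T10:01:00 10.0.0.7 POST update.example /api 640
2015-02-17T10:02:00 10.0.0.7 POST update.example /api 618
2015-02-17T10:02:15 10.0.0.5 GET known-bad.example /c 200
2015-02-17T10:03:00 10.0.0.7 POST update.example /api 625
2015-02-17T10:04:01 10.0.0.7 POST update.example /api 633
2015-02-17T10:07:30 10.0.0.5 GET news.example /story 8800
"""

def parse_log(text):
    """Yield (timestamp, client, host) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash
        yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"), parts[1], parts[3]

def blocklist_hits(text, blocklist=BLOCKLIST):
    """Check 1: (client, host) pairs that contacted a blocklisted host."""
    return sorted({(c, h) for _, c, h in parse_log(text) if h in blocklist})

def beacons(text, min_requests=5, max_jitter=0.1):
    """Check 2: (client, host, mean_gap_s) for near-periodic contact.
    Needs >= min_requests requests whose gaps vary by at most max_jitter
    of the mean gap; bursty human browsing fails, a timer-driven poller passes."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)
    found = []
    for (client, host), stamps in times.items():
        if len(stamps) < max(min_requests, 3):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            found.append((client, host, avg))
    return found
```

Because the beacon check uses only timestamps and the destination host, it applies equally to HTTPS connection logs, where the request contents the post mentions are not visible without a MITM proxy.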
     
  25. 142395

    142395 Guest

    It's the first case. And a VM should prevent it in theory. But remember it is a targeted attack. A targeted attack is, by definition, a customized attack specifically crafted to penetrate the victim, and only the victim. I've seen many arguments that, if the victim had used product X they could have avoided infection, but it's flawed logic and forgets the targeted attack's nature. It more likely simply means the victim didn't use product X so the attacker didn't need to bypass it.
    (maybe off topic, but I tend to think a VM is actually not as secure as some people believe. They are not for security, and are sometimes even designed w/out security in mind. It's the case in VBox: not only the ASLR issue, but they don't follow a security standard process for vulnerability management (I forgot the correct name of that). And there've been at least some serious vulns in VMs which let an attacker bypass the VM, or even give system privileges on the host. A VM is a complex system w/ millions of lines of code, full of potential attack surface, but simply attacking the VM is not cost-effective for most criminals. This will be the main reason we haven't seen actual attacks against VMs.)
     