|
|
Line 1: |
Line 1: |
− | This page lists teoretical defenses and detection methods for a selected group of leaked surveillance programs and services. This is just a thought experiment covering theoretical defenses against these attacks and not intended to spread fear, uncertainty or doubt about surveillance states.
| |
| | | |
− | Due to the age and limited scope of the leaked documents and what we are up against <ref>Cryptome: Communications privacy folly http://cryptome.org/2012/06/comms-folly.htm
| |
− | </ref>, the defenses mentioned in these tables should not be relied upon for protection and I make no guarantees to their accuracy. You need to do research in your own environment as to what new developments are and make informed decisions knowing it is impossible to be completely safe. Things move incredibly fast in this arena and I will update these tables when more is found and/or theorised.
| |
− |
| |
− | == Hardware implants (backdoors) ==
| |
− | '''Notes:'''
| |
− | * Unless you are targeted by a government intelligence agency, there seems to be no need to worry about installing commodity hardware from reputable vendors.
| |
− | * If there is physical evidence of tampering, then looking for physical devices will always be the easiest solution to detect them.
| |
− | * Ideally we discuss these exploits and counter moves without the NSA being privy to those discussion, but that would make spreading possible counter moves too slow for the surveillance development cycle (security arms race) and effectively exclude non-techie activists from being able to defend themselves to some extent, so the next best solution is to discuss everything in the open, so everyone knows how they work and how to defeat them, maybe making us all a little safer, than not discussing them at all.
| |
− | * Table was initially filled with threats listed on the SpiderBlog and TAO catalog (not all), then updated with the latest info. (June 2015)
| |
− | {| class="wikitable"
| |
− | |-
| |
− | ! !! More information !! Possible types of attacks !! Detection
| |
− | |-
| |
− | | Godsurge || Godsurge is a physical device plugged-in to the Joint Test Action Group or JTAG headers on a system's motherboard. JTAG headers can be found on many systems and are notoriously common in embedded devices. These headers are used during the development process for debugging purposes: they give you a direct interface with the CPU and are extremely helpful. They are commonly left on the production boards, so finding them on a device is normal and not a security concern. However, if there is a chip or board wired in to a device's JTAG headers that you did not wire in yourself, then something fishy may be going on. ||
| |
− | * Getting Terminal Access to a Cisco Linksys E-1000 <ref>Getting Terminal Access to a Cisco Linksys E-1000 http://blog.spiderlabs.com/2012/12/getting-terminal-access-to-a-cisco-linksys-e-1000.html</ref>
| |
− | * Oops, I pwned your router <ref>Oops, I pwned your router http://blog.spiderlabs.com/2012/06/oops-i-pwned-your-router.html</ref>
| |
− | || Look for the JTAG connecter on the motherboard. The location of the JTAG headers may differ, but they tend to be near the CPU and may have exposed pins (or not). See the Wikipedia page on JTAG for more information and to see what they look like <ref>Wikipedia JTAG http://en.wikipedia.org/wiki/Joint_Test_Action_Group</ref>
| |
− | |-
| |
− | | Ginsu and Bulldozer || Ginsu provides software application persistence on target systems with the PCI bus hardware implant, Bulldozer. ||
| |
− | * Exploit persistence from a PCI card ROM
| |
− | * GINSU: NSA Exploit of the Day <ref>GINSU: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/ginsu_nsa_explo.html
| |
− | </ref>
| |
− | || Open up the computer's case and look for a PCI card that does not belong. For example, if you find a PCI card that appears to serve no purpose (e.g.. not your network card or it has no external ports), then perhaps try removing it and see how things work. If a few black SUVs roll up to your house after unplugging the PCI card, it's probably not because your domicile is the set for a rap superstar's new music video. Or maybe it is.
| |
− | |-
| |
− | | Cottonmouth I II and III || These bugs are embedded somewhere along the USB bus and function as an air gap bridge to assist in exfiltration of data as well as allow persistent compromise. It can be embedded directly in the USB headers in an existing USB peripheral (USB hub or keyboard). These devices allow for exfiltration of data over unknown radio frequencies to listening devices in the area, even on a system that is not connected to the internet. ||
| |
− | * USB host attack
| |
− | * Hackers create spy plug inspired by the NSA's surveillance kit <ref>Hackers create spy plug inspired by the NSA's surveillance kit - and it costs just £13 to make http://www.dailymail.co.uk/sciencetech/article-2920419/When-USBs-attack-Hackers-create-covert-spy-plug-inspired-NSA-s-Cottonmouth-surveillance-kit.html</ref>
| |
− | || Open up the keyboard or USB hub and identify a board that serves no purpose to the device. The malicious USB device would also likely show up on your computer's list of USB devices, so just checking there would be a good place to start.
| |
− | |}
| |
− |
| |
− | == Radio frequency exfiltration ==
| |
− | '''Notes:'''
| |
− | * The devices used can vary, but they all employ a similar method of communication via an unknown radio/radar protocol.
| |
− | {| class="wikitable"
| |
− | |-
| |
− | ! !! More information !! Possible types of attack !! Detection
| |
− | |-
| |
− | | Howlermonkey || Short to medium range Radio Transceiver <ref>Page with graphics https://leaksource.files.wordpress.com/2013/12/nsa-ant-howlermonkey.jpg</ref> ||
| |
− | * HOWLERMONKEY: NSA Exploit of the Day <ref>HOWLERMONKEY: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/howlermonkey_ns.html
| |
− | </ref>
| |
− | ||
| |
− | |-
| |
− | | Ragemaster || Hardware implant in a VGA cable that sends video data over RF || ||
| |
− | |-
| |
− | | Loudauto || Hardware device that sends amplifies audio over RF || ||
| |
− | |-
| |
− | | Surleyspawn || Hardware implant in a keyboard that emits keystrokes over RF || ||
| |
− | |}
| |
− |
| |
− | == Infected firmware ==
| |
− |
| |
− | == Cellular attacks ==
| |
− |
| |
− | == References ==
| |