Digital threats, detection, protection and (counter) moves

From Gender and Tech Resources

Revision as of 16:32, 12 June 2015 by Lilith2 (Talk | contribs) (Social engineering)

This page lists theoretical defenses and detection methods for selected groups of leaked surveillance programs and services. This is just a thought experiment covering (theoretical) defenses against these attacks and is not intended to spread fear, uncertainty or doubt about surveillance states.

Due to the age and limited scope of the leaked documents and what we are up against [1], the defenses mentioned in these tables should not be relied upon for protection and I make no guarantees as to their accuracy. Do your own research and make informed decisions, knowing it is impossible to be completely safe. Things move incredibly fast in this arena and I will update these tables when more is found and/or theorised.

Ideally we would discuss these exploits and counter moves without the NSA being privy to those discussions, but that would make spreading possible counter moves too slow for the surveillance development cycle (security arms race) and effectively exclude non-techie activists from being able to defend themselves to some extent, so the next best solution is to discuss everything in the open, rather than not discussing them at all. May we not have to rely on a new class of technocracy.

Social engineering

These tables were started off from http://www.itsecurity.be/social-engineering-what-is-it-and-how-to-defend-yourself and then added to. I started off from a source external to gendersec to increase the chances of finding that which we may be overlooking.

Internal threats

More information (Counter) moves
Excitement of victory & fear of loss Yes! An opportunity! Easy money!!! Out of excitement security is switched off, links are clicked and documents downloaded that turn out to be corrupted (and contained malware that allows the email sender to gain remote access to the machine, or someone's funds, or data, or ...).

Or, "You have won 1 Million Dollars and to claim the winning amount, deposit $75,000 in Account number: XXXXXX in 10 days from receiving this e-mail, failing to which the winning amount would be declared unclaimed and there would be a new lucky-draw to decide the next winner"

An example is the 419 scams many people fell for http://www.social-engineer.org/wiki/archives/ConMen/ConMen-Scam-NigerianFee.html

Power of scarcity Scarcity is when people are told something they need or want has limited availability and to get it they must comply with a certain attitude or action. Many times the desired behavior is not even spoken, but the way it is conveyed is by showing people who are acting "properly" getting rewards.

An example is a government, in this case South Africa, taking something necessary to life, and making it "scarce" and available only to supporters — a malicious, but very effective, manipulation tactic: http://www.social-engineer.org/wiki/archives/Governments/Governments-FoodElectionWeapon.html

Fear of authority Many people are apprehensive in the presence of someone they perceive as an authority figure; it is not that person they are apprehensive about but most likely the position and power of the person that intimidates them. The attackers take on roles of authority figures such as law enforcement officers or high-ranking company officials to extract sensitive organizational information from the victims. Example
Desire to be helpful People, in their desire to be helpful and to solve other people's queries, give out a lot of information that should not otherwise be given out. Do not disclose information to an outsider as it could give an attacker a chance to get unauthorized access.
Laziness All of us have come across some job that requires us to do only a specified set of activities and nothing more. This causes boredom in the person who performs the same task repeatedly on a daily basis, and over time the "bored" learn "shortcuts" to do the tasks with minimal effort while still meeting the targets. This leads to "laziness" (a laid-back attitude) and to becoming susceptible to attackers who target such individuals, knowing they can get the required information with much ease. Example
Ego Many times, the attacker makes a person more emotionally sure of himself/herself, thus removing the logical awareness of the security breach that is occurring. The result is that the person being hacked senses no harm in providing whatever it is that the attacker is requesting. The reason that such an attack succeeds is that the attacker is a receptive audience for victims to display how much knowledge they have. Example
Insufficient knowledge People with insufficient knowledge can easily be exploited by creating a sense of urgency and not allowing them much time to think and to understand that they are under attack. Gather and spread knowledge

External threats

More information Header text
Example Example
Shoulder Surfing Example Example
Dumpster diving Going through the trash can yield one of the most lucrative payoffs for information gathering. People often throw away invoices, notices, letters, CDs, computers, USB keys, and a plethora of other devices and reports that can truly give amazing amounts of information.

Some people shred documents but some types of shredding can be thwarted with a little time and patience and some tape.

Mind what you throw away where.

Using a shredder that shreds both directions into a fine minced mess makes taping documents back together nearly impossible.

Role playing Example Example
Trojan horses Example Example
Phishing Example
Surfing websites & online forums Example Example
Reverse Social Engineering Example Example

Targeted surveillance

Hardware implants

Unless you are targeted by a government intelligence agency, there seems to be no need to worry about installing commodity hardware from reputable vendors.

Detection: Looking for physical devices will always be the easiest solution to detect them. The links to NSA exploits of the day were added for the comments. :)

More information Possible types of attacks Detection
Godsurge Godsurge is a physical device plugged into the Joint Test Action Group or JTAG headers on a system's motherboard. JTAG headers can be found on many systems and are notoriously common in embedded devices. These headers are used during the development process for debugging purposes: they give you a direct interface with the CPU and are extremely helpful. They are commonly left on the production boards, so finding them on a device is normal and not a security concern. However, if there is a chip or board wired in to a device's JTAG headers that you did not wire in yourself, then something fishy may be going on. The JTAG debugging interface can be used to reflash the BIOS from scratch, for example loading a compromised version of the software. Look for the JTAG connector on the motherboard. The location of the JTAG headers may differ, but they tend to be near the CPU and may have exposed pins (or not). See the Wikipedia page on JTAG for more information and to see what they look like [2]
Ginsu and Bulldozer Ginsu provides software application persistence on target systems with the PCI bus hardware implant, Bulldozer

http://leaksource.files.wordpress.com/2013/12/nsa-ant-ginsu.jpg

https://www.schneier.com/blog/archives/2014/01/ginsu_nsa_explo.html

Exploit persistence from a PCI card ROM Open up the computer's case and look for a PCI card that does not belong. For example, if you find a PCI card that appears to serve no purpose (e.g., not your network card or it has no external ports), then perhaps try removing it and see how things work. If a few black SUVs roll up to your house after unplugging the PCI card, it's probably not because your domicile is the set for a rap superstar's new music video. Or maybe it is.
Cottonmouth I, Cottonmouth II and Cottonmouth III These bugs are embedded somewhere along the USB bus and function as an air gap bridge to assist in exfiltration of data as well as allow persistent compromise. It can be embedded directly in the USB headers in an existing USB peripheral (USB hub or keyboard). These devices allow for exfiltration of data over unknown radio frequencies to listening devices in the area, even on a system that is not connected to the internet.

http://leaksource.files.wordpress.com/2013/12/nsa-ant-cottonmouth-i.jpg

https://www.schneier.com/blog/archives/2014/03/cottonmouth-i_n.html

http://leaksource.files.wordpress.com/2013/12/nsa-ant-cottonmouth-ii.jpg

https://www.schneier.com/blog/archives/2014/03/cottonmouth-ii.html

http://leaksource.files.wordpress.com/2013/12/nsa-ant-cottonomouth-iii.jpg

https://www.schneier.com/blog/archives/2014/03/cottonmouth-iii.html

USB host attack Open up the keyboard or USB hub and identify a board that serves no purpose to the device. The malicious USB device would also likely show up on your computer's list of USB devices, so just checking there would be a good place to start.
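One way to make the check of the USB device list repeatable, as an added example that is not part of the original page: save the `lsusb` output while the machine is in a known state and report anything that enumerates later. The script name and baseline file are assumptions, and a device that never enumerates on the bus will not appear.

```shell
#!/bin/sh
# Added example (not from the original page): compare the USB device list
# against a baseline saved while the machine was in a known state.

# Reduce `lsusb` lines on stdin to sorted "vendor:product description" lines.
# Bus and device numbers are dropped because they change on every re-plug.
usb_ids() {
    awk '$1 == "Bus" && $5 == "ID" {
             id = $6; $1 = $2 = $3 = $4 = $5 = $6 = ""
             sub(/^ +/, ""); print id " " $0 }' | LC_ALL=C sort
}

# new_usb_devices BASELINE CURRENT: print entries present in CURRENT but not
# in BASELINE (both files are usb_ids output). Lines are not de-duplicated,
# so a second device carrying an ID that is already in the baseline (an extra
# hub, say) is still reported.
new_usb_devices() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Command-line use (script name is an assumption):
#   usb_check.sh save  BASELINE   record the current device list
#   usb_check.sh check BASELINE   list devices not in the baseline, exit 1
case "${1:-}" in
    save)  lsusb | usb_ids > "$2" ;;
    check) cur=$(mktemp) || exit 2
           lsusb | usb_ids > "$cur"
           found=$(new_usb_devices "$2" "$cur"); rm -f "$cur"
           if [ -n "$found" ]; then
               printf 'not in baseline:\n%s\n' "$found"; exit 1
           fi ;;
esac
```

A vendor:product ID is whatever the device chooses to report, so an unchanged list is a starting point and does not replace opening the keyboard or hub.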

Radio frequency exfiltration

The devices used can vary, but they all employ a similar method of communication via an unknown radio/radar protocol. The frequencies are not known and based on the information leaked the devices are passive (only power on when data is being extracted) making identification of (type of) signal (and intelligence) hard.

Detection: First check for evidence of a device which has been wired in to an existing device such as a keyboard or other peripheral. The SpiderBlog describes the following possibility: You can check if there are RF transmitters in a device by monitoring the spectrum (using an amateur RF listening bug detector) while the device is off (to get a baseline for ambient RF background noise) and then monitoring it again after the suspect device is turned on and transmitting data via radio frequency. The detection device would pick up the signal and alert the user. [3] Further analysis of the signal and its intelligence is still hard, as the exact protocols are (still) unknown.

More information Possible types of attack
Howlermonkey Short to medium range Radio Transceiver

https://leaksource.files.wordpress.com/2013/12/nsa-ant-howlermonkey.jpg

https://www.schneier.com/blog/archives/2014/01/howlermonkey_ns.html

HOWLERMONKEY is a COTS-based transceiver designed to be compatible with CONJECTURE/SPECULATION networks and STRIKEZONE devices running a HOWLERMONKEY personality. PCB layouts are tailored to individual implant space requirements and can vary greatly in form factor.
Ragemaster Hardware implant in a VGA cable that sends video data over RF

https://leaksource.files.wordpress.com/2013/12/nsa-ant-howlermonkey.jpg

https://www.schneier.com/blog/archives/2014/03/ragemaster_nsa.html

The RAGEMASTER taps the red video line between the video card within the desktop unit and the computer monitor, typically an LCD. When the RAGEMASTER is illuminated by a radar unit, the illuminating signal is modulated with the red video information. This information is re-radiated, where it is picked up at the radar, demodulated, and passed onto the processing unit, such as a LFS-2 and an external monitor, NIGHTWATCH, GOTHAM, or (in the future) VIEWPLATE. The processor recreates the horizontal and vertical sync of the targeted monitor, thus allowing TAO personnel to see what is displayed on the targeted monitor.
Loudauto Hardware device that sends amplified audio over RF

https://leaksource.files.wordpress.com/2013/12/nsa-ant-howlermonkey.jpg

https://www.schneier.com/blog/archives/2014/01/loudauto_nsa_ex.html

Room audio is picked up by the microphone and converted into an analog electrical signal. This signal is used to pulse position modulate (PPM) a square wave signal running at a pre-set frequency. This square wave is used to turn a FET (field effect transistor) on and off. When the unit is illuminated with a CW signal from a nearby radar unit, the illuminating signal is amplitude-modulated with the PPM square wave. This signal is re-radiated, where it is picked up by the radar, then processed to recover the room audio. Processing is currently performed by COTS equipment with FM demodulation capability (Rohde & Schwarz FSH-series portable spectrum analyzers, etc.) LOUDAUTO is part of the ANGRYNEIGHBOR family of radar retro-reflectors.
Surlyspawn Hardware implant in a keyboard that emits keystrokes over RF

http://leaksource.files.wordpress.com/2013/12/nsa-ant-surlyspawn.jpg

https://www.schneier.com/blog/archives/2014/02/surlyspawn_nsa.html

The board taps into the data line from the keyboard to the processor. The board generates a square wave oscillating at a preset frequency. The data-line signal is used to shift the square wave frequency higher or lower, depending on the level of the data-line signal. The square wave, in essence, becomes frequency shift keyed (FSK). When the unit is illuminated by a CW signal from a nearby radar, the illuminating signal is amplitude-modulated (AM) with this square wave. The signal is re-radiated, where it is received by the radar, demodulated, and the demodulated signal is processed to recover the keystrokes. SURLYSPAWN is part of the ANGRYNEIGHBOR family of radar retro-reflectors.

Infected firmware

Detection: Dump the BIOS to a bin file and compare the hash with a clean BIOS hash. See flashrom for identifying, reading, writing, erasing, and verifying BIOS/ROM/flash chips [4].
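The detection step above as a script; this is an added example, not part of the original page. It assumes flashrom can read the chip with its internal programmer and that you hold a known-good image from a trusted source; the file names and the 4 KiB block size are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): check a firmware dump against a
# known-good image. File names and the 4 KiB block size are assumptions.

# Read the chip twice with flashrom (needs root). If the two reads differ,
# the read itself is unreliable and no hash comparison is meaningful.
dump_bios() {    # usage: dump_bios PREFIX -> PREFIX.1.bin and PREFIX.2.bin
    flashrom -p internal -r "$1.1.bin" || return 2
    flashrom -p internal -r "$1.2.bin" || return 2
    cmp -s "$1.1.bin" "$1.2.bin"
}

# Print the lowercase SHA-256 of a file.
sha256_of() {
    [ -r "$1" ] || return 2
    sha256sum "$1" | cut -d' ' -f1
}

# verify_dump DUMP EXPECTED_SHA256: returns 0 on match, 1 on mismatch.
verify_dump() {
    actual=$(sha256_of "$1") || { echo "cannot read $1" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "MATCH $actual"
    else
        echo "MISMATCH got=$actual expected=$expected"
        return 1
    fi
}

# changed_blocks DUMP CLEAN [BLOCKSIZE]: print the start offset (hex) of every
# block in which the two images differ. Settings stored in the same flash chip
# also change between dumps, so a bare hash mismatch needs this second look at
# where the difference sits.
changed_blocks() {
    cmp -l "$1" "$2" 2>/dev/null |
        awk -v bs="${3:-4096}" '{ b = int(($1 - 1) / bs)
            if (!(b in seen)) { seen[b] = 1; printf "0x%x\n", b * bs } }'
}

# Command-line use (script name is an assumption):
#   firmware_check.sh DUMP CLEAN_IMAGE
if [ $# -eq 2 ]; then
    if verify_dump "$1" "$(sha256_of "$2")"; then exit 0; fi
    echo "blocks that differ from $2:"
    changed_blocks "$1" "$2"
    exit 1
fi
```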

Removal: For each of these infections, where applicable, pulling the chip and replacing it with a new freshly burned BIOS chip or compact flash card would be sufficient. When dealing with built-in firmware it's a bit more difficult than pulling and replacing. You will need to re-flash the device using an operating system that is not at risk of being attacked by the infected firmware. You could boot the device into a low level OS in hopes that the firmware infection isn't able to protect itself. Or, you could wire in a debugging header to the device (such as JTAG, if available) to read or write the firmware on the device to clean things up for good.

Most motherboards can be flashed with coreboot https://www.coreboot.org/Supported_Motherboards tutorials: https://www.coreboot.org/Category:Tutorials

Most routers can be flashed with openWRT http://wiki.openwrt.org/toh/start

More information Possible types of attack
Deitybounce Motherboard BIOS Infector

https://leaksource.files.wordpress.com/2013/12/nsa-ant-deitybounce.jpg?w=1208&h=1562

https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html

Through remote access or interdiction, ARKSTREAM is used to reflash the BIOS on a target machine to implant DEITYBOUNCE and its payload (the implant installer). Implantation via interdiction may be accomplished by nontechnical operator through use of a USB thumb drive. Once implanted, DEITYBOUNCE's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on.
Swap Hard Drive Firmware Infector

https://leaksource.files.wordpress.com/2013/12/nsa-ant-swap.jpg

https://www.schneier.com/blog/archives/2014/02/swap_nsa_exploi.html

Through remote access or interdiction, ARKSTREAM is used to reflash the BIOS and TWISTEDKILT to write the Host Protected Area on the hard drive on a target machine in order to implant SWAP and its payload (the implant installer). Once implanted, SWAP's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on.
Headwater, sierramontana, and jetplow Firmware backdoors that target popular networking hardware

https://leaksource.files.wordpress.com/2013/12/nsa-ant-headwater.jpg

https://www.schneier.com/blog/archives/2014/01/headwater_nsa_e.html

https://leaksource.files.wordpress.com/2013/12/nsa-ant-sierramontana.jpg

https://www.schneier.com/blog/archives/2014/01/sierramontana_n.html

https://leaksource.files.wordpress.com/2013/12/nsa-ant-jetplow.jpg

https://www.schneier.com/blog/archives/2014/01/jetplow_nsa_exp.html

HEADWATER PBD implant will be transferred remotely over the Internet to the selected target router by Remote Operations Center (ROC) personnel. After the transfer, the PBD will be installed in the router's boot ROM via an upgrade command. The PBD will then be activated after a system reboot. Once activated, the ROC operators will be able to use DNT's HAMMERMILL Insertion Tool (HIT) to control the PBD as it captures and examines all IP packets passing through the host router.

Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process on the target operating system. The vector of attack is the modification of the target's BIOS. The modification will add the necessary software to the BIOS and modify its software to execute the SIERRAMONTANA implant at the end of its native System Management Mode (SMM) handler.

JETPLOW persists DNT's BANANAGLEE software implant and modifies the Cisco firewall's operating system (OS) at boot time. If BANANAGLEE support is not available for the booting operating system, it can install a Persistent Backdoor (PBD) designed to work with BANANAGLEE's communications structure, so that full access can be reacquired at a later time.

Dragnet surveillance

Darknet surveillance

Tor

I2P

FreeNet

TLS/SSL

Censorship

Table initially filled with data from How to effectively argue against Internet Censorship ideas http://rys.io/en/94.txt.

Proxy servers, especially anonymous ones, located outside the area where a censorship solution is deployed can be used quite easily to circumvent any blocking method; users can modify their operating system or browser settings, or install browser additions that make using this circumvention method trivial. It is possible to block the proxy servers themselves (via IP-blocking, keyword blocking, etc.), however it is infeasible to block them all, as they are easy to set up.

Virtual Private Networks (including “poor man’s VPNs” like SSH tunnels) require more technical prowess and a (usually commercial) VPN service (or SSH server) outside the area with blocking deployed. Blocking all VPN/SSH traffic is possible, but requires deep packet inspection and is a serious problem for many legitimate businesses using VPNs (and SSH) as their daily tools of trade, to allow their employees access to corporate networks from outside physical premises, via a secured link on the Internet.

TOR, or The Onion Router, is a very effective (if a bit slow) circumvention method. It is quite easy to set up — users can simply download the TOR Browser Bundle and use it to access the Internet. Due to the way it works it is nigh-impossible to block TOR traffic (as it looks just like vanilla HTTPS traffic), to the point that it is known to allow access to the uncensored Internet to those living in areas with most aggressive Internet censorship policies — namely China, North Korea and Iran. See Tor threats.

None of the censorship solutions is able to block content on darknets — virtual networks accessible anonymously only via specialised software (for instance TOR, I2P, FreeNet), and guaranteeing high resilience to censorship through technical composition of the networks themselves. Because darknets are both practically impossible to block entirely and do not allow for any content blocking within them, they are effectively the ultimate circumvention methods. The downside to using darknets is their lower bandwidth. Deploying Internet censorship pushes the to-be-blocked content into darknets, making it ever harder for law enforcement to gather evidence and for researchers to gather data on the popularity of a given type of censored content.

Blocking type How it works Circumvention DPI
DNS-based blocking DNS-based blocking requires ISPs (who usually run their own DNS servers, being default for their clients) to de-list certain domains (so that they are not resolvable when using these DNS servers). This means that the costs of implementing it are small. Custom DNS server settings can be used to easily circumvent DNS-based blocking. It requires almost no technical prowess and can be used by anybody. There are a number of publicly available DNS servers that can be used for this purpose. There is no way to easily block the use of this method without deploying censorship methods other than pure DNS-blocking. no
IP address-based blocking IP-based blocking requires the ISPs to either block certain IP addresses internally or route all the outgoing connections via a central, government-mandated censoring entity. It is only superficially harder to circumvent, while retaining most if not all problems of DNS-based blocking. no
URL-based blocking Because this method blocks only certain, URL-identified content, not whole websites or servers (as do DNS-based and IP-based methods), it has much lower potential for accidental over-blocking. This also entails it has a higher potential for under-blocking, as the content can be available on the same server under many different URLs, and changing just a small part of the name defeats the filter. yes
Dynamic blocking This method uses deep packet inspection to read the contents of data being transmitted, and compares it with a list of keywords, or with image samples or video (depending on the content type). yes
Hash-based blocking Hash-based blocking uses deep packet inspection to inspect the contents of data-streams, hashes them with cryptographic hash functions and compares to a known database of hashes to be blocked. yes
Hybrid solutions In order to compromise between high-resource, low-over-blocking hash-based blocking and low-resource, high-over-blocking IP- or DNS-based solutions, a hybrid solution might be proposed. Usually it means that there is a list of IP addresses or domain names for which the hash-based blocking is enabled, hence only operating for a small part of content. This method does employ deep packet inspection. yes

Related

References

  1. Cryptome: Communications privacy folly http://cryptome.org/2012/06/comms-folly.htm
  2. Wikipedia JTAG http://en.wikipedia.org/wiki/Joint_Test_Action_Group
  3. Detecting A Surveillance State - Part 2 Radio Frequency Exfiltration https://www.trustwave.com/Resources/SpiderLabs-Blog/Detecting-A-Surveillance-State---Part-2-Radio-Frequency-Exfiltration/
  4. Debian packages: flashrom https://packages.debian.org/jessie/flashrom