Digital threats, detection, protection and (counter) moves
From Gender and Tech Resources
Revision as of 09:42, 6 June 2015 by Lilith2 (Talk | contribs) (Created page with "This page lists theoretical defenses and detection methods for selected groups of leaked surveillance programs and services. This is just a thought experiment covering (theore...")
This page lists theoretical defenses and detection methods for selected groups of leaked surveillance programs and services. This is just a thought experiment covering (theoretical) defenses against these attacks and not intended to spread fear, uncertainty or doubt about surveillance states.
Due to the age and limited scope of the leaked documents and what we are up against [1], the defenses mentioned in these tables should not be relied upon for protection and I make no guarantees to their accuracy. You need to do research in your own environment as to what new developments are and make informed decisions knowing it is impossible to be completely safe. Things move incredibly fast in this arena and I will update these tables when more is found and/or theorised.
Contents
Hardware implants (backdoors)
Notes:
- Unless you are targeted by a government intelligence agency, there seems to be no need to worry about installing commodity hardware from reputable vendors.
- If there is physical evidence of tampering, then looking for physical devices will always be the easiest solution to detect them.
- Ideally we discuss these exploits and counter moves without the NSA being privy to those discussion, but that would make spreading possible counter moves too slow for the surveillance development cycle (security arms race) and effectively exclude non-techie activists from being able to defend themselves to some extent, so the next best solution is to discuss everything in the open, so everyone knows how they work and how to defeat them, maybe making us all a little safer, than not discussing them at all.
- Table was initially filled with threats listed on the SpiderBlog and TAO catalog (not all), then updated with the latest info. (June 2015)
| More information | Possible types of attacks | Detection | |
|---|---|---|---|
| Godsurge | Godsurge is a physical device plugged-in to the Joint Test Action Group or JTAG headers on a system's motherboard. JTAG headers can be found on many systems and are notoriously common in embedded devices. These headers are used during the development process for debugging purposes: they give you a direct interface with the CPU and are extremely helpful. They are commonly left on the production boards, so finding them on a device is normal and not a security concern. However, if there is a chip or board wired in to a device's JTAG headers that you did not wire in yourself, then something fishy may be going on. | Look for the JTAG connecter on the motherboard. The location of the JTAG headers may differ, but they tend to be near the CPU and may have exposed pins (or not). See the Wikipedia page on JTAG for more information and to see what they look like [4] | |
| Ginsu and Bulldozer | Ginsu provides software application persistence on target systems with the PCI bus hardware implant, Bulldozer. |
|
Open up the computer's case and look for a PCI card that does not belong. For example, if you find a PCI card that appears to serve no purpose (e.g.. not your network card or it has no external ports), then perhaps try removing it and see how things work. If a few black SUVs roll up to your house after unplugging the PCI card, it's probably not because your domicile is the set for a rap superstar's new music video. Or maybe it is. |
| Cottonmouth I II and III | These bugs are embedded somewhere along the USB bus and function as an air gap bridge to assist in exfiltration of data as well as allow persistent compromise. It can be embedded directly in the USB headers in an existing USB peripheral (USB hub or keyboard). These devices allow for exfiltration of data over unknown radio frequencies to listening devices in the area, even on a system that is not connected to the internet. |
|
Open up the keyboard or USB hub and identify a board that serves no purpose to the device. The malicious USB device would also likely show up on your computer's list of USB devices, so just checking there would be a good place to start. |
Radio frequency exfiltration
Notes:
- The devices used can vary, but they all employ a similar method of communication via an unknown radio/radar protocol.
| More information | Possible types of attack | Detection | |
|---|---|---|---|
| Howlermonkey | Short to medium range Radio Transceiver [7] |
|
|
| Ragemaster | Hardware implant in a VGA cable that sends video data over RF | ||
| Loudauto | Hardware device that sends amplifies audio over RF | ||
| Surleyspawn | Hardware implant in a keyboard that emits keystrokes over RF |
Infected firmware
Cellular attacks
Android attacks
iPhone attacks
Related
References
- ↑ Cryptome: Communications privacy folly http://cryptome.org/2012/06/comms-folly.htm
- ↑ Getting Terminal Access to a Cisco Linksys E-1000 http://blog.spiderlabs.com/2012/12/getting-terminal-access-to-a-cisco-linksys-e-1000.html
- ↑ Oops, I pwned your router http://blog.spiderlabs.com/2012/06/oops-i-pwned-your-router.html
- ↑ Wikipedia JTAG http://en.wikipedia.org/wiki/Joint_Test_Action_Group
- ↑ GINSU: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/ginsu_nsa_explo.html
- ↑ Hackers create spy plug inspired by the NSA's surveillance kit - and it costs just £13 to make http://www.dailymail.co.uk/sciencetech/article-2920419/When-USBs-attack-Hackers-create-covert-spy-plug-inspired-NSA-s-Cottonmouth-surveillance-kit.html
- ↑ Page with graphics https://leaksource.files.wordpress.com/2013/12/nsa-ant-howlermonkey.jpg
- ↑ HOWLERMONKEY: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/howlermonkey_ns.html
