Digital threats, detection, protection and (counter) moves

From Gender and Tech Resources

Revision as of 16:39, 8 June 2015 by Lilith2

This page lists theoretical defenses and detection methods for selected groups of leaked surveillance programs and services. This is just a thought experiment covering (theoretical) defenses against these attacks and not intended to spread fear, uncertainty or doubt about surveillance states.

Due to the age and limited scope of the leaked documents and what we are up against [1], the defenses mentioned in these tables should not be relied upon for protection, and I make no guarantees as to their accuracy. You need to research new developments in your own environment and make informed decisions, knowing that it is impossible to be completely safe. Things move incredibly fast in this arena and I will update these tables when more is found and/or theorised.

Hardware implants (backdoors)

Notes:

  • Unless you are targeted by a government intelligence agency, there seems to be no need to worry about installing commodity hardware from reputable vendors.
  • These are physical devices, so looking for them physically (open the case and compare against a second unit of the same model or the vendor's board photos) is the most direct way to detect them. Check first for evidence of tampering: broken seals, scratched screw heads, tool marks on the case.
  • Ideally these exploits and counter moves would be discussed without the NSA being privy to the discussion, but that would make spreading counter moves too slow for the surveillance development cycle (the security arms race) and would effectively exclude non-techie activists from defending themselves to some extent. The next best option is to discuss everything in the open, so that everyone knows how the implants work and how to defeat them; that probably makes us all a little safer than not discussing them at all.
  • Table was initially filled with threats listed on the SpiderBlog and TAO catalog (not all), then updated with the latest info. (June 2015)
Godsurge
  Possible type of attack: Godsurge is persistence software that runs from a small physical board (FLUXBABBITT in the catalog) wired to the Joint Test Action Group (JTAG) header on a system's motherboard. JTAG headers can be found on many systems and are notoriously common in embedded devices. They are used during development for debugging: they give a direct interface to the CPU and are extremely helpful, so they are commonly left on production boards. Finding a header on a device is therefore normal and not a security concern in itself. However, if a chip or board that you did not wire in yourself is attached to a device's JTAG header, something fishy may be going on.
  More information:
    • Getting Terminal Access to a Cisco Linksys E-1000 [2]
    • Oops, I pwned your router [3]
  Detection: Look for the JTAG connector on the motherboard. Its location differs from board to board, but it tends to be near the CPU, and it may have exposed pins or only a row of unpopulated pads. See the Wikipedia page on JTAG for more information and for what the headers look like [4]. Anything soldered or clipped onto those pads that the vendor did not put there is the thing to worry about.
Ginsu and Bulldozer
  Possible type of attack: Ginsu provides software application persistence on target systems through Bulldozer, a hardware implant on the PCI bus.
  More information:
    • Exploit persistence from a PCI card ROM
    • GINSU: NSA Exploit of the Day [5]
  Detection: Open the computer's case and look for a PCI card that does not belong. For example, if you find a card that appears to serve no purpose (it is not your network card and it has no external ports), try removing it and see whether anything stops working. Keep in mind that a card whose option ROM runs at boot needs no driver and no visible function, so "it does nothing" is not reassuring. If a few black SUVs roll up to your house after unplugging the PCI card, it's probably not because your domicile is the set for a rap superstar's new music video. Or maybe it is.
Cottonmouth I, II and III
  Possible type of attack: These bugs sit somewhere along the USB bus and act as an air-gap bridge, assisting in exfiltration of data and allowing persistent compromise. They can be embedded in a USB plug or cable, in the USB connectors of the chassis, or inside an existing USB peripheral (USB hub or keyboard). They exfiltrate data over unknown radio frequencies to listening devices in the area, even from a system that is not connected to the internet.
  More information:
    • USB host attack
    • Hackers create spy plug inspired by the NSA's surveillance kit [6]
  Detection: Open up the keyboard or USB hub and identify a board that serves no purpose in the device. The malicious device would also likely show up in your computer's list of USB devices (lsusb on Linux, Device Manager on Windows), so checking there is a good place to start. Compare against a list recorded when the machine was known to be clean rather than eyeballing it: an implant could enumerate as an ordinary hub or reuse the vendor ID of the peripheral it hides in, and a device you cannot see on the bus is not proof that there is none.
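
The "compare against a known-good list" check for the PCI (Ginsu/Bulldozer) and USB (Cottonmouth) rows above, as an added example that is not code from this page or from any of the sources it cites. It assumes a Linux host with pciutils and usbutils: save the text of `lspci -nn` and `lsusb` once while the machine is trusted, and diff a fresh capture against it later. The captures below are constructed for the example; the `[1234:abcd]` PCI device and the Genesys hub are the planted ones.

```python
"""Hardware inventory diff: flag PCI or USB devices that were not present
when a known-good baseline was recorded (added example, not from the page)."""
import re
from collections import Counter

# lspci -nn line: "<slot> <class> [<cc>]: <description> [<vid>:<did>] (rev NN)"
PCI_RE = re.compile(
    r"^(?P<slot>\S+)\s+(?P<cls>[^:]+?\s\[[0-9a-f]{4}\]):\s+(?P<desc>.*)"
    r"\s\[(?P<vid>[0-9a-f]{4}):(?P<did>[0-9a-f]{4})\](?:\s\(rev [^)]*\))?$")
# lsusb line: "Bus NNN Device NNN: ID <vid>:<did> <description>"
USB_RE = re.compile(
    r"^Bus \d+ Device \d+: ID (?P<vid>[0-9a-f]{4}):(?P<did>[0-9a-f]{4})\s*(?P<desc>.*)$")

# --- constructed sample captures (not real machines) --------------------
BASELINE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation 2nd Generation Core Processor Family DRAM Controller [8086:0100] (rev 09)
00:1f.3 Audio device [0403]: Intel Corporation 6 Series/C200 Series Chipset Family High Definition Audio Controller [8086:1c20] (rev 05)
02:00.0 Ethernet controller [0200]: Intel Corporation 82574L Gigabit Network Connection [8086:10d3]
"""
CURRENT_LSPCI = BASELINE_LSPCI + """\
04:00.0 Unassigned class [ff00]: Device [1234:abcd]
"""
BASELINE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
"""
# Same keyboard, now renumbered and sitting behind a hub nobody installed.
CURRENT_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 001 Device 004: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
"""


def parse_inventory(lspci_text, lsusb_text):
    """Multisets of devices per bus. PCI devices are keyed by slot and
    vendor:device id; USB devices by vendor:device id and description only,
    so bus/device numbers (which change on every replug) do not cause false
    alarms, while a second copy of an existing device still counts."""
    pci, usb = Counter(), Counter()
    for line in lspci_text.splitlines():
        m = PCI_RE.match(line.strip())
        if m:
            pci[(m["slot"], f"{m['vid']}:{m['did']}".lower())] += 1
    for line in lsusb_text.splitlines():
        m = USB_RE.match(line.strip())
        if m:
            usb[(f"{m['vid']}:{m['did']}".lower(), m["desc"].strip())] += 1
    return {"pci": pci, "usb": usb}


def diff_inventory(baseline, current):
    """Return (added, missing) as lists of (bus, key, count). Counter
    subtraction keeps only positive counts, so a device that merely moved
    to another bus/device number is neither added nor missing."""
    added, missing = [], []
    for bus in ("pci", "usb"):
        added += [(bus, k, n) for k, n in (current[bus] - baseline[bus]).items()]
        missing += [(bus, k, n) for k, n in (baseline[bus] - current[bus]).items()]
    return added, missing


def unexpected_hubs(added):
    """USB hubs that appeared since the baseline. An implant spliced into a
    cable or keyboard has to sit on the bus somewhere, and a hub between the
    host and an existing peripheral is one plausible way it would enumerate
    (assumption made for this example, not a claim from the catalog). Root
    hubs belong to the host controller and are ignored."""
    return [(key, n) for bus, key, n in added
            if bus == "usb" and "hub" in key[1].lower()
            and "root hub" not in key[1].lower()]


if __name__ == "__main__":
    base = parse_inventory(BASELINE_LSPCI, BASELINE_LSUSB)
    now = parse_inventory(CURRENT_LSPCI, CURRENT_LSUSB)
    added, missing = diff_inventory(base, now)
    for bus, key, n in added:
        print(f"NEW on {bus}: {key} x{n}")
    for bus, key, n in missing:
        print(f"GONE from {bus}: {key} x{n}")
    for key, n in unexpected_hubs(added):
        print(f"  unexpected USB hub: {key[1]} ({key[0]})")
```

Run the two captures through it and the planted PCI device and the inline hub are reported while the renumbered keyboard is not. A clean diff is a necessary check, not a clean bill of health: the baseline itself must have been taken on a trusted machine, and an implant that reuses an existing device's IDs or does not enumerate at all will not show up here.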

Radio frequency exfiltration

Notes:

  • First check for evidence of a device which has been wired in to an existing device such as a keyboard or other peripheral.
  • The devices vary, but they share a similar method of communication over an unknown radio/radar protocol, and the frequencies are not known. Based on the leaked information, most of them are passive retro-reflectors: they have no transmitter of their own and only return a signal while an external radar unit illuminates them (Howlermonkey, an active transceiver, is the exception). That makes identifying the type of signal, and the intelligence in it, hard, and it means a retro-reflector shows nothing on a spectrum scan unless the illuminating radar happens to be present.
  • The SpiderBlog describes the following possibility: you can check whether a device contains an RF transmitter by monitoring the spectrum (with an amateur RF bug detector or a software-defined radio) while the suspect device is off, to get a baseline of the ambient RF background, and then monitoring again after the device is turned on and in use. A signal that is present only in the second scan points at a transmitter in the device. [7]
  • Further analysis of the signal and its intelligence is still hard, as the protocol is (as yet) unknown. (Also see tempest on the surveillance page.)
Howlermonkey [8][9]: short to medium range RF transceiver; the active radio that other implants (such as Cottonmouth) use for their link.
Ragemaster [10][11]: hardware implant in a VGA cable (tapped into the red video line) that returns the video signal over RF when illuminated by a radar unit.
Loudauto [12][13]: audio retro-reflector, a hardware device that returns nearby audio over RF when illuminated.
Surlyspawn [14][15]: data retro-reflector in a keyboard that returns keystrokes over RF when illuminated.
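
The baseline-versus-active comparison from the notes above, as an added example that is not code from this page or from the SpiderLabs post it cites. It assumes the two scans come from a software-defined radio run with rtl_power (or any tool that writes the same CSV rows: date, time, hz_low, hz_high, hz_step, samples, then one dB value per bin), one scan with the suspect device powered off and one with it powered on and in use. Both captures below are constructed for the example: a 433.3 to 433.5 MHz signal appears in the active scan, and a 5 dB bump at 434.7 MHz stays under the threshold.

```python
"""Compare a baseline RF spectrum scan with a scan taken while the suspect
device is powered on, and report the frequency ranges that rose by more
than a threshold (added example, not from the page)."""
from collections import defaultdict
from statistics import median

# Constructed rtl_power-style captures: two hops of 10 bins each, two sweeps.
BASELINE_CSV = """\
2015-06-08, 16:30:00, 433000000, 434000000, 100000.00, 32, -41.0, -40.5, -40.8, -41.2, -40.9, -40.7, -41.1, -40.6, -40.9, -41.0
2015-06-08, 16:30:01, 434000000, 435000000, 100000.00, 32, -40.8, -41.1, -40.6, -40.9, -41.3, -40.7, -40.8, -41.0, -40.5, -40.9
2015-06-08, 16:30:02, 433000000, 434000000, 100000.00, 32, -40.9, -40.7, -41.0, -40.8, -41.1, -40.6, -40.9, -41.2, -40.7, -41.0
2015-06-08, 16:30:03, 434000000, 435000000, 100000.00, 32, -41.0, -40.8, -40.9, -41.1, -40.7, -40.9, -41.2, -40.6, -40.8, -41.1
"""
ACTIVE_CSV = """\
2015-06-08, 16:40:00, 433000000, 434000000, 100000.00, 32, -40.8, -40.6, -40.9, -16.0, -14.5, -17.0, -41.0, -40.7, -40.8, -41.1
2015-06-08, 16:40:01, 434000000, 435000000, 100000.00, 32, -40.9, -41.0, -40.7, -40.8, -41.2, -40.6, -40.9, -36.0, -40.6, -41.0
2015-06-08, 16:40:02, 433000000, 434000000, 100000.00, 32, -41.1, -40.8, -40.7, -15.5, -14.0, -16.5, -40.8, -41.1, -40.9, -40.9
2015-06-08, 16:40:03, 434000000, 435000000, 100000.00, 32, -40.7, -40.9, -41.1, -40.8, -40.9, -41.0, -40.7, -36.0, -40.8, -40.8
"""


def parse_scan(text):
    """Return {bin_start_hz: [dB, ...]}, one dB entry per sweep that covered
    the bin (rtl_power writes one row per hop per sweep)."""
    bins = defaultdict(list)
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7:
            continue                                  # blank or malformed row
        lo, step = float(fields[2]), float(fields[4])
        levels = [float(v) for v in fields[6:] if v]  # skip a trailing empty field
        for i, level in enumerate(levels):
            bins[int(round(lo + i * step))].append(level)
    return bins


def find_new_signals(baseline, active, rise_db=10.0):
    """Bins whose median level rose by at least rise_db over the baseline,
    merged into contiguous (f_lo, f_hi, peak_rise_db) ranges. Using the
    median across sweeps suppresses one-off bursts from unrelated devices."""
    keys = sorted(k for k in baseline if k in active)
    ranges, run = [], None          # run = [f_lo, f_hi, peak_rise, last_index]
    for idx, f in enumerate(keys):
        rise = median(active[f]) - median(baseline[f])
        if rise < rise_db:
            continue
        if run is not None and run[3] == idx - 1:
            run[1], run[2], run[3] = f, max(run[2], rise), idx
        else:
            if run is not None:
                ranges.append(tuple(run[:3]))
            run = [f, f, rise, idx]
    if run is not None:
        ranges.append(tuple(run[:3]))
    return ranges


if __name__ == "__main__":
    found = find_new_signals(parse_scan(BASELINE_CSV), parse_scan(ACTIVE_CSV))
    for lo, hi, rise in found:
        print(f"new signal {lo / 1e6:.1f}-{hi / 1e6:.1f} MHz, +{rise:.1f} dB over baseline")
    if not found:
        print("nothing rose above the baseline")
```

Take many sweeps for both scans, not two: with only two the median is just the mean, and a neighbour's key fob or a phone hand-off will look like a new signal. The check only covers what the receiver can tune (an RTL-SDR stick reaches roughly 24 MHz to 1.7 GHz), and, as the notes above say, a retro-reflector returns nothing unless the radar that illuminates it is present during the active scan.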

Infected firmware

Detection: Dump the BIOS (the contents of the flash chip) to a binary file and compare its hash with the hash of a known-clean image of the same vendor and version. Compare region by region rather than the whole image: the variable store changes on every boot, so a whole-image hash will differ even on a clean machine. What if we crowdsourced a BIOS binary fingerprint database?
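
The region-wise comparison described above, as an added example that is not code from this page or its sources. It assumes you already have two dumps of the same flash chip, taken for instance with `flashrom -p internal -r dump.bin` from the running system or, better, with an external SPI programmer clipped to the chip, plus a region layout for that board (from the Intel flash descriptor via `flashrom --ifd`, or the vendor's documentation). The 64-byte layout and both images below are constructed for the example.

```python
"""Compare two firmware (SPI flash) dumps region by region, so that the
regions that legitimately change between boots do not mask a modified code
region (added example, not from the page)."""
import hashlib

# name -> (start, end). Invented to fit the toy image; a real layout comes
# from the flash descriptor or the board vendor.
LAYOUT = {"descriptor": (0, 8), "me": (8, 24), "nvram": (24, 40), "bios": (40, 64)}
# Regions expected to differ between two dumps of a healthy machine.
VOLATILE = {"nvram"}

KNOWN_GOOD = (b"\x5a\xa5\xf0\x0f" * 2        # descriptor
              + b"\x11" * 16                  # me
              + b"\x22" * 16                  # nvram (variable store)
              + b"\xe9\x00\x00\x00"           # bios: a code stub ...
              + b"\xff" * 20)                 # ... followed by erased flash
assert len(KNOWN_GOOD) == 64

# Dump of the same board taken later: NVRAM changed (normal) and one byte
# in the bios region was patched (not normal).
_s = bytearray(KNOWN_GOOD)
_s[24:40] = b"\x23" * 16
_s[44] = 0x90
SUSPECT = bytes(_s)


def region_hashes(image, layout=LAYOUT):
    """SHA-256 per region. The bios-region hash, keyed by vendor, model and
    firmware version, is what a crowdsourced fingerprint database would hold."""
    return {name: hashlib.sha256(image[s:e]).hexdigest()
            for name, (s, e) in layout.items()}


def compare_dumps(known_good, suspect, layout=LAYOUT, volatile=VOLATILE):
    """Return {region: (status, first_differing_offset_or_None)}.
    status is 'match', 'differs (volatile)', 'DIFFERS', or 'not read ...'
    when the suspect region is all 0xff but the reference is not, which is
    what a dump from the running host returns for a locked region."""
    if len(known_good) != len(suspect):
        raise ValueError(f"dump sizes differ: {len(known_good)} vs {len(suspect)}")
    report = {}
    for name, (s, e) in layout.items():
        a, b = known_good[s:e], suspect[s:e]
        if a == b:
            report[name] = ("match", None)
            continue
        if all(x == 0xFF for x in b) and not all(x == 0xFF for x in a):
            report[name] = ("not read (all 0xff: locked region or bad clip)", s)
            continue
        first = s + next(i for i, (x, y) in enumerate(zip(a, b)) if x != y)
        status = "differs (volatile)" if name in volatile else "DIFFERS"
        report[name] = (status, first)
    return report


def tampered_regions(report):
    """Regions that changed and were not expected to."""
    return [name for name, (status, _) in report.items() if status == "DIFFERS"]


if __name__ == "__main__":
    result = compare_dumps(KNOWN_GOOD, SUSPECT)
    for region, (status, off) in result.items():
        where = "" if off is None else f" (first difference at offset 0x{off:x})"
        print(f"{region:10s} {status}{where}")
    print("tampered:", tampered_regions(result) or "none")
```

Two caveats when applying this to a real dump. A dump taken from the running system may not contain everything on the chip: regions the descriptor locks (commonly the management-engine region) read back as 0xff, which the "not read" status flags, and only an external programmer sees them. And the reference image must be one you trust, either dumped from the same board before it left your hands or a vendor image of exactly the same version.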

Removal: Where the infected code lives on a socketed chip or a removable medium, pulling it and fitting a freshly burned BIOS chip (or a fresh boot medium) is sufficient, provided you replace the part that actually holds the implant: Sierramontana, for instance, lives in the BIOS and survives a new compact flash card. Built-in (soldered) firmware is a bit more difficult than pull and replace. You will need to re-flash the device from an environment the infected firmware cannot attack: boot a minimal low-level OS from external media in the hope that the infection does not protect itself, or, more reliably, wire in a debugging or programming header (JTAG or an SPI clip, where available) and read or write the flash directly, which the running firmware cannot interfere with. Afterwards dump the chip again and compare the hash to confirm the clean image is what is actually there.

Deitybounce [16][17]
  Motherboard BIOS infector: provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and using System Management Mode (SMM) to gain periodic execution while the operating system loads (supports only Windows server and workstation operating systems). Through remote access or interdiction, ARKSTREAM is used to reflash the BIOS on a target machine to implant DEITYBOUNCE and its payload (the implant installer). Implantation via interdiction may be accomplished by a non-technical operator using a USB thumb drive. Once implanted, DEITYBOUNCE's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on.
Swap [18][19]
  BIOS and hard drive Host Protected Area infector: SWAP provides software application persistence by exploiting the motherboard BIOS and the hard drive's Host Protected Area to gain periodic execution before the operating system loads. Through remote access or interdiction, ARKSTREAM is used to reflash the BIOS and TWISTEDKILT to write the Host Protected Area on the hard drive of a target machine in order to implant SWAP and its payload (the implant installer). Once implanted, SWAP's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on.
Headwater [20][21]
  Persistent Backdoor (PBD) software implant for selected Huawei routers. The HEADWATER PBD implant is transferred remotely over the Internet to the selected target router by Remote Operations Center (ROC) personnel. After the transfer, the PBD is installed in the router's boot ROM via an upgrade command and activated after a system reboot. Once activated, ROC operators can use DNT's HAMMERMILL Insertion Tool (HIT) to control the PBD as it captures and examines all IP packets passing through the host router.
Sierramontana [22][23]
  Provides persistence for DNT implants on Juniper M-series routers; the implant survives an upgrade or replacement of the operating system, including physical replacement of the router's compact flash card. Currently, the intended DNT implant to persist is VALIDATOR, which must run as a user process on the target operating system. The vector of attack is modification of the target's BIOS: the modification adds the necessary software to the BIOS and alters it to execute the SIERRAMONTANA implant at the end of its native System Management Mode (SMM) handler.
Jetplow [24][25]
  Firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls. JETPLOW persists DNT's BANANAGLEE software implant and modifies the Cisco firewall's operating system (OS) at boot time. If BANANAGLEE support is not available for the booting operating system, it can install a Persistent Backdoor (PBD) designed to work with BANANAGLEE's communications structure, so that full access can be reacquired at a later time.

Related

References

  1. Cryptome: Communications privacy folly http://cryptome.org/2012/06/comms-folly.htm
  2. Getting Terminal Access to a Cisco Linksys E-1000 http://blog.spiderlabs.com/2012/12/getting-terminal-access-to-a-cisco-linksys-e-1000.html
  3. Oops, I pwned your router http://blog.spiderlabs.com/2012/06/oops-i-pwned-your-router.html
  4. Wikipedia JTAG http://en.wikipedia.org/wiki/Joint_Test_Action_Group
  5. GINSU: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/ginsu_nsa_explo.html
  6. Hackers create spy plug inspired by the NSA's surveillance kit - and it costs just £13 to make http://www.dailymail.co.uk/sciencetech/article-2920419/When-USBs-attack-Hackers-create-covert-spy-plug-inspired-NSA-s-Cottonmouth-surveillance-kit.html
  7. Detecting A Surveillance State - Part 2 Radio Frequency Exfiltration https://www.trustwave.com/Resources/SpiderLabs-Blog/Detecting-A-Surveillance-State---Part-2-Radio-Frequency-Exfiltration/
  8. Leaksource ANT product page howlermonkey https://leaksource.files.wordpress.com/2013/12/nsa-ant-howlermonkey.jpg
  9. HOWLERMONKEY: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/howlermonkey_ns.html
  10. Leaksource ANT product page ragemaster https://leaksource.files.wordpress.com/2013/12/nsa-ant-howlermonkey.jpg
  11. RAGEMASTER: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/03/ragemaster_nsa.html
  12. Leaksource ANT product page loudauto https://leaksource.files.wordpress.com/2013/12/nsa-ant-howlermonkey.jpg
  13. LOUDAUTO: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/loudauto_nsa_ex.html
  14. Leaksource ANT product page surleyspawn http://leaksource.files.wordpress.com/2013/12/nsa-ant-surlyspawn.jpg
  15. SURLYSPAWN: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/02/surlyspawn_nsa.html
  16. Leaksource ANT product page DEITYBOUNCE https://leaksource.files.wordpress.com/2013/12/nsa-ant-deitybounce.jpg?w=1208&h=1562
  17. DEITYBOUNCE: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
  18. Leaksource ANT product page SWAP https://leaksource.files.wordpress.com/2013/12/nsa-ant-swap.jpg
  19. SWAP: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/02/swap_nsa_exploi.html
  20. Leaksource ANT product page HEADWATER https://leaksource.files.wordpress.com/2013/12/nsa-ant-headwater.jpg
  21. HEADWATER: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/headwater_nsa_e.html
  22. Leaksource ANT product page SIERRAMONTANA https://leaksource.files.wordpress.com/2013/12/nsa-ant-sierramontana.jpg
  23. SIERRAMONTANA: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/sierramontana_n.html
  24. Leaksource ANT product page JETPLOW https://leaksource.files.wordpress.com/2013/12/nsa-ant-jetplow.jpg
  25. JETPLOW: NSA Exploit of the Day https://www.schneier.com/blog/archives/2014/01/jetplow_nsa_exp.html