This is very cool. It would be awesome if the site itself had a bit more functionality to grow in future. Rather than being static, it could be linked to other media articles, discussions, etc. For example, new stuff found by an XYZ antivirus vendor could then be linked to and discussed against the original source documents. Similarly, declassified patents, data found on LinkedIn about the people who operated these systems, other leaks and suspicions could be incorporated.
Only the government can declassify a document, even if it's available through other means. These are still classified documents, you should at minimum treat them with respect.
rdtsc | 10 years ago
---
(TS//SI//REL FVEY) We have discovered a way that may be able to remotely brick network cards. We need someone to perform research and develop a deployable tool.
---
(TS//SI//REL) Currently CASTLECRASHER is the only production quality Windows execution technique that Payload Persistence techniques have. Another mechanism to execute DNT payloads is needed. Most pre-boot Persistence techniques only have the ability to influence an OS through modifications to the target file system. Work needs to be done to investigate other ways to get execution inside of Windows.
---
(TS//SI//REL) BERSERKR is a persistent backdoor that is implanted into the BIOS and runs from SMM. Although the core of the code is stable, there are always new requirements against which to develop. This includes new network interface card parasitic drivers as well as applications.
---
(TS//SI//REL) GOPHERRAGE is the Persistence Division's pilot program to apply industry best practices and agile development processes to internal projects. To this end, the project is managed via the Scrum process. Test Driven Development (TDD) practices are used as well in an effort to reduce code defects. The project also is looking to incorporate ideas from DNT such as their SCube build environment.
[Aha, so it is top secret that NSA is using TDD and Scrum. I find that kind of funny]
---
(TS//SI//REL) TORNSTEAK is a persistence solution for two firewall devices from a particular vendor. We need to port TORNSTEAK from the existing two firewalls to several more from the same vendor.
---
jhallenworld | 10 years ago
Yeah, that sucks. The BIOS is never out of the picture thanks to the SMM. Intel should find an alternative solution for the minor functions provided by the SMM (APM, thermal management, etc.).
Also from wiki: "Due to this fact, it is a target for malicious rootkits to reside in,[10][11][12] including NSA's "implants"[13] which have individual code names for specific hardware, like SOUFFLETROUGH for Juniper Networks firewalls,[14] SCHOOLMONTANA for J-series routers of the same company,[15] DEITYBOUNCE for DELL,[16] or IRONCHEF for HP Proliant servers."
And using the TPM may not help you:
>TPM Vulnerabilities to Power Analysis and An Exposed Exploit to Bitlocker
"The ability to obtain a private TPM key not only provides access to TPM-encrypted data, but also enables us to circumvent the root-of-trust system by modifying expected digest values in sealed data. We will describe a case study in which modifications to Microsoft's Bitlocker encrypted metadata prevents software-level detection of changes to the BIOS"
Though it sounds like they need physical access to do this.
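An added illustration of the root-of-trust bypass the quoted abstract describes (editor's example; not code from the page, from the paper quoted above, or from any NSA document). PCR0 is extended with each firmware component, the expected PCR0 is sealed under a TPM-resident key, and unsealing succeeds only when the measured value matches. The firmware images, the HMAC-based sealing and the key handling are stand-ins for a real TPM's sealed objects and are assumptions of this example; the point is the last case, where an attacker who has extracted the key (the paper's power-analysis scenario) simply re-seals the digest of the implanted BIOS and the change is no longer detected.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-ins for the firmware volumes measured into PCR0 at boot.
FIRMWARE_OK = [b"SEC+PEI core v1.0", b"DXE core v1.0", b"SMM handlers v1.0"]
FIRMWARE_IMPLANTED = [b"SEC+PEI core v1.0", b"DXE core v1.0", b"SMM handlers v1.0 + implant"]

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR bank starts zeroed at reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || H(measurement)).
    Extends are one-way and order-dependent, so any changed component changes PCR0."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Extend PCR0 with every firmware component in boot order."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(expected_pcr0: bytes, tpm_key: bytes) -> dict:
    """Sealed blob: the expected PCR0 authenticated under a TPM-resident key.
    Assumption: an HMAC stands in for the TPM's own protection of sealed objects."""
    policy = {"pcr0": expected_pcr0.hex()}
    body = json.dumps(policy, sort_keys=True).encode()
    return {"policy": policy, "mac": hmac.new(tpm_key, body, hashlib.sha256).hexdigest()}


def unseal_ok(blob: dict, measured_pcr0: bytes, tpm_key: bytes) -> bool:
    """Release only if the blob is authentic and the measured PCR0 matches it."""
    body = json.dumps(blob["policy"], sort_keys=True).encode()
    expected_mac = hmac.new(tpm_key, body, hashlib.sha256).hexdigest()
    authentic = hmac.compare_digest(blob["mac"], expected_mac)
    return authentic and hmac.compare_digest(blob["policy"]["pcr0"], measured_pcr0.hex())


def scenario() -> dict:
    """Four verifier outcomes: clean boot, implanted BIOS, implanted BIOS with a forged
    policy but no key, and implanted BIOS re-sealed by an attacker who holds the key."""
    tpm_key = os.urandom(32)  # never leaves the TPM, unless extracted by a side channel
    blob = seal(measure_boot(FIRMWARE_OK), tpm_key)
    implanted_pcr0 = measure_boot(FIRMWARE_IMPLANTED)

    # Editing the expected digest without the key breaks the MAC.
    forged = dict(blob, policy={"pcr0": implanted_pcr0.hex()})
    # With the key, the attacker re-seals instead of forging.
    resealed = seal(implanted_pcr0, tpm_key)

    return {
        "clean": unseal_ok(blob, measure_boot(FIRMWARE_OK), tpm_key),
        "implanted": unseal_ok(blob, implanted_pcr0, tpm_key),
        "forged_no_key": unseal_ok(forged, implanted_pcr0, tpm_key),
        "forged_with_key": unseal_ok(resealed, implanted_pcr0, tpm_key),
    }


if __name__ == "__main__":
    for case, released in scenario().items():
        print(f"{case:16s} secret released: {released}")
```

Measured boot does what it should in the second and third cases; it is the fourth case that the quoted paper is about, and no amount of extra PCRs helps once the sealing key is known. The practical mitigation is keeping the key unextractable (side-channel-resistant TPM, or a firmware integrity check that does not rely on a digest the local platform stores), not a cleverer verifier.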
vezzy-fnord | 10 years ago
Apparently codenamed PASSIONATEPOLKA. Given the vagueness, I have a feeling it might be some remote form of rfkill(8) instead.
voltagex_ | 10 years ago
https://bugzilla.kernel.org/show_bug.cgi?id=11382 perhaps?
bitmapbrother | 10 years ago
July 31, 2012
Microsoft (MS) began encrypting web-based chat with the introduction of the new outlook.com service. This new Secure Socket Layer (SSL) encryption effectively cut off collection of the new service for FAA 702 and likely 12333 (to some degree) for the Intelligence Community (IC). MS, working with the FBI, developed a surveillance capability to deal with the new SSL. These solutions were successfully tested and went live 12 Dec 2012.
March 7, 2014
PRISM now collects Microsoft Skydrive data as part of PRISM'S standard Stored Communications collection package for a tasked FISA Amendments Act Section 702 (FAA702) selector. This means that analysts will no longer have to make a special request to SSO for this - a process step that many analysts may not have known about. This new capability will result in a much more complete and timely collection response from SSO for our Enterprise customers. This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established. SkyDrive is a cloud service that allows users to store and access their files on a variety of devices.
March 15, 2013
SSO's PRISM program began tasking all Microsoft PRISM selectors to Skype because Skype allows users to log in using account identifiers in addition to Skype usernames. Until now, PRISM would not collect any Skype data when a user logged in using anything other than the Skype username which resulted in missing collection; this action will mitigate that. In fact, a user can create a Skype account using any e-mail address with any domain in the world. UTT does not currently allow analysts to task these non-Microsoft e-mail addresses to PRISM, however,
ionised | 10 years ago
And there it is. They claim ignorance of NSA data tapping of their servers but are in fact entirely complicit, as we suspected.
errtnsd | 10 years ago
How long until Windows OS is going to be monitored?
linkregister | 10 years ago
What was the name of this doc? There is some date incongruity here, unless Ed got his old job back.
zxcvcxz | 10 years ago
• (TS//SI//REL) SODAPRESSED - Linux application persistence. Given a running installation of Linux, install some application or inject something into memory which will. This currently works on certain versions of Linux without SELinux enabled. [1]
Does anyone know what exploit this refers to?
[1] https://search.edwardsnowden.com/docs/S3285InternProjects201...
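The SODAPRESSED line describes installing an application or injecting something into memory on a running Linux host without SELinux. The document does not say what the technique was, but the in-memory half leaves a footprint a defender can look for. What follows is an added example (editor's code, not from the page or from any cited document): it parses `/proc/<pid>/maps` and flags executable regions with no file behind them, regions that are both writable and executable, and executable regions whose backing file has been unlinked. The sample maps text is constructed; on a live host replace it with the contents of `/proc/<pid>/maps` for the process under review.

```python
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Pseudo-mappings the kernel itself provides as anonymous executable regions.
KNOWN_ANON_EXEC = {"[vdso]", "[vsyscall]"}

# Constructed sample: an sshd process with a few injected/odd regions mixed in.
SAMPLE_MAPS = """\
55d4c2a00000-55d4c2a01000 r--p 00000000 fd:01 1310734 /usr/sbin/sshd
55d4c2a01000-55d4c2a90000 r-xp 00001000 fd:01 1310734 /usr/sbin/sshd
7f1a3c000000-7f1a3c021000 rw-p 00000000 00:00 0
7f1a3c021000-7f1a3c022000 rwxp 00000000 00:00 0
7f1a3c400000-7f1a3c41a000 r-xp 00000000 fd:01 1310799 /tmp/.x/libpreload.so (deleted)
7f1a3c600000-7f1a3c601000 r-xp 00000000 00:00 0
7ffd1e3f0000-7ffd1e411000 rw-p 00000000 00:00 0 [stack]
7ffd1e4c0000-7ffd1e4c2000 r-xp 00000000 00:00 0 [vdso]
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def anonymous(self) -> bool:
        # No inode and no filesystem path: nothing on disk backs this region.
        return self.inode == 0 and not self.path.startswith("/")

    @property
    def deleted_backing(self) -> bool:
        return self.path.endswith("(deleted)")


def parse_maps(text: str) -> list:
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            maps.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], int(m["inode"]), m["path"].strip()))
    return maps


def suspicious_mappings(maps) -> list:
    """Executable regions that look injected rather than loaded by the dynamic
    linker: writable+executable, anonymous executable, or executable with an
    unlinked backing file (library dropped, dlopen'ed, then deleted)."""
    findings = []
    for m in maps:
        if not m.executable or m.path in KNOWN_ANON_EXEC:
            continue
        if m.writable:
            findings.append(("rwx", m))
        elif m.anonymous:
            findings.append(("anon-exec", m))
        elif m.deleted_backing:
            findings.append(("deleted-exec", m))
    return findings


def scan(maps_text: str) -> list:
    """Return (kind, start address, path) for each suspicious executable mapping."""
    return [(kind, f"{m.start:x}", m.path) for kind, m in suspicious_mappings(parse_maps(maps_text))]


if __name__ == "__main__":
    for kind, start, path in scan(SAMPLE_MAPS):
        print(f"{kind:13s} {start} {path}")
```

Treat the output as a triage list, not a verdict: JIT runtimes (browsers, the JVM, some interpreters) legitimately create anonymous executable and even rwx regions, so baseline per binary before alerting. The `(deleted)` case is the one with almost no benign explanation for a long-running daemon.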
therein | 10 years ago
That sounds like a great internship. I thought I had cool projects when I was interning in Silicon Valley.
Noctem | 10 years ago
I'm most excited about the collection of documents in their GitHub repo. I've casually tried to build my own collection, but most media organizations aren't very good about consistently providing the source documents in an easily downloadable format.
https://github.com/transparencytoolkit/nsa-data
robwormald | 10 years ago
This reads like a reddit or HN post.
"Yeah, that pretty much makes sense, but how are you 'just gonna get CNE access' on an admin?"
(S/SI//REL) Good question, thanks for asking. Most of the time I'm going to rely on QUANTUM to get access to their account (yeah, you could try spam, but people have been getting smarter over the last 5-10 years... it's not as reliable anymore). So, in order to work our QUANTUM-magic on an admin, we'll need some sort of webmail/facebook selector for them.
"You know, you could just look up the 'point of contact' in the registry information associated with their IP space/domain names..."
(S/SI//REL) Yeah, you could do that. Personally, I haven't had a huge amount of luck with it, because most of the time I end up running across their *official* e-mail address that's hosted on their own network. That's generally not a recipe for success in the QUANTUM world; what we'd really like is a personal webmail or facebook account to target. There's a couple ways you could try this: dumpster-dive for alternate selectors in the big SIGINT trash can, or pull out your wicked Google-fu to see if they've posted on any forums and list both their official and non-official e-mails in a signature block...but what if there was another way to do it?
(S/SI//REL) If a target that I care about is on a network that I don't have access to, in this post I described that I will try to get access to that network by targeting the sys admin. In order to target the sys admin, it's easiest if I know what their personal webmail/facebook username is so that I can target it with QUANTUM. The hardest part is identifying that admin's personal account to target in the first place.
Now, fade off with me into dream-land. Pretend that we had some master list. This master list contained tons of networks around the world, and the personal accounts of admins for each of those networks. And any time you wanted to target a new network, you could just find the admin associated with it, queue his accounts up for QUANTUM, get access to his box and proceed to pwn the network. Wouldn't that be swell?
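The targeting chain in the quoted post starts from a network's registration point of contact and then hunts for a personal webmail or social account for the same admin, because that is what the author can reach. An added example (editor's code, not from the page or from any NSA document) turns that into a self-audit for the defending side: it parses WHOIS-style contact output (a constructed sample) and flags contacts on a personal webmail domain, contacts on any domain the organisation does not own, and any one person listed under both an official and a personal address, which is exactly the "signature block" linkage the post goes looking for. The webmail domain list and the field layout are assumptions; extend both for the registries you actually query.

```python
import re

# Assumption: common personal webmail providers. Extend for your environment.
WEBMAIL_DOMAINS = frozenset({"gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
                             "protonmail.com", "mail.ru", "qq.com", "163.com"})

# Constructed WHOIS-style output in the common "<Role> <Field>: value" layout.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-ISP.NET
Registrant Organization: Example ISP
Registrant Email: hostmaster@example-isp.net
Admin Name: J. Admin
Admin Email: jadmin@example-isp.net
Tech Name: J. Admin
Tech Email: j.admin.ops@gmail.com
Abuse Contact Email: abuse@example-isp.net
"""

# "<Role> Name:" / "<Role> Email:" lines; other fields are ignored.
FIELD = re.compile(r"^(?P<role>[A-Za-z ]+?)\s+(?P<field>Name|Email):\s*(?P<value>.+?)\s*$", re.I)


def parse_contacts(text: str) -> dict:
    """Group Name/Email fields by role: {'admin': {'name': ..., 'email': ...}, ...}."""
    roles = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        role = m["role"].strip().lower()
        if role == "domain":  # "Domain Name:" is the object, not a contact
            continue
        roles.setdefault(role, {})[m["field"].lower()] = m["value"]
    return roles


def audit_contacts(text: str, org_domains) -> list:
    """Flag personal-webmail selectors, addresses outside the organisation's own
    domains, and any one person reachable at both an official and a personal address."""
    org_domains = {d.lower() for d in org_domains}
    findings, domains_by_name = [], {}
    for role, fields in parse_contacts(text).items():
        addr = fields.get("email", "").lower()
        if "@" not in addr:
            continue
        domain = addr.rpartition("@")[2]
        if domain in WEBMAIL_DOMAINS:
            findings.append((role, addr, "personal-webmail"))
        elif domain not in org_domains:
            findings.append((role, addr, "third-party-domain"))
        if "name" in fields:
            domains_by_name.setdefault(fields["name"], set()).add(domain)
    # The linkage the post wants: same named person, official and personal address.
    for name, domains in domains_by_name.items():
        if domains & org_domains and domains & WEBMAIL_DOMAINS:
            findings.append(("link", name, "official-and-personal"))
    return findings


if __name__ == "__main__":
    for finding in audit_contacts(SAMPLE_WHOIS, {"example-isp.net"}):
        print(finding)
```

The fix on the defending side is boring: role accounts (hostmaster@, noc@) on the organisation's own domain for every registry contact, and no named individuals in public registration data at all. Registries other than the one in the sample print contacts differently (RDAP returns JSON, RIRs use `person:`/`role:` objects), so the parser is the part to swap out, not the checks.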
unreal37 | 10 years ago
Yes, I'm reading this too. Very interesting. Earlier in the doc, he says:
"...our ability to pull bits out of random places of the Internet, bring them back to the mother-base to evaluate and build intelligence off of is just plain awesome!
(S/SI//REL) One of the coolest things about it is how much data we have at our fingertips. If we only collected the data we knew we wanted...yeah, we'd fill some of our requirements, but this is a whole world of possibilities we'd be missing! It would be like going on a road-trip, but wearing a blindfold the entire time, and only removing it when you're at one of your destinations...yeah, you'll still see stuff, but you'll be missing out on the entire journey!"
They really do have a different view of privacy. Only being given what you're specifically seeking is like going on a trip with a blindfold on! Well, yes, yes it is!
jhallenworld | 10 years ago
As previously reported, the BULLRUN document is very interesting. One line stands out to me:
"Cryptanalytic capabilities
- Are extremely difficult and costly to acquire
- Require a long lead time"
There is a tie-in with the export law. Look at 740.17:
"(B) Other technology. Encryption technology classified under ECCN 5E002 except technology for “cryptanalytic items,” “non-standard cryptography” or any “open cryptographic interface,” to any non-“government end-user” located in a country not listed in Country Group D:1 or E:1 of Supplement No. 1 to part 740 of the EAR."
They do not like "non-standard cryptography." I take from this that while it is true that well known algorithms are the safest in terms of receiving the most scrutiny, new less scrutinized algorithms may still offer a practical defense.
madez | 10 years ago
Of course they don't like unknown cryptography. It easily makes automatic decryption impossible. That means that the NSA needed scarce expert time for each custom-secured communication. No agency in the world has the resources to pull that off for many connections. That is the reason why they love Google and Facebook, and why I stay away from these services.
But here on HN, many folks like their mantra of "security by obscurity is bad" too much. Personally, I think many of those who repeat that didn't think for themselves.
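A worked illustration of the scrutiny point conceded two comments up (well-known algorithms are the ones that have received the most review), added here by the editor; it is not taken from the page, the BULLRUN document or the EAR text. The cipher is a constructed homebrew design, repeating-key XOR, chosen as the archetype of an unreviewed "non-standard" scheme, and the break is ciphertext-only and fully automated: once written, it costs no analyst time per message. The plaintext, the key and the scoring table are constructed for the demonstration.

```python
# Letters and the space that dominate English text; used to score candidate plaintexts.
COMMON = frozenset(b"etaoinshrdlu ")


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(buf: bytes) -> int:
    """Crude plaintext likelihood: common letters and space score high, other printable
    ASCII low, control bytes (other than tab/CR/LF) negative. No dictionary needed."""
    score = 0
    for b in buf:
        c = b | 0x20 if 65 <= b <= 90 else b  # fold upper case to lower
        if c in COMMON:
            score += 3
        elif 32 <= b < 127 or b in (9, 10, 13):
            score += 1
        else:
            score -= 10
    return score


def best_single_byte_key(column: bytes) -> int:
    """Try all 256 key bytes on one key-position column; keep the most English-looking."""
    return max(range(256), key=lambda k: english_score(bytes(b ^ k for b in column)))


def recover_key(ct: bytes, max_keysize: int = 12) -> bytes:
    """Ciphertext-only key recovery. For each candidate key length, every column
    (bytes encrypted under the same key byte) is solved independently; the shortest
    key length whose full decryption scores highest wins."""
    best_key, best_score = b"", None
    for ks in range(1, max_keysize + 1):
        key = bytes(best_single_byte_key(ct[i::ks]) for i in range(ks))
        score = english_score(xor_cipher(ct, key))
        if best_score is None or score > best_score:
            best_key, best_score = key, score
    return best_key


# Constructed plaintext and key for the demonstration (any English text of a few
# hundred bytes behaves the same; the key is 7 random-looking bytes).
PLAINTEXT = (
    b"The point of publishing a cipher design is that other people get to look for "
    b"the mistakes before an adversary does. A secret algorithm that only its authors "
    b"have seen receives none of that review, and once it is fielded the traffic it "
    b"protects is only as strong as the one idea nobody outside the team has tried "
    b"to break. The designs that were eventually examined in public tended to fall "
    b"quickly, and the ones that were never examined gave their owners nothing but "
    b"a feeling of safety. Automated attacks do not need an analyst in the loop; "
    b"they need a weakness that a program can search for, and a short repeating key "
    b"is exactly that kind of weakness."
)
KEY = bytes.fromhex("4f1ca39be0772d")


def demo():
    """Encrypt with the secret key, then recover key and plaintext from ciphertext alone."""
    ct = xor_cipher(PLAINTEXT, KEY)
    key = recover_key(ct)
    return key, xor_cipher(ct, key)


if __name__ == "__main__":
    key, pt = demo()
    print("recovered key:", key.hex(), "correct:", key == KEY)
    print(pt[:60].decode())
```

The search is 256 guesses per key byte plus a scoring pass per key length, which is why "non-standard" is not the same thing as "cannot be processed in bulk": the cost of writing the break is paid once, and a design nobody reviewed is the one most likely to have a flaw this cheap. That is the scrutiny argument in one function, and it is independent of whether the attacker is a government.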
butler14 | 10 years ago
'selectors' instead of 'attributes', 'targets' instead of 'users/audiences'... and both are terrible at using PowerPoint
the spies just have a great deal more (illegally obtained) data to play with.
jackgavigan | 10 years ago
Interestingly, this collection of documents doesn't seem to include the list of targeted IP addresses in Hong Kong and China that he handed over to the South China Morning Post when he was in Hong Kong[1].
1: http://www.scmp.com/news/hong-kong/article/1260306/edward-sn...
colinbartlett | 10 years ago
Curious about the legalities of downloading these materials. (Not that it's going to stop me.)
Are they technically still "classified"? Or have they been declassified? I remember hearing threats of prosecuting NSA folks who had these materials and weren't supposed to, even though they were already released.
rdl | 10 years ago
The United States does not have an Official Secrets Act (the UK does).
Outside of the Intelligence Identities Protection Act of 1982, if you were never granted a clearance or read in to specific programs (you'd know; you have to sign an NDA and such), you have no obligation to keep classified information secret. Arguably if you gave information/support/etc. to enemies of the US, it might be treason, but there's no need for that information to be classified in the first place for it to be treason.
If you have had a clearance, even for unrelated stuff, you don't want to touch these -- it can be a violation of your NDA for the other materials.
I am not a lawyer; I am not your lawyer; this is not legal advice.
engi_nerd | 10 years ago
Just because something is public or leaked does not automatically make it declassified. This material is still classified until officially declassified by appropriate classification authorities. Persons with a US security clearance should avoid viewing this material. I don't know what the NSA is telling its people. When I was a fed, before the Snowden leaks, we were already warned about not visiting Wikileaks, and to avoid viewing classified material outside of the proper facilities established for doing so (that meant the internet, for one).
Of course, if the government had its way, no one would view this material. But that's another discussion.
taftster | 10 years ago
IANAL: Not unlike copyrighted material, if you are found to be distributing classified documents, you are definitely at more risk for prosecution. Holding classified documents in your personal possession, however, is unlikely to give any real grounds for prosecution.
Read the documents, be informed as to what they mean, then act on them through legal means -- in the voting booth or through the courts.
Animats | 10 years ago
Some of this looks fake. I've been reading through the documents, and there's little or no detail there that indicates any inside information. It's mostly plausible management-level PowerPoint presentations.
Some not so plausible. The picture of a "network operations center"[1] is actually a power station control room; the picture was lifted from a site for industrial generating plants.[2] That presentation is supposedly by "Head of GCHQ NAC", but whoever picked that picture has never been in a network operations center.
Also, some of the "classified codewords" seem related to the subject matter. Real NSA codewords are chosen randomly, to avoid that.
[1] https://search.edwardsnowden.com/docs/AutomatedNOCDetection2...
[2] http://www.pgsicorp.com/industrial-generators.html
omeid2 | 10 years ago
Did you expect a real NSA Network Operations photo in a presentation? Would that add any credibility?
simoncion | 10 years ago
> [S]ome of the "classified codewords" seem related to the subject matter.
1) I'm aware of not-really-important projects that have an obvious connection between their code words and the thing described by the code word.
2) Many, but not all, projects have randomly generated names. It's really up to the discretion of the -for lack of a better term- project manager and his supervisor whether they use the random name or a more evocative one. DESERT SHIELD and DESERT STORM were two high-profile classified projects from the early 1990s whose names were not randomly generated.