
How the NSA Plans to Infect “Millions” of Computers with Malware - uptown
https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/
======
r0h1n
After a while all these news items about the NSA and GCHQ can seem a bit too
much, but not if we take a step back and _really_ understand the enormity of
it all.

The NSA and its cohorts set up fake Facebook websites, spoof security
certificates, secretly record webcam streams, vacuum up everything they can
lay their hands on etc.

Meanwhile the CIA coolly wipes hundreds of documents from the machines of
those who are investigating it, and when caught, threaten their overseers with
criminal charges.

Given the scale of their operations, tens of billions of dollars in budgets
and how many years they've been at it (this article essentially talks about
what the NSA was doing _in 2009_ ), is it now futile to think that govt.
agencies around the world can _ever_ be expected to turn the clock back?

I mean, really, is there _any possible reality_ that involves the NSA/GCHQ
deleting the mountains of data they have surreptitiously recorded? And
unplugging or reversing the hundreds of traps, backdoors, viruses, intercepts,
decoys that are aimed at common citizens?

~~~
bananas
Yes, it's called a revolution, at which point we storm the bases and burn the
data centres and monitoring stations to the ground.

But, as Huxley was so keen to point out, that's not going to happen when
people are staring at Honey Boo Boo and Hollyoaks.

~~~
JulianMorrison
Revolution is a tool of limited usefulness, and violent ones very often put
something back in that is just as bad as what they ejected (see also: the
KGB).

~~~
bananas
It's more complicated than that.

    
    
       ----->[ good times ]---->[ hard times ] ---> [fascism] --\
          ^                                                     |
          \-------------------[revolution] <--------------------/
    

Revolution merely starts the cycle again. We'll always end up with the KGB,
Stasi, NSA, GCHQ, CIA etc so you have to deconstruct society regularly to
flush it out.

We're stuck in a pretty long loop at the moment just verging on hard times.

Edit: the "good times" above is optional.

~~~
sillysaurus3
Luckily, our founding fathers built in a way to achieve the same effects as a
revolution without any violence.

If you were to start an armed insurrection, the government would be totally
justified in ending you. Not a smart decision given today's level of
technology. It was through sheer luck that the American revolution worked at
all: the British commanders were so incredibly incompetent that they
checkmated themselves.

~~~
CodeMage
Hasn't there been enough evidence that the system the founding fathers built
in has been compromised to the point of irrelevance?

What you have today is an illusion of the freedom and the "equal and impartial
justice under the law".

[http://www.popehat.com/2013/12/23/burn-the-fucking-system-to-the-ground/](http://www.popehat.com/2013/12/23/burn-the-fucking-system-to-the-ground/)

~~~
a3n
You're probably right. I think the Feinstein/CIA spying episode currently
unfolding shows that the intelligence services have flipped the fuckit bit,
and they don't even try to make it look like they're subject to Congressional
oversight. They do still _say_ they're subject, which I guess is something;
they just don't try hard anymore to hide what they _do_.

~~~
whatevsbro
> They do still say they're subject, which I guess is something

Nope, it's meaningless. What else are they going to say?

_"It's exactly what it looks like! We just don't give a fuck about you or
your rights, and in fact, we're an important part of the police state
springing up all around you. When you're thinking of rebelling, remember we
know where you live, where you are, and pretty much everything else about you!
Stay in line, peasant!"_

That would be fairly accurate, but they're not going to say it. Doesn't the
propaganda just keep going anyway, even in North Korea?

------
higherpurpose
Remember, Microsoft is part of this plot, even if they have "plausible
deniability". Microsoft is giving NSA access to lists of vulnerabilities
Windows has many months before Microsoft even begins to work on a fix. They
are in effect helping NSA break into many computers, even if they are up to
date.

[http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html](http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html)

Every single one of these vulnerabilities could be seen as a backdoor, except
Microsoft can have plausible deniability, since they are not actually
_putting_ a backdoor in the OS themselves - they're "just telling NSA about
the vulnerabilities that exist".

If something like CISPA passes, which NSA keeps pushing for, this capability
will expand dramatically, as all companies will be forced to give these
vulnerabilities to NSA, but not to "protect us" and for cyber "security", as
they keep claiming when they try to promote laws like these, but for
_offense_. They will hoard every single one of them, and then use them in such
automated systems to infect millions of computers.

~~~
Fuxy
And this is why I'm glad my main OS is Linux.

Not impossible for NSA to get in but a lot more difficult.

~~~
logn
I seriously doubt Linux presents a challenge for them. Think about all the web
servers that are Linux; you think they don't have an army of experts that can
pwn those OSes?

~~~
Crito
> _Think about all the web servers that are Linux_

None, unless you install them and activate them? What sort of desktop distro
comes with pre-configured webservers?

~~~
sentenza
I think you misunderstood the GP. He means that the internet runs on linux, so
the OS is a high-value target. Thus, it is reasonable to assume that the
intelligence agencies have collected some as-of-now-unknown-to-the-public
vulnerabilities for libraries that are typically used with Linux.

------
logn
The NSA, breaking into US computers, is violating the Third Amendment, in my
opinion.

 _No Soldier shall, in time of peace be quartered in any house, without the
consent of the Owner, nor in time of war, but in a manner to be prescribed by
law._

~~~
diydsp
Interesting angle.

Perhaps if research were to show that "soldier" could be more broadly
interpreted to mean "agent of security," you could really get some momentum
going for this line of thought. After all, we aren't required to keep other
pieces of security enforcement in our homes, such as turrets on the roof
controlled by the government.

Keep it up.

~~~
rurounijones
There is a "War on terror" going on, as governments are very keen to point out
all the time.

Who fights wars on behalf of their governments...

OK, the reasoning is a bit simplistic and technically inaccurate depending on your
definition of "war" (Congress approved etc.), but I do like hoisting by my own
petard.

------
oskarth
_An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take
over a targeted computer’s microphone and record conversations taking place
near the device. Another, GUMFISH, can covertly take over a computer’s webcam
and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories
and collects login details and passwords used to access websites and email
accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data
from removable flash drives that connect to an infected computer._

Will all the conspiracy theorists come out of the woodwork, please. We need
your help.

~~~
saraid216
Hi. My conspiracy theory is that Satoshi Nakamoto is the NSA.

You're welcome.

~~~
oskarth
Hi, Michael. Both of us are now in a labelled graph database of identities,
where the label signifies how strong the connection is. Right now it's 2/10,
but by responding to you it's now 3/10. And if you (yes, you) are reading
this comment, assume that you just got a 1/10 label to me [1].

You're welcome.

1: More efficient representations probably exist. Maybe we are all uniquely
indexed in some database cluster in Utah. I'd call it BACON-BINLADIN.

------
aspensmonster
That's strange. If ever I tried to build a botnet with millions of nodes I'd
surely be thrown in prison for years at least. Probably decades. But if I've
learned anything in my short time on this planet, it's to always commit your
crimes behind the corporate or government veils. Preferably both.

Edit:

[https://prod01-cdn02.cdn.firstlook.org/wp-uploads/2014/03/hammer-vpn.jpg](https://prod01-cdn02.cdn.firstlook.org/wp-uploads/2014/03/hammer-vpn.jpg)

Mirror: [http://i.imgur.com/JbLqxAY.jpg](http://i.imgur.com/JbLqxAY.jpg)

Fuckin' hell. I think we can consider the internet more than owned. More like
bent over and pounded.

------
josephlord
> GCHQ cooperated with the hacking attacks despite having reservations about
> their legality. One of the Snowden files, previously disclosed by Swedish
> broadcaster SVT, revealed that as recently as April 2013, GCHQ was
> apparently reluctant to get involved in deploying the QUANTUM malware due to
> “legal/policy restrictions.” A representative from a unit of the British
> surveillance agency, meeting with an obscure telecommunications standards
> committee in 2010, separately voiced concerns that performing “active”
> hacking attacks for surveillance “may be illegal” under British law.

Wow, finally a limit on what GCHQ thinks that they are allowed to do! Now can
the NSA be prosecuted for these actions when done in the UK? #notgonnahappen

------
aasarava
At some point, laptops, displays, and handheld devices started carrying built-
in microphones and cameras as a feature. Perhaps the new feature is devices
that don't have these things? To use a mic or camera, you'd explicitly have to
plug it in and could physically unplug it later.

~~~
hrkristian
Better, then, to have hardware switches similar to the iPhone lock switch.

I'd welcome that in general! Make the switch open up the camera app directly,
and a similar one for the mics; binding it to your phone or recording app,
depending on what you prefer.

Make each switch an LED which (if they are) signals the ON state as the screen is
turned on or off.

Edit: An incoming call screen would have to reflect the mic being off, in
which case flicking the switch would accept the call.

------
snake_plissken
Through all of the news articles and the analyses I have read, I still don't
understand how exactly all of this works. I understand the MITM concept, but
the Man-On-The-Side parts boggle me:

"When a target attempts to log in to the social media site, the NSA transmits
malicious data packets that trick the target’s computer into thinking they are
being sent from the real Facebook. By concealing its malware within what looks
like an ordinary Facebook page, the NSA is able to hack into the targeted
computer and covertly siphon out data from its hard drive."

Where is the security hole? My network card? OS? Browser? But then there are
so many layers in there. Is it a specially malformed ICMP packet? Or is it a
vulnerability in the OS's RPC functions? It's one thing to exploit a
vulnerability in Java or Flash, but just using "malicious packets"?

~~~
Consultant32452
It seems to me that they are sending out packets identifying themselves as
Facebook. If you're not using SSL this is expected to be possible. If you are
using SSL to communicate with FB then it's likely that the NSA has the private
keys for FB's SSL certificates.

~~~
ds9
Right, I think this is referring to a technique described in some of the
earlier info releases, where the agency intercepts requests and sends a fake
response before the real one arrives, ditching the real response. I'm not
clear on the details; it may rely on spoofing the server's IP, falsifying DNS
replies and/or manipulating data in transit.

What interests me more, and what the above poster may be asking about is this
part: "By concealing its malware within what looks like an ordinary Facebook
page, the NSA is able to hack into the targeted computer".

This implies a true drive-by exploit - one not requiring any user interaction.
Most of the Windows malware is actually installed by the user - they're
tricked into clicking something, thinking it's anti-virus, funny video,
"accelerate your internet" or some other innocuous thing. The no-user-action
exploits generally have been workable only for plugins, particularly Flash or
Java, which the user has allowed to run without any filters.
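
The race ds9 describes above (a fake response arriving before the real one) leaves a trace a passive sensor near the client can look for: two TCP segments in the same flow claim the same sequence range but carry different bytes, and the injected one often shows a different IP TTL than the genuine server. The following is an added example, not code from this thread, the article or any agency tool; it assumes a simplified, constructed capture format rather than real pcap parsing and is written from the detection side only.

```python
"""Flag overlapping TCP segments whose overlapping bytes disagree.

Added example for the "fake response wins the race" technique discussed in
the thread. A benign retransmission repeats the same bytes; a racing injector
produces a segment that overlaps the genuine one but differs in content.
The capture below is constructed for illustration; the Segment type and the
flow tuple are assumptions, not a real pcap library.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One observed TCP segment (constructed representation)."""
    flow: tuple          # (src_ip, src_port, dst_ip, dst_port), server -> client
    seq: int             # TCP sequence number of the first payload byte
    payload: bytes
    ttl: int             # IP TTL as seen by the sensor


def overlapping_conflicts(segments):
    """Return (earlier, later) pairs whose sequence ranges overlap and whose
    bytes in the overlapping region differ. Identical overlaps (plain
    retransmissions) are not reported."""
    by_flow = defaultdict(list)
    for seg in segments:
        by_flow[seg.flow].append(seg)

    alerts = []
    for segs in by_flow.values():
        # Stable sort keeps arrival order for segments with the same seq,
        # so the first element of a reported pair is the one that arrived first.
        segs = sorted(segs, key=lambda s: s.seq)
        for i, a in enumerate(segs):
            a_end = a.seq + len(a.payload)
            for b in segs[i + 1:]:
                if b.seq >= a_end:
                    break  # sorted by seq, nothing further can overlap a
                start = max(a.seq, b.seq)
                end = min(a_end, b.seq + len(b.payload))
                if end <= start:
                    continue
                if a.payload[start - a.seq:end - a.seq] != b.payload[start - b.seq:end - b.seq]:
                    alerts.append((a, b))
    return alerts


def describe(alert):
    """Human-readable summary of one conflicting pair, noting a TTL mismatch
    (a second, independent hint that the two segments had different origins)."""
    a, b = alert
    ttl_note = "TTL differs" if a.ttl != b.ttl else "TTL identical"
    return f"flow {a.flow}: conflicting payloads at seq {max(a.seq, b.seq)} ({ttl_note}: {a.ttl} vs {b.ttl})"


# Constructed sample capture: one flow from a web server to a client.
FLOW = ("203.0.113.10", 80, "192.0.2.25", 51234)
SAMPLE_CAPTURE = [
    # Arrives first: a response claiming seq 1000, from a different path (TTL 49).
    Segment(FLOW, 1000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>injected</html>", 49),
    # Arrives second: the genuine server's response for the same seq (TTL 57).
    Segment(FLOW, 1000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>genuine</html>", 57),
    # Benign retransmission later in the stream: same bytes twice, no alert.
    Segment(FLOW, 1400, b"<p>more page content</p>", 57),
    Segment(FLOW, 1400, b"<p>more page content</p>", 57),
    # Unrelated flow, no overlap.
    Segment(("203.0.113.11", 443, "192.0.2.25", 51235), 500, b"\x16\x03\x01", 57),
]


if __name__ == "__main__":
    for alert in overlapping_conflicts(SAMPLE_CAPTURE):
        print(describe(alert))
```

The heuristic needs the sensor to sit where it can see both the winning and the losing segment, i.e. on the client side of the race; a sensor next to the server would only see the genuine reply.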

~~~
snake_plissken
Yup, your second paragraph nails it. But even then, it borders on XSS or some
hybrid injection attack which would rely on a vulnerability somewhere else up
the stack. The way I understood a lot of this article, I'm led to believe
that they're able to monitor/intercept a target's requests, imitate the web
server and send replies which are so meticulously malformed that they are able
to infect the target system.

Like I said in my post and which you echo in your third paragraph, it's one
thing to trick users into downloading and running binaries or to exploit a
plugin, but it's another thing to imagine malformed packets breaking the
security of an entire system.

------
sys32768
Since they see everyone as a potential threat, taint their data so that
everyone appears to be that threat. Millions of us could increase the signal-
to-noise ratio in their collected data by using a bot to perform random human-
like web searches and visits.

If 100 people are searching for <insert bad thing here>, the government has
actionable surveillance data. If 100 thousand or 10 million are searching for
it in ways that are indistinguishable from a human, then that data becomes
unreliable and is no longer actionable.

Adding email to this would strike a fatal blow. Someone could figure a way to
create a secure layer to inform a client when a given email being sent was
fake, and thus suppress it visually. Soon from the government perspective
everyone would be cheating on their spouses and spouting extremist views and
plotting this or that.

This would result in an increase in liberty by proving to the government that
it should fear its people, if only because its sophisticated surveillance
tools now confirm that all the people are evil.

~~~
mattkrea
Has anyone looked into doing this? Meaning has anyone started building
anything like this? I would be interested.

------
minimax
All of this sounds like excellent operational technology. I don't understand
all the outrage here. If you sit down and ask yourself, "What kind of
technology would I build if I wanted to infiltrate government/military
networks of technologically sophisticated adversaries?", this is basically
what you'd end up with. This is exactly the sort of thing I would expect the
NSA to spend their time on.

~~~
summerdown2
I don't think the majority of people are outraged that a spy organisation
spies. The things that have got most people rattled are:

a) The breadth of the spying, including many, many innocent people.

b) The long-term storage of data, likewise.

c) Deliberate weakening of security standards we all rely upon.

d) The fact it's all happening without democratic debate.

If instead of the above, they threw innocent people's data away, targeted
their intrusions, engaged with the democratic mechanisms, and used their
expertise to improve internet security, a lot of people would be much happier.

------
adamrights
When I was in middle/high school -- late 90's-03 -- using a mix of home-made
tools, scripts I tweaked, some trojans I hex edited to make work for me... I
had almost all of my school's home computers logging into an IRC room where I
could use them to DoS attack and easily knock off (especially before few had
broadband) anyone -- all my infected IRC clients could also upload, often
around firewall/virus protection, varying degrees of other trojans that let me
print on their computers, watch them on webcams, open their CD-ROMs... I was
young, told most people and really didn't abuse it, and finally learned
'hackers make things, crackers break things' -- but the point is: yes, this
isn't a surprise, and in many cases the sophistication is not even too deep,
but ya, like many said: we need this to keep being published so the open
community as a whole can understand, and circumvent if need be.

------
caf
I believe the money quote here is:

    
    
      “If we can get the target to visit us in some sort of web
      browser, we can probably own them,” an agency hacker boasts
      in one secret document. “The only limitation is the ‘how.’”

------
innocentius
> By concealing its malware within what looks like an ordinary Facebook page,
> the NSA is able to hack into the targeted computer and covertly siphon out
> data from its hard drive. A top-secret animation demonstrates the tactic in
> action.

Can anyone explain why they need to conceal it as a Facebook server? Why is
that essential to infecting your computer? Why can't it just send you the
malware, and then redirect you to the real Facebook (since their mission is
accomplished anyway)?

~~~
endeavor
It sounds like they are going after a vulnerability in the browser. My guess
would be that they do a man-in-the-middle attack where they have a device that acts
as a proxy so you get YOUR Facebook page, but with an exploit injected into
the code.

------
abjorn
> "The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance
> dragnet, monitoring packets of data as they are sent across the Internet."

"TURMOIL", really? Honestly, is this just an elaborate setup for a new bond
film or something, this is getting ridiculous.

------
blueskin_
> computer servers

I've been seeing this pattern a lot in nontechnical news recently, and have
always been baffled as to what other kind of server there is (short of some
basic network service implemented purely in logic gates, I guess).

~~~
lutusp
>> computer servers

> I've been seeing this pattern a lot in nontechnical news recently, and have
> always been baffled as to what other kind of server there is ...

In this fast-breaking story, the expression "computer servers" has joined
"software program" and "underground tunnel" at the Department of Redundancy
Department.

~~~
blueskin_
Don't forget putting your PIN number into an ATM machine.

------
clamprecht
I don't know about you guys, but to me, the NSA code names seem to be a great
source for hostnames. "ssh hammerstein" has a good ring to it, no?

------
Canada
Look, SSH clients are used as selectors.

------
pvnick
The obvious solution is to run everything on Temple OS.

I'm only half joking.

~~~
chroem
Too bad God doesn't approve of a networking stack.

~~~
tedks
This is _exactly why_ God doesn't approve of a networking stack.

Wake up, sheeple.

~~~
lucastx
I feel guilty of upvoting a joke on HN.

My only comfort is knowing that this one will be buried, and this will be my
punishment.

~~~
kirubakaran
That's a little dramatic, don't you think? :-)

~~~
tedks
Looks like the comment-parent isn't a native English speaker; a lot probably
got lost in translation.

------
pistolpete20
Anyone else find the graphics in the slides almost too bad to be believable?

------
eliteraspberrie
Does anyone have a good guess of how FASHIONCLEFT works? Has it been seen
before?

~~~
guest29572
Google reveals [http://s3.documentcloud.org/documents/1077764/vpn-and-voip-exploitation-with-hammerchant-and.txt](http://s3.documentcloud.org/documents/1077764/vpn-and-voip-exploitation-with-hammerchant-and.txt),
which seems to be slides regarding it.

------
bitsteak
“When they deploy malware on systems,” Hypponen says, “they potentially create
new vulnerabilities in these systems, making them more vulnerable for attacks
by third parties.”

Really, how does that work Mikko? You don't even have a copy of any malware to
make that statement.

All the hyperbole about how this is somehow unique is really getting old.
Exploit kit authors have had shitty PHP web applications that accomplish the
same task for ages: manage thousands of bots by grouping them together with a
point and click management interface. It sounds like, prior to TURBINE, NSA
had a single person tasked to oversee every action taken by hand, which is
kind of inefficient if you ask me, so it stands to reason they would try to
manage that process with technology.

How do you cool yourself First Look when you're reporting on this in 2014?
Jeez.

~~~
dTal
Hypponen said "potentially" and it is an absolutely defensible statement. You
go around poking holes in a system, don't be surprised if other people find
the holes. You gonna trust the guy who hacked your machine to lock the door
behind him on the way out?

> All the hyperbole about how this is somehow unique is really getting old.

The issue isn't that the spooks have developed some superweapon. The issue is
that they've signaled intent and means to do mass espionage on citizens, not
just at the network level, but at the machine level. This is as if your local
law enforcement handed out burglars' tools to all their officers so they could
get into everyone's homes "to check for drugs". "Eh, burglars' tools are
nothing special" totally misses the point.

------
cloverich
Prediction: If this goes on long enough, NSA (and other entities) will
accidentally create Skynet.

~~~
Crito
Drones fly around, listening to cell traffic and logging call data and the
position of phones in the Middle East _(so-called "metadata")_. These logs are
then fed into a computer, which attempts to find relationships between phones.
Which phones regularly find themselves in the same location as other phones?
Which phones called other phones? The computer is also fed imperfect
information that correlates _some_ phones to the identities of alleged
'baddies'.

When phones are found to have close 'relationships' with phones that have at
least at one point been used by 'baddies', sometimes the computer decides that
the phone must be executed. It prints out an order, which is passed up the
line to the President. The President rubber-stamps the order. The order goes
back down the line and eventually finds its way back to the computer. The
computer, using the before-mentioned drones, locates that phone and informs a
drone operator. The drone operator then tells the drone to execute that phone,
and any people who may happen to be in the area with it. The drone carries out
the execution.

Nothing but a bureaucratic skynet.

