
We may have witnessed a NSA "Shotgiant" TAO-like action - julespitt
http://blog.erratasec.com/2014/03/we-may-have-witnessed-nsa-shotgiant-tao.html
======
paul
Where there are security vulnerabilities, I'd rather it be the NSA exploiting
them than someone else. The fact that Huawei support engineers have so much
power is much more troubling.

~~~
tptacek
This is so obviously true that I found the tone of the post confusing. It's
similar to people's reaction to the comparative threat of keeping their email
on Google Mail or some random webmail provider that's likely to lose their
mail spool to SQL injection. I'm not arguing that the NSA threat isn't
worrisome; it is. But other threats are in fact even worse!

~~~
ig1
Criminals by and large just want money, governments want power. That makes
them a far more serious threat.

A government is far more likely to oppress you, deny you rights, blackmail you
for political reasons, etc. because it has the resources to do so.

~~~
saidajigumi
> Criminals by and large just want money, governments want power. That makes
> them a far more serious threat.

It's really, really easy to say this living in a place where the rule of law
is reasonably robust. There are many parts of the world where this isn't the
case.

~~~
coldtea
> _There are many parts of the world where this isn't the case._

There are even more parts of the world where the "rule of law" is what
oppresses people rather than criminals. Dictatorships, third world monarchies,
banana republics etc. And sometimes, criminals and an oppressive government go
hand in hand, as in some Latin American countries...

~~~
einhverfr
BTW, the district in Indonesia which has the best government is a monarchy
(the Sultanate of Jogjakarta). It is a Constitutional Monarchy and the Sultan
does not have legislative power (only executive power).

I will admit though that as an American it seems weird to have a Sultan of a
small district in a larger parliamentary democracy. It would be like having a
King of New Hampshire....

~~~
wglb
Well, doesn't New Hampshire have the Northeast Kingdom?

------
brown9-2
_A backdoor or 0day for a Huawei router would be of limited use to the NSA,
because the control ports are behind firewalls. Hacking behind firewalls would
likely give full access to the target network anyway, making any backdoors
/0days in routers superfluous.

But embedding themselves inside the support infrastructure would give the NSA
nearly unlimited access to much of the world. Huawei claims that a third of
the Internet is running their devices. Almost all of it is under support
contract. This means a Huawei support engineer, or a spy, can at any time
reach out through cyberspace and take control of a third of the Internet
hardware, located in data centers behind firewalls._

So the companies that use Huawei's products put the control ports behind their
firewalls, but somehow are allowing unrestricted access through that firewall
to/for Huawei's support mechanism?

Is that common?

~~~
robertgraham
Extremely common.

It's the norm today that companies have firewall/VPN holes allowing support
engineers from other companies to have access to their networks, to manage
things as simple as the HVAC system, or things as complex as their entire
routing infrastructure.

Throughout the world, most Huawei routers come with such support contracts.

~~~
eropple
_> to manage things as simple as the HVAC system_

_Hello_, Target breach. =)

------
mjolk
>In 2012, during an incident, we watched in real time as somebody logged into
an account reserved for Huawei tech support, from the Huawei IP address space
in mainland China.

I'm a little skeptical.

I wonder what they mean by "watched," because I doubt that they guessed the
tty for reading or that the hacker joined a screen session. What is the
likelihood that one would just "happen" to be staring at that server during an
"incident."

~~~
robertgraham
It was an internal system. We noticed with 'netstat' that it had a connection
to an outside system. 'who' told us it was the account setup for Huawei remote
support, and the IP address told us indeed that it was from a Huawei network.

The SQL query took 15 minutes to run. We saw it using 'ps'.

We then kept dumping their '.bash_history'.

~~~
peterwwillis
That's weird. Bash_history doesn't usually get flushed for every command you
run; only when you exit an interactive shell. If you `kill -9 $$` or erase the
.bash_history file and create it as a directory, it loses the history. The
exception is if you create a custom PROMPT_COMMAND="history -a; history -n",
which would append on each new bash prompt. (You'd think a hacker would know
these things...?)

As an alternative to dumping history, if your system has perl and strace and
you want to watch a live ssh or bash session, I wrote a script that will do
that:
[https://github.com/psypete/public-bin/blob/public-bin/src/system/dumpfd.pl](https://github.com/psypete/public-bin/blob/public-bin/src/system/dumpfd.pl)

~~~
acdha
That "history -a" bit is extremely common if the environment has shared
storage like NFS in use or multiple shells are common. It would not surprise
me at all to see it on by default on an account used for debugging / support
purposes as a cheap audit measure.
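The checks robertgraham describes doing by hand with `netstat`, `who` and `ps` can be written down as a small triage script, which complements the `history -a` audit trick discussed above. The following is an added example and is not code from the thread, from the blog post it discusses, or from Errata Security. The support account name `hw-support`, the allowed source prefix `10.0.5.`, and every line of sample command output are constructed assumptions (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges), so the script runs offline as written.

```shell
#!/bin/sh
# Added example (not from the thread or the blog post it discusses): the
# triage the commenters describe doing by hand with `who`, `netstat` and `ps`,
# written as awk checks over captured command output. The account name, the
# allowed source prefix and all sample output below are constructed
# assumptions; 203.0.113.0/24 is an RFC 5737 documentation range.

# Accounts reserved for vendor remote support (assumed name).
SUPPORT_ACCOUNTS="hw-support"
# Source prefix those accounts are expected to log in from (assumed: an
# internal jump-host network that the vendor reaches over the support VPN).
ALLOWED_PREFIX="10.0.5."

# Constructed `who` output.
SAMPLE_WHO='alice      pts/0   2014-03-21 09:12 (10.0.5.17)
hw-support pts/1   2014-03-21 09:40 (203.0.113.88)
bob        pts/2   2014-03-21 10:02 (10.0.5.23)
hw-support pts/3   2014-03-21 10:15 (10.0.5.40)'

# Constructed `netstat -tn` output.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address       State
tcp        0      0 10.0.5.2:22      10.0.5.17:51230       ESTABLISHED
tcp        0      0 10.0.5.2:22      203.0.113.88:40112    ESTABLISHED
tcp        0      0 10.0.5.2:5432    10.0.5.23:60001       ESTABLISHED
tcp        0      0 10.0.5.2:443     198.51.100.7:33302    TIME_WAIT'

# Constructed `ps -eo user,pid,etimes,args` output (ETIMES is seconds).
SAMPLE_PS='USER        PID ETIMES COMMAND
alice      2210   3012 -bash
hw-support 3419    917 psql -h 10.0.5.9 -U reporting analytics
hw-support 3420     12 -bash'

# flag_support_logins WHO_OUTPUT
# Print "user tty source" for each session of a support account whose source
# address is outside the allowed prefix (the `who` step in the thread).
flag_support_logins() {
  printf '%s\n' "$1" | awk -v accts="$SUPPORT_ACCOUNTS" -v pfx="$ALLOWED_PREFIX" '
    BEGIN { n = split(accts, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
    ($1 in watch) {
      src = $NF; gsub(/[()]/, "", src)
      if (index(src, pfx) != 1) print $1, $2, src
    }'
}

# flag_external_established NETSTAT_OUTPUT
# Print the foreign address of every ESTABLISHED TCP connection whose peer is
# outside the allowed prefix (the `netstat` step in the thread).
flag_external_established() {
  printf '%s\n' "$1" | awk -v pfx="$ALLOWED_PREFIX" '
    $1 == "tcp" && $6 == "ESTABLISHED" {
      split($5, peer, ":")
      if (index(peer[1], pfx) != 1) print peer[1]
    }'
}

# flag_long_running PS_OUTPUT THRESHOLD_SECONDS
# Print "pid elapsed command" for support-account processes that have been
# running at least THRESHOLD_SECONDS (the long query seen with `ps`).
flag_long_running() {
  printf '%s\n' "$1" | awk -v accts="$SUPPORT_ACCOUNTS" -v thr="$2" '
    BEGIN { n = split(accts, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
    ($1 in watch) && ($3 + 0 >= thr + 0) {
      line = $2 " " $3
      for (i = 4; i <= NF; i++) line = line " " $i
      print line
    }'
}

# Stand-alone run over the constructed samples; on a live host replace the
# samples with "$(who)", "$(netstat -tn)" and "$(ps -eo user,pid,etimes,args)".
echo "support logins from unexpected sources:"
flag_support_logins "$SAMPLE_WHO"
echo "established connections to external peers:"
flag_external_established "$SAMPLE_NETSTAT"
echo "support-account processes running over 10 minutes:"
flag_long_running "$SAMPLE_PS" 600
```

Running it over the samples flags the `hw-support` session from 203.0.113.88, the matching established connection, and the 15-minute `psql` process; the same three functions fed live `who`, `netstat -tn` and `ps` output give a defender the first-pass view the thread describes, without relying on the remote user's shell having `history -a` enabled.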

------
diminoten
I'm not sure if this is in any way useful, but consider that Ed Snowden
himself was in a "support"/administrator role and that's what gave him access
to the documents he later then leaked.

------
tzs
TAO?

Edit: finally found it, with some Googling. There are a lot of things with TAO
as their TLA leading to a lot of false leads. TAO in this story means "Total
Access Operations".

Edit 2: "tailored", not "total".

~~~
tptacek
Among vulnerability research people, TAO is practically slang for "the branch
of NSA that hacks into Chinese computers". Robert Graham comes from those
circles. I think that's what he's trying to evoke by referencing TAO.

~~~
throwaway7767
I was not aware that the NSA had decided to restrict TAO's operations to
China. That must be a very recent thing if so. Can you provide any references
to that?

------
noir_lord
The normal guidelines for developing a security strategy are to estimate the
resources and capabilities ranged against you and the probability they will be
levelled against you and then develop a strategy for mitigation (absolute
security is impossible).

The capabilities the NSA and GCHQ have developed are scary enough in and of
themselves but the sheer _breadth and depth_ of what they have achieved is far
more horrifying. If I were the CTO for a large multi-national or a foreign
government I'm not even sure where I'd _start_ protecting against them.

------
jobu
What I don't understand is why the US government would point fingers at the
Chinese for putting backdoors in Huawei devices when it was really the NSA all
along. It seems like they're shooting themselves in the foot by pointing out
the backdoors. My best guess is that they assumed someone would
figure it out eventually and they wanted to spread misinformation to get out
ahead of that.

Has anyone else come up with a better reason?

~~~
stephengillie
One of the best ways to distract others from blaming you is to publicly accuse
them of doing what evils you're secretly doing.

~~~
Tobu
It's also a good way to drum up support; start by accusing the "other side" of
doing whatever it is you want to do. You're basically coordinating with the
other team with the full cooperation of the people you've scared.

------
jontas
I don't understand why this level of access (if it is accurately described in
the article) would only be of use to American intelligence, and "would['t]
interest other intelligence services -- except to pass it on to the
Americans."

It seems like something that powerful would be of interest to any intelligence
service (or group of any sort), anywhere.

~~~
sliverstorm
You misunderstand. The author is saying that the particular SQL query they saw
executed would only return data interesting to Americans.

~~~
danielweber
That's leaving a lot to his interpretation.

Chinese intelligence might be interested in something simply because they
(correctly or not) deduce that American intelligence will be interested in it.

~~~
sliverstorm
Obviously, but I'm just clarifying here.

------
peterkelly
One of the biggest ironies of the Huawei hacking case is that now every time
someone detects an attack from a Huawei device or the company itself, they can
never be sure if it's China or the US that's behind it.

------
malandrew
What we really need is a new agency just like the NSA except that its _only_
mandate is closing holes everywhere even if those holes are actively being
exploited by the NSA and CIA. Such an agency would actively discover holes,
patch them when possible or disclose the vulnerabilities to the engineers
responsible for the software or hardware in question. Furthermore, the NSA and
CIA would need to be barred from trying to get any access to this organization
for its own use.

------
jnbiche
So what was the SQL query?

~~~
notastartup
SELECT * FROM Foreign_Corporations fc INNER JOIN Foreign_Corporation_Employees
fce ON fc.FCID = fce.FCID WHERE fc.Country IN ('Pakistan', 'Afghanistan',
'Iran')

~~~
robertgraham
I can't reveal the exact SQL query because that's customer private
information.

However, it had both a subject and a timeframe that were peculiar. Googling
the subject revealed news stories about it -- making it clear this was
something the U.S. was interested in, but which would be no particular
interest to anybody else.

~~~
saraid216
Can you reveal the subject and timeframe? It doesn't seem like those would
require customer private information.

~~~
pja
If you have a restricted timeframe & the information that the US government
would be interested in knowing details about an event that happened in that
timeframe, then that might well be enough information to identify the company
involved, or at least reduce the list of candidates to a very short one
indeed.

The OP probably has a contractual duty to protect their client's identity &
therefore can't take the risk that revealing more details would result in
their client being identified.

------
einhverfr
This sort of thing is significant. It puts remote support for systems in a
very different light. At Efficito, we have plans to release on-premise
appliances as well as our cloud hosting options. This sort of story makes me
think about how to avoid this sort of problem.

Here are rules I am suggesting.

1. The on-premise appliance should not be directly accessed from the network
unless folks at the local environment enable contact.

2. Everything else, regarding services, should be loosely coupled and
designed not to give significant access to either party over the other.

This sort of thing strikes me as an area where the industry is going to have
to evolve. The danger of "we can connect to your systems" is becoming clearer
to a larger section of the market.

------
danielweber
This blog post is trying to say something tremendously important but it also
is not giving us any information to evaluate it. Apparently everything is on
fire but they can't tell us how.

------
vampirechicken
How does the support login have the privileges to delete all of the activity
log files, and why is a login with enough privilege to delete logs allowed to
perform SQL queries?

------
RankingMember
It's scary to think that a third of the internet relies on any one company's
backbone products, regardless of the country that company calls home. Way too
many eggs in one basket, but much easier for the humans involved compared to
having a ton of different manufacturers who would have their own individual
issues. Find an exploit once, employ it (most) everywhere (appropriation of
old Java tagline).

------
eli
I don't understand why there's a sharp distinction between installing a
backdoor and using stolen support access as a backdoor.

------
sgt101
Witnessing in this way runs counter to my experience of system management. How
can you see (in real time) a query, the encryption, the email and the log
deletion? I have run sql monitors and I see queries appear and then
disappear... but my brain doesn't allow me to understand what the user is "up
to" without lots of investigation and so on.

------
italophil
It's one thing getting spied on by the US government, but one would hope
they'd use something more sophisticated than Hotmail to move the information
around.

~~~
makomk
Trouble with that is, the more sophisticated and unusual the mechanism you
use, the more likely it is that someone will (a) notice you, and (b) be able
to identify you based on it.

~~~
robertgraham
That's my theory. Any monitoring of outgoing information would just see a
typical attachment to a hotmail address.

