Attacks/Breaches
1/8/2014
05:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Leaked NSA Hacking Tools, Tactics, In Focus

Enterprises worry about NSA 'copycat' spying scenarios

The NSA's catalog of custom hacking tools for popular networking and consumer products recently leaked by former contractor Edward Snowden provided a rare glimpse at the arsenal at the fingertips of the spy agency's hackers.

But the tools were not unlike many techniques and weapons employed by criminals or other espionage cyberattackers, experts say. Take DROPOUT JEEP, the NSA-built hacking tool included in its recently published catalog in 2008 that hacks iPhones. DROPOUT JEEP is technically a remote access Trojan or RAT, says Lucas Zaichkowsky, enterprise defense architect at incident response and forensics firm AccessData.

Zaichkowsky says based on the leaked information and diagrams, NSA hackers are operating the RAT backdoor for their intelligence-gathering operations. The RAT backdoor likely has a small footprint and can be updated with plugins for various functions, he says.

"They're just jailbreaking the iPhone," Zaichkowsky says. "It's a remote administrative tool ... it can take pictures, do keystroke recording," not unlike other RATs, he says.

The version leaked by Snowden is for attacks that require close proximity to the target, but the NSA's description of the tool says a remote installation capability was on the horizon. The documents were published late last month by Der Spiegel, exposing the NSA's elite hacking team, called the Tailored NSA's Tailored Access Operations (TAO) Group, and the agency's homegrown hacking tools.

Apple has reportedly denied providing the NSA with any backdoors to its products. "Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products," the company said in statement. "We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

"My initial thought was that Apple didn't give them [access]," Zaichkowsky says. "[The NSA] may have found some network-based exploits and sent specially crafted packets over the network," he says. "If there isn't proper input validation, then you end up jailbreaking the iPhone, exploiting it, and getting kernel-mode or root access" on the targeted iPhone, he says.

[Treasure trove of tools created and used by NSA hackers for planting backdoors via Cisco, Juniper, Apple products unveiled in latest document leaks. See NSA Elite Hacking Team Operations Exposed.]

The actual damage these NSA operations revelations have had -- and will have -- on security has been debated within the security community since the Snowden leaks began this past summer. While the scope of the NSA's operations is under scrutiny, the agency is basically doing its own bug-hunting not unlike an advanced attacker would do, experts say.

"Any attacker could be finding zero-days. It's less bad if we know our people know what those exploits are and are keeping an eye out, instead of having no clue those exploits exist," Zaichkowsky says. NSA needs more external checks and balances surrounding its operations, however, he says.

But the fallout has already been felt not only within the U.S. as vendors have expressed concerns about the NSA's operations, but also overseas.

Ron Gula, CEO and CTO of Tenable, says he has seen European and Asian markets going sour on U.S.-based cloud firms in the wake of the NSA revelations. That has actually boosted Tenable's business, he says. "Since our stuff is inside the network, we have been able to switch out with some of our competitors who are cloud-based," he says. But that's only a temporary trend, he says.

The bigger worry of most enterprises in the wake of the leaked NSA documents outlining some controversial and widespread spying operations, as well as backdoors in popular products, is copycat scenarios, Gula says. "More organizations are going to be interested in 'becoming' NSA," he says. "There are technologies out there that take a movie of your desktop and play it later. That has dramatic ramifications for HR and IT security, with competitive intel [at risk]."

Most enterprises are just as worried about their top researchers being hired away, and being attacked by APTs, he says.

Not much is likely to change at NSA until any legal proceedings occur, says privacy expert Mark Weinstein, CEO of Sgrouples. "It's business as usual right now," Weinstein says. "This really has to work through our court systems. The courts are going to have to redefine what the Fourth Amendment means ... and it's going to take a couple of years" to hash out, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KaranK771
50%
50%
KaranK771,
User Rank: Apprentice
3/25/2014 | 10:43:45 AM
re: Leaked NSA Hacking Tools, Tactics, In Focus
the5thHorseman
50%
50%
the5thHorseman,
User Rank: Apprentice
1/9/2014 | 6:48:13 PM
re: Leaked NSA Hacking Tools, Tactics, In Focus
"The courts are going to have to redefine what the Fourth Amendment means ...
" . Why? The fourth ammendment, like the second ammendment, is very plain, and is timeless. Regardless of the evolution of technology, HOW we communicate and HOW we store information, our privacy is still protected. The fourth ammendment prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause. The concept and meaning of "privacy" is not bound to any technology or other advancement in society. The fourth ammendment governs the actions of PEOPLE, not any tecnology or storage or communication medium. It prevents your government and fellow citizens from simply taking what they want, from stealing your personal information and invading your life. It is the people, your elected officials who have not only miserably failed to defend the Constitution of the United States, but have blatantly betrayed you through executive orders and subversive legislation like the Patriot Act and Homeland Security Act that allow them to circumvent your constitutional rights any time they choose. And they justify it with their ambiguous "War on Terror", specifically designed to NEVER END, giving the president war powers for eternity. Where is your OUTRAGE America? The deeds of this government are horrific, and we simply stand by and let it happen. The ONLY reason the NSA gets away with this is because the executive and legislative branches want it to, and the judicial branch is bought and paid for ... they don't care. Here's the punchline... all of this was built with YOUR MONEY and they use it ON YOU. Pretty funny, huh? The only people who want to change the fourth ammendment are the same ones that are spying on you. The same people who are making it illegal for you to defend yourself. Anyone remember a country called Germany?...
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.