Attacks/Breaches
1/8/2014
05:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Leaked NSA Hacking Tools, Tactics, In Focus

Enterprises worry about NSA 'copycat' spying scenarios

The NSA's catalog of custom hacking tools for popular networking and consumer products recently leaked by former contractor Edward Snowden provided a rare glimpse at the arsenal at the fingertips of the spy agency's hackers.

But the tools were not unlike many techniques and weapons employed by criminals or other espionage cyberattackers, experts say. Take DROPOUT JEEP, the NSA-built hacking tool included in its recently published catalog in 2008 that hacks iPhones. DROPOUT JEEP is technically a remote access Trojan or RAT, says Lucas Zaichkowsky, enterprise defense architect at incident response and forensics firm AccessData.

Zaichkowsky says based on the leaked information and diagrams, NSA hackers are operating the RAT backdoor for their intelligence-gathering operations. The RAT backdoor likely has a small footprint and can be updated with plugins for various functions, he says.

"They're just jailbreaking the iPhone," Zaichkowsky says. "It's a remote administrative tool ... it can take pictures, do keystroke recording," not unlike other RATs, he says.

The version leaked by Snowden is for attacks that require close proximity to the target, but the NSA's description of the tool says a remote installation capability was on the horizon. The documents were published late last month by Der Spiegel, exposing the NSA's elite hacking team, called the Tailored NSA's Tailored Access Operations (TAO) Group, and the agency's homegrown hacking tools.

Apple has reportedly denied providing the NSA with any backdoors to its products. "Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products," the company said in statement. "We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

"My initial thought was that Apple didn't give them [access]," Zaichkowsky says. "[The NSA] may have found some network-based exploits and sent specially crafted packets over the network," he says. "If there isn't proper input validation, then you end up jailbreaking the iPhone, exploiting it, and getting kernel-mode or root access" on the targeted iPhone, he says.

[Treasure trove of tools created and used by NSA hackers for planting backdoors via Cisco, Juniper, Apple products unveiled in latest document leaks. See NSA Elite Hacking Team Operations Exposed.]

The actual damage these NSA operations revelations have had -- and will have -- on security has been debated within the security community since the Snowden leaks began this past summer. While the scope of the NSA's operations is under scrutiny, the agency is basically doing its own bug-hunting not unlike an advanced attacker would do, experts say.

"Any attacker could be finding zero-days. It's less bad if we know our people know what those exploits are and are keeping an eye out, instead of having no clue those exploits exist," Zaichkowsky says. NSA needs more external checks and balances surrounding its operations, however, he says.

But the fallout has already been felt not only within the U.S. as vendors have expressed concerns about the NSA's operations, but also overseas.

Ron Gula, CEO and CTO of Tenable, says he has seen European and Asian markets going sour on U.S.-based cloud firms in the wake of the NSA revelations. That has actually boosted Tenable's business, he says. "Since our stuff is inside the network, we have been able to switch out with some of our competitors who are cloud-based," he says. But that's only a temporary trend, he says.

The bigger worry of most enterprises in the wake of the leaked NSA documents outlining some controversial and widespread spying operations, as well as backdoors in popular products, is copycat scenarios, Gula says. "More organizations are going to be interested in 'becoming' NSA," he says. "There are technologies out there that take a movie of your desktop and play it later. That has dramatic ramifications for HR and IT security, with competitive intel [at risk]."

Most enterprises are just as worried about their top researchers being hired away, and being attacked by APTs, he says.

Not much is likely to change at NSA until any legal proceedings occur, says privacy expert Mark Weinstein, CEO of Sgrouples. "It's business as usual right now," Weinstein says. "This really has to work through our court systems. The courts are going to have to redefine what the Fourth Amendment means ... and it's going to take a couple of years" to hash out, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KaranK771
50%
50%
KaranK771,
User Rank: Apprentice
3/25/2014 | 10:43:45 AM
re: Leaked NSA Hacking Tools, Tactics, In Focus
the5thHorseman
50%
50%
the5thHorseman,
User Rank: Apprentice
1/9/2014 | 6:48:13 PM
re: Leaked NSA Hacking Tools, Tactics, In Focus
"The courts are going to have to redefine what the Fourth Amendment means ...
" . Why? The fourth ammendment, like the second ammendment, is very plain, and is timeless. Regardless of the evolution of technology, HOW we communicate and HOW we store information, our privacy is still protected. The fourth ammendment prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause. The concept and meaning of "privacy" is not bound to any technology or other advancement in society. The fourth ammendment governs the actions of PEOPLE, not any tecnology or storage or communication medium. It prevents your government and fellow citizens from simply taking what they want, from stealing your personal information and invading your life. It is the people, your elected officials who have not only miserably failed to defend the Constitution of the United States, but have blatantly betrayed you through executive orders and subversive legislation like the Patriot Act and Homeland Security Act that allow them to circumvent your constitutional rights any time they choose. And they justify it with their ambiguous "War on Terror", specifically designed to NEVER END, giving the president war powers for eternity. Where is your OUTRAGE America? The deeds of this government are horrific, and we simply stand by and let it happen. The ONLY reason the NSA gets away with this is because the executive and legislative branches want it to, and the judicial branch is bought and paid for ... they don't care. Here's the punchline... all of this was built with YOUR MONEY and they use it ON YOU. Pretty funny, huh? The only people who want to change the fourth ammendment are the same ones that are spying on you. The same people who are making it illegal for you to defend yourself. Anyone remember a country called Germany?...
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6212
Published: 2014-04-19
Unspecified vulnerability in HP Database and Middleware Automation 10.0, 10.01, 10.10, and 10.20 before 10.20.100 allows remote authenticated users to obtain sensitive information via unknown vectors.

CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2013-6215
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 10.01 and 10.10 allows remote authenticated users to execute arbitrary code via unknown vectors, aka ZDI-CAN-1977.

CVE-2013-6218
Published: 2014-04-19
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors.

Best of the Web