Attacks/Breaches
12/30/2013
06:10 PM
Gunter Ollmann
Gunter Ollmann
Commentary
Connect Directly
RSS
E-Mail
50%
50%

NSA's TAO

NSA's Q-branch upgrades Omega laser watch with Huawei backdoors

This week the Internet's all aflutter with the latest NSA disclosures about the uber-hacking group -- the Office of Tailored Access Operations, or "TAO" for short. Der Spiegel's latest NSA articles reveal some of the inner workings of the TAO team and their tools. It's pretty interesting stuff, and I'm sure the legacy conspiracy nuts are trading in their tinfoil hats for "I told you so" t-shirts today.

As more details leak about the 50-page catalog of hacking goodies that the NSA, CIA, FBI, DHS, etc., government entities could purchase for "lawful intercept" work, I get the feeling that a lot of product managers at the vendors for which these tools exploit vulnerabilities or frailties in their products will be a little wobbly in the knees department right about now. I suspect that there will be plenty of additional discussion in the coming months about the "lawful" part of the lawful intercept concept, too.

In many ways, TAO reminds me of a digital "Q" branch from the Ian Fleming's James Bond series. I can just imagine a grey-mustached Q handing out USB dongles with embedded wireless transmitters to go with the Omega watch with the laser, or the exploding pen.

In light of the recent revelations, it would seem that the NSA TAO team has been very successful in completing their objectives. I suppose it's quite refreshing to know that at least one part of the U.S. government is capable and functioning as it's supposed to?

While this glimpse in to the shadowy world of modern spying and espionage is as exciting as cut scenes from an upcoming James Bond movie, I don't believe that it changes the paradigm that much. These are simply the tools of the trade for the cyberdomain. In fact, the tools that have been disclosed thus far are already close to a decade old -- and clearly have been in service for some time. Anyone who has attended a Black Hat conference in the past 10 years would be familiar with all of the concepts and attack vectors. What makes it different is how the NSA has successfully made the leap from theory to reality; clearly, having a sufficiently sized budget makes that leap much easier.

Of the documents produced thus far, the most surprising revelations to me have been about how small the TAO team is, and the proportion of which are civilian contractors. Given the size and budget of the DoD (and NSA, in particular), how advanced their adversaries are, and how successful they appear to have been in their missions, I'd have expected the team to be five to 10 times the size. Perhaps the absolute numbers get a bit fuzzy when it comes to the civilian contractors ... and the contracting firms they belong to.

It is inevitable that many people are going to be upset with the NSA's newly disclosed capabilities. Those previously mentioned vulnerable vendor product managers are probably working with their marketing and PR teams right now, crafting indignant responses to the U.S. government, while seeking to calm customer fears that their companies hadn't been negligent in dealing with the vulnerabilities they knew about, and have never knowingly placed backdoors into their products (all of which could get a bit hand-wavy in the case of RSA and the $10 million they supposedly received for weakening random number generators).

While many likely also fear that the NSA is out of control and needs to be reeled in through new legislative restrictions or the honing of existing laws -- and I'm sure that much of the software industry is allocating additional funds to lobby against the hacking of their products -- I think it is critical that folks take a step back and look around. The past six months of NSA leaks have certainly dumped a lot of the agency's dirty linen on the pavement, but let's be clear: The NSA (and, by default, the U.S. government) isn't the only the only countries to have invested in these kinds of cyberspying and espionage tools. I think you'd be hard-pressed to find a country that isn't already doing it. If you're thinking that Pakistan's ISI isn't spying on India and exploiting its computer vulnerable systems, or that France's DGSE isn't doing the same to Chinese systems in Central Africa, then let me tell you about a bridge I'd like to sell you.

My fear is that the reaction to all of these NSA disclosures will have legislators and committees curtailing many vital parts of the NSA's capabilities, leaving the U.S. high and mighty on the ethical front, but shackled and third-rate in areas of statecraft and cybersecurity.

In the meantime, if Q has a few of those Omega laser watches spare, I wouldn't mind one as a late Christmas present. He can keep the Huawei backdoor; I have one of those already.

-- Gunter Ollmann, CTO IOActive Inc.

Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/30/2014 | 4:10:31 PM
re: NSA's TAO
Of course countries spy on their adversaries. What troubles me is how much the NSA has invested in surveilling U.S. citizens. That's dangerous.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.