Risk
10/11/2013
01:00 PM

NSA Hack Attacks: Good Value For Money?

Leaked operations manual reveals NSA attack techniques that are not significantly better than common cybercrime capabilities, despite their high cost to government.

Do the National Security Agency's online espionage capabilities provide good value for money?

Recent reports have disclosed that the NSA uses a fleet of high-speed servers, codenamed "Quantum," to redirect targeted systems to a second fleet of servers, codenamed "FoxAcid," that launches tailored drive-by attacks. The agency's malware reportedly targets a range of vulnerabilities, from publicly known flaws to zero-day bugs that only the NSA possesses.
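The article does not describe how a Quantum server wins the redirect. The following detector, added here as an example and not taken from the article or the leaked documents, assumes (and this is an assumption) that the redirect works by racing a spoofed TCP response to the target ahead of the genuine server's reply. A passive sensor on the client side can check for exactly that: two segments on one flow that cover the same sequence-number range with different bytes. A normal retransmission repeats identical bytes, so it is not reported. The addresses, sequence numbers, HTTP payloads and the `landing.example` redirect target are all constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as seen by a passive sensor on the client side."""
    src: str        # sender "ip:port"
    dst: str        # receiver "ip:port"
    seq: int        # sequence number of the first payload byte
    ttl: int        # IP TTL on arrival; a spoofed copy usually took a different path
    payload: bytes


def overlap(a: Segment, b: Segment) -> Optional[Tuple[int, int]]:
    """Sequence-space range [lo, hi) covered by both segments, or None."""
    lo = max(a.seq, b.seq)
    hi = min(a.seq + len(a.payload), b.seq + len(b.payload))
    return (lo, hi) if lo < hi else None


def bytes_in(seg: Segment, lo: int, hi: int) -> bytes:
    """Payload bytes of seg that fall in sequence range [lo, hi)."""
    return seg.payload[lo - seg.seq:hi - seg.seq]


def find_injections(segments):
    """Flag pairs of segments on one flow that cover the same sequence space
    with different bytes. A genuine retransmission repeats identical bytes and
    is skipped; two different answers for the same byte range mean two senders
    raced to answer the client, the assumed signature of a Quantum-style hijack.
    Returns (earlier, later, (lo, hi), ttl_differs) tuples in arrival order."""
    per_flow = defaultdict(list)
    alerts = []
    for seg in segments:
        if not seg.payload:
            continue                       # bare ACKs carry nothing to compare
        prevs = per_flow[(seg.src, seg.dst)]
        if any(p.seq == seg.seq and p.payload == seg.payload for p in prevs):
            continue                       # exact retransmission, already seen
        for prev in prevs:
            rng = overlap(prev, seg)
            if rng and bytes_in(prev, *rng) != bytes_in(seg, *rng):
                alerts.append((prev, seg, rng, prev.ttl != seg.ttl))
        prevs.append(seg)
    return alerts


# Constructed sample flow (not a capture); addresses are RFC 5737 test ranges.
SERVER = "203.0.113.10:80"
CLIENT = "192.0.2.25:51234"
BASE = 1_000_000               # server's sequence number for its first reply byte

REAL_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html>expected page</html>")
INJECTED = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://landing.example/\r\n\r\n")   # hypothetical redirect

SAMPLE_FLOW = [
    Segment(CLIENT, SERVER, 5000, 64, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Segment(SERVER, CLIENT, BASE, 57, INJECTED),    # spoofed answer wins the race
    Segment(SERVER, CLIENT, BASE, 49, REAL_REPLY),  # genuine reply arrives later
    Segment(SERVER, CLIENT, BASE, 49, REAL_REPLY),  # benign retransmission
    Segment(SERVER, CLIENT, BASE + len(REAL_REPLY), 49, b""),  # bare ACK
]

if __name__ == "__main__":
    for earlier, later, (lo, hi), ttl_differs in find_injections(SAMPLE_FLOW):
        print(f"{earlier.src} -> {earlier.dst}: two payloads for seq [{lo}, {hi})"
              f", ttl {earlier.ttl} vs {later.ttl}"
              f"{' (different path)' if ttl_differs else ''}")
        print("  first :", earlier.payload[:40])
        print("  second:", later.payload[:40])
```

The TTL comparison is only corroboration: a different hop count suggests the two answers came from different places, but TCP-optimizing middleboxes and NAT can also produce overlapping segments with changed content, so an alert from this check is a lead to investigate, not proof of a hijack. The check also only sees cleartext; over TLS an injected response fails the handshake rather than delivering a redirect.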

That information comes via former NSA contractor Edward Snowden's leak of top secret documents that detail many of the agency's operating practices. What has struck some information security experts is just how similar the NSA's techniques are to those of cybercrime gangs and of advanced persistent threat (APT) groups sponsored or run by other nations.

"The NSA's system for deploying malware isn't particularly novel," according to an overview of the system written by Electronic Frontier Foundation staff technologist Dan Auerbach.


In fact, some security experts would go farther than that. "We could replicate the NSA's capabilities for about $30k on the Russian private blackhat forums," tweeted the Bangkok-based vulnerability broker known as the GrugQ. "US taxpayers, you're being ripped off!"

Exactly what is the return on investment generated by the NSA's hacking techniques? Of course, precise numbers are secret, but in August The Washington Post published a document leaked by Snowden that revealed the secret 2013 "black budget" for the U.S. intelligence community to be $52.6 billion. Of that, $10.8 billion went to the NSA to support its mandate to protect U.S. government systems and obtain foreign signals intelligence, in part via what the budget documents referred to as "offensive cyber operations." The NSA's security intelligence budget, for comparison's sake, was second only to the CIA's $14.7 billion allocation.

As befits an intelligence agency, most -- if not all -- of the NSA's premium hacking capabilities would have been built by NSA staff. But the GrugQ argued that a number of customized NSA hacking techniques might be just as easily fulfilled using off-the-shelf technology, albeit some of it from cybercrime syndicates. "NSA is like a nation state cybercrime gang. Quantum == Traff, FoxAcid == BlackHole Exploit kit++, Implants == Zeus++," he tweeted, comparing Quantum to the underground trade in redirected web traffic ("traff") that feeds victims into exploit kits, FoxAcid to the automated Blackhole crimeware toolkit, and the agency's implants to the Zeus banking Trojan.

Unlike most criminal gangs operating online, however, the NSA also employs a sophisticated risk management model that decides which exploits best fit any given target, and tailors the attack sophistication to the value of the target, according to BT chief security technology officer Bruce Schneier, who's been working with the Guardian to review information leaked by Snowden. "FoxAcid has tiers of exploits it can run, and uses a complicated trade-off system to determine which one to run against any particular target," he said in a blog post that was previously published by the Atlantic.

For example, high-value targets might get hit with a very valuable zero-day vulnerability, unless their operational security is considered good enough to detect the exploit, in which case it may be held in reserve. For low-value targets, even if they're technically sophisticated, however, the agency might use a known vulnerability.

"According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety of options," said Schneier. "The documentation mentions United Rake, Peddle Cheap, Packet Wrench and Beach Head -- all delivered from a FoxAcid subsystem called Ferret Cannon."

Those terms appear to be geek-espionage insider-speak for the agency's actual online attack capabilities, and many of the names have left security experts guessing. "Ferret cannon is a hint at capability, dire scallop -- bypasses AV? -- is a hint ... they seem suggestive at least," tweeted the GrugQ.

What also struck Schneier was that the operating procedures for the Tailored Access Operations (TAO) personnel who launch cyberattacks are quite conservative. "They're super cautious about what they do," he said, so as to not tip off their targets.

But if the NSA excels at infiltrating targeted systems while avoiding detection -- and anecdotal evidence suggests this to be the case -- Schneier identified a glaring weakness in its risk-management model. "The organization seems to be good enough at assessing the risk of discovery -- for example, if the target of an intelligence-gathering effort discovers that effort -- but to have completely ignored the risks of those efforts becoming front-page news," he said.

Comments
screwbird
User Rank: Apprentice
10/31/2013 | 3:06:57 PM
re: NSA Hack Attacks: Good Value For Money?
yup... food stamp funding has been cut massively over the last 5 years! you nailed that one!
JakobS797
User Rank: Apprentice
10/14/2013 | 8:07:57 PM
re: NSA Hack Attacks: Good Value For Money?
I bet we could make progress on saving money if we defunded this horrible idea. The only thing we have to fear is our own government.
moarsauce123
User Rank: Apprentice
10/12/2013 | 1:52:11 PM
re: NSA Hack Attacks: Good Value For Money?
As it turns out most of the NSA programs exist only because their leaders and sponsors need a reason to have a job. They produce zero results, only accumulate more data that needs to be processed, making the haystack only bigger to find the same amount of needles. And then there is ineptitude in execution, as can be seen in the NSA's Utah data center that doesn't even work right. The NSA is a giant waste of taxpayer money and one of the big reasons for federal debt spiraling out of control. But yeah, that gets addressed by cutting food stamps....