NSA Hack Attacks: Good Value For Money?

Leaked operations manual reveals NSA attack techniques that are not significantly better than common cybercrime capabilities, despite their high cost to government.

Do the National Security Agency's online espionage capabilities provide good value for money?

Recent reports have disclosed that the NSA uses a fleet of fast, low-latency servers -- codenamed "Quantum" -- to redirect targeted systems to another fleet of servers, codenamed "FoxAcid," that launch tailored drive-by attacks. The agency's malware reportedly targets a range of vulnerabilities, from publicly known flaws to zero-day bugs that only the NSA possesses.
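Public analysis of the same leaked documents describes the Quantum redirection as a race: a forged response is injected so that it reaches the client before the genuine server reply, and the genuine reply then arrives carrying the same TCP sequence number but different content. The article does not spell that mechanism out, so the following is an added example, not code from the article or from the NSA documents. It implements the detection heuristic a defender would run over captured traffic (flag two segments in one flow with the same sequence number and differing payloads; a real retransmission repeats identical bytes). The segment records, addresses and payloads are constructed sample data, and the heuristic itself is an assumption about how such a race shows up on the wire.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment, reduced to the fields the check needs."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def find_injection_races(segments):
    """Flag pairs of segments in one flow that share a sequence number but
    carry different payloads.

    A genuine retransmission repeats the same bytes at the same offset and is
    not flagged.  A forged response racing the real server's reply has to use
    the sequence number the client expects, so it collides with the genuine
    segment that arrives later with different content.  (Assumed heuristic;
    the leaked documents do not describe detection.)
    """
    first_seen = {}
    hits = []
    for seg in segments:
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        earlier = first_seen.get(key)
        if earlier is None:
            first_seen[key] = seg
        elif earlier.payload != seg.payload:
            hits.append((earlier, seg))
    return hits


# Constructed sample traffic (RFC 5737 documentation addresses, not a capture).
SERVER, CLIENT = "203.0.113.10", "192.0.2.5"
SAMPLE_SEGMENTS = [
    # Forged redirect arrives first: same flow and seq, injected from a closer
    # vantage point, so more TTL remains.
    Segment(SERVER, 80, CLIENT, 54321, 1000, 61,
            b"HTTP/1.1 302 Found\r\nLocation: http://landing.example/\r\n\r\n"),
    # Genuine server reply, a few milliseconds later.
    Segment(SERVER, 80, CLIENT, 54321, 1000, 52,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # Benign retransmission of a later segment: identical bytes, not flagged.
    Segment(SERVER, 80, CLIENT, 54321, 1049, 52, b"<body>hello</body></html>"),
    Segment(SERVER, 80, CLIENT, 54321, 1049, 52, b"<body>hello</body></html>"),
    # Unrelated flow that happens to reuse the seq value: different key, not flagged.
    Segment(SERVER, 80, "192.0.2.9", 40000, 1000, 52, b"HTTP/1.1 200 OK\r\n\r\n"),
]


def summarize(hits):
    """One line per flagged pair, including the TTL gap, which is a commonly
    cited second indicator that the two segments took different paths."""
    return [
        f"{a.src}:{a.sport}->{a.dst}:{a.dport} seq={a.seq} "
        f"ttl {a.ttl} vs {b.ttl}: {a.payload[:20]!r} != {b.payload[:20]!r}"
        for a, b in hits
    ]


if __name__ == "__main__":
    for line in summarize(find_injection_races(SAMPLE_SEGMENTS)):
        print(line)
```

The check keys on the full five-tuple plus sequence number, so ordinary retransmissions and unrelated flows that reuse a sequence value pass through; only a content mismatch at the same offset is reported. On real traffic the same comparison would be made on reassembled segments from a capture rather than on the constructed list above.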

That information comes via former NSA contractor Edward Snowden's leak of top secret documents that detail many of the agency's operating practices. What has struck some information security experts is just how similar the NSA's techniques are to those of cybercrime gangs and advanced persistent threat (APT) groups sponsored or run by other nations.

"The NSA's system for deploying malware isn't particularly novel," according to an overview of the NSA system published by Dan Auerbach, a staff technologist at the Electronic Frontier Foundation.

In fact, some security experts would go further than that. "We could replicate the NSA's capabilities for about $30k on the Russian private blackhat forums," tweeted the Bangkok-based vulnerability broker known as the GrugQ. "US taxpayers, you're being ripped off!"

Exactly what is the return on investment generated by the NSA's hacking techniques? Of course, precise numbers are secret, but in August The Washington Post published a document leaked by Snowden that revealed the secret 2013 "black budget" for the U.S. intelligence community to be $52.6 billion. Of that, $10.8 billion went to the NSA to support its mandate to protect U.S. government systems and obtain foreign signals intelligence, in part via what the budget documents referred to as "offensive cyber operations." The NSA's security intelligence budget, for comparison's sake, was second only to the CIA's $14.7 billion allocation.

As befits an intelligence agency, most -- if not all -- of the NSA's premium hacking capabilities would have been built by NSA staff. But the GrugQ argued that a number of customized NSA hacking techniques might be just as easily fulfilled using off-the-shelf technology, albeit some of it from cybercrime syndicates. "NSA is like a nation state cybercrime gang. Quantum == Traff, FoxAcid == BlackHole Exploit kit++, Implants == Zeus++," he tweeted, referring to the underground trade in redirected web traffic ("traff"), which funnels victims to exploit-kit landing pages, as well as such malware families as the Zeus banking Trojan and the automated Blackhole crimeware toolkit.

Unlike most criminal gangs operating online, however, the NSA also employs a sophisticated risk management model that decides which exploits best fit any given target, and tailors the attack sophistication to the value of the target, according to BT chief security technology officer Bruce Schneier, who has been working with the Guardian to review information leaked by Snowden. "FoxAcid has tiers of exploits it can run, and uses a complicated trade-off system to determine which one to run against any particular target," he wrote in a blog post originally published by the Atlantic.

For example, high-value targets might get hit with a very valuable zero-day vulnerability, unless their operational security is considered good enough to detect the exploit, in which case it may be held in reserve. For low-value targets, even if they're technically sophisticated, however, the agency might use a known vulnerability.
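The trade-off Schneier describes can be written down as a small decision model: each exploit tier has a chance of landing and a cost if it is captured and reversed, each target has an intelligence value and an estimated chance of detecting the attempt, and the most valuable tier is held in reserve when the target's operational security is good or its value is low. The following is an added example, not the NSA's system or anything from the leaked documents: the exploit labels, the scoring formula, the reserve thresholds and all the numbers are assumptions chosen to reproduce the three cases in the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exploit:
    name: str         # hypothetical label, not one of the leaked codenames
    tier: int         # 0 = public bug, 1 = privately held, 2 = zero-day
    p_success: float  # estimated chance it lands on this class of target
    burn_cost: float  # value lost if the target captures and reverses it


@dataclass(frozen=True)
class Target:
    name: str
    value: float      # intelligence value of gaining access
    p_detect: float   # estimated chance the target's opsec catches the exploit


def expected_gain(exploit, target):
    """Gain from a landed exploit minus the expected loss from being caught.
    (Assumed scoring; a linear model is enough to show the trade-off.)"""
    return target.value * exploit.p_success - exploit.burn_cost * target.p_detect


def choose_exploit(inventory, target, reserve_detect=0.3, reserve_value=500.0):
    """Pick the exploit with the best expected gain, subject to a reserve rule:
    zero-days (tier 2) are withheld from targets whose operational security is
    likely to catch them, or whose value does not justify the exposure.
    Thresholds are illustrative assumptions."""
    allowed = [
        e for e in inventory
        if e.tier < 2
        or (target.p_detect <= reserve_detect and target.value >= reserve_value)
    ]
    # On equal gain, prefer the lower tier: it costs less if burned.
    return max(allowed, key=lambda e: (expected_gain(e, target), -e.tier))


# Constructed inventory and targets (illustrative numbers, not from the documents).
INVENTORY = [
    Exploit("public-bug", 0, 0.40, 0.0),
    Exploit("private-bug", 1, 0.70, 40.0),
    Exploit("zero-day", 2, 0.95, 200.0),
]

TARGETS = [
    Target("high-value, weak opsec", 1000.0, 0.05),
    Target("high-value, strong opsec", 1000.0, 0.60),
    Target("low-value, sophisticated", 50.0, 0.60),
]


def plan(inventory=INVENTORY, targets=TARGETS):
    """Map each target name to the exploit the policy selects for it."""
    return {t.name: choose_exploit(inventory, t).name for t in targets}


if __name__ == "__main__":
    for target, exploit in plan().items():
        print(f"{target:26s} -> {exploit}")
```

With these numbers the high-value target with weak opsec draws the zero-day, the high-value target with strong opsec gets the privately held bug because the zero-day is reserved, and the low-value but sophisticated target gets the public bug, since even the private exploit's burn cost outweighs the small gain. Changing the burn cost or the detection estimate moves the boundary, which is the point of modelling it rather than hard-coding a tier per target.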

"According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety of options," said Schneier. "The documentation mentions United Rake, Peddle Cheap, Packet Wrench and Beach Head -- all delivered from a FoxAcid subsystem called Ferret Cannon."

Those terms appear to be geek-espionage insider-speak for the agency's actual online attack capabilities, and many of the names have left security experts guessing. "Ferret cannon is a hint at capability, dire scallop -- bypasses AV? -- is a hint ... they seem suggestive at least," tweeted the GrugQ.

What also struck Schneier was that the operating procedures for the Tailored Access Operations (TAO) personnel who launch cyberattacks are quite conservative. "They're super cautious about what they do," he said, so as to not tip off their targets.

But if the NSA excels at infiltrating targeted systems while avoiding detection -- and anecdotal evidence suggests this to be the case -- Schneier identified a glaring weakness in its risk-management model. "The organization seems to be good enough at assessing the risk of discovery -- for example, if the target of an intelligence-gathering effort discovers that effort -- but to have completely ignored the risks of those efforts becoming front-page news," he said.

User Rank: Ninja
10/12/2013 | 1:52:11 PM
re: NSA Hack Attacks: Good Value For Money?
As it turns out most of the NSA programs exist only because their leaders and sponsors need a reason to have a job. They produce zero results, only accumulate more data that needs to be processed, making the haystack only bigger to find the same amount of needles. And then there is ineptitude in execution, as can be seen in the NSA's Utah data center that doesn't even work right. The NSA is a giant waste of taxpayer money and one of the big reasons for federal debt spiraling out of control. But yeah, that gets addressed by cutting food stamps....
User Rank: Apprentice
10/31/2013 | 3:06:57 PM
re: NSA Hack Attacks: Good Value For Money?
Yup... food stamp funding has been cut massively over the last 5 years! You nailed that one!
User Rank: Apprentice
10/14/2013 | 8:07:57 PM
re: NSA Hack Attacks: Good Value For Money?
I bet we could make progress on saving money if we defunded this horrible idea. The only thing we have to fear is our own government.