Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/8/2014
05:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Leaked NSA Hacking Tools, Tactics, In Focus

Enterprises worry about NSA 'copycat' spying scenarios

The NSA's catalog of custom hacking tools for popular networking and consumer products recently leaked by former contractor Edward Snowden provided a rare glimpse at the arsenal at the fingertips of the spy agency's hackers.

But the tools were not unlike many techniques and weapons employed by criminals or other espionage cyberattackers, experts say. Take DROPOUT JEEP, the NSA-built hacking tool included in its recently published catalog in 2008 that hacks iPhones. DROPOUT JEEP is technically a remote access Trojan or RAT, says Lucas Zaichkowsky, enterprise defense architect at incident response and forensics firm AccessData.

Zaichkowsky says based on the leaked information and diagrams, NSA hackers are operating the RAT backdoor for their intelligence-gathering operations. The RAT backdoor likely has a small footprint and can be updated with plugins for various functions, he says.

"They're just jailbreaking the iPhone," Zaichkowsky says. "It's a remote administrative tool ... it can take pictures, do keystroke recording," not unlike other RATs, he says.

The version leaked by Snowden is for attacks that require close proximity to the target, but the NSA's description of the tool says a remote installation capability was on the horizon. The documents were published late last month by Der Spiegel, exposing the NSA's elite hacking team, called the Tailored NSA's Tailored Access Operations (TAO) Group, and the agency's homegrown hacking tools.

Apple has reportedly denied providing the NSA with any backdoors to its products. "Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products," the company said in statement. "We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

"My initial thought was that Apple didn't give them [access]," Zaichkowsky says. "[The NSA] may have found some network-based exploits and sent specially crafted packets over the network," he says. "If there isn't proper input validation, then you end up jailbreaking the iPhone, exploiting it, and getting kernel-mode or root access" on the targeted iPhone, he says.

[Treasure trove of tools created and used by NSA hackers for planting backdoors via Cisco, Juniper, Apple products unveiled in latest document leaks. See NSA Elite Hacking Team Operations Exposed.]

The actual damage these NSA operations revelations have had -- and will have -- on security has been debated within the security community since the Snowden leaks began this past summer. While the scope of the NSA's operations is under scrutiny, the agency is basically doing its own bug-hunting not unlike an advanced attacker would do, experts say.

"Any attacker could be finding zero-days. It's less bad if we know our people know what those exploits are and are keeping an eye out, instead of having no clue those exploits exist," Zaichkowsky says. NSA needs more external checks and balances surrounding its operations, however, he says.

But the fallout has already been felt not only within the U.S. as vendors have expressed concerns about the NSA's operations, but also overseas.

Ron Gula, CEO and CTO of Tenable, says he has seen European and Asian markets going sour on U.S.-based cloud firms in the wake of the NSA revelations. That has actually boosted Tenable's business, he says. "Since our stuff is inside the network, we have been able to switch out with some of our competitors who are cloud-based," he says. But that's only a temporary trend, he says.

The bigger worry of most enterprises in the wake of the leaked NSA documents outlining some controversial and widespread spying operations, as well as backdoors in popular products, is copycat scenarios, Gula says. "More organizations are going to be interested in 'becoming' NSA," he says. "There are technologies out there that take a movie of your desktop and play it later. That has dramatic ramifications for HR and IT security, with competitive intel [at risk]."

Most enterprises are just as worried about their top researchers being hired away, and being attacked by APTs, he says.

Not much is likely to change at NSA until any legal proceedings occur, says privacy expert Mark Weinstein, CEO of Sgrouples. "It's business as usual right now," Weinstein says. "This really has to work through our court systems. The courts are going to have to redefine what the Fourth Amendment means ... and it's going to take a couple of years" to hash out, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KaranK771
50%
50%
KaranK771,
User Rank: Apprentice
3/25/2014 | 10:43:45 AM
re: Leaked NSA Hacking Tools, Tactics, In Focus
the5thHorseman
50%
50%
the5thHorseman,
User Rank: Apprentice
1/9/2014 | 6:48:13 PM
re: Leaked NSA Hacking Tools, Tactics, In Focus
"The courts are going to have to redefine what the Fourth Amendment means ...
" . Why? The fourth ammendment, like the second ammendment, is very plain, and is timeless. Regardless of the evolution of technology, HOW we communicate and HOW we store information, our privacy is still protected. The fourth ammendment prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause. The concept and meaning of "privacy" is not bound to any technology or other advancement in society. The fourth ammendment governs the actions of PEOPLE, not any tecnology or storage or communication medium. It prevents your government and fellow citizens from simply taking what they want, from stealing your personal information and invading your life. It is the people, your elected officials who have not only miserably failed to defend the Constitution of the United States, but have blatantly betrayed you through executive orders and subversive legislation like the Patriot Act and Homeland Security Act that allow them to circumvent your constitutional rights any time they choose. And they justify it with their ambiguous "War on Terror", specifically designed to NEVER END, giving the president war powers for eternity. Where is your OUTRAGE America? The deeds of this government are horrific, and we simply stand by and let it happen. The ONLY reason the NSA gets away with this is because the executive and legislative branches want it to, and the judicial branch is bought and paid for ... they don't care. Here's the punchline... all of this was built with YOUR MONEY and they use it ON YOU. Pretty funny, huh? The only people who want to change the fourth ammendment are the same ones that are spying on you. The same people who are making it illegal for you to defend yourself. Anyone remember a country called Germany?...
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.