Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/8/2014
05:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Leaked NSA Hacking Tools, Tactics, In Focus

Enterprises worry about NSA 'copycat' spying scenarios

The NSA's catalog of custom hacking tools for popular networking and consumer products recently leaked by former contractor Edward Snowden provided a rare glimpse at the arsenal at the fingertips of the spy agency's hackers.

But the tools were not unlike many techniques and weapons employed by criminals or other espionage cyberattackers, experts say. Take DROPOUT JEEP, the NSA-built hacking tool included in its recently published catalog in 2008 that hacks iPhones. DROPOUT JEEP is technically a remote access Trojan or RAT, says Lucas Zaichkowsky, enterprise defense architect at incident response and forensics firm AccessData.

Zaichkowsky says based on the leaked information and diagrams, NSA hackers are operating the RAT backdoor for their intelligence-gathering operations. The RAT backdoor likely has a small footprint and can be updated with plugins for various functions, he says.

"They're just jailbreaking the iPhone," Zaichkowsky says. "It's a remote administrative tool ... it can take pictures, do keystroke recording," not unlike other RATs, he says.

The version leaked by Snowden is for attacks that require close proximity to the target, but the NSA's description of the tool says a remote installation capability was on the horizon. The documents were published late last month by Der Spiegel, exposing the NSA's elite hacking team, called the Tailored NSA's Tailored Access Operations (TAO) Group, and the agency's homegrown hacking tools.

Apple has reportedly denied providing the NSA with any backdoors to its products. "Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products," the company said in statement. "We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

"My initial thought was that Apple didn't give them [access]," Zaichkowsky says. "[The NSA] may have found some network-based exploits and sent specially crafted packets over the network," he says. "If there isn't proper input validation, then you end up jailbreaking the iPhone, exploiting it, and getting kernel-mode or root access" on the targeted iPhone, he says.

[Treasure trove of tools created and used by NSA hackers for planting backdoors via Cisco, Juniper, Apple products unveiled in latest document leaks. See NSA Elite Hacking Team Operations Exposed.]

The actual damage these NSA operations revelations have had -- and will have -- on security has been debated within the security community since the Snowden leaks began this past summer. While the scope of the NSA's operations is under scrutiny, the agency is basically doing its own bug-hunting not unlike an advanced attacker would do, experts say.

"Any attacker could be finding zero-days. It's less bad if we know our people know what those exploits are and are keeping an eye out, instead of having no clue those exploits exist," Zaichkowsky says. NSA needs more external checks and balances surrounding its operations, however, he says.

But the fallout has already been felt not only within the U.S. as vendors have expressed concerns about the NSA's operations, but also overseas.

Ron Gula, CEO and CTO of Tenable, says he has seen European and Asian markets going sour on U.S.-based cloud firms in the wake of the NSA revelations. That has actually boosted Tenable's business, he says. "Since our stuff is inside the network, we have been able to switch out with some of our competitors who are cloud-based," he says. But that's only a temporary trend, he says.

The bigger worry of most enterprises in the wake of the leaked NSA documents outlining some controversial and widespread spying operations, as well as backdoors in popular products, is copycat scenarios, Gula says. "More organizations are going to be interested in 'becoming' NSA," he says. "There are technologies out there that take a movie of your desktop and play it later. That has dramatic ramifications for HR and IT security, with competitive intel [at risk]."

Most enterprises are just as worried about their top researchers being hired away, and being attacked by APTs, he says.

Not much is likely to change at NSA until any legal proceedings occur, says privacy expert Mark Weinstein, CEO of Sgrouples. "It's business as usual right now," Weinstein says. "This really has to work through our court systems. The courts are going to have to redefine what the Fourth Amendment means ... and it's going to take a couple of years" to hash out, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KaranK771
50%
50%
KaranK771,
User Rank: Apprentice
3/25/2014 | 10:43:45 AM
re: Leaked NSA Hacking Tools, Tactics, In Focus
the5thHorseman
50%
50%
the5thHorseman,
User Rank: Apprentice
1/9/2014 | 6:48:13 PM
re: Leaked NSA Hacking Tools, Tactics, In Focus
"The courts are going to have to redefine what the Fourth Amendment means ...
" . Why? The fourth ammendment, like the second ammendment, is very plain, and is timeless. Regardless of the evolution of technology, HOW we communicate and HOW we store information, our privacy is still protected. The fourth ammendment prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause. The concept and meaning of "privacy" is not bound to any technology or other advancement in society. The fourth ammendment governs the actions of PEOPLE, not any tecnology or storage or communication medium. It prevents your government and fellow citizens from simply taking what they want, from stealing your personal information and invading your life. It is the people, your elected officials who have not only miserably failed to defend the Constitution of the United States, but have blatantly betrayed you through executive orders and subversive legislation like the Patriot Act and Homeland Security Act that allow them to circumvent your constitutional rights any time they choose. And they justify it with their ambiguous "War on Terror", specifically designed to NEVER END, giving the president war powers for eternity. Where is your OUTRAGE America? The deeds of this government are horrific, and we simply stand by and let it happen. The ONLY reason the NSA gets away with this is because the executive and legislative branches want it to, and the judicial branch is bought and paid for ... they don't care. Here's the punchline... all of this was built with YOUR MONEY and they use it ON YOU. Pretty funny, huh? The only people who want to change the fourth ammendment are the same ones that are spying on you. The same people who are making it illegal for you to defend yourself. Anyone remember a country called Germany?...
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.
CVE-2020-13404
PUBLISHED: 2020-08-05
The ATOS/Sips (aka Atos-Magento) community module 3.0.0 to 3.0.5 for Magento allows command injection.
CVE-2020-15112
PUBLISHED: 2020-08-05
In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater then the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime pa...