The Biggest NSA "Backdoor Exploit" Ever

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

The Biggest NSA "Backdoor Exploit" Ever

Post by Pigeon » Tue Feb 17, 2015 11:50 am

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.

Link


Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: The Biggest NSA "Backdoor Exploit" Ever

Post by Royal » Wed Feb 18, 2015 4:36 am

One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.

The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system.

Mother of God...

Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: The Biggest NSA "Backdoor Exploit" Ever

Post by Royal » Wed Feb 18, 2015 6:37 am

Image

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: The Biggest NSA "Backdoor Exploit" Ever

Post by Pigeon » Thu Feb 19, 2015 1:43 am

When did the government separate from the citizens?

Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: The Biggest NSA "Backdoor Exploit" Ever

Post by Royal » Thu Feb 19, 2015 5:11 am

Pigeon wrote: When did the government separate from the citizens?
Sounds like a riddle.

But probably when they saw Tyranny of the majority.... and/or thought the populace cannot effectively vote for a functioning government.

Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: The Biggest NSA "Backdoor Exploit" Ever

Post by Royal » Thu Feb 19, 2015 5:17 am

Curious about this virus/trojan stuff.

If the Malicious code is communicating information out, would there be a way to add on additional code to piggyback to a source?

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: The Biggest NSA "Backdoor Exploit" Ever

Post by Pigeon » Fri Feb 20, 2015 2:41 am

It seems as though it was used to protect certain area(s) of the disk from erasure. Although I have to wonder what else could be placed in the code that manages the disk.

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: The Biggest NSA "Backdoor Exploit" Ever

Post by Pigeon » Sat Feb 21, 2015 7:45 pm

It wasn't the first time the operators—dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group's extensive library.

In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA—but they provided detailed evidence that strongly implicates the US spy agency.

First is the group's known aptitude for conducting interdictions, such as installing covert implant firmware in a Cisco Systems router as it moved through the mail.

Second, a highly advanced keylogger in the Equation Group library refers to itself as "Grok" in its source code. The reference seems eerily similar to a line published last March in an Intercept article headlined "How the NSA Plans to Infect 'Millions' of Computers with Malware." The article, which was based on Snowden-leaked documents, discussed an NSA-developed keylogger called Grok.

The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.

Link


Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: The Biggest NSA "Backdoor Exploit" Ever

Post by Pigeon » Sat Feb 21, 2015 8:25 pm

He explained that nls_933w.dll contains a driver that drops the malware; the driver is used to interact with the hard drive from the kernel level, Kamluk said.

According to the report about Equation, the module has two functions: reprogramming the HDD firmware with a custom payload, and providing an API into hidden storage sectors of the hard drive.

This not only gives the attackers eternal persistence that allows them to survive disk formatting and operating system reinstalls, but they also have undetectable persistent storage inside the hard drive.

“This module gives us a clear understanding of their capabilities,” Kamluk said. “It’s not that the code was so sophisticated; it used certain sequences of ATA commands to interact with the hard drive, but the sophisticated part was not exposed. It was the [reprogrammed] firmware itself,” Kamluk said. “To master writing the firmware, it takes years to do that. We just saw that the level of sophistication is high because of what they’re capable of doing, but we don’t have the firmware itself.”

Kamluk said that the Equation group is not necessarily exploiting a vulnerability in the traditional sense, but a weakness in the design of the hard drives and how they allow vendors to push firmware updates.

“They left the door open and it may have been open for many years. The trick is that you have to have the full description, full reference of what is the current firmware on the hard drive and how it works. You have to know how to properly write and interact with the equipment to be able to successfully deploy new code. This is extremely complicated and requires a lot of skills and internal knowledge.”

Kamluk speculates the attackers likely had access to internal, proprietary manuals and documentation for each respective vendor. Likely these manuals were stolen, either by an insider or from a separate malware attack.

See more at: Inside nls_933w.dll, the Equation APT Persistence Module
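Kamluk's point above is that the implant lives in firmware reached through ordinary ATA commands, and that the host has no view of it. One baseline check a defender can still run, added here as an example that is not code from the thread, from Kaspersky or from any drive vendor: parse the drive's ATA IDENTIFY DEVICE response (the same 512-byte block that `hdparm -I` or `smartctl -i` read) and diff its model, serial, firmware revision and capacity against a recorded baseline. All drive values below are constructed sample data, and the function names are this example's own.

```python
"""Baseline and diff what a drive reports via ATA IDENTIFY DEVICE (added example,
not code from the thread; all drive values below are constructed)."""
import struct

def ata_string(block: bytes, first_word: int, n_words: int) -> str:
    """ATA packs two ASCII chars per 16-bit word with the bytes swapped."""
    raw = block[first_word * 2:(first_word + n_words) * 2]
    swapped = b"".join(bytes((raw[i + 1], raw[i])) for i in range(0, len(raw), 2))
    return swapped.decode("ascii", errors="replace").strip()

def parse_identify(block: bytes) -> dict:
    """Extract the fields worth baselining from a 512-byte IDENTIFY DEVICE block."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    w = struct.unpack("<256H", block)
    lba28 = w[60] | (w[61] << 16)                                       # words 60-61
    lba48 = w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)  # words 100-103
    return {
        "serial": ata_string(block, 10, 10),   # words 10-19
        "firmware": ata_string(block, 23, 4),  # words 23-26
        "model": ata_string(block, 27, 20),    # words 27-46
        "sectors": lba48 or lba28,             # user-addressable capacity
    }

def diff_against_baseline(baseline: dict, current: dict) -> list:
    """List identity fields that changed since the baseline was recorded.
    A reprogrammed firmware can report whatever it likes, so an empty diff is
    a hygiene check, not proof that the firmware is intact."""
    return [f"{k}: {baseline[k]!r} -> {current[k]!r}"
            for k in ("model", "serial", "firmware", "sectors") if baseline[k] != current[k]]

def _pack_ata_string(text: str, n_words: int) -> bytes:
    padded = text.ljust(n_words * 2).encode("ascii")
    return b"".join(bytes((padded[i + 1], padded[i])) for i in range(0, len(padded), 2))

def build_sample_identify(model: str, serial: str, firmware: str, sectors: int) -> bytes:
    """Construct a synthetic IDENTIFY block for testing (not from any real drive)."""
    block = bytearray(512)
    block[20:40] = _pack_ata_string(serial, 10)
    block[46:54] = _pack_ata_string(firmware, 4)
    block[54:94] = _pack_ata_string(model, 20)
    block[120:124] = struct.pack("<I", min(sectors, 0x0FFFFFFF))  # 28-bit field saturates
    block[200:208] = struct.pack("<Q", sectors)
    return bytes(block)

# Constructed sample: same drive, but the firmware revision string it reports changed.
BASELINE_BLOCK = build_sample_identify("CONSTRUCTED HDD MODEL", "SN0000001", "FW01.00", 1953525168)
DRIFTED_BLOCK = build_sample_identify("CONSTRUCTED HDD MODEL", "SN0000001", "FW01.00X", 1953525168)
```

On a live system the block would come from the drive rather than `build_sample_identify`; record the parsed dictionary at provisioning time and re-run the diff on a schedule.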


Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: The Biggest NSA "Backdoor Exploit" Ever

Post by Royal » Sat Jul 16, 2016 1:55 am

We Can’t Let Our Toasters Become Smarter Than We Are
On the promises and perils of the Internet of Things.

So much is already so smart. Today, if you were so inclined, you could buy smart bread makers that let you remotely check the status of your bread. Or a smart thermostat that would learn your family’s behaviors and intelligently manage the temperature of your home. You could even purchase smart toys that listen to what your children are saying and respond.

But in the not too distant future, everything will be this smart, and everything this smart will be connected. This Internet of Things (IoT) represents the third wave of computing. The first wave focused on computation — making the basics of computing work. The second wave centered on networking — connecting all of these computers together in a global network. The third wave, of which we are in the early stages, aims to make computers part of the physical world in which we live. Computation, communication, and sensation are being woven into everyday objects, all of which contain, and indeed are, computers.

IoT offers tremendous potential to society in a wide array of fields. Consider the case of health care: in the early 20th century, the primary global-health issue was controlling infectious diseases like tuberculosis and diphtheria. Now, in the early 21st century, people in developed countries need to manage chronic conditions like heart disease and diabetes, which require sustained changes in people’s behaviors in terms of diet, exercise, and medication. The World Health Organization estimates that 60 percent of all deaths worldwide are now due to chronic conditions. IoT systems can offer meaningful interventions here by helping people achieve desired changes. The combination of smartphones, wearable devices, and new kinds of home monitoring systems makes it possible to accurately track a person’s sleep patterns, physical activities, food intake, and medication. This information might be used by individuals to understand their own patterns, as well as by doctors and health coaches to offer personalized interventions that are just within a person’s grasp. But with great potential benefit comes great potential peril, and we need to ensure that IoT systems are built with security and safety in mind.

What Makes Security for IoT Different?

Security for IoT shares much in common with today’s security concerns for desktop computers, cloud computing, and enterprise systems. But one difference lies in the many ways in which these problems will be exacerbated by IoT. For example, ransomware, in which an attacker holds your data or your computer systems hostage, takes on new meaning if the attacker can take control of parts of your smart home or the autonomous vehicle you are in. Spyware will also be much harder to detect, since it might be in any of the devices you use.

IoT also poses some challenges for security that are unlike those we have encountered in earlier waves of computing. The most obvious challenge is scale. Soon there will be hundreds of networked devices per person. And while it is relatively easy to configure a security policy for a single device, the same cannot be said for securing hundreds of devices, each of which might have a different user interface.

A second major challenge is the diversity of IoT devices. Some devices, such as tablets and glasses, will have a great deal of computational power and can run security software. The vast majority of devices, however, will be low-end systems and cannot use conventional security software.

A third major challenge is managing security in the face of emergent behaviors, which are unexpected behaviors that arise due to complex interactions between devices. A friend told me that a person once annoyed a bunch of people wearing Google Glass by shouting out “OK Glass, take a picture,” causing everyone’s wearable to take a picture. That is a trivial example. But what if the same logic were used by an attacker who has found a software vulnerability in a smart toaster and causes it to burn some toast? The networked smoke detector sets off an alert and automatically opens up the windows, allowing a thief to easily enter. This is a contrived scenario, but it demonstrates the challenges of understanding the overall safety and security properties of a system when it is composed of parts that were not explicitly designed to work with one another.

A fourth and final challenge is that most IoT manufacturers have little experience with cybersecurity. Traditional software companies that are also looking to develop IoT hardware already understand the need for good security practices. However, many hardware manufacturers — which include makers of automobiles, household appliances, toys, lighting, medical equipment, and more — often do not yet realize that they also need to be software companies. This means having employees who understand good software engineering processes, using tools for developing and testing secure software, knowing how to create and distribute software patches, and having experience in best practices and in avoiding common mistakes. But that is exactly what they need to be and do.

A Path Forward to a Secure Internet of Things

...

https://psmag.com/we-cant-let-our-toast ... .wok2rgw0k

