{"id":77994,"date":"2016-08-22T12:00:44","date_gmt":"2016-08-22T11:00:44","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=77994"},"modified":"2016-08-20T14:34:43","modified_gmt":"2016-08-20T13:34:43","slug":"the-nsa-leak-is-real-snowden-documents-confirm","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2016\/08\/the-nsa-leak-is-real-snowden-documents-confirm\/","title":{"rendered":"The NSA Leak Is Real, Snowden Documents Confirm"},"content":{"rendered":"

Leia em portugu\u00eas \u27f6<\/a><\/p>\n

19 Aug 2016 – <\/em>On Monday [15 Aug], a hacking\u00a0group calling\u00a0itself the \u201cShadowBrokers\u201d announced an auction for what it claimed were \u201ccyber weapons\u201d made by the NSA.\u00a0Based on never-before-published\u00a0documents provided by the whistleblower Edward Snowden, The Intercept<\/em> can confirm that the arsenal\u00a0contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.<\/p>\n

\"Photo:<\/a>

Photo: Ulrich Baumgarten\/Getty Images<\/p><\/div>\n

The provenance of the code\u00a0has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear\u00a0how the software leaked, one thing is now beyond speculation: The malware is covered with\u00a0the NSA\u2019s virtual fingerprints and clearly originates from the agency.<\/p>\n

The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual\u00a0instructs NSA operators to track their use of one\u00a0malware program using\u00a0a specific 16-character string, \u201cace02468bdf13579.\u201d\u00a0That exact same string appears throughout the ShadowBrokers leak in code\u00a0associated with\u00a0the same program, SECONDDATE.<\/p>\n

SECONDDATE plays a specialized\u00a0role inside a complex global system built by the\u00a0U.S. government to infect and monitor what one document estimated to be millions of computers around the world<\/a>. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA\u2019s offensive software have been available to the public, providing a glimpse\u00a0at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don\u2019t always have the last word when it comes to computer exploitation.<\/p>\n

But malicious software of this sophistication doesn\u2019t just pose a threat to foreign governments, Johns Hopkins University cryptographer Matthew Green told\u00a0The Intercept<\/em>:<\/p>\n

The danger of these exploits is that they can be used to target anyone who is using a vulnerable router. This is the equivalent of leaving lockpicking tools lying around a high school cafeteria. It\u2019s worse, in fact, because many of these exploits are not available through any other means, so they\u2019re just now coming to the attention of the firewall and router manufacturers that need to fix them, as well as the customers that are vulnerable.<\/em><\/p>\n

So the risk is twofold: first, that the person or persons who stole this information might have used them against us. If this is indeed Russia, then one assumes that they probably have their own exploits, but there\u2019s no need to give them any more. And now that the exploits have been released, we run the risk that ordinary criminals will use them against corporate targets.<\/em><\/p>\n

The NSA did not respond to questions concerning ShadowBrokers, the Snowden documents, or\u00a0its malware.<\/p>\n

A Memorable\u00a0SECONDDATE<\/strong><\/p>\n

The offensive tools released by ShadowBrokers are organized under a litany of code names such as POLARSNEEZE and ELIGIBLE BOMBSHELL,\u00a0and their\u00a0exact purpose is still being assessed. But we do know more about one of the weapons: SECONDDATE.<\/p>\n

SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web\u00a0server. That server, in turn, is designed to infect them with malware. SECONDDATE\u2019s\u00a0existence was first reported by The Intercept<\/em> in 2014<\/a>, as part of a look at a global computer exploitation\u00a0effort code-named TURBINE. The\u00a0malware\u00a0server, known as FOXACID, has also been described<\/a> in previously released Snowden documents.<\/p>\n

Other documents released by The Intercept<\/em> today not only tie\u00a0SECONDDATE to the ShadowBrokers leak but also provide new detail on how it fits into the NSA\u2019s broader surveillance and infection network. They also show how SECONDDATE has been used, including to spy on Pakistan and a computer system in Lebanon.<\/p>\n

The top-secret manual that authenticates the SECONDDATE found in the wild as the same one used within the NSA is a 31-page document titled \u201cFOXACID SOP for Operational Management<\/a>\u201d and marked as a draft. It dates to no earlier than 2010. A section within the manual describes administrative tools for tracking how victims are\u00a0funneled into FOXACID, including a set of tags used to catalogue servers. When such a tag is created in relation to a SECONDDATE-related infection, the document says, a certain distinctive identifier must be used:<\/p>\n

<\/a><\/p>\n

 <\/p>\n

The\u00a0same SECONDDATE MSGID string appears\u00a0in 14 different files\u00a0throughout the ShadowBrokers leak, including in a\u00a0file titled SecondDate-3021.exe. Viewed through a code-editing program (screenshot below), the NSA\u2019s secret number can be found hiding in plain sight:<\/p>\n

\"seconddate<\/a><\/p>\n

 <\/p>\n

All told, throughout\u00a0many\u00a0of the folders contained in the ShadowBrokers\u2019 package (screenshot below), there are 47 files with SECONDDATE-related names,\u00a0including different versions of the raw code\u00a0required to execute a SECONDDATE attack, instructions for how to use it,\u00a0and other related files.<\/p>\n

\"seconddate<\/a><\/p>\n

 <\/p>\n

After viewing the code, Green told\u00a0The Intercept<\/em> the MSGID string\u2019s occurrence in both an NSA training document and this week\u2019s leak is \u201cunlikely to be a coincidence.\u201d Computer security researcher Matt Suiche,\u00a0founder of UAE-based cybersecurity startup Comae Technologies, who has been particularly vocal in his analysis of the ShadowBrokers this week, told\u00a0The Intercept\u00a0<\/em>\u201cthere is no way\u201d the MSGID string\u2019s appearance in both places is a coincidence.<\/p>\n

Where SECONDDATE Fits In<\/strong><\/p>\n

This overview jibes with previously unpublished classified files\u00a0provided by Snowden that\u00a0illustrate how SECONDDATE is a component of BADDECISION, a broader NSA\u00a0infiltration tool. SECONDDATE helps the NSA pull off a \u201cman in the middle\u201d attack against users on a wireless network, tricking them\u00a0into thinking they\u2019re talking to a safe website when in reality they\u2019ve been sent a malicious payload from an\u00a0NSA server.<\/p>\n

According to one December\u00a02010 PowerPoint presentation titled \u201cIntroduction to BADDECISION<\/a>,\u201d that tool is also designed to send users of a wireless network, sometimes referred to as an 802.11 network, to FOXACID malware servers. Or, as the presentation puts it, BADDECISION is an \u201c802.11 CNE [computer network exploitation] tool that uses a true man-in-the-middle attack and a frame injection technique to redirect a target client to a FOXACID server.\u201d As another top-secret slide<\/a> puts it, the attack homes in on \u201cthe greatest vulnerability to your computer: your web browser.\u201d<\/p>\n

<\/a><\/p>\n

 <\/p>\n

One slide points out that the attack works on users with an encrypted wireless connection to the internet.<\/p>\n

That\u00a0trick, it seems, often involves\u00a0BADDECISION and SECONDDATE, with the latter described as a \u201ccomponent\u201d for the former.\u00a0A series of diagrams in the \u201cIntroduction to BADDECISION\u201d\u00a0presentation show how an NSA operator \u201cuses SECONDDATE to inject a redirection payload at [a] Target Client,\u201d invisibly hijacking a user\u2019s web browser as the user attempts to visit a benign website (in the example given, it\u2019s CNN.com). Executed correctly, the file explains, a \u201cTarget Client continues normal webpage browsing, completely unaware,\u201d lands on a malware-filled NSA server, and becomes infected with as much of that malware as possible \u2014 or as the presentation puts it, the user will be left \u201cWHACKED!\u201d In the other top-secret presentations, it\u2019s put plainly: \u201cHow do we redirect the target to the FOXACID server without being noticed<\/a>\u201d? Simple: \u201cUse NIGHTSTAND or BADDECISION.\u201d<\/p>\n

The sheer number of interlocking tools available to crack a computer is dizzying. In the FOXACID manual<\/a>,\u00a0government hackers are told\u00a0an NSA hacker\u00a0ought to be familiar with using SECONDDATE along with similar man-in-the-middle wi-fi attacks code-named MAGIC SQUIRREL and MAGICBEAN.\u00a0A top-secret presentation<\/a> on FOXACID lists\u00a0further ways to redirect targets to the malware server system.<\/p>\n

\"seconddate<\/a><\/p>\n

 <\/p>\n

To position themselves within range of a vulnerable wireless network, NSA operators can use\u00a0a mobile antenna system running software code-named BLINDDATE, depicted in the field in what appears to be\u00a0Kabul. The software can even be attached to a drone. BLINDDATE in turn can run BADDECISION, which allows for a SECONDDATE attack:<\/p>\n

\"seconddate<\/a><\/p>\n

 <\/p>\n

Elsewhere in\u00a0these files, there are at least two\u00a0documented cases of SECONDDATE being used to successfully infect computers overseas: An April 2013 presentation<\/a> boasts of successful attacks against computer systems in both Pakistan and Lebanon. In the first, NSA hackers used SECONDDATE to breach \u201ctargets in Pakistan\u2019s National Telecommunications Corporation\u2019s (NTC) VIP Division,\u201d which contained documents pertaining to\u00a0\u201cthe backbone of Pakistan\u2019s Green Line communications network\u201d used by \u201ccivilian and military leadership.\u201d<\/p>\n

In the latter, the NSA used SECONDDATE to pull off a man-in-the-middle attack in Lebanon\u00a0\u201cfor the first time ever,\u201d infecting a Lebanese ISP to extract \u201c100+ MB of Hizballah Unit 1800 data,\u201d a special subset of the terrorist\u00a0group dedicated to aiding<\/a>\u00a0Palestinian militants.<\/p>\n

SECONDDATE is just one method that the NSA uses to get its\u00a0target\u2019s\u00a0browser pointed at a FOXACID server. Other methods include sending spam\u00a0that attempts to exploit bugs in popular web-based email providers or\u00a0entices targets to click on malicious links that lead to a FOXACID\u00a0server. One\u00a0document<\/a>, a newsletter for the NSA\u2019s Special Source Operations division, describes how NSA software\u00a0other than SECONDDATE was used to repeatedly direct targets in Pakistan to FOXACID malware web servers, eventually infecting\u00a0the targets\u2019 computers.<\/p>\n

A Potentially Mundane Hack<\/strong><\/p>\n

Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has offered\u00a0some context and a relatively mundane possible\u00a0explanation for the leak: that the NSA headquarters\u00a0was not hacked, but rather one of the computers the agency\u00a0uses to plan and execute\u00a0attacks was compromised. In a series of tweets<\/a>, he pointed out that the NSA often lurks on systems that are supposed to be controlled by others, and it\u2019s possible someone at the agency took control of a server and failed to clean up after themselves. A regime, hacker group, or intelligence agency could have seized the files and the opportunity to\u00a0embarrass the agency.<\/p>\n

\n

6) What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.<\/p>\n

— Edward Snowden (@Snowden) August 16, 2016<\/a><\/p><\/blockquote>\n