[148847] in cryptography@c2.net mail archive
Re: [Cryptography] TAO, NSA crypto backdoor program
From: Lodewijk andré de la porte <l@odewijk.nl>
Date: Tue, 31 Dec 2013 05:22:20 +0100 (archived Tue Dec 31 03:30:46 2013)
Cc: cryptography@metzdowd.com
In-Reply-To: <448D56B3-59F3-426A-94D5-FA3D4AC68322@sxpert.org>
This actually took about 5 hours. I hope it will be useful to anyone. I
sure feel up to date with the NSA 5 years ago. Some things are impressive.
Their prices too though. Their level of determination and systematic
approaches too. Miniaturization skill is good too, but not quite James
Bond. Particularly the use of RAGEMASTER and the other radar thingies. The
exploitation of routers is just the tip of the iceberg of exploits. GSM
exploits should really be commonly accepted to exist by now.
Feel free to ask me questions, forward this mail to others, reformat it
into wiki format or something, correct me if I'm wrong, ask me for my
Bitcoin address because I'm your personal hero. Anything. I'm going to bed.
2013/12/30 Raphael Jacquot <sxpert@sxpert.org>
> On 30 Dec 2013, at 15:59, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
> A while back Bruce told me that the Snowden docs show NSA uses every
> attack imaginable.
> Here is the latest installment. The phrase that comes to mind is 'have
> they no decency?'
>
I was speechless about their acting physically. I realized shortly after
that until now I've seen the NSA as an overfunded academic project to find
exploits everywhere, but that all they want is all the information in any
possible way. The return on investment of those projects presented is
occasionally very low. That's the scariest part. They might even have
exploited this and that rare thing.
Then I realized I never trusted hardware one bit, that PCB-track radio is
real and fun and exploitable, and that I have always been confused by the
lack of in-system paranoia. I think the whole thing is quite funny because
against consumers it seems an ineffective budget spend. It's probably
focused on companies though. Anyway, it's all kind of fun to me at the
moment. Guess it'd be different if I actually used these products.
Anyone see the irony of America banning Chinese router stuff and meanwhile
exploiting all of its own products?
> the full gadget catalogue is here
>
> http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/
>
I'm impressed. I also considered physical to be uselessly aggressive
compared to the wealth of software hacks. Curious.
This does seriously harm the NSA's interests. This gives us clear insight
into their recent capabilities. I think this is not data from our good old
source. This is probably someone else. Luckily I'm not American and I
believe that justifies fully all that I'm doing now.
ANT = Advanced or Access Network Technology
Allow me to recap the available tools:
DEITYBOUNCE - Dell PowerEdge BIOS exploit to get software onto target.
Re-implants the exploit when the OS loads using the BIOS exploit. Unclear
if it can be installed just by plugging a USB in, or whether the Non-tech
agent needs to boot into it. Uses ARKSTREAM for implanting itself on the
BIOS. (2007)
IRONCHEF - Similar to DEITYBOUNCE. Additionally communicates over a
bidirectional radio that's also to be implanted into the system. For the HP
Proliant 380DL G5 it uses an I2C connected radio called WAGONBED. IRONCHEF
can be remote controlled to read/write to the target system. Especially to
replace the spy-software placed on it if it's cleared. (2007)
FEEDTHROUGH - is something to persist ZESTYLEAK and BANANAGLEE in Juniper
Netscreen firewalls. Across reboots and software upgrades. Also a BIOS
level attack (see image). There exists something called a "DNT Implant
Communications Protocol" for remote access and control. It employs a hiding
method on the target platforms. (2008)
GOURMETTROUGH* - persists BANANAGLEE on Juniper firewalls. Some platforms
it can "beacon" regardless of OS. ANT has to configure on non-automated
platforms. Can also place a "Persistent BackDoor" (PBD) if configured by an
expert. (2008)
HALLUXWATER - persistent remote control for Huawei Eudemon firewalls. Has
to be installed as a boot ROM (BIOS) upgrade. Uses PIT (TURBOPANDA
Insertion Tool) to read/write memory, execute local or delivered code.
Survives automatic bootROM (BIOS) upgrades. (2008)
JETPLOW - persists BANANAGLEE on Cisco PIX and Cisco ASA firewalls. Can
also install BANANAGLEE protocol compatible PBDs. Boot time modifies the
OS. Can remotely self-upgrade. Can be added to an existing BANANAGLEE
thingy. (2008)
SOUFFLETROUGH - persists BANANAGLEE for Juniper SSG 500 and SSG 300 series
firewalls. "Advanced" PBD capability. Boot time modifies the OS. Can
fallback to BANANAGLEE compatible PBD. *TAKES ADVANTAGE OF Intel's System
Management Mode* for enhanced reliability and covertness. Can remotely
self-upgrade. Can be added to an existing BANANAGLEE thingy. (2008)
HEADWATER - PBD for some Huawei routers. Goes into the boot ROM via an
upgrade (makes no sense, "Read Only Memory"), works after reboot. Uses
DNT's HAMMERMILL Insertion Tool (HIT) for control of the PBD. Can
capture/analyze all passing IP packets. *Cover name for NSA/CIA Huawei
exploiting is TURBOPANDA*. (2008)
SCHOOLMONTANA - persists VALIDATOR for Juniper J-Series routers. The
routers run JUNOS, a *custom FreeBSD* by Juniper. BIOS mod that modifies the
OS in memory to run VALIDATOR and "provide persistent kernel modifications
to support implant execution"***. Injects at the end of the "System
Management Mode". Cover term for DNT implants for Juniper J-Series
routers. (2008)
SIERRAMONTANA - SCHOOLMONTANA for Juniper M-Series routers. (2008)
STUCCOMONTANA - SCHOOLMONTANA for Juniper T-Series routers. (2008)
CTX4000 - Continuous Wave (CW) radar unit. (ab)Used to collect VAGRANT and
DROPMIRE data. Reads 1 to 2 GHz at up to 45 MHz per second. Can go from 2
to 1000 Watts. Can be remotely controlled. They use a bloody radar to pick
up signal intel. This is so cool. An aluminum hat probably won't save your
PC when it's getting blasted with this baby. (Last 3 sentences are pure
speculation) (2008)
LOUDAUTO - Audio based RF retro-reflector. A little microphone's analog
output is PPM'ed (Pulse Position Modulation) onto a square wave (standard in
RC control too!). Those pulses are pulsed towards a FET (Field Effect
Transistor). So when a pulse is sent the FET turns on for a moment. The FET
can be seen on a CW radar well enough to reconstruct the pulses going into
it, and thus the audio in the room. NSA prides the use of COTS hardware, no
trace back to the NSA. Additionally these units consume next to no power!
(~0.000045 watts!). "Part of the ANGRYNEIGHBOR family of radar
retro-reflectors." (2008)
NIGHTSTAND - Wifi interceptor. Runs Fedora Core 3. Undetectable! N
targets. Works on all WIN-old. *Up to eight miles (12km!) of effectivity.*
Anti-encryption capabilities undisclosed. (2008)
NIGHTWATCH - VAGRANT receiver. Fancied up rugged laptop loaded with some
signal processing units. Hook it up to CTX4000 or PHOTOANGLO or a general
purpose receiver. Manual signal finding and frame averaging for visibility.
Has built-in forward to NSAW****, which has "analysists". To be replaced by
VIEWPLATE. (2008)
PHOTOANGLO - NSA/GCHQ project to replace CTX4000 with a nicer radar.
Frequencies ('later' aka 'now') up to 4 GHz (x2). Bandwidth up to 450 MHz
(x10). Slim form factor. <10lbs/4.5kg. Otherwise the same as CTX4000.
Connects to NIGHTWATCH, LFS-2 or VIEWPLATE. 40kdollar cost. (2008, planned
for Q1 2009)
SPARROW II - Embedded computer running BLINDDATE tools. WLAN B/G, CF card,
USB, 4x Mini PCI for GPS and multiple WLAN cards. IBM Power PC 405GPR. 16MB
flash, 64MB SDRAM. Linux 2.4. 2 Hrs of battery life. 6kdollar. Can be
traced to the NSA somehow, so "operational restrictions exist for equipment
deployment". Possibly due to PowerPC usage, those things are kinda rare.
(2008)
TAWDRYYARD - Beacon RF retro-reflector. Toggles a FET to provide a good
Radar profile. Used to find RAGEMASTER units. Part of the ANGRYNEIGHBOR
family of radar retro-reflectors. Extremely low power consumption. (2008)
GINSU - an addition to BULLDOZER that provides persistence to KONGUR.
BULLDOZER is a physical PCI device. KONGUR is a software exploit for
windows 9x to Vista (and thus 7, maybe 8). Reinstalls on reboot, if KONGUR
was removed by upgrades or reinstall.
HOWLERMONKEY - short to medium range radio transceivers. To be used in
other products. Works in CONJECTURE or SPECULATION networks. Compatible
with STRIKEZONE devices that run a "HOWLERMONKEY personality" (assuming it
means wireless protocol). PCBs are laid out according to needs. 16mm by
16mm is totally possible. Run around 800 USD/each (call for quote I guess).
IRATEMONK - Provides persistence by modifying the Hard Drive firmware to
substitute the MBR (the partition table). I suppose it boots itself first,
then continues with the real OS. Image contains extremely complicated
diagram of operations, showing the following systems: SERUM, RETURNSPRING,
SLICKERVICAR, WISTFULTOIL, OIM/JMSQ, SEAGULLFARO, TUNING FORK, SSG, CDR
Diode (high/low?), UNITEDRAKE. ROC. SERUM looks like a processing cluster,
OIM/JSMQ looks like a database, TUNING FORK might be something that
prioritizes data, SSG's pipe is called "scaling" and is also a database.
CDR Diode might operationally split the NSA's systems and the outside
world, a defense unit. UNITEDRAKE must then be a supranational database,
the united part supports that idea. Somehow UNITEDRAKE or STRAITBAZZARE are
used with SLICKERVICAR "to upload the hard drive firmware onto the target
machine to implant IRATEMONK and its payload". Works on FAT, NTFS, EXT3,
UFS with many WD, Seagate, Maxtor and Samsung drives (which controller?).
I've actually read a post about "hey guys, look, isn't this the most
preposterous ridiculous hack?". I believe it was about hard drives. Seems
the NSA took note!
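The IRATEMONK summary above describes a boot sector substituted by the drive's own firmware. As an added example (mine, not from the post or the catalog), here is a defender-side baseline check in Python: it parses the 512-byte MBR the drive hands back, hashes the bootstrap code, and compares both hash and partition table against a baseline recorded while the machine was known good. Every sector byte below is constructed; the raw read of LBA 0 that would feed it on a real machine is assumed, not shown.

```python
"""Baseline check for the MBR sector (added example, not from the post)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code (plus disk id / reserved)
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap hash, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4 LE) sectors(4 LE)
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return human-readable findings where `sector` deviates from `baseline`."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code differs from baseline")
        # Boot code rewritten while the partition layout is untouched is the
        # pattern of a boot-sector implant rather than a re-partitioning.
        if current["partitions"] == baseline["partitions"]:
            findings.append("partition table unchanged: boot-code-only change")
    elif current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given bootstrap bytes, one Linux partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status 0x80 (bootable), type 0x83 (Linux), start LBA 2048, 1,000,000 sectors
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x83,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = part1 + b"\x00" * 48   # three empty entries
    return code + table + SIGNATURE


# Constructed "known good" sector and a copy whose bootstrap code was altered.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(GOOD_MBR)
_tampered = bytearray(GOOD_MBR)
_tampered[0x10:0x14] = b"\xe9\x00\x01\x90"   # constructed change inside boot code
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

One caveat that follows directly from the entry: a check like this reads the sector through the very firmware the entry says was modified, so a firmware that serves the clean sector to reads and the modified one to the boot path will pass it. It is worth running anyway (it catches the cheaper variants and any change the firmware does not bother to hide), but the baseline should be taken and compared over a path the suspect drive does not control.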
JUNIORMINT - Is a SoC. ARM9 + FPGA (Xilinx XC4VLX25), add 128MB DDR2, 64MB
SDRAM and 32MB flash. "Uses the TAO standard implant architecture".
"Dramatic performance improvement over HC12 microcontroller designs."
"Ultra-miniature Flip Chip Module (FCM) will be available for challenging
concealments". FCM <https://en.wikipedia.org/wiki/Flip_chip> is highly
unusual! These things might be extremely small! (call for quote) (2008, PCB
by 2009, FCM by 2010)
*SOMEBODY REPLICATE THIS INTO A <100$ OPEN SOURCE PROJECT*
(the http://papilio.cc/ that I have is only close ;) )
MAESTRO-II - like JUNIORMINT but slower. Says it is a "Multi-Chip-Module",
meaning everything is connected tightly. ($3-4k each) (2008)
SOMBERKNAVE - When an XP machine is not using wifi (it's not connected)
attempts to connect to an access point and allow OLYMPUS or VALIDATOR to
call home. VALIDATOR will also download OLYMPUS if it can. (costs $50k for
some reason) (2008)
SWAP - BIOS and hard drive's Host Protected Area exploits allow periodic
execution before the OS loads. Works on Windows, Linux, FreeBSD, Solaris
(everything except Mac?) with FAT32, NTFS, EXT2, EXT3 or UFS 1.0. ARKSTREAM
flashes the BIOS and TWISTEDKILT writes SWAP into the Host Protected Area
on the hard drive.
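The SWAP entry above puts the payload in the drive's Host Protected Area, which is capacity the drive reports as absent. A defender can at least check whether such an area exists: `hdparm -N` prints a drive's visible and native sector counts and whether an HPA is set. The following is an added example (mine, not the post's or the catalog's) that parses that output and flags drives with hidden sectors. The sample lines are constructed in the style of `hdparm -N` output; the exact layout of that output is an assumption of this example, and on a real host the text would come from `hdparm -N /dev/sdX`.

```python
"""Flag drives whose visible capacity is below native capacity (added example)."""
import re

# Matches " max sectors   = <visible>/<native>, HPA is <enabled|disabled>"
_HPA_RE = re.compile(
    r"max sectors\s*=\s*(?P<visible>\d+)/(?P<native>\d+)[^,]*,\s*"
    r"HPA is (?P<state>enabled|disabled)"
)


def parse_hdparm_n(output: str) -> list:
    """Return one record per device block: name, visible, native, hpa flag."""
    records, device = [], None
    for line in output.splitlines():
        if line.startswith("/dev/") and line.endswith(":"):
            device = line[:-1]          # "/dev/sda:" header starts a new block
            continue
        m = _HPA_RE.search(line)
        if m and device:
            records.append({
                "device": device,
                "visible": int(m["visible"]),
                "native": int(m["native"]),
                "hpa_enabled": m["state"] == "enabled",
            })
    return records


def hpa_findings(records: list) -> list:
    """Any drive with hidden sectors deserves a look before it is trusted."""
    out = []
    for r in records:
        hidden = r["native"] - r["visible"]
        if r["hpa_enabled"] or hidden > 0:
            mib = hidden * 512 // (1024 * 1024)   # assumes 512-byte sectors
            out.append(f"{r['device']}: {hidden} sectors hidden by HPA "
                       f"({mib} MiB at 512 B/sector)")
    return out


# Constructed sample: one clean drive, one with 64 MiB hidden behind an HPA.
SAMPLE_OUTPUT = """\
/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled

/dev/sdb:
 max sectors   = 976642096/976773168, HPA is enabled
"""

if __name__ == "__main__":
    for finding in hpa_findings(parse_hdparm_n(SAMPLE_OUTPUT)):
        print(finding)
```

The same caveat as for any on-drive check applies: the visible/native numbers come from the drive's firmware, so this catches an HPA the firmware admits to. A drive that lies about its native size passes, and the entry itself names the BIOS as the other half of the mechanism, which nothing run from the OS can vouch for.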
TRINITY - like MAESTRO-II but more powerful. (100 @ $625k)
WISTFULTOLL - plugin for UNITEDRAKE and STRAITBIZZARE for getting Windows
Management Instrumentation (WMI) and Registry stuff. Can work standalone
from a USB drive and get data out that way, or through
UNITEDRAKE/STRAITBIZZARE. (good fit for COTTONMOUTH too!)
SURLYSPAWN - Data RF retro-reflector. Depending on the level of the
data-line signal it shifts the square wave it produces. Thus becomes
frequency shift keyed (FSK). Presumably the square wave is fed into a FET
again, but the document doesn't mention it. That FET is visible on radar
and that allows the data to be transferred. Power consumption isn't
mentioned and it's dated "2007, declassify on 2032" but its date says
2009. Peculiar. Another ANGRYNEIGHBOR type radar reflector.
DROPOUTJEEP - STRAITBIZARRE for iPhone. Compliant with FREEFLOW and
therefore supported in the TURBULENCE architecture. Communicates over SMS
or GPRS data connections in a covert and encrypted way. Close access
methods are first deployment methods, later the remote installation will be
made. Can do anything with the phone. Anything. (Maybe even activate the
vibrator on funny moments) (In development in 2008, no date seems to be
planned)
GOPHERSET - SIM card rootkit. This is crazy. Phase 2+ SIM cards can make
requests (like sending SMS) and are actually minicomputers. This is called the
SIM Toolkit (STK). It can also request Phonebooks, SMS and call logs. It
can be installed through *over the air provisioning* or a USB smartcard
reader. A straw of hope is given when sometimes security keys are required.
How does a company refuse to work with the NSA again? (was finished but
unused in 2007)
MONKEYCALENDAR - As GOPHERSET but gets location data that it politely
requests from the handset.
PICASSO - a modified phone that just leaks everything over SMS. Even room
audio. Seems to be targeted for infiltrators. If someone has had an Eastcom
760c+, Samsung E600, X450, C140 (Arabic or not), suspect him strongly.
(This is why this hurts the NSA)
TOTECHASER - Satellite phone (Thuraya 2520) exploit. They were still
working on it. Looking for a good deployment tactic, remote too. Mostly
location, contact list and call history at that moment.
TOTEGHOSTLY 2.0 - Windows Mobile STRAITBIZZARE. CHIMNEYPOOL framework.
Compliant with the FREEFLOW project, supported in the TURBULENCE
architecture. A FRIEZERAMP interface using HTTPSlink2 transport module
handles encrypted communications.
CANDYGRAM - A GSM tower "repeater" that texts up to 200 agents when a
target enters the vicinity of it. "GSM Telephone Tripwire". Wonder what
they ever used this for, SMS isn't very synchronized so operations
shouldn't depend upon it. Maybe it's synchronized if the NSA wants it to be?
CROSSBEAM - Connects a modified (WASABI, it looks like from the picture)
GSM product to a WAGONBED controller board (old version of JUNIORMINT?).
Used to intercept GSM voice and data. CHIMNEYPOOL compliant. Can also
contain a DSP (ROCKYKNOB) that's useful in some cases. I think it just
listens to nearby conversation and then sends it home. It's a bit unclear
if it's implanted into a tower or carried around or something. Confusing.
CYCLONE Hx9 - GSM(900MHz) Network in a box. TYPHON feature base and
applications, whichever those might be. Hella strong (>32km range). Can
even voip with it. NSA can rent it for 70k / 2 months.
EBSR - Active GSM base station and phone. Also a find-a-phone active unit.
Smallish and portableish (1W). Has LANDSHARK/CANDYGRAM capabilities.
Operational Restrictions exist for equipment deployment.
ENTOURAGE - Software defined radio used to find the directional origin of a
radio message. Actually pretty hard to deploy. Uses the HOLLOWPOINT
platform. Has "ARTEMIS-like" capability for certain waveforms. Works with
NEBULA for find-a-phone in the GALAXY program. Complicated radio stuff.
($70k) (2009)
GENESIS - regular feature phone except it contains a Software Defined Radio
and additional system memory. Connects over Ethernet cable to a laptop for
downloading collected Radio info. Could be used to find-a-phone like
WATERWITCH, 16GB of internal storage and does well with the ladies. They
want to extend it to be WATERWITCH without depending on TYPHON (or similar
device).
NEBULA - Many protocol Network in a Box. Applications unclear. Operational
restrictions exist for equipment deployment. (apparently it's not so sneaky)
TYPHON HX - Tricked out GSM Base Station Router. Network in a box. Can
geolocate users. You'd say it does more (listening in on conversations at
least) but it doesn't seem clear.
WATERWITCH - E-ink find-my-TYPHON-connected phone device. Last mile stuff.
Like parking backwards but towards a phone. Depends upon the TYPHON.
COTTONMOUTH-I - USB connector with HOWLERMONKEY transceiver, TRINITY and a
USB 1.1 hub. It can be remotely upgraded. It can pretend to be any USB
device, and thus use USB exploits to exploit the OS (persistently). It can
also communicate through a wireless mesh using the SPECULATION protocol. It
communicates with DNT's STRAITBIZARRE covertly.
It can break air-gapped networks.
it "will be a GENIE-compliant implant based on CHIMNEYPOOL."
It fits INSIDE of a NORMAL USB-A connector! Can be made to be in a keyboard
too, then it's called MOCCASIN. (1000k per 50 units) (available 2009)
COTTONMOUTH-II - Functionality as COTTONMOUTH-I except a 2.0 USB hub.
Sneaked into a double USB port connector common on motherboards today. Must
be wire-connected to a wireless transmitter elsewhere in the case.
COTTONMOUTH-III - As COTTONMOUTH-II but with a built-in transmitter. Is on
the back of the double USB port instead of worked into it. Can be connected
to a long range transmitter elsewhere in the case, but it is definitely part
of the local mesh network.
FIREWALK - Connects to the back of the Ethernet + USB stack that's common
on motherboards. Intercepts IP packets on up to Gigabit Ethernet ports or
even creates them. Connects through HOWLERMONKEY transceivers. Can create
an Ethernet tunnel to the ROC or an "intermediate redirector node such as
DNT's DANDERSPRITZ tool".
RAGEMASTER - Taps the *red channel* on a monitor and becomes as visible to
radar as the signal is strong, IOW: makes the monitor's contents radar
visible. *Is not essential for VAGRANT*, just makes it easier. Advice: when
displaying sensitive data, do it in many colors! Add colorful noise to the
letters, making sure that humans pick it up through the noise. Think of the
colorblind too though. This all will make reconstruction harder. Radar
connects to LFS-2 and a monitor, NIGHTWATCH, GOTHAM or VIEWPLATE. (30$)
(2008)
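The RAGEMASTER entry above couples out only the monitor's red channel, and the advice given is to render sensitive text so that red alone carries little of it. As an added example (mine, not from the post or the catalog), the Python below renders a small constructed glyph two ways and measures, per channel, the contrast between glyph and background pixels: plain white-on-black puts the full contrast into red, while putting the contrast into green and blue and filling red with noise keeps the text readable (luminance contrast) but nearly removes it from red. The glyph, the rendering scheme and the contrast metric are this example's own constructions.

```python
"""Measure how much of a rendered glyph the red channel reveals (added example)."""
import random

W, H = 32, 16   # constructed bitmap size


def glyph_mask():
    """Constructed 32x16 bitmap of the letters 'T' and 'I'; 1 = ink, 0 = background."""
    mask = [[0] * W for _ in range(H)]
    for x in range(2, 14):       # T bar
        mask[2][x] = mask[3][x] = 1
    for y in range(4, 14):       # T stem
        mask[y][7] = mask[y][8] = 1
    for y in range(2, 14):       # I stem
        mask[y][22] = mask[y][23] = 1
    return mask


def render_plain(mask):
    """White text on black: every channel, red included, carries the full contrast."""
    return [[(255, 255, 255) if ink else (0, 0, 0) for ink in row] for row in mask]


def render_red_noise(mask, seed=1):
    """Contrast only in G and B; red is uniform noise independent of the glyph."""
    rng = random.Random(seed)
    return [[(rng.randrange(256), 255 * ink, 255 * ink) for ink in row] for row in mask]


def _contrast(values, mask):
    """|mean over ink pixels - mean over background pixels| for a per-pixel value grid."""
    ink = [values[y][x] for y in range(H) for x in range(W) if mask[y][x]]
    bg = [values[y][x] for y in range(H) for x in range(W) if not mask[y][x]]
    return abs(sum(ink) / len(ink) - sum(bg) / len(bg))


def channel_contrast(img, mask, channel):
    """What a receiver that sees only one channel (0 = red) can separate."""
    return _contrast([[px[channel] for px in row] for row in img], mask)


def luminance_contrast(img, mask):
    """Rec.601 luma contrast, a proxy for what the human reader sees."""
    luma = [[0.299 * r + 0.587 * g + 0.114 * b for (r, g, b) in row] for row in img]
    return _contrast(luma, mask)


def report(mask=None):
    """Per-rendering red-channel and luminance contrast, for comparison."""
    mask = mask or glyph_mask()
    out = {}
    for name, img in (("plain", render_plain(mask)), ("red_noise", render_red_noise(mask))):
        out[name] = {"red": channel_contrast(img, mask, 0),
                     "luma": luminance_contrast(img, mask)}
    return out


if __name__ == "__main__":
    for name, m in report().items():
        print(f"{name:10s} red contrast {m['red']:6.1f}  luma contrast {m['luma']:6.1f}")
```

The measurement is the point, not the particular colour scheme: whichever rendering is chosen, `channel_contrast(img, mask, 0)` says how much a red-only observer can separate ink from background, and the luminance figure says what the reader keeps. The noise here is uniform per pixel; a scheme that varies it per frame would deny an observer the frame averaging that NIGHTWATCH is described as doing.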
Language oddities / intel spills:
"Through interdiction" [x can be implanted], what does this mean, really?
It *should* mean legally approved physical action, *I think.* (from IRONCHEF
and others)
"the customer" seems like the NSA is selling this to customers. Who are the
customers? Do they consider other 3letters customers? Are they their own
customers? Naive? Maybe they sell it to companies? (from FEEDTHROUGH)
(note: seems like it's NSA divisions other than ANT, never know though
especially TAO**)
"DNT's BANANAGLEE and CES's ZESTYLEAK" - there seem to be at least two
companies, DNT and CES, with which the NSA works intimately.
CNO means Computer Network Operations
CNA means Computer Network Attacks
PBD means Persistent BackDoor
DNT means Data Network Technologies
* GOURMET is a French word for appreciating delicious stuff (or something
like that) and a Dutch style of eating that has you cooking mini-foods on a
baking plate and eating it right away. I'm not sure this is an
international phenomenon, so I thought I'd clarify. (Dutch people in the
NSA? Wouldn't surprise me)
** From another article
<http://leaksource.wordpress.com/2013/12/30/nsas-tailored-access-operations-elite-hacking-unit-revealed/>:
"Tailored Access Operations, or TAO. This is the NSA's top operative unit".
This is counter to the belief that "The NSA has no field agents". I doubt
it's the "top operative unit", since it's publicly known. Maybe there's a
little TAO elite circle? Someone make a movie about a TAO unit or two! ~280
operations per year for 2000 agents. Agent count going up (as far as I can tell).
"NSA works together with other intelligence agencies such as the CIA and
FBI, which in turn maintain informants on location who are available to
help with sensitive missions."; expendable agents! Nice! *Has military
agents*, useful for what again?
*** May I recommend the paranoid and heroic people of *BSD to consider a
method of sanity checking the OS itself while it's running? How to beat the
BIOS, will be the paper's name.
**** all I can find is Naval blahblahblah. The Navy shouldn't be leading in
this operation. I'm not sure who's meant with NSAW.
Host Protected Area on the harddrive.</div>
<div><br></div><div>TRINITY - like MAESTRO-II but more powerfull. (100 @ $6=
25k)</div><div><br></div><div>WISTFULTOLL - plugin for UNITEDRAKE and STRAI=
TBIZZARE for getting Windows Management Instrumentation (WMI) and Registry =
stuff. Can work standalone from a USB drive and get data out that way, or t=
hrough UNITEDRAKE/STRAITBIZZARE. (good fit for COTTONMOUTH too!)</div>
<div><br></div><div>SURLYSPAWN - =C2=A0Data RF retro-reflector. Depending o=
n the level of the data-line signal it shifts the square wave it produces. =
Thus becomes frequency shift keyed (FSK). Presumably the square wave is fed=
into a FET again, but the document doesn't mention it. That FET is vis=
ibile on radar and that allows the data to be transferred. Power consumptio=
n isn't mentioned and it's dated "2007, declassify on 2032&quo=
t; but it's date says 2009. Peculiar. Another ANGRYNEIGHBOR type radar =
reflector.</div>
<div><br></div><div>DROPOUTJEEP - STRAITBIZARRE for iPhone. Compliant with =
FREEFLOW and therefore supported in the TURBULENCE architecture. Communicat=
es over SMS or GPRS data connections in a covert and encrypted way. Close a=
ccess methods are first deployment methods, later the remote installation w=
ill be made. Can do anything with the phone. Anything. (Maybe even activate=
the vibrator on funny moments) (In development in 2008, no date seems to b=
e planned)</div>
<div><br></div><div>GOPHERSET - SIM card rootkit. This is crazy. Phase 2+ s=
imcards can make requests (like sent sms) and are actually minicomputers. T=
his is called the SIM Toolkit (STK). It can also request Phonebooks, SMS an=
d call logs. It can be installed through <b>over the air provisioning</b>=
=C2=A0or a USB smartcard reader. A straw of hope is given when sometimes se=
curity keys are required. How does a company refuse to work with the NSA ag=
ain? (was finished but unused in 2007)</div>
<div><br></div><div>MONKEYCALENDAR - As GOPHERSET but gets location data th=
at it politely requests from the handset.</div><div><br></div><div>PICASSO =
- a modified phone that just leaks everything over SMS. Even room audio. Se=
ems to be targeted for infiltrators. If someone has had an Eastcom 760c+, S=
amsung E600, X450, C140 (Arabic or not), suspect him strongly. (This is why=
this hurts the NSA)</div>
<div><br></div><div>TOTECHASER - Sattelite phone (Thuraya 2520) exploit. Th=
ey were still working on it. Looking for a good deployment tactic, remote t=
oo. Mostly location, contact list and call history at that moment.</div>
<div><br></div><div>TOTEGHOSTLY 2.0 - Windows Mobile STRAITBIZZARE. CHIMNEY=
POOL framework. Compliant with the FREEFLOW project, supported in the TURBU=
LENCE architecture. A FRIEZERAMP interface using HTTPSlink2 transport modul=
e handles encrypted communications.</div>
<div><br></div><div>CANDYGRAM - A GSM tower "repeater" that texts=
up to 200 agents when a target enters the vicinity of it. "GSM Teleph=
one Tripwire". Wonder what they ever used this for, SMS isn't very=
synchronized so operations shouldn't depend upon it. Maybe it's sy=
nchronized if the NSA wants it to be?</div>
<div><br></div><div>CROSSBEAM - Connects a modified (WASABI, it looks like =
from the picture) GSM product to a WAGONBED controller board (old version o=
f JUNIORMINT?). Used to intercept GSM voice and data. CHIMNEYPOOL compliant=
. Can also contain a DSP (ROCKYKNOB) that's usefull in some cases. I th=
ink it just listens to nearby conversation and then sends it home. It's=
a bit unclear if it's implanted into a tower or carried around or some=
thing. Confusing.</div>
<div><br></div><div>CYCLONE Hx9 - GSM(900MHz) Network in a box. TYPHON feat=
ure base and applications, whichever those might be. Hella strong (>32km=
range). Can even voip with it. NSA can rent it for 70k / 2 months.</div>
<div><br></div><div>EBSR - Active GSM base station and phone. Also a find-a=
-phone active unit. Smallish and portableish (1W). Has LANDSHARK/CANDYGRAM =
capabilities. Operational Restrictions exist for equipment deployment.=C2=
=A0</div>
<div><br></div><div>ENTOURAGE - Software defined radio used to find the dir=
ectional origin of a radio message. Actually pretty hard to deploy. =C2=A0U=
ses the HOLLOWPOINT platform. Has "ARTEMIS-like" capability for c=
ertain waveforms. Works with NEBULA for find-a-phone in the GALAXY program.=
Complicated radio stuff. ($70k) (2009)</div>
<div><br></div><div>GENESIS - regular feature phone except it contains a So=
ftware Defined Radio and additional system memory. Connects over Ethernet c=
able to a laptop for downloading collected Radio info. Could be used to fin=
d-a-phone like WATERWITCH, 16GB of internal storage and does well with the =
ladies. They want to extend it to be WATERWITCH without depending on TYPHON=
(or similar device).</div>
<div><br></div><div>NEBULA - Many protocol Network in a Box. Applications u=
nclear. Operational restrictions exist for equipment deployment. (apparentl=
y it's not so sneaky)</div><div><br></div><div>TYPHON HX - Tricked out =
GSM Base Station Router. Network in a box. Can geolocate users. You'd s=
ay it does more (listening in on conversations at least) but it doesn't=
seem clear.</div>
<div><br></div><div>WATERWITCH - E-ink find-my-TYPHON-connected phone devic=
e. Last mile stuff. Like parking backwards but towards a phone. Depends upo=
n the TYPHON.</div><div><br></div><div>COTTONMOUTH-I - USB connector with H=
OWLERMONKEY transceiver, TRINITY and a USB 1.1 hub. It can be remotely upgr=
aded. It can pretend to be any USB device, and thus use USB exploits to exp=
loit the OS (persistently). It can also communicate through a wireless mesh=
using the SPECULATION protocol. It communicates with DNT's STRAITBIZAR=
RE covertly.</div>
<div>It can break air-gapped networks.</div><div>it "will be a GENIE-c=
ompliant implant based on CHIMNEYPOOL."</div><div>It fits INSIDE of a =
NORMAL USB-A connector! Can be made to be in a keyboard too, then it's =
called MOCCASIN. (1000k per 50 units) (available 2009)</div>
<div><br></div>COTTONMOUTH-II - Functionality as COTTONMOUTH-I except a 2.0=
USB hub. Sneaked into a double USB port connector common on motherboards t=
oday. Must be wire-connected to a wireless transmitter elsewhere in the cas=
e.</div>
<div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">COTTONMOUTH=
-III - As COTTONMOUTH-II but with a build in transmitter. Is on the back of=
the double USB port instead of worked into it. Can be connected to a long =
range transmitter elsewhere in the case, but it definitely part of the loca=
l mesh network.</div>
<div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">FIREWALK - =
Connects to the back of the Ethernet + USB stack that's common on mothe=
rboards. Intercepts IP packets on up to Gigabit Ethernet ports or even crea=
tes them. Connects through HOWLERMONKEY transceivers. Can create an Etherne=
t tunnel to the ROC or an "intermediate redirector node such as DNT=
9;s DANDERSPRITZ tool.".</div>
<div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">RAGEMASTER =
- Taps the <b>red channel</b>=C2=A0on a monitor and becomes as visible to r=
adar as the signal is strong, IOW: makes the monitor's contents radar v=
isible. <b>Is not essential for VAGRANT</b>, just makes it easier. Advice: =
when displaying sensitive data, do it in many colors! Add colorful noise to=
the letters, making sure that humans pick it up through the noise. Think o=
f the colorblind too though. This all will make reconstruction harder. Rada=
r connects to LFS-2 and a monitor, NIGHTWATCH, GOTHAM or VIEWPLATE. (30$) (=
2008)</div>
<div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote"><br></div><=
div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote"><div><br></d=
iv><div>Language oddities / intel spills :</div><div>"Through interdic=
tion" [x can be implanted], what does this mean, really? It <i>should<=
/i>=C2=A0mean legally approved physical action <i>I think. </i>(from IRONCH=
EF and others)</div>
<div><br></div><div>"the customer" seems like the NSA is selling =
this to customers. Who are the customers? Do they consider other 3letters c=
ustomers? Are they their own customers? Naive? Maybe they sell it to compan=
ies? (from FEEDTHROUHG) (note: seems like it's NSA divisions other than=
ANT, never know though especially TAO**)</div>
<div><br></div><div>"DNT's BANANAGLEE and CES's ZESTYLEAK"=
; - there seem to be at least two companies, DNT and CES, with which the NS=
A works intimately.</div><div><br></div><div>CNO means Computer Network Ope=
rations</div>
<div>CNA means Computer Network Attacks</div><div>PBD means Persistent Back=
Door</div><div>DNT means Data Network Technologies</div><div><br></div><div=
>* GOURMET is a French word for appreciating delicious stuff (or something =
like that) and a Dutch style of eating that has you cooking mini-foods on a=
baking plate and eating it right away. I'm not sure this is an interna=
tional phenomena, so I thought I'd clarify. (Dutch people in the NSA? W=
ouldn't surprise me)</div>
<br>** From another <a href=3D"http://leaksource.wordpress.com/2013/12/30/n=
sas-tailored-access-operations-elite-hacking-unit-revealed/">article</a>: &=
quot;Tailored Access Operations, or TAO. This is the NSA=E2=80=99s top oper=
ative unit". This is counter to the believe that "The NSA has no =
field agents". I doubt it's the "top operative unit", si=
nce it's publicly known. Maybe there's a little TAO elite circle? S=
omeone make a movie about a TAO unit or two! ~280 operations per year for 2=
000 agents. Agent count going up (afai can tell). "NSA works together =
with other intelligence agencies such as the CIA and FBI, which in turn mai=
ntain informants on location who are available to help with sensitive missi=
ons."; expendable agents! Nice! <b>Has military agents</b>, useful for=
what again?</div>
<div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">*** May I r=
ecommend the paranoid and heroic people of *BSD to consider a method of san=
ity checking the OS itself while it's running? How to beat the BIOS, wi=
ll be the paper's name.</div>
<div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">**** all I =
can find is Naval blahblahblah. The Navy shouldn't be leading in this o=
peration. I'm not sure who's meant with NSAW.</div></div></div>
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography