- This is an ongoing draft that collects important quotes on end-point security and exploitation.
- It attempts to address common misconceptions about the post-Snowden era of mass surveillance and it also attempts to
- provide sources to back the conjecture: "End-to-end encryption isn't sufficient enough to block mass surveillance."
- The important claims that prove this and that need backing up include, but are not limited to:
- I Software exploits have minimal distribution cost after they have been developed
- II Subpoenas are used to compel back doors into proprietary software/hardware
- That way, mass-adopted proprietary operating systems cannot be secured.
- Is encrypting data useful against the government?
- Mathius1: Is encrypting my email any good at defeating the NSA surveillance?
- Is my data protected by standard encryption?
- "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.
- Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." [1]
- Does NSA practice stealing of encryption keys?
- The ACLU’s Soghoian said technology executives are already deeply concerned about the prospect of clandestine
- agents on the payroll to gain access to highly sensitive data, including encryption keys, that could make the
- NSA’s work “a lot easier.” “As more and more communications become encrypted, the attraction for intelligence
- agencies of stealing an encryption key becomes irresistible,” he said. “It’s such a juicy target.” [2]
- ---
- Edward Snowden:
- "--encryption works. [The only way to get around that is with super computers that do not exist.]
- Or you break into the computer and try to steal their keys and bypass the encryption. And that happens today
- and that happens every day. That happens every day. That is the way around it.
- Now, there are still ways to protect encrypted data that no one can break. That is by making sure the keys
- are never exposed. If the key itself can’t be observed, the key can’t be stolen. And any cryptographer any
- mathematician in the world will tell you that the math is sound. The only way to get through encryption on a
- target basis particularly when you start railing encryption, not using one algorithm but every algorithm you
- are using key slipping you are using all kinds of sophisticated techniques to make sure that no one person,
- no single point of failure exist there is no way in there is no way around it. That is going to continue to
- be the case I think until our understanding of mathematics and physics changes fundamentally.
- Christopher Soghoian:
- I will just add that I think Ed’s right. If the government really wants to get into your computer if they
- want to figure out what you are saying and who you are saying it to they will find a way. But that won’t
- involve breaking the encryption, that will involve hacking into your device. Whether your phone or your
- laptop they will take advantage of either vulnerabilities that haven’t been patched or vulnerabilities that
- no one knows about.
- But hacking technologies don’t scale. If you are a target of the NSA it is going to be game over no matter
- what. Unless you are taking really, really sophisticated steps to protect yourself - but most people that
- will be beyond their reach. But encryption makes bulk surveillance too expensive. Really the goal here isn’t
- to blind the NSA. The goal isn’t to stop the government from going after legitimate surveillance targets. The
- goal here is to make it so that they cannot spy on innocent people because they can. Right now so many of our
- communications our telephone calls, our text messages, our emails, our instant message are just there for the
- taking. And if we start using encrypted communication services suddenly it becomes too expensive for the NSA
- to spy on everyone. Suddenly they will need to actually have a good reason to dedicate those resources to
- either try and break the encryption or to try and hack into your device. So encryption technology even if
- imperfect has the potential to raise the cost of surveillance to the point that it no longer becomes
- economically feasible for the government to spy on everyone. [9]
- Author note:
- Soghoian does not take into account what The Intercept reported on how
- the NSA is automating exploitation and exfiltration of encryption keys:
- "Top-secret documents reveal that the National Security Agency is dramatically expanding its
- ability to covertly hack into computers on a mass scale by using automated systems that
- reduce the level of human oversight in the process.
- In some cases the NSA has masqueraded as a fake Facebook server, using the social media site
- as a launching pad to infect a target’s computer and exfiltrate files from a hard drive.
- But the NSA recognized that managing a massive network of implants is too big a job for
- humans alone. The agency’s solution was TURBINE. Developed as part of TAO unit, it is
- described in the leaked documents as an “intelligent command and control capability” that
- enables “industrial-scale exploitation.”" [4]
- The definition of 'mass surveillance' should not be bulk collection from fiber and internet companies,
- but bulk collection in general; i.e. what can be automated. If what is currently understood as targeted
- surveillance can be done at a similar scale to mass surveillance, it should be considered to be part of
- it. Jacob Appelbaum said
- "Targeted attacks, because they are automated, are not
- less in scale, it's just different in methodology."[3]
- It is agreed that the NSA should not be blinded, but unfortunately the cost of automatable remote
- exploitation is too low. Once remote exploitation is mitigated by technology that prevents it, targeted
- surveillance can still be done through signals intelligence such as TEMPEST / TAWDRYYARD or with
- side-channel attacks, hidden cameras, HUMINT ops etc.
- The problem is that the skill set and technology of the NSA and LEA in general are underestimated by this
- talk. There was a time when an LEA officer had to tap the phone cable outside the building; that
- can still be the case, and it is the perfect balance between security and privacy.
- But nobody is going to waste a precious 0-day vulnerability on an average citizen's computer!
- "For example, Conficker exploiting the vulnerability CVE-2008-4250 managed to infect approximately 370
- thousand machines without being detected over more than two months. This example illustrates the
- effectiveness of zero-day vulnerabilities for conducting stealth cyber attacks." [5]
- ---
- "What's certain is that criminal hackers copied Duqu's previously unheard-of method for breaking into
- computers and rolled it into "exploit kits," including one called Blackhole and another called Cool, that
- were sold to hackers worldwide. Microsoft had by then issued a patch for the vulnerability. Nevertheless,
- hackers used it last year to attack 16 out of every 1,000 U.S. computers and an even greater proportion in
- some other countries, according to Finland-based security firm F-Secure."[6]
- But 0-days are fixed almost immediately after discovery!
- The zero-day attacks we identify lasted between 19 days (CVE-2010-0480) and 30 months
- (CVE-2010-2568), and the average duration of a zero-day attack is 312 days. [5]
- But surely anti-virus programs will protect me!
- Another limitation of our method is that, if the exploit files created for the zero-day vulnerabilities are
- polymorphic, the file hashes may be different in the anti-virus telemetry in binary reputation data. Most
- of the zero-day exploits that we could not identify were polymorphic-- [5]
- But once the window of exposure is closed, that's the end of it. The NSA has to spend more money to get another one!
- 1. Cost of exploits is low for a great power such as the US.
- The starting rate for a zero-day is around $50,000, some buyers said.[6]
- 2. It's already being done at the largest scale of any government.
- Even as the U.S. government confronts rival powers over widespread Internet espionage, it has become
- the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for
- breaking into computers.[6]
- ---
- This year alone, the NSA secretly spent more than $25 million to procure "'software vulnerabilities'
- from private malware vendors," according to a wide-ranging report on the NSA's offensive work by the
- Post's Barton Gellman and Ellen Nakashima.[7]
- 3. The NSA is doing research on software exploits on its own.
- The ANT division doesn't just manufacture surveillance hardware. It also develops software for
- special tasks. The ANT developers have a clear preference for planting their malicious code in
- so-called BIOS, software located on a computer's motherboard that is the first thing to load when a
- computer is turned on.[8]
- Related: leaked slide
- http://leaksource.files.wordpress.com/2013/12/nsa-ant-deitybounce.jpg?w=1208&h=1562
- Unit Cost: $0
- --------------------------------------------------------
- Conclusion
- The NSA is in possession of large quantities of 0-day exploits against all types of systems,
- and is progressing towards compromising end-point devices at massive scale, to exfiltrate
- plaintexts of interest along with encryption keys and signing keys. These types of attacks
- render current implementations of end-to-end encrypted systems such as PGP, OTR, ZRTP etc.
- useless against mass surveillance.
- --------------------------------------------------------
- Sources
- [1] Edward Snowden The Guardian (06/17/13)
- http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower
- [2] Glenn Greenwald The Intercept (10/10/14)
- https://firstlook.org/theintercept/2014/10/10/core-secrets/
- [3] Jacob Appelbaum ITWeb Security Summit (05/28/14)
- https://www.youtube.com/watch?v=FScSpFZjFf0&t=37m35s
- [4] Ryan Gallagher & Glenn Greenwald The Intercept (03/12/14)
- https://firstlook.org/theintercept/2014/03/12/nsa-plans-infect-millions-computers-malware/
- [5] Leyla Bilge, Tudor Dumitras Symantec Research Labs (10/16/12)
- http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
- [6] Joseph Menn Reuters (05/10/13)
- http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510
- [7] Brian Fung The Washington Post (08/31/13)
- http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-by-buying-millions-of-dollars-worth-of-computer-vulnerabilities/
- [8] Jacob Appelbaum et al. Spiegel Online (12/29/13)
- http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
- [9] Edward Snowden et al. SXSW Conference ~(03/11/14)
- https://www.youtube.com/watch?v=YxPKoXTKDc8#t=48m53s