Advertisement
Guest User

Untitled

a guest
Oct 17th, 2014
139
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.00 KB | None
  1. This is an ongoing draft that collects important quotes on end-point security and exploitation.
  2.  
  3. It attempts to address common misconceptions about the post-Snowden era of mass surveillance and it also attempts to
  4. provide sources to back the conjecture: "End-to-end encryption isn't sufficient enough to block mass surveillance."
  5.  
  6. The important claims that prove this, that need backing up include, but are not limited to:
  7. I Software exploits have minimal distribution cost after they have been developed
  8. II Subpoenas are used to compel back doors into proprietary software/hardware
  9. That way, mass adopted proprietary operating systems can not be secured.
  10.  
  11.  
  12.  
  13. Is encrypting data useful against the government?
  14.  
  15. Mathius1: Is encrypting my email any good at defeating the NSA surveillance?
  16. Is my data protected by standard encryption?
  17.  
  18. "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.
  19. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." [1]
  20.  
  21.  
  22.  
  23. Does NSA practice stealing of encryption keys?
  24.  
  25. The ACLU’s Soghoian said technology executives are already deeply concerned about the prospect of clandestine
  26. agents on the payroll to gain access to highly sensitive data, including encryption keys, that could make the
  27. NSA’s work “a lot easier.” “As more and more communications become encrypted, the attraction for intelligence
  28. agencies of stealing an encryption key becomes irresistible,” he said. “It’s such a juicy target.” [2]
  29.  
  30. ---
  31.  
  32. Edward Snowden:
  33. "--encryption works. [The only way to get around that is with super computers that do not exist.]
  34. Or you break into the computer and try to steal their keys and bypass the encryption. And that happens today
  35. and that happens every day. That happens every day. That is the way around it.
  36.  
  37. Now, there are still ways to protect encrypted data that no one can break. That is by making sure the keys
  38. are never exposed. If the key itself can’t be observed, the key can’t be stolen. And any cryptographer any
  39. mathematician in the world will tell you that the math is sound. The only way to get through encryption on a
  40. target basis particularly when you start railing encryption, not using one algorithm but every algorithm you
  41. are using key slipping you are using all kinds of sophisticated techniques to make sure that no one person,
  42. no single point of failure exist there is no way in there is no way around it. That is going to continue to
  43. be the case I think until our understanding of mathematics and physics changes fundamentally.
  44.  
  45. Christopher Soghoian:
  46. I will just add that I think Ed’s right. If the government really wants to get into your computer if they
  47. want to figure out what you are saying and who you are saying it to they will find a way. But that won’t
  48. involve breaking the encryption, that will involve hacking into your device. Whether your phone or your
  49. laptop they will take advantage of either vulnerabilities that haven’t been patched or vulnerabilities that
  50. no one knows about.
  51.  
  52. But hacking technologies don’t scale. If you are a target of the NSA it is going to be game over no matter
  53. what. Unless you are taking really, really sophisticated steps to protect yourself - but most people that
  54. will be beyond their reach. But encryption makes bulk surveillance too expensive. Really the goal here isn’t
  55. to blind the NSA. The goal isn’t to stop the government from going after legitimate surveillance targets. The
  56. goal here is to make it so that they cannot spy on innocent people because they can. Right now so many of our
  57. communications our telephone calls, our text messages, our emails, our instant message are just there for the
  58. taking. And if we start using encrypted communication services suddenly it becomes too expensive for the NSA
  59. to spy on everyone. Suddenly they will need to actually have a good reason to dedicate those resources to
  60. either try and break the encryption or to try and hack into your device. So encryption technology even if
  61. imperfect has the potential to raise the cost of surveillance to the point that it no longer becomes
  62. economically feasible for the government to to spy on everyone.[9]
  63.  
  64. Author note:
  65. Soghoian does not take into account what The Intercept reported on how
  66. the NSA is automating exploitation and exfiltration of encryption keys:
  67.  
  68. "Top-secret documents reveal that the National Security Agency is dramatically expanding its
  69. ability to covertly hack into computers on a mass scale by using automated systems that
  70. reduce the level of human oversight in the process.
  71.  
  72. In some cases the NSA has masqueraded as a fake Facebook server, using the social media site
  73. as a launching pad to infect a target’s computer and exfiltrate files from a hard drive.
  74.  
  75. But the NSA recognized that managing a massive network of implants is too big a job for
  76. humans alone. The agency’s solution was TURBINE. Developed as part of TAO unit, it is
  77. described in the leaked documents as an “intelligent command and control capability” that
  78. enables “industrial-scale exploitation.”" [4]
  79.  
  80.  
  81. Definition of 'mass surveillance' should not be bulk collection from fiber and internet companies,
  82. but bulk collection in general; i.e. what can be automated. If current understanding of targeted
  83. surveillance can be done in similar scale as mass surveillance, it should be considered to be part of
  84. it. Jacob Applebaum said
  85.  
  86. "Targeted attacks, because they are automated, are not
  87. less in scale, it's just different in methodology."[3]
  88.  
  89.  
  90. It's agreeable NSA should not be blinded, but unfortunately the cost of automatable remote
  91. exploitation is too low. Once technology that prevents remote exploitation is mitigated, targeted
  92. surveillance can still be done through signals intelligence such as TEMPEST / TAWDRYYARD or with
  93. side-channel attacks, hidden cameras, HUMINT ops etc.
  94.  
  95. The problem is, the skill-set and technology of the NSA and LEA in general is underestimated by this
  96. talk. There was a time you had to have the LEA officer tap the phone cable outside the building: that
  97. can still be the case, and it's the perfect balance between security and privacy.
  98.  
  99. But nobody is going to waste a precious 0-day vulnerability on average citizen's computer!
  100.  
  101. "For example, Conficker exploiting the vulnerability CVE-2008-4250 managed to infect approximately 370
  102. thousand machines without being detected over more than two months. This example illustrates the
  103. effectiveness of zero-day vulnerabilities for conducting stealth cyber attacks." [5]
  104.  
  105. ---
  106.  
  107. "What's certain is that criminal hackers copied Duqu's previously unheard-of method for breaking into
  108. computers and rolled it into "exploit kits," including one called Blackhole and another called Cool, that
  109. were sold to hackers worldwide. Microsoft had by then issued a patch for the vulnerability. Nevertheless,
  110. hackers used it last year to attack 16 out of every 1,000 U.S. computers and an even greater proportion in
  111. some other countries, according to Finland-based security firm F-Secure."[6]
  112.  
  113.  
  114.  
  115. But 0-days are fixed almost immediately after discovery!
  116.  
  117. The zero-day attacks we identify lasted between 19 days (CVE-2010-0480) and 30 months
  118. (CVE-2010-2568), and the average duration of a zero-day attack is 312 days. [5]
  119.  
  120.  
  121.  
  122. But surely anti-virus programs will protect me!
  123.  
  124. Another limitation of our method is that, if the exploit files created for the zero-day vulnerabilities are
  125. polymorphic, the file hashes may be different in the anti-virus telemetry in binary reputation data. Most
  126. of the zero-day exploits that we could not identify were polymorphic-- [5]
  127.  
  128.  
  129.  
  130. But once the window of exposure is closed, that's the end of it. The NSA has to spend more money to get another one!
  131.  
  132.  
  133. 1. Cost of exploits is low for a great power such as the US.
  134. The starting rate for a zero-day is around $50,000, some buyers said.[6]
  135.  
  136. 2. It's already being done at largest scale of any government.
  137. Even as the U.S. government confronts rival powers over widespread Internet espionage, it has become
  138. the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for
  139. breaking into computers.[6]
  140.  
  141. ---
  142.  
  143. This year alone, the NSA secretly spent more than $25 million to procure "'software vulnerabilities'
  144. from private malware vendors," according to a wide-ranging report on the NSA's offensive work by the
  145. Post's Barton Gellman and Ellen Nakashima.[7]
  146.  
  147.  
  148. 3. NSA's doing research on software exploits on it's own.
  149. The ANT division doesn't just manufacture surveillance hardware. It also develops software for
  150. special tasks. The ANT developers have a clear preference for planting their malicious code in
  151. so-called BIOS, software located on a computer's motherboard that is the first thing to load when a
  152. computer is turned on.[8]
  153.  
  154. Related: leaked slide
  155. http://leaksource.files.wordpress.com/2013/12/nsa-ant-deitybounce.jpg?w=1208&h=1562
  156. Unit Cost: $0
  157.  
  158.  
  159. --------------------------------------------------------
  160.  
  161. Conclusion
  162.  
  163. The NSA is in possession of large quantities of 0-day exploits against all types of systems,
  164. and is progressing towards compromising end-point devices at massive scale, to exfiltrate
  165. plaintexts of interest along with encryption keys and signing keys. These types of attacks
  166. render current implementations of end-to-end encrypted systems such as PGP, OTR, ZRTP etc.
  167. useless against mass surveillance.
  168.  
  169.  
  170. --------------------------------------------------------
  171.  
  172. Sources
  173.  
  174.  
  175. [1] Edward Snowden The Guardian (06/17/13)
  176.  
  177. http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower
  178.  
  179.  
  180.  
  181. [2] Glenn Greenwald The Intercept (10/10/14)
  182.  
  183. https://firstlook.org/theintercept/2014/10/10/core-secrets/
  184.  
  185.  
  186.  
  187. [3] Jacob Appelbaum ITWeb Security Summit (05/28/14)
  188.  
  189. https://www.youtube.com/watch?v=FScSpFZjFf0&t=37m35s
  190.  
  191.  
  192.  
  193. [4] Ryan Gallagher & Glenn Greenwald The Intercept (03/12/14)
  194.  
  195. https://firstlook.org/theintercept/2014/03/12/nsa-plans-infect-millions-computers-malware/
  196.  
  197.  
  198.  
  199. [5] Leyla Bilge, Tudor Dumitras Symantec Research Labs (10/16/12)
  200.  
  201. http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
  202.  
  203.  
  204.  
  205. [6] Joseph Menn Reuters (05/10/13)
  206.  
  207. http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510
  208.  
  209.  
  210.  
  211. [7] Brian Fung The Washington Post (08/31/13)
  212.  
  213. http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-by-buying-millions-of-dollars-worth-of-computer-vulnerabilities/
  214.  
  215.  
  216.  
  217. [8] Jacob Appelbaum et al. Spiegel Online (12/29/13)
  218.  
  219. http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
  220.  
  221.  
  222. [9] Edward Snowden et.al. SXSW Conference ~(03/11/14)
  223.  
  224. https://www.youtube.com/watch?v=YxPKoXTKDc8#t=48m53s
Advertisement
RAW Paste Data Copied
Advertisement