Snowden Documents Show NSA Can't Keep Its Eyes On Its Own Papers; Harvests Data From Other Surveillance Agencies

from the METAPHORCOLLISION:-the-NSA's-haystack-sipping-program dept

Another pile of Snowden documents has been released by Der Spiegel, giving more detail on previously revealed NSA/GCHQ activities -- like the harvesting of exploits and hardware shipment "interdiction" -- along with some new material, including the NSA's piggybacking on other countries' surveillance to further buttress its massive haystacks.

The report digs deeper into the NSA's Tailored Access Operations, noting that the agency's plans for its targets' hardware are even more aggressive than previously indicated. A document [pdf link] details different offerings for NSA "interns," who will be tasked with a variety of operations to not only compromise hardware integrity, but possibly disable or destroy it.
Potential interns are also told that research into third party computers might include plans to "remotely degrade or destroy opponent computers, routers, servers and network enabled devices by attacking the hardware." Using a program called Passionatepolka, for example, they may be asked to "remotely brick network cards." With programs like Berserkr they would implant "persistent backdoors" and "parasitic drivers". Using another piece of software called Barnfire, they would "erase the BIOS on a brand of servers that act as a backbone to many rival governments."
Despite "tailored" being one of the key words in Tailored Access Operations, the exploits used aren't necessarily targeted. Because the same holes can be exploited by criminals or other "bad guys," non-targeted persons are at risk. And because some of the exploits are by nature self-replicating (documents obtained show the NSA seeking out and deploying trojans and worms), the potential for unintentional collateral damage is always present.
In this guerilla war over data, little differentiation is made between soldiers and civilians, the Snowden documents show. Any Internet user could suffer damage to his or her data or computer. It also has the potential to create perils in the offline world as well. If, for example, a D weapon like Barnfire were to destroy or "brick" the control center of a hospital as a result of a programming error, people who don't even own a mobile phone could be affected.
One of the most fascinating documents is a presentation that borrows a famous line from There Will Be Blood. [pdf link]


The NSA doesn't do all of its own dirty work. Its haystacking efforts also take advantage of surveillance programs deployed by anyone outside of its Five Eyes partnership -- including nominally "friendly" countries like Germany. A combination of hacking and exploits allows the NSA to pursue what it calls "fourth party collections."

Some of this is along the lines of what's expected from a national intelligence service -- like the targeting of "unfriendly" countries.
In 2009, an NSA unit took notice of a data breach affecting workers at the US Department of Defense. The department traced an IP address in Asia that functioned as the command center for the attack. By the end of their detective work, the Americans succeeded not only in tracing the attack's point of origin to China, but also in tapping intelligence information from other Chinese attacks -- including data that had been stolen from the United Nations. Afterwards, NSA workers in Fort Meade continued to read over their shoulders as the Chinese secretly collected further internal UN data. "NSA is able to tap into Chinese SIGINT collection," a report on the success in 2011 stated.
But it goes further than that. Allies outside the Five Eyes partnership are not immune from the NSA's piggybacking. And the NSA goes further than simply utilizing man-in-the-middle attacks to "make copies" of anything interesting other countries' surveillance networks have picked up. The presentation lays out the NSA's use of "fourth party collections" to deploy its own exploits (called "victim stealing") or collect new exploits being deployed by other surveillance agencies.

The stuff the NSA pulls from other surveillance networks is then routed away from the agency in order to cover its tracks. Anything that might lead back to the agency is obscured, which could easily result in innocent persons or companies being targeted by irritated foreign surveillance agencies who happen to notice their networks have been accessed by others.
In technical terms, the ROC [Remote Operations Center] lays false tracks as follows: After third-party computers are infiltrated, the process of exfiltration can begin -- the act of exporting the data that has been gleaned. But the loot isn't delivered directly to ROC's IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else's servers, making it look as though they were the perpetrators.

Before the data ends up at the Scapegoat Target, of course, the NSA intercepts and copies it using its mass surveillance infrastructure and sends it on to the ROC. But such cover-up tactics increase the risk of a controlled or uncontrolled escalation between the agencies involved.
This isn't as deep as the rabbit hole gets, however. The documents leaked by Ed Snowden also detail yet another layer of the NSA's collection-by-proxy efforts. A Q&A pulled from the NSA's internal message boards [pdf link] contains the following discussion:
Is there "fifth party" collection?

"Fourth party collection" refers to passively or actively obtaining data from some other actor's CNE [computer network exploitation] activity against a target. Has there ever been an instance of NSA obtaining information from Actor One exploiting Actor Two's CNE activity against a target that NSA, Actor One, and Actor Two all care about?

-----

Yes. There was a project that I was working last year with regard to the South Korean CNE program. While we aren't super interested in SK (things changed a bit when they started targeting us a bit more), we were interested in North Korea and SK puts a lot of resources against them.

At that point, our access to NK was next to nothing but we were able to make some inroads to the SK CNE program. We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil points, and sucked back the data. That's fourth party. However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about. But once that started happening, we ramped up efforts to target NK ourselves (as you don't want to rely on an untrusted actor to do your work for you). But some of the work that was done there was able to help us gain access.

I know of another instance (I will be more vague because I believe there are more compartments involved and parts are probably NF) where there was an actor we were going against. We realized there was another actor that was also going against them and having great success because of a 0 day they wrote. We got the 0 day out of passive and were able to re-purpose it. Big win.
The NSA's long-straw surveillance also repurposes vernacular from another arena where the war is never-ending and the foes declared so dangerous that every Constitutional violation is justified. Those who are used without their knowledge as "hosts" for information gathered by the NSA's "fourth party" efforts have been given an unflattering nickname.
The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called "unwitting data mules."
When the NSA discusses its efforts with its oversight, very few details are given on the means and methods. The general attitude seems to be that if something like this occurs outside of the US, it doesn't matter. The NSA may make minimal efforts to preserve American citizens' rights, but it has absolutely no concern for anyone located outside of America's borders.

As Der Spiegel notes, the NSA is operating in a "legal vacuum." The tracks left behind by its milkshake drinking cause it no great concern. While it does make some effort to obfuscate its origins (by saddling uninvolved "data mules" with the consequences), it generally remains unconcerned about being caught in the act. There's no legal process that can truly hold the NSA accountable for its extraterritorial actions -- at least nothing that couldn't easily be deflected by one of the most powerful nations in the world.





Filed Under: gchq, nsa, surveillance, tailored access operations, tao


Reader Comments



  • Anonymous Coward, 21 Jan 2015 @ 9:52am

    It's even scarier when you think about how old these documents are getting from when Snowden liberated them and how much more time the NSA has had to do even more and bigger evil things.

  • Nastybutler77 (profile), 21 Jan 2015 @ 9:53am

    Wow. So I guess we really are the bad guy.

  • Anonymous Coward, 21 Jan 2015 @ 9:54am

    How many more US Internet-based businesses will see profit losses this week? Keep building that wall, NSA; sooner or later no one will do business within any Five Eyes country, the US being first on the list... For the NSA it's a good thing they stopped the crime, because they killed all Internet commerce.

    • Anonymous Coward, 21 Jan 2015 @ 10:18am

      Re:

      Would say that UK is probably first on the list. GCHQ is even more rabid and far more vocal in their anti-freedom fighting than NSA, which is quite an achievement.

      • Anonymous Coward, 21 Jan 2015 @ 2:00pm

        Re: Re:

        Security cameras as surveillance cameras, sleepwalked into license plate recognition, no doubt efforts into facial recognition, Oyster cards as another alternative to tracking... oh yeah, I think the UK has 'em beat.

    • Pronounce (profile), 21 Jan 2015 @ 1:41pm

      Re: 5 Eyes Business Loss Due to Spying

      It's always wise to diversify your business holdings. For cloud business this may look like investment in storage locations inside the firewall of viable economies. So then the major impact by unfriendly business policy is most significantly felt by the local employees and not the corporate office at large.

  • Anonymous Coward, 21 Jan 2015 @ 10:05am

    What will the NSA do when they find they are reading their own traffic via another spy agency?

    • Anonymous Coward, 21 Jan 2015 @ 10:12am

      Re: Who hacks the hacking hackers?

      What will the NSA do when they find they are reading their own traffic via another spy agency?
      Use the other agency's system to hack into an NSA computer and use the hacked computer to attack the other agency. When the other agency complains, point out the attack came from a hacked computer, could have been anybody, and obviously was not the NSA because it is never so direct and never gets caught doing its own dirty work. Then ask why analysis of the hack shows that the complaining agency had access to that server.

    • Pronounce (profile), 21 Jan 2015 @ 1:53pm

      Re:

      If their performance during the Sony Hack is any indication the answer to this question is, "Nothing".

      It seems the only point of all this spying is to see who can pwn whom, and get more funding.

    • Anonymous Coward, 21 Jan 2015 @ 2:12pm

      Re:

      ????

      Implicate themselves?

      Whoahh, inception, man

  • Anonymous Coward, 21 Jan 2015 @ 10:10am

    Another defense lawyer angle

    "Your honour, my client is nothing more than an unwitting data mule for the American National Security Agency. He did not commit the hacking alleged by the prosecution and indeed lacks the technical capacity even to attempt such a thing, which is why he was so successfully abused by the Americans."

    • Anonymous Coward, 21 Jan 2015 @ 2:19pm

      Re: Another defense lawyer angle

      Judge
      "Wait, you mean, this was an intelligence service who framed your client, and your client had nothing whatsoever to do with what he's being accused of..... oh, ahem, well,..... that's different...."

      Turns to jury

      "!?GUILTY, court dismissed"

      Quickly walks out, whispering sorry, sorry, sorry into his turned-off phone

  • pixelpusher220 (profile), 21 Jan 2015 @ 10:20am

    Not new?

    I thought it was already well established that Country A hoovers up all data outside Country A, Country B hoovers up all data outside Country B. A and B share data and now they are both 'legal' because they didn't 'collect' their own country's data?
    (obviously the 'only' outside is theoretical only!)

    Which is why the laws should be written to make 'possession' of data from inside the country illegal as well as the collection.

    • Anonymous Coward, 21 Jan 2015 @ 2:22pm

      Re: Not new?

      Remember that time when our respective governments were claiming that they weren't spying on us

  • DannyB (profile), 21 Jan 2015 @ 11:13am

    Could the NSA collect disinformation?

    Could the other intelligence agencies who know the NSA is peeking, or allow them to do so, deliberately give the NSA disinformation that the NSA would believe to be genuine surveillance results?

    • Anonymous Coward, 21 Jan 2015 @ 1:33pm

      Re: Could the NSA collect disinformation?

      That's been going on as long as there has been intelligence gathering. It's not enough to obtain information; one must also obtain the information's accuracy.

      And the folks who decide the information's accuracy don't always get it right.

    • Anonymous Coward, 21 Jan 2015 @ 2:26pm

      Re: Could the NSA collect disinformation?

      Don't worry, they'll only put the most effort into verifying the validity of something until they get the result they want, and no further.

  • John Fenderson (profile), 21 Jan 2015 @ 11:23am

    I am shallow

    As despicable as I find the actions of the NSA, my outrage is amped up even further by the jovial, joking tone taken by many of these internal documents. It's bad enough to spy on us all, they don't have to take such obvious joy in doing so. That just multiplies the evil.

    • Pronounce (profile), 21 Jan 2015 @ 1:45pm

      Re: I am shallow

      Oh, hahaha, you have no clue how arrogant these people are. The talk behind closed doors is that of a wolf looking at a flock of sheep and gleefully deciding whom to kill. But unlike a wolf who is following their natural instinct these individuals get a rush and high watching the flock flee and squirm as they go for a kill.

      Watch the glee on that dude's game video of him pwning people with head-shots. His enjoyment is on par with what I'm talking about.

    • Anonymous Coward, 21 Jan 2015 @ 2:43pm

      Re: I am shallow

      Really, I keep getting the impression that it's written by, for lack of a better word, geeks with a shiny toy and being very excited, or at least technologically savvy people in suits playing with the nice shiny new toys they've had their geek department create...... now don't get me wrong, technologically smart dudes or geeks, I have major respect for; I think of you as the innovators of the technological world, and am forever grateful........ but geeks putting their intellectual minds into something that is bad, is still geeks putting their intellectual minds into something that is bad........ mass surveillance specifically I mean, but not limited to it

      • John Fenderson (profile), 21 Jan 2015 @ 3:37pm

        Re: Re: I am shallow

        I am a great big honkin' geek myself. Being a geek doesn't excuse this at all.

        Really, there is a subset of the geek sphere that I routinely see this sort of sociopathic behavior in: criminal hackers in general, but primarily the script kiddies. Even if the NSA wasn't doing anything controversial, that sort of attitude reflects very badly on the agency. It makes it look like they hired a bunch of adolescent crooks.

  • Padpaw (profile), 21 Jan 2015 @ 12:42pm

    secretly making war on the whole world.

    They were right: exposing their crimes will make things worse for America, only because the people running things are evil warmongering monsters, apparently.

  • Anonymous Coward, 21 Jan 2015 @ 1:15pm

    They're using our lives as their fucking game

  • Anonymous Coward, 21 Jan 2015 @ 1:53pm

    The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called "unwitting data mules."

    So add committing a crime and implicating someone else to the list

  • M. Alan Thomas II (profile), 21 Jan 2015 @ 1:55pm

    So the NSA knows that (1) nation-states can render IP tracking of a "cyberattack" irrelevant if they've compromised the backbone or even simply hacked the scapegoat and (2) if one nation-state has found a 0 day or other security flaw, another nation-state can hijack it or the resulting data flows for their own purposes.

    Now if only we could convince policy-makers of this....

  • Pronounce (profile), 21 Jan 2015 @ 2:01pm

    Is it Incompetence or Arrogance?

    GCHQ hacks media. NSA hacks intelligence agencies. So why in the world does Der Spiegel even still have access to the Snowden docs?

    It's obvious that the media agencies like Der Spiegel, Techdirt, Last Week Tonight with John Oliver, aren't *THAT* big of a deal (in terms of funding) to these agencies otherwise they'd have a NK DDoS or Charlie Hebdo "accident".

    • That One Guy (profile), 21 Jan 2015 @ 6:36pm

      Re: Is it Incompetence or Arrogance?

      I imagine anyone who has the Snowden documents is very careful to keep multiple backups, on systems and devices with absolutely no connection whatsoever to the internet.

  • KoD (profile), 21 Jan 2015 @ 2:12pm

    As much as I would hate to glorify these people wiping their ass with our Constitution, that is some impressive shit.

  • Anonymous Coward, 21 Jan 2015 @ 4:04pm

    So how can they be sure that someone else is not exploiting their backbone while they're exploiting someone else's backbone........ this is not gonna end well

  • derp, 22 Jan 2015 @ 8:55pm

    NSA spying scandal is old news. Je ne suis pas Charlie.
