

Snowden Leaks Confirm Existence of ECHELON


NSA documents obtained by whistleblower Edward Snowden confirm the existence of ECHELON, a secret surveillance network spying on satellite communications. Set up by the US and the UK in the 1960s, ECHELON was the precursor of today’s global dragnet.

The revelations vindicated the work of British investigative journalist Duncan Campbell, who first wrote about ECHELON’s existence in 1988 and continued writing about the program for the next 27 years.

NSA newsletters cited by The Intercept confirm that the program was set up in 1966, just a year after the first communication satellites were launched into Earth orbit. The dragnet was codenamed FROSTING, and consisted of two sub-programs. While TRANSIENT was targeting the Soviet Union’s satellite communications, Western satellite signals were to be harvested by ECHELON. Eventually, all satellite surveillance was merged into FORNSAT, a global program exposed by the Snowden revelations.



 rbear    240

The NSA's Porn-Surveillance Program: Not Safe for Democracy

Its targets extend beyond suspected terrorists—and some rhetoric that the First Amendment would protect is singled out.

Let's think through the troubling implications of the latest surveillance-state news. "The National Security Agency has been gathering records of online sexual activity and evidence of visits to pornographic websites as part of a proposed plan to harm the reputations of those whom the agency believes are radicalizing others through incendiary speeches," Glenn Greenwald, Ryan Gallagher, and Ryan Grim report




Global spy system ECHELON confirmed at last – by leaked Snowden files

Origins of automated surveillance


Special Report Duncan Campbell has spent decades unmasking Britain's super-secretive GCHQ, its spying programmes, and its cosy relationship with America's NSA. Today, he retells his life's work exposing the government's over-reaching surveillance, and reveals documents from the leaked Snowden files confirming the history of the fearsome ECHELON intercept project. This story is also published simultaneously today by The Intercept, as is - at long last - Duncan's Register Christmas Lecture from last year.

After 27 Years, Reporter Who Exposed ECHELON Finds Vindication in Snowden Archive


 Guitar Doc    1,571

New Zealand journalist and cover-up exposer Nicky Hager also revealed ECHELON to the British parliament. He found the system was being tested and used in NZ via the US spy base at Waihopai (just outside Blenheim in NZ; ALL of our electronic communications go through there). Nicky also wrote on the GMO testing in NZ and many exposés of cover-ups in hard print. Most are available for purchase.


Secret Power was published in 1996. http://www.nickyhager.info/echelon-a-story-about-how-information-spreads-or-doesnt/

Nicky references Duncan Campbell's article on ECHELON in the above link, detailing his writing of Secret Power, which was done in secrecy.


I saw Nicky and two other NZ journos break into the Waihopai spy base, walk across land marked as mined and attempt to film ECHELON in use through one of the windows.

There are two US spy bases in NZ used to intercept electronic communications around the world. A friend of mine was an ex-army officer who went into Comms and told me he had used the equipment in the spy base during an international exercise, which is funny because NZ politicians have not been allowed to see the equipment. He told me it was simply the most sophisticated radio comms gear in use, able to detect any radio frequency being emitted on Earth and in space. That is parallel to phone line intercepts.


Former PM David Lange (deceased) bequeathed his papers (a collection) to the NZ public upon his death. Concealed within them was one of 14 reports only the NZ SIS (CIA, FBI, NSA rolled into one) gives each year to the Prime Minister of NZ as to what they have been doing. Very cleverly, it became public property afterwards, so it could not be censored. What it revealed was that the USA was, at that point in time, primarily using Waihopai to spy on United Nations communications.


I am surprised Duncan Campbell thought he wasn't already vindicated, as it is well acknowledged in NZ that the system operates here. Despite that, any reader of Tom Clancy novels will note that Tom Clancy had exposed ECHELON as existing and being used by the US government in his novel Patriot Games (published 1987), when he revealed that all calls in and out of the USA were tagged by an unnamed system which we later see worked exactly as ECHELON does. Tom stated he had information from real people within the military intelligence community as background for his novels.

 rbear    240

Xkeyscore: NSA's Google for the World's Private Communications

One of the National Security Agency’s most powerful tools of mass surveillance makes tracking someone’s Internet usage as easy as entering an email address, and provides no built-in technology to prevent abuse. Today, The Intercept is publishing 48 top-secret and other classified documents about XKEYSCORE dated up to 2013, which shed new light on the breadth, depth and functionality of this critical spy system — one of the largest releases yet of documents provided by NSA whistleblower Edward Snowden.

BEHIND THE CURTAIN: A Look at the Inner Workings of NSA's XKEYSCORE (second in a series; Part 1 here)

The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.

NSA Files Decoded

Here is a source with some slides; here is one that expands on what you'd gather from the slides and is more Microsoft-specific. A bit more wordy, but some good information. Oh man, here's some more. Getting spied on costs us money too: NSA's PRISM program pays compliance costs

Reading over more of the NSA files in NSA Files Decoded would be good. Reading through this would also be good; it'll help give you a broader view of what's going on and the extent of it.

Don't even get me started on BitLocker, deliberately weakened crypto libraries, Microsoft OneDrive, the rest of their cloud services, Hotmail / Outlook, etc. Everything is either broken or being collected from. Do some searching, read some articles and slides, take a gander through WikiLeaks, etc.

Much in this thread is links, some in titles, some in text. Please review all the documents.

 rbear    240

These Ex-Israeli Surveillance Agents Hijack Your Browser To Profit From Ads

At the start of last month, Google and Stanford University researchers released a report on a largely legal yet dubious practice in the advertising industry. It’s called ad injection.

The process effectively intercepts users’ traffic to inject content, namely, those irritating adverts and popups that seem to come from nowhere. Media rightly jumped on the report, highlighting the companies named as the top ad injectors. What went unnoticed, until now, is that most of the searchable organisations involved in this potentially dangerous business are based in Israel. They also happen to have links to the nation’s military and its top signals intelligence agency, the Israeli equivalent of the NSA or GCHQ: Unit 8200, which works out of the Israel Defense Forces (IDF).

Ad injection is an old business that started taking off at the turn of the Millennium. It forms part of the convoluted world of personal data trading and marketing. The software used to inject ads arrives not quite as malware, but via what are known as “potentially unwanted programs”, often bundled into application downloads or offered as directly-downloaded browser extensions. The Stanford and Google researchers, who collected data on the industry during the summer of last year, flagged 50,870 Chrome extensions as unwanted ad injectors, 38 per cent of which they decided were malware harmful to the security of users’ data.

Once on a user’s browser, the injector will effectively hijack a browser session and insert adverts on the page when a partnered website is visited. In most cases, the software has complete control over what appears on the user’s screen, to the extent it might hijack mouse clicks or force other interactions on the site. The user simply has to trust the software won’t do anything malicious.

Injectors also increase the chances of infection from malicious ads, which launch exploits on people’s computers when the browser parses their content, as the ad chain isn’t particularly well monitored, partly because of the huge number of companies involved. If a criminal hacker can find a weak link in that chain, they can have their ads injected into people’s web sessions, hence repeated cases of so-called “malvertising”.

A vulnerable ad injector could be exploited by hackers to kill security protections in the browser, notes Udi Yavo, CTO at Israeli security company enSilo, and they can relay plenty of information back to the software author, including usernames and passwords.

Yavo believes ad injectors “run the fine line between ads and malware”. “I would even make the claim that the behavior of the two is nearly identical. The difference between the two is simply the author’s intention. While the first is considered a form of revenue-generation through the media, the second is pure cybercrime,” he tells FORBES.

The number of those affected by ad injection is astonishing – more than five per cent of unique daily IP addresses accessing Google, representing tens of millions of users, according to the research report. And people hate it. Of more than 100,000 Chrome user complaints in July 2014, nearly 20 per cent were about ad injection. It’s the real scourge of the web, according to its actual users.

The providers make a lot of money too. When the Yontoo browser plugin modified 4.5 million users’ private Facebook sessions to include ads, it reportedly earned the creator $8 million. That particular piece of intrusive kit was run by serial entrepreneur Arie Trouw, who built Sambreel Holdings, yet another maligned ad injection specialist.

But his entities have far less coverage than a handful of Israeli businesses full of former intelligence officials. It appears their offensive cyber and big data skills honed during their years at Unit 8200 have made them particularly adept at the practice.


So, who are they? I recently reported on one of those firms, Superfish, and its links to the surveillance industrial complex. After it was spotted sitting on Lenovo PCs intercepting traffic throughout late 2014, breaking web encryption along the way, essentially destroying any trust users could have had in their online sessions, it emerged that not only its founder Adi Pinhas was formerly of 8200, he was also employed by Verint, which was linked to NSA surveillance. The company that actually created the encryption-breaking tech behind Superfish, Komodia, was also connected to Israeli intelligence services via its owner Barak Weichselbaum.

Superfish was dominating the ad injection game before the Lenovo incident caused it much strife. Google and Stanford found the firm injected ads into more than 16,000 websites and was making tens of millions in revenue a year doing so. By the researchers’ extrapolations, Superfish appeared in 3.92 per cent of Google views. It has been irritating Apple Mac, Microsoft Internet Explorer and Mozilla Firefox users as far back as 2010. Many complaints about its Window Shopper tool can be found in cursory Google searches.

The Superfish tech, designed to show “visual ads” (essentially image-led adverts), installs a “little man-in-the-middle proxy” on the user’s computer and configures the browser to go through it so it can inject content into pages, explains Lee Brotherston, researcher at Leviathan Security. Sometimes this injection includes a piece of front-end web code called an iframe that points the browser to the Superfish web server to insert content dynamically. According to Google’s study, the tool also reports every site a user visits, their language and country back to Superfish’s server.

The company did not respond to requests for comment on its practices. It is imminently going out of business, according to a post on its website.

Jolly Wallet

Despite Superfish’s dominance there are many others. Ranked by the researchers as the second most popular ad injecting program with 2.4 per cent of Google views, Jolly Wallet doesn’t actually install software on the users’ hard drive and wasn’t classed by the study as an ad injector per se. It does, however, typically come packaged in a browser extension with permissions to read and alter all web content, its aim being to present cashback offers across different sites. It also often runs alongside other injection libraries.

Like Superfish, web denizens have complained about the tool being installed on their computers without their apparent knowledge, pointing to another issue with ad injectors: they often appear on systems from unknown sources.

Jolly Wallet was created by Radyoos, which was co-founded in 2011 by Roy Zisapel, who is also CEO of security provider Radware. He doesn’t advertise his connections to Unit 8200, though in an article from 2011 Zisapel notes he was part of the division. Zisapel seems to be using his experience in both offensive and defensive cyber to profit in two huge markets. He declined to be interviewed for this article.

[Image: Jolly Wallet in action on the Walmart website]


According to one spyware removal advice site, Jolly Wallet can deliver ads from another Israeli firm, VisAdd, though it was not possible to confirm the connection. VisAdd is a strange, ostensibly shady entity. It has a static website that reveals almost nothing about what services the firm offers. ‘Who Is?’ searches reveal nothing. It’s only through looking at the VisAdd privacy policy in Google caches of the site that it’s possible to tell the firm was born in Israel.

But it was growing when Google looked at the firm last year, growing from 0.5 per cent of page views at the start of the research to 1.4 per cent at the time of writing earlier this year. The script scans for specific keywords including “add to basket”, “free shipping”, and “product review” in multiple languages and when detected payloads are dropped onto the user’s browser. It would also hoover up information on user clicks and surfing behavior. Anyone who wants to remove the tool via the VisAdd site can try, though the service provided does nothing whatsoever.

There’s no evidence the firm is connected to Israeli government surveillance, but given its location, it’d be no surprise if it was controlled by Unit 8200 alumni.

[Image: The website of Israeli ad injection provider VisAdd provides almost no information about the company. Nor does its removal tool actually work.]

No Problem PPC

No Problem PPC is ranked as the seventh most popular ad injector, with 0.44 per cent of Google pageviews. The company’s main service allows website owners to connect visitors with contractors and small businesses they might be looking for. If the user is interested they can offer up information and call listed companies provided by the widget. Useful, no?

But the company’s tool has been seen bundled with other apps as a browser extension, Brotherston says. And, as with the others listed here, there are a number of removal walkthroughs for No Problem PPC. Company founder Daniel Shaked, an IDF reserve for nearly 12 years, notes over email the firm offers up its JavaScript to free software providers, and this has been used to deliver all kinds of ads, including “deceptive” ones, though this has “nothing to do with us”. Shaked says No Problem doesn’t push out ads, it only connects web users with professionals, first online then over the phone, and it makes money where it facilitates that final call.


Also see: Forbes malicious ads search results, as many sites etc. are compromised
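The Superfish mechanism described in the article (a local man-in-the-middle proxy rewriting pages and adding an iframe that points at the injector's server) leaves a trace a site owner can look for: a client-reported DOM snapshot contains elements loading from origins the site never uses. This is an added example, not code from the Forbes article or any vendor; the site, the allowlist, the snapshot and the `find_injected` helper are all constructed for illustration.

```python
"""Compare a client-side DOM snapshot against the origins a site legitimately loads.

An ad injector rewrites pages on the user's machine, so the server never sees
the extra <iframe> or <script>. A site can still spot it when a client reports
what it actually rendered (for example from a CSP violation report or a DOM
snapshot): any element fetching from an origin the site does not use is a
candidate injection. Standard library only; every host below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

FIRST_PARTY = "shop.example"                       # constructed site
ALLOWED_ORIGINS = {FIRST_PARTY, "cdn.shop.example", "ads.partner.example"}

# Elements that pull remote content, and the attribute carrying the URL.
REMOTE_ATTRS = {"iframe": "src", "script": "src", "img": "src",
                "link": "href", "object": "data", "embed": "src"}

# Constructed snapshot: the first five elements are the page as served; the
# last two are what an injector added before the browser rendered it.
SAMPLE_SNAPSHOT = """
<html><head>
<script src="https://cdn.shop.example/app.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<img src="https://cdn.shop.example/logo.png">
<script src="https://ads.partner.example/tag.js"></script>
<script>window.dataLayer = [];</script>
<iframe src="https://visual.injector-example.test/frame?u=shop.example"></iframe>
<script src="//static.injector-example.test/inject.js"></script>
</body></html>
"""


class RemoteRefCollector(HTMLParser):
    """Collect (tag, url) for every element that loads remote content."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = REMOTE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def classify(url):
    """Return the host a URL loads from, or 'scheme:<x>' for non-HTTP schemes."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("", "http", "https"):
        return "scheme:" + parts.scheme        # javascript:, data:, etc.
    # Relative URLs (no host) resolve against the page itself.
    return parts.hostname.lower() if parts.hostname else FIRST_PARTY


def is_allowed(host, allowed=ALLOWED_ORIGINS):
    """Exact match or subdomain of an allowed origin; odd schemes never pass."""
    if host.startswith("scheme:"):
        return False
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_injected(html, allowed=ALLOWED_ORIGINS):
    """Return [(tag, url, host)] for remote references outside the allowlist."""
    collector = RemoteRefCollector()
    collector.feed(html)
    return [(tag, url, classify(url)) for tag, url in collector.refs
            if not is_allowed(classify(url), allowed)]


if __name__ == "__main__":
    for tag, url, host in find_injected(SAMPLE_SNAPSHOT):
        print(f"unexpected <{tag}> loading from {host}: {url}")
```

Because the injector sits between the browser and the site, it can strip CSP headers or suppress reports, so this comparison only catches what a client actually manages to report back.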


 rbear    240


NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware

After years of speculation that electronics can be accessed by intelligence agencies through a back door, an internal NSA catalog reveals that such methods already exist for numerous end-user devices.

When it comes to modern firewalls for corporate computer networks, the world’s second largest network equipment manufacturer doesn’t skimp on praising its own work. According to Juniper Networks’ online PR copy, the company’s products are “ideal” for protecting large companies and computing centers from unwanted access from outside. They claim the performance of the company’s special computers is “unmatched” and their firewalls are the “best-in-class.” Despite these assurances, though, there is one attacker none of these products can fend off — the United States’ National Security Agency.

Specialists at the intelligence organization succeeded years ago in penetrating the company’s digital firewalls. A document viewed by SPIEGEL resembling a product catalog reveals that an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry — including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell and Apple’s iPhone.

These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives — from computing centers to individual computers, from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.

This, at least, is the impression gained from flipping through the 50-page document. The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets’ data. The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000.

In the case of Juniper, the name of this particular digital lock pick is “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.” In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH “has been deployed on many target platforms.”

The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA’s department for Tailored Access Operations (TAO). In cases where TAO’s usual hacking and data-skimming methods don’t suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such “implants,” as they are referred to in NSA parlance, have played a considerable role in the intelligence agency’s ability to establish a global covert network that operates alongside the Internet.

Some of the equipment available is quite inexpensive. A rigged monitor cable that allows “TAO personnel to see what is displayed on the targeted monitor,” for example, is available for just $30. But an “active GSM base station” — a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones — costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.

The ANT division doesn’t just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer’s motherboard that is the first thing to load when a computer is turned on.

This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this “Persistence” and believe this approach has provided them with the possibility of permanent access.

Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many digital attack weapons are “remotely installable” — in other words, over the Internet. Others require a direct attack on an end-user device — an “interdiction,” as it is known in NSA jargon — in order to install malware or bugging equipment.

There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalog provided any support to the NSA or even had any knowledge of the intelligence solutions. “Cisco does not work with any government to modify our equipment, nor to implement any so-called security ‘back doors’ in our products,” the company said in a statement. Contacted by SPIEGEL reporters, officials at Western Digital, Juniper Networks and Huawei also said they had no knowledge of any such modifications. Meanwhile, Dell officials said the company “respects and complies with the laws of all countries in which it operates.”

Many of the items in the software solutions catalog date from 2008, and some of the target server systems that are listed are no longer on the market today. At the same time, it’s not as if the hackers within the ANT division have been sleeping on the job. They have continued to develop their arsenal. Some pages in the 2008 catalog, for example, list new systems for which no tools yet exist. However, the authors promise they are already hard at work developing new tools and that they will be “pursued for a future release”.



Surveillance by Algorithm

Increasingly, we are watched not by people but by algorithms. Amazon and Netflix track the books we buy and the movies we stream, and suggest other books and movies based on our habits. Google and Facebook watch what we do and what we say, and show us advertisements based on our behavior. Google even modifies our web search results based on our previous behavior. Smartphone navigation apps watch us as we drive, and update suggested route information based on traffic congestion. And the National Security Agency, of course, monitors our phone calls, emails and locations, then uses that information to try to identify terrorists.

Documents provided by Edward Snowden and revealed by the Guardian today show that the UK spy agency GCHQ, with help from the NSA, has been collecting millions of webcam images from innocent Yahoo users. And that speaks to a key distinction in the age of algorithmic surveillance: is it really okay for a computer to monitor you online, and for that data collection and analysis only to count as a potential privacy invasion when a person sees it? I say it's not, and the latest Snowden leaks only make more clear how important this distinction is.

The robots-vs-spies divide is especially important as we decide what to do about NSA and GCHQ surveillance. The spy community and the Justice Department have reported back early on President Obama's request for changing how the NSA "collects" your data, but the potential reforms -- FBI monitoring, holding on to your phone records and more -- still largely depend on what the meaning of "collects" is.

Indeed, ever since Snowden provided reporters with a trove of top secret documents, we've been subjected to all sorts of NSA word games. And the word "collect" has a very special definition, according to the Department of Defense (DoD). A 1982 procedures manual (pdf; page 15) says: "information shall be considered as 'collected' only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties." And "data acquired by electronic means is 'collected' only when it has been processed into intelligible form."

Director of National Intelligence James Clapper likened the NSA's accumulation of data to a library. All those books are stored on the shelves, but very few are actually read. "So the task for us in the interest of preserving security and preserving civil liberties and privacy," says Clapper, "is to be as precise as we possibly can be when we go in that library and look for the books that we need to open up and actually read." Only when an individual book is read does it count as "collection," in government parlance.

So, think of that friend of yours who has thousands of books in his house. According to the NSA, he's not actually "collecting" books. He's doing something else with them, and the only books he can claim to have "collected" are the ones he's actually read.

This is why Clapper claims -- to this day -- that he didn't lie in a Senate hearing when he replied "no" to this question: "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?"

If the NSA collects -- I'm using the everyday definition of the word here -- all of the contents of everyone's e-mail, it doesn't count it as being collected in NSA terms until someone reads it. And if it collects -- I'm sorry, but that's really the correct word -- everyone's phone records or location information and stores it in an enormous database, that doesn't count as being collected -- NSA definition -- until someone looks at it. If the agency uses computers to search those emails for keywords, or correlates that location information for relationships between people, it doesn't count as collection, either. Only when those computers spit out a particular person has the data -- in NSA terms -- actually been collected.

If the modern spy dictionary has you confused, maybe dogs can help us understand why this legal workaround, by big tech companies and the government alike, is still a serious invasion of privacy.

Back when Gmail was introduced, this was Google's defense, too, about its context-sensitive advertising. Google's computers examine each individual email and insert an advertisement nearby, related to the contents of your email. But no person at Google reads any Gmail messages; only a computer does. In the words of one Google executive: "Worrying about a computer reading your email is like worrying about your dog seeing you naked."

But now that we have an example of a spy agency seeing people naked -- there are a surprising number of sexually explicit images in the newly revealed Yahoo image collection -- we can more viscerally understand the difference.

To wit: when you're watched by a dog, you know that what you're doing will go no further than the dog. The dog can't remember the details of what you've done. The dog can't tell anyone else. When you're watched by a computer, that's not true. You might be told that the computer isn't saving a copy of the video, but you have no assurance that that's true. You might be told that the computer won't alert a person if it perceives something of interest, but you can't know if that's true. You do know that the computer is making decisions based on what it receives, and you have no way of confirming that no human being will access that decision.

When a computer stores your data, there's always a risk of exposure. There's the risk of accidental exposure, when some hacker or criminal breaks in and steals the data. There's the risk of purposeful exposure, when the organization that has your data uses it in some manner. And there's the risk that another organization will demand access to the data. The FBI can serve a National Security Letter on Google, demanding details on your email and browsing habits. There isn't a court order in the world that can get that information out of your dog.

Of course, any time we're judged by algorithms, there's the potential for false positives. You are already familiar with this; just think of all the irrelevant advertisements you've been shown on the Internet, based on some algorithm misinterpreting your interests. In advertising, that's okay. It's annoying, but there's little actual harm, and you were busy reading your email anyway, right? But that harm increases as the accompanying judgments become more important: our credit ratings depend on algorithms; how we're treated at airport security does, too. And most alarming of all, drone targeting is partly based on algorithmic surveillance.

The primary difference between a computer and a dog is that the computer interacts with other people in the real world, and the dog does not. If someone could isolate the computer in the same way a dog is isolated, we wouldn't have any reason to worry about algorithms crawling around in our data. But we can't. Computer algorithms are intimately tied to people. And when we think of computer algorithms surveilling us or analyzing our personal data, we need to think about the people behind those algorithms. Whether or not anyone actually looks at our data, the very fact that they even could is what makes it surveillance.

This is why Yahoo called GCHQ's webcam-image collection "a whole new level of violation of our users' privacy." This is why we're not mollified by attempts from the UK equivalent of the NSA to apply facial recognition algorithms to the data, or to limit how many people viewed the sexually explicit images. This is why Google's eavesdropping is different than a dog's eavesdropping, and why the NSA's definition of "collect" makes no sense whatsoever.





 rbear    240

COTTONMOUTH-I: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware implant which will provide a wireless bridge into a target network as well as the ability to load exploit software onto target PCs.

(TS//SI//REL) CM-I will provide air-gap bridging, software persistence capability, "in-field" re-programmability, and covert communications with a host software implant over the USB. The RF link will enable command and data infiltration and exfiltration. CM-I will also communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert channel implemented on the USB, using this communication channel to pass commands and data between hardware and software implants. CM-I will be a GENIE-compliant implant based on CHIMNEYPOOL.

(TS//SI//REL) CM-I conceals digital components (TRINITY), USB 1.1 FS hub, switches, and HOWLERMONKEY (HM) RF Transceiver within the USB Series-A cable connector. MOCCASIN is the version permanently connected to a USB keyboard. Another version can be made with an unmodified USB connector at the other end. CM-I has the ability to communicate to other CM devices over the RF link using an over-the-air protocol called SPECULATION.

Status: Availability -- January 2009

Unit Cost: 50 units: $1,015K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

 rbear    240

Air-gapped systems, which are isolated from the Internet and are not connected to other systems that are connected to the Internet, are used in situations that demand high security because they make siphoning data from them difficult.

Air-gapped systems are used in classified military networks, the payment networks that process credit and debit card transactions for retailers, and in industrial control systems that operate critical infrastructure. Even journalists use them to prevent intruders from remotely accessing sensitive data. To siphon data from an air-gapped system generally requires physical access to the machine, using removable media like a USB flash drive or a firewire cable to connect the air-gapped system directly to another computer.

But security researchers at Ben Gurion University in Israel have found a way to retrieve data from an air-gapped computer using only heat emissions and a computer’s built-in thermal sensors. The method would allow attackers to surreptitiously siphon passwords or security keys from a protected system and transmit the data to an internet-connected system that’s in close proximity and that the attackers control. They could also use the internet-connected system to send malicious commands to the air-gapped system using the same heat and sensor technique.

In a video demonstration produced by the researchers, they show how they were able to send a command from one computer to an adjacent air-gapped machine to re-position a missile-launch toy the air-gapped system controlled.

cont: http://www.wired.com/2015/03/stealing-data-computers-using-heat/

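The channel described above works because the receiving machine's own thermal sensors register heat that a neighbour deliberately modulates. A host that is merely busy gets hotter in step with its own CPU load, so a simple defender-side heuristic is to look for temperature swings that its load does not explain. This is an added example, a monitoring heuristic and not the researchers' code; the one-reading-per-minute sensor and load samples are constructed.

```python
"""Flag temperature swings on a host that its own CPU load does not explain
(added example, a monitoring heuristic rather than the researchers' code).
Samples are constructed: one reading per minute of a CPU thermal sensor in
degrees C and the matching CPU utilisation in percent."""
import math

def pearson(xs, ys):
    """Correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)

def assess_thermal_window(temps, loads, min_swing=1.0, min_corr=0.3):
    """Decide whether a window of readings looks externally driven.

    Temperature that swings by at least `min_swing` degrees while barely
    correlating with the host's own load points at another heat source
    nearby, which is what a neighbour modulating its heat output produces.
    Busy hosts warm up with their load and so correlate strongly.
    """
    swing = max(temps) - min(temps)
    corr = pearson(temps, loads)
    suspicious = swing >= min_swing and abs(corr) < min_corr
    return {"swing": swing, "corr": corr, "suspicious": suspicious}

# Constructed: a host idling at 5-6 % load whose sensor still rises and falls
# by 3 degrees on a four-minute cycle, and a normal host warming under bursts.
IDLE_LOAD = [5, 6, 5, 6, 5, 6, 5, 6, 5, 6, 5, 6]
IDLE_TEMPS = [40.0, 41.5, 43.0, 41.5] * 3
BUSY_LOAD = [5, 5, 60, 60, 60, 5, 5, 60, 60, 5, 5, 5]
BUSY_TEMPS = [40, 40, 46, 47, 47, 42, 41, 46, 47, 43, 42, 41]

if __name__ == "__main__":
    print(assess_thermal_window(IDLE_TEMPS, IDLE_LOAD))   # suspicious: True
    print(assess_thermal_window(BUSY_TEMPS, BUSY_LOAD))   # suspicious: False
```

In practice the function is run over a sliding window of sensor logs, and fan-curve or ambient-temperature effects have to be baselined first so they are not mistaken for a neighbour's signalling.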
 rbear    240

“Funtenna” software hack turns a laser printer into a covert radio

Researcher demonstrates how attacker could exfiltrate data over airwaves.

It turns out that embedded computing devices can be used to broadcast data covertly in all sorts of ways, as demonstrated in this video from Ang Cui's Funtenna project.

LAS VEGAS—During the Cold War, Soviet spies were able to monitor the US Embassy in Moscow by using a radio retroreflector bug—a device powered, like modern RFID tags, by a directed radio signal. But that was too old school for Ang Cui, chief scientist at Red Balloon Security and a recent PhD graduate of Columbia University. He wanted to see if he could do all of that with software.

Building on a long history of research into TEMPEST emanations—the accidental radio signals given off by computing systems’ electrical components—Cui set out to create intentional radio signals that could be used as a carrier to broadcast data to an attacker even in situations where networks were “air-gapped” from the outside world. The result of the work of his research team is Funtenna, a software exploit he demonstrated at Black Hat today that can turn a device with embedded computing power into a radio-based backchannel to broadcast data to an attacker without using Wi-Fi, Bluetooth, or other known (and monitored) wireless communications channels.

Cui has previously demonstrated a number of ways to exploit embedded systems, including printers and voice-over-IP phones. In 2012, he demonstrated an exploit of Cisco phones that turned on the microphone and transformed phones into a remote listening device. Michael Ossmann of Great Scott Gadgets, a hardware hacker who has done some development of exploits based on concepts from the NSA's surveillance "playset," suggested to Cui that he could turn the handset cord of the phone into a “funtenna”—an improvised broadcast antenna generating radio frequency signals programmatically.

With just seven lines of code injected into the embedded computer of an otherwise unmodified laser printer, Cui was able to turn the printer into a radio transmitter by simply leveraging the electrical properties of existing input and output ports on the printer. By rapidly flipping the power state of general purpose input/output (GPIO) pins, Pulse Width Modulation (PWM) outputs, and UART (serial) outputs on a Pantum P2502W laser printer—“the cheapest laser printer we could find,” Cui said—the Funtenna hack was able to create a modulated radio signal as a result of the magnetic fields created by the voltage and resulting electromagnetic waves.

 rbear    240

Spies in the Xerox Machine

Spies in the Xerox machine: how an engineer helped the CIA snoop on Soviet diplomats.

Popular Science
January 1, 1997 | Stover, Dan

During the dark days of the Cold War, when the world trembled at the sight of aerial photos of nuclear missile sites in Cuba, when secret agents slipped back and forth through the Iron Curtain, and swift U-2 airplanes flew dangerous intelligence missions, the United States' most effective spy may have been the most unexpected: a Xerox repairman.

It was 1962, the Cold War was in full swing, and the CIA was looking for new ways to gather intelligence on the Soviets. Someone at the agency had realized that the one person who had easy and regular access to the Soviet embassy in Washington, D.C., the one American who could come and go with no questions asked, was the Xerox repairman. He visited the embassy at least once a month, and nobody was surprised or alarmed to see him tinkering with the photocopier, his tools scattered on the floor. At the CIA, this seemed like an opportunity too good to pass up.

So the agency went to the source, the Xerox Corp., to find the brainpower to bug a machine. Ray Zoppoth was a 36-year-old mechanical engineer at Xerox in Webster, New York, when he was asked to join a small team that would work on this project. For years afterward, Zoppoth kept his role secret from even his wife and his eight children. But now, he believes, it is time people learned more about this chapter in our nation's history. That's why he decided to tell his story to POPULAR SCIENCE.

As Zoppoth tells it, having the repairman try to smuggle documents out of a foreign embassy would have been much too risky. Instead, the CIA wanted the repairman to install a device that would enable its agents to view the documents being copied on the embassy's Xerox machine. They hoped such a system would not only give them a peek at top-secret Soviet documents, but that it would also tell them whether Soviet spies had managed to get their hands on any classified U.S. documents.

The CIA contacted John Dessauer, a vice president at Xerox, and asked for his help. Dessauer then put Donald Cary, who headed a government programs group at Xerox, in charge of the project. Cary recruited Zoppoth and three other engineers: Kent Hemphill, an optical engineer; Douglas Webb, an electrical engineer; and James Young, an electronics expert who specialized in imaging technologies. Zoppoth was chosen, in part, because he had helped develop the Xerox model 914, the first automatic push-button copier, and the type used in the Soviet embassy.

Because of its secret nature, the project could not be undertaken at the facility where Zoppoth and the others worked. Instead, the project leaders rented an abandoned one-lane bowling alley in a small shopping center. With the installation of a security system, the windowless alley became an impromptu research lab.

There, progress notes spread across the alley floor, the engineers experimented with several methods for imaging the documents being copied on the embassy's model 914. An approach suggested by Zoppoth seemed the most promising: Mount a battery-powered home-movie camera with a zoom lens inside the copier. Aim the lens at the mirror used to reflect images onto the drum. Add a photocell that would prompt the camera to snap still frames whenever the photocopier lit up. And start taking pictures.

The engineers purchased a state-of-the-art Bell & Howell movie camera from a retail outlet. It was about seven inches long and held a spool of 8mm film. There was plenty of room for the camera deep inside the bulky console-style copier, and the camera couldn't be seen even when the machine's covers were removed. The camera's noise was drowned out by the sounds of the photocopier.

The team installed the camera in a machine at the bowling alley, and photographed sample documents. "We used the bathroom as our darkroom," Zoppoth recalls.

Next, they installed a camera in a machine at the main Xerox office in Webster. "When we developed the pictures, we found recipes and copies of music and cartoons and jokes and all kinds of things," Zoppoth says.

Finally, the engineers were ready to turn their invention over to the CIA. Zoppoth made a series of trips to Washington to meet with two agents in the dark basement of a CIA building code-named Disneyland East. Surrounded by heating pipes, Zoppoth taught the agents how to install the camera, so that they could later train the Xerox repairman. The repairman would place a camera inside the Xerox machine while he serviced it; the camera didn't appear out of place among his jumble of tools and spare parts. On his next visit, he would replace the camera with another one containing fresh film, then turn the exposed film over to the CIA.

The system went into service in 1963. It wasn't long before the CIA asked the Xerox team if a similar system could be built for a much smaller desktop copier, the model 813.

Hiding an off-the-shelf camera inside such a small machine was impossible, so the engineers designed a miniaturized camera that operated off the photocopier's own power supply and held only a partial roll of film. They also modified the 813's mirrors and cut away pieces of the machine. Parts needed for the camera were farmed out to several model shops, so that nobody outside the research team could recognize what was being built. In 1964, Zoppoth was awarded a secret patent for the tiny surveillance camera that was hidden inside the modified machine.

Judging by the number of parts ordered from Xerox, Zoppoth believes that spy cameras may have been installed in photocopiers all over the world, to keep an eye on U.S. allies as well as enemies. But in 1969, a chemical company that had come up with a similar idea for spying on a competitor was caught red-handed. After that, it seemed likely that the Soviets would scrutinize their own machines more closely. But whether the Soviets ever found a concealed camera, or whether the CIA ceased planting them in photocopy machines, is uncertain.

Although the cameras built by Zoppoth and his co-conspirators seem primitive compared with today's sophisticated microelectronics, the project remains classified. Zoppoth retired in 1979. Another team member confirms his story but is unwilling to speak about any of the details. Other members could not be located, or would not discuss the matter. The CIA and Xerox will neither confirm nor deny Zoppoth's account, possibly because the company has secret research contracts with the government to this day.
