<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">This actually took about 5 hours. I hope it will be useful to anyone. I sure feel up to date with the NSA 5 years ago. Some things are impressive. Their prices too though. Their level of determination and systematic approaches too. Miniaturization skill is good too, but not quite james bond. Particularly the use of RAGEMASTER and the other radar thingies. The exploitation of routers is just the tip of the iceberg of exploits. GSM exploits should really be commonly accepted to exist by now.<br>
</div><div class="gmail_quote"><br></div><div class="gmail_quote">Feel free to ask me questions, forward this mail to others, reformat it into wiki format or something, correct me if I'm wrong, ask me for my Bitcoin address because I'm your personal hero. Anything. I'm going to bed.</div>
<div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote">2013/12/30 Raphael Jacquot <span dir="ltr"><<a href="mailto:sxpert@sxpert.org" target="_blank">sxpert@sxpert.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word"><div class="im"><div><div>
On 30 Dec 2013, at 15:59, Phillip Hallam-Baker <<a href="mailto:hallam@gmail.com" target="_blank">hallam@gmail.com</a>> wrote:</div><blockquote type="cite"><div dir="ltr"><div>A while back Bruce told me that the Snowden docs show NSA uses every attack imaginable. </div>
<div>Here is the latest installment. The phrase that comes to mind is 'have they no decency?'</div></div></blockquote></div></div></div></blockquote><div>I was speechless about their acting physically. I realized shortly after that until now I've seen the NSA as an overfunded academic project to find exploits everywhere, but that all they want is all the information in any possible way. The return on investment of those projects presented is occasionally very low. That's the scariest part. They might even have exploited this and that rare thing.</div>
<div><br></div><div>Then I realized I never trusted hardware one bit, that PCB-track radio is real and fun and exploitable, and that I have always been confused by the lack of in-system paranoia. I think the whole thing is quite funny because against consumers it seems an ineffective budget spend. It's probably focused on companies though. Anyway, it's all kind of fun to me at the moment. Guess it'd be different if I actually used these products.</div>
<div><br>Anyone see the irony of America banning Chinese router stuff and meanwhile exploiting all of its own products?</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="word-wrap:break-word">the full gadget catalogue is here<div><a href="http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/" target="_blank">http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/</a></div>
</div></blockquote><div><br></div><div>I'm impressed. I also considered physical to be uselessly aggressive compared to the wealth of software hacks. Curious.<br><br>This does seriously harm the NSA's interests. This gives us clear insight into their recent capabilities. I think this is not data from our good old source. This is probably someone else. Luckily I'm not American and I believe that justifies fully all that I'm doing now.<br>
<br>ANT = Advanced or Access Network Technology<br><br>Allow me to recap the available tools:</div><div><br></div><div>DEITYBOUNCE - Dell PowerEdge BIOS exploit to get software onto target. Re-implants the exploit when the OS loads using the BIOS exploit. Unclear if it can be installed just by plugging a USB in, or whether the Non-tech agent needs to boot into it. Uses ARKSTREAM for implanting itself on the BIOS. (2007)</div>
<div><br></div><div>IRONCHEF - Similar to DEITYBOUNCE. Additionally communicates over a bidirectional radio that's also to be implanted into the system. For the HP Proliant 380DL G5 it uses an I2c connected radio called WAGONBED. IRONCHEF can be remote controlled to read/write to the target system. Especially to replace the spy-software placed on it if it's cleared. (2007)</div>
<div><br></div><div>FEEDTHROUGH - is something to persist ZESTYLEAK and BANANAGLEE in Juniper Netscreen firewalls. Across reboots and software upgrades. Also a BIOS level attack (see image). There exists something called a "DNT Implant Communications Protocol" for remote access and control. It employs a hiding method on the target platforms. (2008)</div>
<div><br></div><div>GOURMETTROUGH* - persists BANANAGLEE on Juniper firewalls. Some platforms it can "beacon" regardless of OS. ANT has to configure on non-automated platforms. Can also place a "Persistent BackDoor" (PBD) if configured by an expert. (2008)</div>
<div><br></div><div>HALLUXWATER - persistent remote control for Huawei Eudemon firewalls. Has to be installed as a boot ROM (BIOS) upgrade. Uses PIT (TURBOPANDA Insertion Tool) to read/write memory, execute local or delivered code. Survives automatic bootROM (BIOS) upgrades. (2008)</div>
<div><br></div><div>JETPLOW - persists BANANAGLEE on Cisco PIX and Cisco ASA firewalls. Can also install BANANAGLEE protocol compatible PBDs. Boot time modifies the OS. Can remotely self-upgrade. Can be added to an existing BANANAGLEE thingy. (2008)</div>
<div><br></div><div>SOUFFLETROUGH - persists BANANAGLEE for Juniper SSG 500 and SSG 300 series firewalls. "Advanced" PBD capability. Boot time modifies the OS. Can fallback to BANANAGLEE compatible PBD. <b>TAKES ADVANTAGE OF Intel's System Management Mode</b> for enhanced reliability and covertness. Can remotely self-upgrade. Can be added to an existing BANANAGLEE thingy. (2008)</div>
<div><br></div><div>HEADWATER - PBD for some Huawei routers. Goes into the boot ROM via an upgrade (makes no sense, "Read Only Memory"), works after reboot. Uses DNT's HAMMERMILL Insertion Tool (HIT) for controll of the PBD. Can capture/analyze all passing IP packets. <b>Cover name for NSA/CIA Huawei exploiting is TURBOPANDA</b>. (2008)</div>
<div><br></div><div>SCHOOLMONTANA - persists VALIDATOR for Juniper J-Series routers. The routers run JUNOS a <b>custom FreeBSD</b> by Juniper. BIOS mod that modifies the OS in memory to run VALIDATOR and "provide persistent kernel modifications to support implant execution"***. Injects at the end of the "System Management Mode". Cover term for DNT implants for Juniper J-Series routers. (2008)</div>
<div><br></div><div>SIERRAMONTANA - SCHOOLMONTANA for Juniper M-Series routers. (2008)</div><div><br></div><div>STUCCOMONTANA - SCHOOLMONTANA for Juniper T-Series routers. (2008)</div><div><br></div><div>CTX4000 - Continuous Wave (CW) radar unit. (ab)Used to collect VAGRANT and DROPMIRE data. Reads 1 to 2 GHz at up to 45 MHz per second. Can go from 2 to 1000 Watts. Can be remotely controlled. They use a bloody radar to pick up signal intel. This is so cool. An aluminum hat probably won't save your PC when it's getting blasted with this baby. (Last 3 sentences are pure speculation) (2008)</div>
<div><br></div><div>LOUDAUTO - Audio based RF retro-reflector. A little microphone's analog output is PPM'ed (Pulse Position Modulation) a square wave (standard in RC control too!). Those pulses are pulsed towards a FET (Field Effect Transistor). So when a pulse is sent the FET turns on for a moment. The FET can be seen on a CW radar well enough to reconstruct the pulses going into it, and thus the audio in the room. NSA prides the use of COTS hardware, no trace back to the NSA. Additionally these units consume next to no power! (~0.000045 watts!). "Part of the ANGRYNEIGHBOR family of radar retro-reflectors." (2008)</div>
<div><br></div><div>NIGHTSTAND - Wifi interceptor. Runs Fedora Core 3. Undetectable! N targets. Works on all WIN-old. <b>Up to eight miles (12km!) of effectivity.</b> Anti-encryption capabilities undisclosed. (2008)</div>
<div><br></div><div>NIGHTWATCH - VAGRANT receiver. Fancied up rugged laptop loaded with some signal processing units. Hook it up to CTX4000 or PHOTOANGLO or a general purpose receiver. Manual signal finding and frame averaging for visibility. Has built-in forward to NSAW****, which has "analysists". To be replaced by VIEWPLATE. (2008)</div>
<div><br></div><div>PHOTOANGLO - NSA/GCHQ project to replace CTX4000 with a nicer radar. Frequencies ('later' aka 'now') up to 4 GHz (x2). Bandwidth up to 450Mhz (x10). Slim form factor. <10lbs/4.5kg. Otherwise the same as CTX4000. Connects to NIGHTWATCH, LFS-2 or VIEWPLATE. 40kdollar cost. (2008, planned for Q1 2009)</div>
<div><br></div><div>SPARROW II - Embedded computer running BLINDDATE tools. WLAN B/G, CF card, USB, 4x Mini PCI for GPS and multiple WLAN cards. IBM Power PC 405GPR. 16MB flash, 64MB SDRAM. Linux 2.4. 2 Hrs of battery life. 6kdollar. Can be traced to the NSA somehow, so "operational restrictions exist for equipment deployment". Possibly due to PowerPC usage, those things are kinda rare. (2008)</div>
<div><br></div><div>TAWDRYYARD - Beacon RF retro-reflector. Toggles a FET to provide a good Radar profile. Used to find RAGEMASTER units. Part of the ANGRYNEIGHBOR family of radar retro-reflectors. Extremely low power consumption. (2008)</div>
<div><br></div><div>GINSU - an addition to BULLDOZER that provides persistence to KONGUR. BULLDOZER is a physical PCI device. KONGUR is a software exploit for windows 9x to Vista (and thus 7, maybe 8). Reinstalls on reboot, if KONGUR was removed by upgrades or reinstall.</div>
<div><br></div><div>HOWLERMONKEY - short to medium range radio transceivers. To be used in other products. Works in CONJECTURE or SPECULATION networks. Compatible with STRIKEZONE devices that run a "HOWLERMONKEY personality" (assuming it means wireless protocol). PCBs are layed out according to needs. 16mm by 16mm is totally possible. Run around 800 USD/each (call for quote I guess).</div>
<div><br></div><div>IRATEMONK - Provides persistence by modifying the Hard Drive firmware to substitute the MBR (the partition table). I suppose it boots itself first, then continues with the real OS. Image contains extremely complicated diagram of operations, showing the following systems: SERUM, RETURNSPRING, SLICKERVICAR, WISTFULTOIL, OIM/JMSQ, SEAGULLFARO, TUNING FORK, SSG, CDR Diode (high/low?), UNITEDRAKE. ROC. SERUM looks lke a processing cluster, OIM/JSMQ looks like a database, TUNING FORK might be something that prioritizes data, SSG's pipe is called "scaling" and is also a database. CDR Diode might operationally split the NSA's systems and the outside world, a defense unit. UNITEDRAKE must then be a supranational database, the united part supports that idea. Somehow UNITEDRAKE or STRAITBAZZARE are used with SLICKERVICAR "to upload the hard drive firmware onto the target machine to implant IRATEMONK and its payload". Works on FAT, NTFS, EXT3, UFS with many WD, Seagate, Maxtor and Samsung drives (which controller?).</div>
<div><br></div><div>I've actually read an post about "hey guys, look, isn't this the most preposterous ridiculous hack?". I believe it was about harddrives. Seems the NSA took note!</div><div><br></div>
<div>
JUNIORMINT - Is a SoC. ARM9 + FPGA (Xilinx XC4VLX25), add 128MB ddr2 , 64MB SDRAM and 32MB flash. "Uses the TAO standard implant architecture". "Dramatic performance improvement over HC12 microcontroller designs." "Ultra-miniature Flip Chip Module (FCM) will be available for challenging concealments". <a href="https://en.wikipedia.org/wiki/Flip_chip">FCM</a> is highly unusual! These things might be extremely small! (call for quote) (2008, PCB by 2009, FCM by 2010)</div>
<div><br></div><div><b>SOMEBODY REPLICATE THIS INTO A <100$ OPEN SOURCE PROJECT</b></div><div>(the <a href="http://papilio.cc/">http://papilio.cc/</a> that I have is only close ;) )</div><div><br></div><div><br></div>
<div>
MAESTRO-II - like JUNIORMINT but slower. Says it is a "Multi-Chip-Module", meaning everything is connected tightly. ($3-4k each) (2008) </div><div><br></div><div>SOMBERKNAVE - When an XP machine is not using wifi (it's not connected) attempts to connect to an access point and allow OLYMPUS or VALIDATOR to call home. VALIDATOR will also download OLYMPUS if it can. (costs $50k for some reason) (2008)</div>
<div><br></div><div>SWAP - BIOS and hard drive's Host Protected Area exploits allow periodic execution before the OS loads. Works on Windows, Linux, FreeBSD, Solaris (everything except Mac?) with FAT32, NTFS, EXT2, EXT3 or UFS 1.0. ARKSTREAM flashes the BIOS and TWISTEDKILT writes SWAP into the Host Protected Area on the harddrive.</div>
<div><br></div><div>TRINITY - like MAESTRO-II but more powerfull. (100 @ $625k)</div><div><br></div><div>WISTFULTOLL - plugin for UNITEDRAKE and STRAITBIZZARE for getting Windows Management Instrumentation (WMI) and Registry stuff. Can work standalone from a USB drive and get data out that way, or through UNITEDRAKE/STRAITBIZZARE. (good fit for COTTONMOUTH too!)</div>
<div><br></div><div>SURLYSPAWN - Data RF retro-reflector. Depending on the level of the data-line signal it shifts the square wave it produces. Thus becomes frequency shift keyed (FSK). Presumably the square wave is fed into a FET again, but the document doesn't mention it. That FET is visibile on radar and that allows the data to be transferred. Power consumption isn't mentioned and it's dated "2007, declassify on 2032" but it's date says 2009. Peculiar. Another ANGRYNEIGHBOR type radar reflector.</div>
<div><br></div><div>DROPOUTJEEP - STRAITBIZARRE for iPhone. Compliant with FREEFLOW and therefore supported in the TURBULENCE architecture. Communicates over SMS or GPRS data connections in a covert and encrypted way. Close access methods are first deployment methods, later the remote installation will be made. Can do anything with the phone. Anything. (Maybe even activate the vibrator on funny moments) (In development in 2008, no date seems to be planned)</div>
<div><br></div><div>GOPHERSET - SIM card rootkit. This is crazy. Phase 2+ simcards can make requests (like sent sms) and are actually minicomputers. This is called the SIM Toolkit (STK). It can also request Phonebooks, SMS and call logs. It can be installed through <b>over the air provisioning</b> or a USB smartcard reader. A straw of hope is given when sometimes security keys are required. How does a company refuse to work with the NSA again? (was finished but unused in 2007)</div>
<div><br></div><div>MONKEYCALENDAR - As GOPHERSET but gets location data that it politely requests from the handset.</div><div><br></div><div>PICASSO - a modified phone that just leaks everything over SMS. Even room audio. Seems to be targeted for infiltrators. If someone has had an Eastcom 760c+, Samsung E600, X450, C140 (Arabic or not), suspect him strongly. (This is why this hurts the NSA)</div>
<div><br></div><div>TOTECHASER - Sattelite phone (Thuraya 2520) exploit. They were still working on it. Looking for a good deployment tactic, remote too. Mostly location, contact list and call history at that moment.</div>
<div><br></div><div>TOTEGHOSTLY 2.0 - Windows Mobile STRAITBIZZARE. CHIMNEYPOOL framework. Compliant with the FREEFLOW project, supported in the TURBULENCE architecture. A FRIEZERAMP interface using HTTPSlink2 transport module handles encrypted communications.</div>
<div><br></div><div>CANDYGRAM - A GSM tower "repeater" that texts up to 200 agents when a target enters the vicinity of it. "GSM Telephone Tripwire". Wonder what they ever used this for, SMS isn't very synchronized so operations shouldn't depend upon it. Maybe it's synchronized if the NSA wants it to be?</div>
<div><br></div><div>CROSSBEAM - Connects a modified (WASABI, it looks like from the picture) GSM product to a WAGONBED controller board (old version of JUNIORMINT?). Used to intercept GSM voice and data. CHIMNEYPOOL compliant. Can also contain a DSP (ROCKYKNOB) that's usefull in some cases. I think it just listens to nearby conversation and then sends it home. It's a bit unclear if it's implanted into a tower or carried around or something. Confusing.</div>
<div><br></div><div>CYCLONE Hx9 - GSM(900MHz) Network in a box. TYPHON feature base and applications, whichever those might be. Hella strong (>32km range). Can even voip with it. NSA can rent it for 70k / 2 months.</div>
<div><br></div><div>EBSR - Active GSM base station and phone. Also a find-a-phone active unit. Smallish and portableish (1W). Has LANDSHARK/CANDYGRAM capabilities. Operational Restrictions exist for equipment deployment. </div>
<div><br></div><div>ENTOURAGE - Software defined radio used to find the directional origin of a radio message. Actually pretty hard to deploy. Uses the HOLLOWPOINT platform. Has "ARTEMIS-like" capability for certain waveforms. Works with NEBULA for find-a-phone in the GALAXY program. Complicated radio stuff. ($70k) (2009)</div>
<div><br></div><div>GENESIS - regular feature phone except it contains a Software Defined Radio and additional system memory. Connects over Ethernet cable to a laptop for downloading collected Radio info. Could be used to find-a-phone like WATERWITCH, 16GB of internal storage and does well with the ladies. They want to extend it to be WATERWITCH without depending on TYPHON (or similar device).</div>
<div><br></div><div>NEBULA - Many protocol Network in a Box. Applications unclear. Operational restrictions exist for equipment deployment. (apparently it's not so sneaky)</div><div><br></div><div>TYPHON HX - Tricked out GSM Base Station Router. Network in a box. Can geolocate users. You'd say it does more (listening in on conversations at least) but it doesn't seem clear.</div>
<div><br></div><div>WATERWITCH - E-ink find-my-TYPHON-connected phone device. Last mile stuff. Like parking backwards but towards a phone. Depends upon the TYPHON.</div><div><br></div><div>COTTONMOUTH-I - USB connector with HOWLERMONKEY transceiver, TRINITY and a USB 1.1 hub. It can be remotely upgraded. It can pretend to be any USB device, and thus use USB exploits to exploit the OS (persistently). It can also communicate through a wireless mesh using the SPECULATION protocol. It communicates with DNT's STRAITBIZARRE covertly.</div>
<div>It can break air-gapped networks.</div><div>it "will be a GENIE-compliant implant based on CHIMNEYPOOL."</div><div>It fits INSIDE of a NORMAL USB-A connector! Can be made to be in a keyboard too, then it's called MOCCASIN. (1000k per 50 units) (available 2009)</div>
<div><br></div>COTTONMOUTH-II - Functionality as COTTONMOUTH-I except a 2.0 USB hub. Sneaked into a double USB port connector common on motherboards today. Must be wire-connected to a wireless transmitter elsewhere in the case.</div>
<div class="gmail_quote"><br></div><div class="gmail_quote">COTTONMOUTH-III - As COTTONMOUTH-II but with a build in transmitter. Is on the back of the double USB port instead of worked into it. Can be connected to a long range transmitter elsewhere in the case, but it definitely part of the local mesh network.</div>
<div class="gmail_quote"><br></div><div class="gmail_quote">FIREWALK - Connects to the back of the Ethernet + USB stack that's common on motherboards. Intercepts IP packets on up to Gigabit Ethernet ports or even creates them. Connects through HOWLERMONKEY transceivers. Can create an Ethernet tunnel to the ROC or an "intermediate redirector node such as DNT's DANDERSPRITZ tool.".</div>
<div class="gmail_quote"><br></div><div class="gmail_quote">RAGEMASTER - Taps the <b>red channel</b> on a monitor and becomes as visible to radar as the signal is strong, IOW: makes the monitor's contents radar visible. <b>Is not essential for VAGRANT</b>, just makes it easier. Advice: when displaying sensitive data, do it in many colors! Add colorful noise to the letters, making sure that humans pick it up through the noise. Think of the colorblind too though. This all will make reconstruction harder. Radar connects to LFS-2 and a monitor, NIGHTWATCH, GOTHAM or VIEWPLATE. (30$) (2008)</div>
<div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote"><div><br></div><div>Language oddities / intel spills :</div><div>"Through interdiction" [x can be implanted], what does this mean, really? It <i>should</i> mean legally approved physical action <i>I think. </i>(from IRONCHEF and others)</div>
<div><br></div><div>"the customer" seems like the NSA is selling this to customers. Who are the customers? Do they consider other 3letters customers? Are they their own customers? Naive? Maybe they sell it to companies? (from FEEDTHROUHG) (note: seems like it's NSA divisions other than ANT, never know though especially TAO**)</div>
<div><br></div><div>"DNT's BANANAGLEE and CES's ZESTYLEAK" - there seem to be at least two companies, DNT and CES, with which the NSA works intimately.</div><div><br></div><div>CNO means Computer Network Operations</div>
<div>CNA means Computer Network Attacks</div><div>PBD means Persistent BackDoor</div><div>DNT means Data Network Technologies</div><div><br></div><div>* GOURMET is a French word for appreciating delicious stuff (or something like that) and a Dutch style of eating that has you cooking mini-foods on a baking plate and eating it right away. I'm not sure this is an international phenomena, so I thought I'd clarify. (Dutch people in the NSA? Wouldn't surprise me)</div>
<br>** From another <a href="http://leaksource.wordpress.com/2013/12/30/nsas-tailored-access-operations-elite-hacking-unit-revealed/">article</a>: "Tailored Access Operations, or TAO. This is the NSA’s top operative unit". This is counter to the believe that "The NSA has no field agents". I doubt it's the "top operative unit", since it's publicly known. Maybe there's a little TAO elite circle? Someone make a movie about a TAO unit or two! ~280 operations per year for 2000 agents. Agent count going up (afai can tell). "NSA works together with other intelligence agencies such as the CIA and FBI, which in turn maintain informants on location who are available to help with sensitive missions."; expendable agents! Nice! <b>Has military agents</b>, useful for what again?</div>
<div class="gmail_quote"><br></div><div class="gmail_quote">*** May I recommend the paranoid and heroic people of *BSD to consider a method of sanity checking the OS itself while it's running? How to beat the BIOS, will be the paper's name.</div>
<div class="gmail_quote"><br></div><div class="gmail_quote">**** all I can find is Naval blahblahblah. The Navy shouldn't be leading in this operation. I'm not sure who's meant with NSAW.</div></div></div>