[Cryptography] Equation Group Multiple Malware Program, NSA Implicated

ianG iang at iang.org
Wed Feb 18 06:58:48 EST 2015


On 17/02/2015 22:21 pm, Jerry Leichter wrote:
> On Feb 17, 2015, at 11:46 AM, ianG <iang at iang.org> wrote:
>> Snowden saying "encryption works."
> Snowden may be wrong.  He may have been deliberately led astray.  He may be a plant.
>
> It's not that I think any of these is true, but presumably Snowden believes *the encryption he was given to use while at NSA* works.

Snowden had a pretty broad view as to what was going on.  From all the 
stuff they are doing, how they are acting, you can draw inferences back 
to what worries them, what doesn't worry them and so forth.

This is what intel is all about:  collect all that you know and stare at 
it until you see the patterns.  The fact that is very strong here is 
that the NSA is spending huge amounts on cracking into machines.  Would 
they do that if they could crack the crypto?  Likely, less.  The NSA is 
no longer a *passive signals* agency, it is now more an *active digital 
command and control* agency.


> But that's not the encryption any of us use, so it doesn't help.  His statement that encryption, *in general*, works is odd because some of the stuff he released implies that there may be breaks.  It's all ambiguous - you could interpret the same material to say that the encryption itself is fine but the eavesdroppers have all kinds of way to get hold of keys.  But in the end ... does it really matter?  If we knew that AES absolutely, positively could not be broken by NSA - but we had *no idea* what key distribution or generation methods had been broken - we would be absolutely nowhere.


Right, we don't know which parts they can break and which not.  But we 
do know where they spend their energies.  Which indicates whatever they 
can do to break any of the crypto, it isn't enough.


>> EquationGroup use of RC4-6, AES, SHAs.
> But they also use simple XOR (see the slide set).  This is a situation where unbreakability isn't necessary.  They're more interested in hiding what they are doing - once someone *notices* an exfiltration or command stream, it doesn't matter all that much whether they can read exactly what it says; the game is up.  Even fairly weak encryption would be adequate to prevent simple recognition of such streams based on content.


They care some - they are using RC6 in places instead of RC4.  What this 
indicates to me is that they have respect for the outside crypto.  Which 
as a minimum means that they don't think the Russians or Chinese can 
break it.

What however is strange is that they used entirely American product. 
That's a finger pointing right back at the NSA.  Why not mix it in with 
some GOST?  BLAKE?  RIPEMD?  What's the thing they have going with Ron?
Is he a poster-boy for the root kit builders?


>> FBI complaining about going dark, we need backdoors - they only ever complain at that level as proxy for NSA, and same complaint is repeated in rapid succession in UK, DE.
> The FBI complains all the time.  The NSA isn't about to share their advanced techniques with the FBI; they don't want them exposed, which, "parallel construction" or not, will inevitably leak out if used in support of criminal cases.


No, I see this as a concerted campaign that was begun by the FBI and then 
spread to two other countries that I saw -- UK and DE just recently, 
which means it is being spread through the intel agencies.  This is a 
response to the American companies being embarrassed and showing a 
little spine - they need their backdoors in there.  So either they 
encourage bad software engineering or they get the companies on board to 
backdoor them.  Or?

I agree the NSA doesn't share this stuff with the FBI.  But they do use 
the FBI as the proxy for this in political lobbying.  This is the same 
thing that was happening with Louis Freeh in the 1990s.  The FBI 
doesn't care about crypto, they are on record as saying they came across 
one serious case where crypto *might* have impacted the result but did 
not.  In how many decades?

(Naive of me -- I actually grew up thinking it was illegal for 
government agencies in western democracies and *especially the military 
and intel* to get involved in politics.)


>> Practically all the exploits so far disclosed are about hacking the software, hardware, nothing we've seen comes even close to hacking the ciphers.  Some of the interventions are about hacking the RNGs - which typically take the cryptanalysis to places where we can hack it.  Off-the-record comments I've heard. Analysis of released systems such as Skipjack.
>>
>> It's all circumstantial.
> And I still don't have a strong belief that the NSA can break AES or any other particular magic thing.  But my belief that they *can't* is much weaker today than it was the day before yesterday.


Right.  One new fact can shift the pattern dramatically.  One deception 
plan by the enemy can lead us down the garden path for years.  Different 
analysts can draw opposing conclusions from the same 'facts' and flip 
tomorrow.

This is how intel is.


>>> (To the point where they've apparently even neglected defense of their own internal systems:  What Snowden did was certainly something they *thought* they had a defense against.)
>> No, I think that is unfair.
> Unfair to whom?  Besides, they've as much as admitted (by the actions they've taken since) that they've come to see their pre-Snowden precautions as insufficient.

Oh, sorry, I didn't finish that, got confused and sent the post without 
thought.

The insider theft has always been a huge difficulty.  But the NSA is 
more a victim of changing circumstances than any huge laxness.  A 
scratch list:

  * They haven't had a major spy case in years.
  * Statistically they have to have a number of insider cases and afaics 
it is about 10 over the last decade or so, drawing widely to other agencies.
  * The 911 switch caused massive opening up across all intel agencies.
  * Which meant that if you trust the FBI with stuff, you are going to 
worry less about your sysadmins who are security cleared very heavily.
  * Also the 911 switch caused a massive switch away from the normal NSA 
doctrine of ignoring americania to total information awareness.  This 
latter being the thing that offended Snowden.
  * The Bush / Obama administration debased the patriotism coin to 
worthless, something that is not easy to see in the center.
  * A massive upgrade in cyber warrior caused attention and resources to 
switch away from existing long term and non-cyber-warrior insiders to 
the incoming flood of people.

If they hadn't been 'lax' they couldn't have coped with the above. 
Snowden was a bullet they had to take to get where they are going.  They 
can't go very open, very broad and also illegal at the same time without 
offending some statistical number of insiders who don't buy the 
patriotism rhetoric.


>> What's the guess -- how many cyber warriors are there in employment in USA today?  100,000?
> Depends on what you count, I suppose.  The military services have large numbers of people doing "cyber warfare", most of whom are doing defense.

Right, I mean, count the entire US military-industrial machine, so DoD 
and contractors as well.  I recall a couple of years ago talking to a 
major contractor in AU and the indication was lots of slots in new cyber 
division, and any other slots opening were due to people being 
transferred into this new growing carbuncle.


> Their jobs are not all that different from those of security managers (not developers) at commercial organizations - though since this is the military, the procedures are much more standardized, as are the systems being managed, and there are many more people there on a day by day basis.

Hmmm.

> If you mean people doing security development - defense or attack; or even those training to do attack with tools the bigwigs develop for them ... it's anyone's guess.  My gut says closer to 10,000 than 100,000, and that would be including a large number of people with basic training on how to attack low-level, ill-defended targets.

OK.

> Remember how the Navy Seals who took out OBL grabbed all the computers and USB sticks and such?  They clearly had training on what to look for and how to seize it in a way that didn't destroy the data.  And there are undoubtedly rooms full of people who work on extracting data from such seized devices.  They are part of the "cyber warfare" community, by any reasonable definition of the term.

Yep.  I can imagine the Seals being told "the reason you are going in 
today is because someone somewhere past stole some digital data...  So 
time to pay it forward, guys: *bring back the data*.  More important 
than the body."

;)



iang

