tdubz
Registered: 02/26/12
Posts: 5,586
The NSA Leak Is Real, Snowden Documents Confirm
    #23556390 - 08/19/16 10:14 AM (7 years, 5 months ago)

https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/

Quote:
On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA. Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.
The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.

The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.
SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don’t always have the last word when it comes to computer exploitation.
But malicious software of this sophistication doesn’t just pose a threat to foreign governments, Johns Hopkins University cryptographer Matthew Green told The Intercept:

The danger of these exploits is that they can be used to target anyone who is using a vulnerable router. This is the equivalent of leaving lockpicking tools lying around a high school cafeteria. It’s worse, in fact, because many of these exploits are not available through any other means, so they’re just now coming to the attention of the firewall and router manufacturers that need to fix them, as well as the customers that are vulnerable.
So the risk is twofold: first, that the person or persons who stole this information might have used them against us. If this is indeed Russia, then one assumes that they probably have their own exploits, but there’s no need to give them any more. And now that the exploits have been released, we run the risk that ordinary criminals will use them against corporate targets.

The NSA did not respond to questions concerning ShadowBrokers, the Snowden documents, or its malware.
A Memorable SECONDDATE
The offensive tools released by ShadowBrokers are organized under a litany of code names such as POLARSNEEZE and ELIGIBLE BOMBSHELL, and their exact purpose is still being assessed. But we do know more about one of the weapons: SECONDDATE.
SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server. That server, in turn, is designed to infect them with malware. SECONDDATE’s existence was first reported by The Intercept in 2014, as part of a look at a global computer exploitation effort code-named TURBINE. The malware server, known as FOXACID, has also been described in previously released Snowden documents.
Other documents released by The Intercept today not only tie SECONDDATE to the ShadowBrokers leak but also provide new detail on how it fits into the NSA’s broader surveillance and infection network. They also show how SECONDDATE has been used, including to spy on Pakistan and a computer system in Lebanon.

The top-secret manual that authenticates the SECONDDATE found in the wild as the same one used within the NSA is a 31-page document titled “FOXACID SOP for Operational Management” and marked as a draft. It dates to no earlier than 2010. A section within the manual describes administrative tools for tracking how victims are funneled into FOXACID, including a set of tags used to catalogue servers. When such a tag is created in relation to a SECONDDATE-related infection, the document says, a certain distinctive identifier must be used:
 

The same SECONDDATE MSGID string appears in 14 different files throughout the ShadowBrokers leak, including in a file titled SecondDate-3021.exe. Viewed through a code-editing program (screenshot below), the NSA’s secret number can be found hiding in plain sight:

All told, throughout many of the folders contained in the ShadowBrokers’ package (screenshot below), there are 47 files with SECONDDATE-related names, including different versions of the raw code required to execute a SECONDDATE attack, instructions for how to use it, and other related files.
After viewing the code, Green told The Intercept the MSGID string’s occurrence in both an NSA training document and this week’s leak is “unlikely to be a coincidence.” Computer security researcher Matt Suiche, founder of UAE-based cybersecurity startup Comae Technologies, who has been particularly vocal in his analysis of the ShadowBrokers this week, told The Intercept “there is no way” the MSGID string’s appearance in both places is a coincidence.

Where SECONDDATE Fits In

This overview jibes with previously unpublished classified files provided by Snowden that illustrate how SECONDDATE is a component of BADDECISION, a broader NSA infiltration tool. SECONDDATE helps the NSA pull off a “man in the middle” attack against users on a wireless network, tricking them into thinking they’re talking to a safe website when in reality they’ve been sent a malicious payload from an NSA server.

According to one December 2010 PowerPoint presentation titled “Introduction to BADDECISION,” that tool is also designed to send users of a wireless network, sometimes referred to as an 802.11 network, to FOXACID malware servers. Or, as the presentation puts it, BADDECISION is an “802.11 CNE [computer network exploitation] tool that uses a true man-in-the-middle attack and a frame injection technique to redirect a target client to a FOXACID server.” As another top-secret slide puts it, the attack homes in on “the greatest vulnerability to your computer: your web browser.”

One slide points out that the attack works on users with an encrypted wireless connection to the internet.
That trick, it seems, often involves BADDECISION and SECONDDATE, with the latter described as a “component” for the former. A series of diagrams in the “Introduction to BADDECISION” presentation show how an NSA operator “uses SECONDDATE to inject a redirection payload at [a] Target Client,” invisibly hijacking a user’s web browser as the user attempts to visit a benign website (in the example given, it’s CNN.com). Executed correctly, the file explains, a “Target Client continues normal webpage browsing, completely unaware,” lands on a malware-filled NSA server, and becomes infected with as much of that malware as possible — or as the presentation puts it, the user will be left “WHACKED!” In the other top-secret presentations, it’s put plainly: “How do we redirect the target to the FOXACID server without being noticed”? Simple: “Use NIGHTSTAND or BADDECISION.”

The sheer number of interlocking tools available to crack a computer is dizzying. In the FOXACID manual, government hackers are told an NSA hacker ought to be familiar with using SECONDDATE along with similar man-in-the-middle wi-fi attacks code-named MAGIC SQUIRREL and MAGICBEAN. A top-secret presentation on FOXACID lists further ways to redirect targets to the malware server system.

To position themselves within range of a vulnerable wireless network, NSA operators can use a mobile antenna system running software code-named BLINDDATE, depicted in the field in what appears to be Kabul. The software can even be attached to a drone. BLINDDATE in turn can run BADDECISION, which allows for a SECONDDATE attack:

Elsewhere in these files, there are at least two documented cases of SECONDDATE being used to successfully infect computers overseas: An April 2013 presentation boasts of successful attacks against computer systems in both Pakistan and Lebanon. In the first, NSA hackers used SECONDDATE to breach “targets in Pakistan’s National Telecommunications Corporation’s (NTC) VIP Division,” which contained documents pertaining to “the backbone of Pakistan’s Green Line communications network” used by “civilian and military leadership.”

In the latter, the NSA used SECONDDATE to pull off a man-in-the-middle attack in Lebanon “for the first time ever,” infecting a Lebanese ISP to extract “100+ MB of Hizballah Unit 1800 data,” a special subset of the terrorist group dedicated to aiding Palestinian militants.
SECONDDATE is just one method that the NSA uses to get its target’s browser pointed at a FOXACID server. Other methods include sending spam that attempts to exploit bugs in popular web-based email providers or entices targets to click on malicious links that lead to a FOXACID server. One document, a newsletter for the NSA’s Special Source Operations division, describes how NSA software other than SECONDDATE was used to repeatedly direct targets in Pakistan to FOXACID malware web servers, eventually infecting the targets’ computers.

A Potentially Mundane Hack
Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has offered some context and a relatively mundane possible explanation for the leak: that the NSA headquarters was not hacked, but rather one of the computers the agency uses to plan and execute attacks was compromised. In a series of tweets, he pointed out that the NSA often lurks on systems that are supposed to be controlled by others, and it’s possible someone at the agency took control of a server and failed to clean up after themselves. A regime, hacker group, or intelligence agency could have seized the files and the opportunity to embarrass the agency.





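The article above rests on one indicator: the 16-character MSGID string from the FOXACID manual turning up in 14 files of the leak. A defender handling such a dump does the same thing in reverse, sweeping a set of files for a known marker and recording where it occurs. The script below is an added example written for this thread, not code from The Intercept or from the leak; the sample files are constructed, and scanning for a UTF-16LE copy of the tag as well as the ASCII form is my own generalisation (Windows binaries often store wide strings), not something the article reports.

```python
import hashlib
import re

# The 16-character MSGID string quoted in the FOXACID manual excerpt above.
SECONDDATE_MSGID = "ace02468bdf13579"

# Encodings to search. The UTF-16LE form is an assumption about how a short tag
# might be stored in a Windows binary, not a fact taken from the article.
_PATTERNS = {
    "ascii": re.compile(re.escape(SECONDDATE_MSGID.encode("ascii")), re.IGNORECASE),
    "utf-16le": re.compile(re.escape(SECONDDATE_MSGID.encode("utf-16-le")), re.IGNORECASE),
}


def scan_blob(name: str, data: bytes, context: int = 8) -> list[dict]:
    """Return one hit record per occurrence of the MSGID in `data`.

    Each record carries the file name, its SHA-256 (so the finding can be
    cross-referenced later), the encoding that matched, the byte offset and a
    few bytes of surrounding context for an analyst to eyeball.
    """
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    for encoding, pattern in _PATTERNS.items():
        for match in pattern.finditer(data):
            start, end = match.span()
            hits.append({
                "file": name,
                "sha256": digest,
                "encoding": encoding,
                "offset": start,
                "context": data[max(0, start - context):end + context],
            })
    return hits


def scan_files(files: dict[str, bytes]) -> dict:
    """Scan every blob in `files` and summarise hits per file."""
    all_hits = []
    for name, data in files.items():
        all_hits.extend(scan_blob(name, data))
    per_file: dict[str, int] = {}
    for hit in all_hits:
        per_file[hit["file"]] = per_file.get(hit["file"], 0) + 1
    return {"files_with_hits": len(per_file), "per_file": per_file, "hits": all_hits}


# Constructed sample "files": a fake PE-like blob with the tag after a MSGID= label,
# a text note with the tag in upper case, a wide-string copy, and a clean binary.
SAMPLE_FILES = {
    "SecondDate-3021.exe": b"MZ\x90\x00" + b"\x00" * 20 + b"MSGID=ace02468bdf13579\x00" + b"\x90" * 16,
    "notes.txt": "tag: ACE02468BDF13579 (uppercase copy)\n".encode("ascii"),
    "wide.bin": "ace02468bdf13579".encode("utf-16-le"),
    "clean.dll": b"MZ" + bytes(range(256)),
}

if __name__ == "__main__":
    report = scan_files(SAMPLE_FILES)
    print(f"{report['files_with_hits']} file(s) contain the SECONDDATE MSGID")
    for hit in report["hits"]:
        print(f"  {hit['file']:22} {hit['encoding']:9} offset={hit['offset']:<5} "
              f"sha256={hit['sha256'][:16]}...  context={hit['context']!r}")
```

Run against a real directory, the loop would read each file's bytes into the `files` mapping; the per-file SHA-256 is what lets a later report say which specific copies of a binary carried the marker, which is the kind of count (14 files, 47 SECONDDATE-named files) the article gives.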
rider420
Ghost in the machine
Registered: 02/11/16
Posts: 659
Re: The NSA Leak Is Real, Snowden Documents Confirm [Re: tdubz]
    #23556477 - 08/19/16 10:51 AM (7 years, 5 months ago)

Being paranoid is its own reward. Luxury living under a rock!

ROLMFAO
Quote:
Blade Runner: "Quite an experience to live in fear, isn't it?" "That's what it is to be a slave."

Run and hide, Chicken Little; your fear is far worse than anything anyone can do to you.


tdubz
Registered: 02/26/12
Posts: 5,586
Re: The NSA Leak Is Real, Snowden Documents Confirm [Re: rider420]
    #23556490 - 08/19/16 10:56 AM (7 years, 5 months ago)

The master hackers getting hacked could not have been universally ironic any other way.


LuSiD enthusiast
Stranger
Registered: 03/14/13
Posts: 4,325
Re: The NSA Leak Is Real, Snowden Documents Confirm [Re: rider420]
    #23556501 - 08/19/16 11:00 AM (7 years, 5 months ago)

Do you believe everything you read on the internet? There's no way that stuff would be public for anyone like you to read. :facepalm:

Ok, so at work I was talking to a co-worker about how in my history class we read official Guantanamo training manuals; one example was how to slap people in the most degrading way possible. This fucking retard who used to be in the military (which makes him an expert on anything :rofl:) comes up and pretty much just shouts that that's classified and there's no way that shit would be public :facepalm: ×1000. In 5 seconds I pulled up the exact document and he says what I did above the spoiler :facepalm:. I really don't understand people who don't understand how useful the internet is. None of my coworkers even remember Edward Snowden and WikiLeaks happening at all, so now I'm the fucking idiot, not to mention one of them is 7 years older than me and the guy I'm bitching about is twice my age. :facepalm:

Whenever he argues with me I ask him how it feels to be working the same position as me even though he should have a better job, that and the fact that he has to argue with people half his fucking age just to feel smart. :rofl:

For added bonus, I have two jobs outside of this one and he acts like it's impossible to work a job if he already works part time till 11. :rofl:


People make me fucking sick sometimes.

/endrant


--------------------
I'm addicted to coke, weed, booze, ludes and speed.
Not LSD, you can't get addicted to LSD, it was built by scientists.

I ain't got no demons that gonna get woke.


In erowid we trust.

Just take your damn pills and don't ask any questions, you'll be fine.


tdubz
Registered: 02/26/12
Posts: 5,586
Re: The NSA Leak Is Real, Snowden Documents Confirm [Re: LuSiD enthusiast]
    #23556513 - 08/19/16 11:05 AM (7 years, 5 months ago)

I love the intercept they always have the juiciest details.


tdubz
Registered: 02/26/12
Posts: 5,586
Re: The NSA Leak Is Real, Snowden Documents Confirm [Re: tdubz]
    #23560866 - 08/20/16 06:48 PM (7 years, 5 months ago)

Cisco has already patched a few vulnerabilities as a result of the leak.


tdubz
Registered: 02/26/12
Posts: 5,586
Re: The NSA Leak Is Real, Snowden Documents Confirm [Re: tdubz]
    #23561239 - 08/20/16 08:23 PM (7 years, 5 months ago)

http://arstechnica.com/security/2016/08/cisco-firewall-exploit-shows-how-nsa-decrypted-vpn-traffic/
How the NSA snooped on encrypted Internet traffic for a decade

Quote:
In a revelation that shows how the National Security Agency was able to systematically spy on many Cisco Systems customers for the better part of a decade, researchers have uncovered an attack that remotely extracts decryption keys from the company's now-decommissioned line of PIX firewalls.

The discovery is significant because the attack code, dubbed BenignCertain, worked on PIX versions Cisco released in 2002 and supported through 2009. Even after Cisco stopped providing PIX bug fixes in July 2009, the company continued offering limited service and support for the product for an additional four years. Unless PIX customers took special precautions, virtually all of them were vulnerable to attacks that surreptitiously eavesdropped on their VPN traffic. Beyond allowing attackers to snoop on encrypted VPN traffic, the key extraction also makes it possible to gain full access to a vulnerable network by posing as a remote user.
BenignCertain's capabilities were tentatively revealed in this blog post from Thursday, and they were later confirmed to work on real-world PIX installations by three separate researchers. Before the confirmation came, Ars asked Cisco to investigate the exploit. The company declined, citing this policy for so-called end-of-life products. The exploit helps explain documents leaked by NSA contractor Edward Snowden and cited in a 2014 article that appeared in Der Spiegel. The article reported that the NSA had the ability to decrypt more than 1,000 VPN connections per hour.

"It shows that the NSA had the ability to remotely extract confidential keys from Cisco VPNs for over a decade," Mustafa Al-Bassam, a security researcher at payments processing firm Secure Trading, told Ars. "This explains how they were able to decrypt thousands of VPN connections per minute as shown in documents previously published by Der Spiegel."

The revelation is also concerning because data returned by the Shodan search engine indicate more than 15,000 networks around the world still use PIX, with the Russian Federation, the US, and Australia being the top three countries affected. Last weekend's release of BenignCertain and dozens of other NSA-connected attack tools means even relatively low-skilled hackers can now carry out the same advanced attack. Analysis of the exploit binary shows BenignCertain targeted PIX versions 5.3(9) through 6.3(4). The researchers, however, were able to make the key-extraction technique work against version 6.3(5) as well.

Cisco representatives on Friday declined to comment on the revelation, citing the previously mentioned end-of-life policy. Update: After this article went live, Cisco updated a previously written blog post to report that its product security incident response team decided to investigate BenignCertain after all. The team found that Adaptive Security Appliance, its currently supported firewall, is not vulnerable; PIX versions 6.x and earlier are affected; and PIX versions 7.0 and later are confirmed to be unaffected.

BenignCertain exploits a vulnerability in Cisco's implementation of the Internet Key Exchange, a protocol that uses digital certificates to establish a secure connection between two parties. The attack sends maliciously manipulated packets to a vulnerable PIX device. The packets cause the vulnerable device to return a chunk of memory. A parser tool included in the exploit is then able to extract the VPN's pre-shared key and other configuration data out of the response. According to one of the researchers who helped confirm the exploit, it works remotely on the outside PIX interface. This means that anyone on the Internet can use it. No pre-requirements are necessary to make the exploit work. The researcher provided this packet capture to show the end result of the attack.

Interestingly, Cisco's Adaptive Security Appliance, the firewall that replaced PIX, contained a similarly critical Internet Key Exchange vulnerability that was fixed three months ago. What's more, during the time the PIX vulnerability was active, firewalls from almost a dozen other providers were similarly vulnerable. While BenignCertain worked only against PIX, it's possible that still-undiscovered exploits were developed for other products.

How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
The key-extraction exploit could be even more powerful when combined with other attack tools in the possession of Equation Group, the elite, NSA-connected hacking team tied to it. Another tool called FalseMorel appears to extract the "enable" password that's required to gain administrative control over the PIX firewall itself. The BenignCertain tool lets attackers know if a given firewall is vulnerable to FalseMorel. BenignCertain, FalseMorel, and more than a dozen other tools were mysteriously published last weekend by a previously unknown group calling itself ShadowBrokers.

"Despite the existence of 0days, these tools seem to be overwhelmingly post-exploitation," security expert Rob Graham, CEO of Errata Security, wrote in a blog post published Thursday afternoon. "They aren't the sorts of tools you use to break into a network—but the sorts of tools you use afterwards."
Graham's comments came before the capabilities of BenignCertain were revealed. Now that they have been documented, it's clear at least some of the tools gave, and possibly still give, attackers an initial foothold into targeted networks.




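The Ars piece gives three version facts a network owner needs: the leaked binary targeted PIX 5.3(9) through 6.3(4), researchers extended the technique to 6.3(5), and Cisco's own statement is that 6.x and earlier are affected while 7.0 and later are not. Turning that into an inventory check is the practical response, so here is one as an added example; it is not Cisco's code or anything from the article. The version parser, the function names and the sample inventory are all constructed, and the "rotate the pre-shared key" advice is my own inference from the article's statement that the exploit's parser extracts the VPN's pre-shared key from the returned memory.

```python
import re
from dataclasses import dataclass

# Cisco PIX versions in the article are written major.minor(build), e.g. "6.3(4)".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")

# Ranges taken from the article: the leaked binary's target range, the one
# extra version researchers got it working on, and Cisco's affected cut-off.
PUBLISHED_TOOL_RANGE = ((5, 3, 9), (6, 3, 4))
RESEARCHER_EXTENDED = {(6, 3, 5)}
FIRST_UNAFFECTED_MAJOR = 7


def parse_pix_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor(build)' into a comparable tuple; raise on anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PIX version string: {text!r}")
    major, minor, build = (int(x) for x in match.groups())
    return (major, minor, build)


def is_pix_version(text: str) -> bool:
    """True if `text` is in the PIX version format this checker understands."""
    return _VERSION_RE.match(text.strip()) is not None


@dataclass
class Finding:
    host: str
    version: str
    affected: bool            # per Cisco's statement: 6.x and earlier
    in_published_tool: bool   # inside the leaked binary's range, or 6.3(5)
    action: str


def assess(host: str, version_text: str) -> Finding:
    """Classify one PIX device against the version facts in the article."""
    version = parse_pix_version(version_text)
    affected = version[0] < FIRST_UNAFFECTED_MAJOR
    lo, hi = PUBLISHED_TOOL_RANGE
    in_tool = lo <= version <= hi or version in RESEARCHER_EXTENDED
    if affected:
        # The article says the attack needs no prerequisites and works on the
        # outside interface, so exposure cannot be reduced by configuration alone;
        # replacing the box and rotating the key it may have leaked is the remedy
        # (the key rotation is my recommendation, not a claim from the article).
        action = "replace or upgrade to 7.0+ and rotate the VPN pre-shared key"
    else:
        action = "not affected by this issue"
    return Finding(host, version_text, affected, in_tool, action)


def assess_inventory(inventory: list[tuple[str, str]]) -> list[Finding]:
    return [assess(host, version) for host, version in inventory]


# Constructed sample inventory (hostnames and versions are made up for the demo).
SAMPLE_INVENTORY = [
    ("pix-edge-1", "6.3(4)"),
    ("pix-edge-2", "6.3(5)"),
    ("pix-lab", "5.2(1)"),
    ("pix-old", "5.3(9)"),
    ("pix-new", "7.0(8)"),
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        flag = "AFFECTED" if f.affected else "ok"
        tool = " (in published tool range)" if f.in_published_tool else ""
        print(f"{f.host:12} {f.version:8} {flag}{tool}: {f.action}")
```

The two flags are deliberately separate: `affected` follows the vendor statement and drives the action, while `in_published_tool` only tells you whether the specific leaked binary would have worked out of the box, which matters for incident scoping but does not make a 5.2 or 6.0 device safe.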