Top NSA hacks of our computers

  • ANT: Just one of NSA's crack development teams

    Last week I wrote up a leak of an NSA document describing DEITYBOUNCE, a tool for flashing malicious BIOS on Dell servers. Not until the next day did I realize that it was part of a much larger set of descriptions of such hacks. In this image gallery I describe many of the most interesting ones.

    The leaked documents were first described in an article in Der Spiegel, the German magazine. Most are in the same spirit as DEITYBOUNCE and have similar code names. Many are for hacking into mainstream computing hardware like the Dell PowerEdge servers hacked by DEITYBOUNCE, or for big-name networking hardware from the likes of Cisco, Juniper and Huawei.

    There are also devices for tapping into video cables, wireless networks and USB ports. There are devices meant to capture audio in a room and send it elsewhere. There are devices which I just don't understand. Quite a bit of it looks stereotypically James Bond-like.

    These documents are all rather old, dating from 2007 to 2009. It's likely that many, if not most, are obsolete. Certainly DEITYBOUNCE is not likely to be useful anymore. We have no reason to believe that the NSA gave up on this sort of espionage, so it's reasonable to assume there are more current devices and descriptions out there. Perhaps Snowden and his buddies in the press are holding them back for future leakage.

    The tools are the work of a group called ANT, which Der Spiegel says "...presumably stands for Advanced or Access Network Technology." The descriptions of ANT's tools make it clear that there are other groups at the NSA doing similar, related work and perhaps their descriptions are still to come.

    Many of the tools, both hardware and software, need some sort of insider help for installation. There are many places this can be done, such as the manufacturer, a distributor, an intercepted shipment, or even the company's own IT, perhaps even after a bribe or blackmail.

    One of the tools, DROPOUTJEEP, got a lot of attention about a week ago because it provides a hack for iPhones.

    Published: January 6, 2014 -- 09:00 GMT (01:00 PST)

    Caption by: Larry Seltzer

  • IRONCHEF: Hacking the HP Proliant 380DL G5 server

    Superficially just like DEITYBOUNCE in that it's designed to be a persistent compromise of a common server platform. There is a software component but, instead of flashing a BIOS, IRONCHEF uses a "hardware implant." Like the flashed BIOS, the hardware device can reinstall the software component at boot time.

    The document is dated 7/14/2008.


  • FEEDTROUGH+GOURMETTROUGH: Persistence technique for other attacks against Juniper Netscreen firewalls

    Things get confusing and a little scary here: FEEDTROUGH isn't actually an attack on certain Juniper Netscreen firewalls, but a way to make other attacks persistent across reboots. These other attacks are identified as "DNT's BANANAGLEE and CES'S ZESTYLEAK." Who are DNT and CES? I don't know and neither BANANAGLEE nor ZESTYLEAK are in this collection.

    FEEDTROUGH is version-specific to the OS and maintains a database of OS versions; at boot time it checks the OS version and, if it's one not in the database, FEEDTROUGH exits and allows the boot to continue normally. But check out this line: "If the OS is one modified by DNT, it is not recognized, which gives the customer freedom to field new software."

    I repeat: Who is DNT, and how is it that they can modify the OS? Clearly FEEDTROUGH raises more questions than it answers. (But since I ask, DNT is, according to Cryptome, Digital Network Technologies, a private company which builds these things for the NSA.)

    There is a separate document on GOURMETTROUGH, which sounds like a fine-tuned version of FEEDTROUGH. The description speaks more of DNT, making it sound like another NSA group.

    There are several other tools with roughly the same description, tailored for different manufacturers and models: HALLUXWATER, JETPLOW, SOUFFLETROUGH, HEADWATER, SCHOOLMONTANA, SIERRAMONTANA and STUCCOMONTANA.

    All documents are dated 6/24/2008.


  • LOUDAUTO: a tiny, low-power microphone

    LOUDAUTO is just a "bug" in the old sense, a microphone for picking up audio and transmitting it for the NSA (or whomever) to collect. They call it an "audio-based RF retro-reflector."

    It can pick up office-volume audio from over 20 feet away, although perhaps less if concealed. It consumes very little power, which is partly due to the way it retransmits the audio it receives: it passively reflects a digital conversion of the analog audio using a continuous wave signal from a separate, nearby unit.

    LOUDAUTO is built entirely with commercial off-the-shelf hardware. Compared to the hacks of commercial computing equipment, LOUDAUTO sounds almost innocuous. This is the sort of spy stuff the government has been doing for many, many decades.

    (Yes, I agree, this isn't a computer hack and therefore doesn't conform to the title, but I thought it was cool.)

    The document is dated 4/7/2009.


  • NIGHTSTAND: a wifi-based client exploitation system

    No wired network access? No problem! Set up your NIGHTSTAND, hack into the wifi and exploit computers running Windows 2000, Windows XP, Windows XP SP1 and Windows XP SP2 along with Internet Explorer 5 or 6.

    NIGHTSTAND is a dedicated Linux Fedora Core 3 computer inside a box with a big antenna that looks like it came off a cell tower. Why? "Use of external amplifiers and antennas on both experimental and operational scenarios have resulted in successful NIGHTSTAND attacks from as far away as eight miles under ideal environmental conditions."

    The description says nothing about the mode of attack, but it's likely that NIGHTSTAND can only work on open or WEP-based wifi networks. Back in 2008 this may have been a workable strategy.

    The document is dated 7/25/2008.


  • SPARROW II: A passive Wifi collection device

    A mini-Linux 2.4 device with a PowerPC chip that captures at least 2 hours of wifi data (at which point the battery starts to go). It runs the BLINDDATE application software, whatever that is. It has Mini PCI slots for expansion.

    The document is dated 7/25/2008.


  • RAGEMASTER, TAWDRYYARD and NIGHTWATCH: What's on your display and where is it?

    RAGEMASTER is amazing: it's a device that's embedded "...in the ferrite video cable" between the card and monitor. It taps the red video signal and re-radiates it to a separate unit which decodes and displays it.

    That unit would be NIGHTWATCH. TAWDRYYARD acts as a beacon to assist in the location of the RAGEMASTER units.

    According to Cryptome, this technology has been used fairly recently, "...as of September 2010 at the following embassies: Brazil's UN Mission in NY (POKOMOKE), France's UN Mission in NY (BLACKFOOT), India's Embassy and annex in DC, and India's UN Mission in New York. India's embassies were slated to be detasked, at the time of the document."

    The documents are dated 7/24/2008 and 4/7/2009.


  • GINSU+BULLDOZER+KONGUR: Spying on you through the PCI bus

    BULLDOZER is a hardware implant in the PCI bus, installed "through interdiction." KONGUR is a malware payload that uses BULLDOZER to spy on and control the system. GINSU makes KONGUR persistent.

    The document is dated 6/20/2008.


  • MAESTRO-II: When only an implanted full computer will do

    MAESTRO-II is just one of several implantable, programmable computers in the list. There's nothing remarkable about the architecture except that it conforms to the "TAO standard implant architecture" — TAO is Tailored Access Operations, NSA's hacking and bugging unit.

    The document is dated 8/5/2008.


  • SWAP+ARKSTREAM+TWISTEDKILT: The super-rootkit in your Windows system

    SWAP, ARKSTREAM and TWISTEDKILT are used together to perform, on an arbitrary computer, much the same effect as DEITYBOUNCE: ARKSTREAM reflashes the BIOS and TWISTEDKILT writes to the hard disk's Host Protected Area; SWAP provides software application persistence. In fact, ARKSTREAM is the BIOS flashing component in DEITYBOUNCE.

    Because it is flashed into the BIOS, it can execute before any software-based security.
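    The Host Protected Area that TWISTEDKILT writes to is a region at the end of the drive that the disk firmware hides from the operating system, so nothing running on the OS (the file system, antivirus, most imaging tools) ever sees it. The first check a practitioner runs for that kind of hiding is to compare the drive's accessible and native sector counts, which `hdparm -N` reports on Linux. The Python below is an added example written for this page, not code from the article or from any of the tools it describes; it parses constructed sample `hdparm -N` output (both sample strings are made up for the demonstration) and flags a drive whose accessible maximum is below its native maximum.

```python
import re

# Constructed sample outputs in the format printed by `hdparm -N /dev/sdX`
# (made up for this demonstration, not captured from a real machine).
# The first number is the currently accessible maximum sector count,
# the second is the drive's native maximum.
SAMPLE_CLEAN = """/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled
"""

SAMPLE_HIDDEN = """/dev/sdb:
 max sectors   = 976700000/976773168, HPA is enabled
"""

_MAX_SECTORS = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def hpa_status(hdparm_output):
    """Return (device, accessible_sectors, native_sectors, hidden_sectors)
    parsed from hdparm -N output, or None if no 'max sectors' line exists.

    A non-zero hidden count means the drive presents fewer sectors than it
    physically has; that invisible tail is what makes the HPA attractive
    as a place to park a firmware-stage payload."""
    device = None
    for line in hdparm_output.splitlines():
        line = line.strip()
        if line.endswith(":"):
            device = line[:-1]          # "/dev/sda:" header line
            continue
        m = _MAX_SECTORS.search(line)
        if m:
            accessible, native = int(m.group(1)), int(m.group(2))
            return (device, accessible, native, native - accessible)
    return None


def hpa_present(hdparm_output):
    """True when the drive hides sectors behind a Host Protected Area.
    Compares the two numbers rather than trusting the trailing text,
    since some hdparm versions word it as 'ACCESSIBLE MAX ADDRESS'."""
    parsed = hpa_status(hdparm_output)
    return parsed is not None and parsed[3] > 0


def hidden_bytes(hdparm_output, sector_size=512):
    """Size of the hidden region in bytes (0 when nothing is hidden)."""
    parsed = hpa_status(hdparm_output)
    return 0 if parsed is None else parsed[3] * sector_size


if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_HIDDEN):
        dev, acc, nat, hid = hpa_status(sample)
        verdict = "PRESENT" if hpa_present(sample) else "absent"
        print(f"{dev}: accessible={acc} native={nat} hidden={hid} sectors "
              f"({hidden_bytes(sample) // (1024 * 1024)} MiB), HPA {verdict}")
```

    Two caveats go with this check. A Device Configuration Overlay can lower the native maximum that the drive reports, so `hdparm --dco-identify` is the companion query. And because the numbers come from the drive's own firmware, a drive whose firmware has been replaced, as with the implants described under WISTFULTOLL below, can simply lie; from inside the running system you can only compare against a reference taken before the hardware left your control.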

    The document is dated 6/20/2008.


  • WISTFULTOLL+UNITEDRAKE+STRAITBIZZARE: Surreptitious forensic exam of Windows

    WISTFULTOLL is spyware which collects registry data and other information about a Windows system using WMI (Windows Management Instrumentation) API calls.

    Like a lot of surreptitious NSA software, WISTFULTOLL is installed and managed using either UNITEDRAKE or STRAITBIZZARE. These are frameworks for delivering payloads to systems; they implant using malicious hard drive firmware.

    The document is dated 6/20/2008.


  • GOPHERSET+MONKEYCALENDAR: Your SIM card is phoning home to Fort Meade

    For most people a SIM card in a phone is just a key that opens the door to their carrier's network, but there's more to them. A SIM card also holds the user's phone number, address book, text messages, and other data.

    GOPHERSET is a software hack of the SIM card itself. It "exfiltrates" the user's personal data using SMS. Yes, code on the SIM card can issue commands to and make requests of the phone. It can be deployed either through USB connection or over the air and may or may not require keys from the carrier. So maybe the carrier, or just a carrier employee, has to cooperate; maybe not.

    MONKEYCALENDAR is similar, but it captures and reports the phone's geolocation data.

    Interesting question: Surely the text messages are being sent from the user's carrier account, and if there are charges he'll see them on his bill. Perhaps there's more to it.

    The documents are dated 10/1/2008.


  • PICASSO: The cellular sniffer in the room

    PICASSO is cool. It's a modified handset that "collects user data, location information and room audio." It can be commanded remotely through SMS from a laptop and another phone.

    In fact it does a lot more than just collect data from the room — the description says "Block call to deny target service" which I guess means it can interfere with other phones in the room. It can also have a "panic button" sequence which alerts the operator and sends him location data.

    The document is dated 6/20/2008.


  • TOTECHASER+TOTEGHOSTLY: Getting inside Windows Mobile

    TOTECHASER and TOTEGHOSTLY are software hacks aimed at Windows Mobile devices. Windows Mobile never had a lot of traction in consumer markets, but there were narrow markets where it did quite well, including ruggedized phones and, as is the case with TOTECHASER, satellite phones.

    TOTECHASER is an implant for the Windows CE kernel inside Windows Mobile, specifically targeting the Thuraya SG-2520 dual-mode GSM/SAT handset (discontinued). Either this model was very popular or the NSA had someone specific in mind.

    The TOTECHASER writeup makes it clear that it's not fully baked (the documents are dated 10/1/2008). It sounds like it probably needs to be installed before the customer gets it, and they haven't figured that part out.

    TOTEGHOSTLY is a higher-level remote control framework for compromised (perhaps by TOTECHASER) Windows Mobile devices.


  • CANDYGRAM: Roaming into hostile territory

    CANDYGRAM is a fake cell tower, built out of a Windows XP system and a cell phone. It can be configured for a pre-set list of up to 200 phone numbers. When one of those phones comes within range of CANDYGRAM, it sends an SMS message to "registered watch phones."

    CANDYGRAM is designed for passive data collection, not attack of the target phones. There are several other tools in the list with various GSM "network in a box" functions.

    The document is dated 6/20/2008.


  • COTTONMOUTH: Up your Serial Bus

    We've got three devices here: COTTONMOUTH-I, COTTONMOUTH-II and COTTONMOUTH-III, all about compromising systems through USB.

    COTTONMOUTH-I is a smart "jacket" around a USB A plug. It monitors what's on the wire and communicates it either wirelessly to other COTTONMOUTH-I devices or through a covert channel in the USB wire to STRAITBIZZARE software. COTTONMOUTH-II is a USB port with a built-in tap to communicate with STRAITBIZZARE. There is no wireless component.

    COTTONMOUTH-III is a COTTONMOUTH-II and a tapped Ethernet port. Like COTTONMOUTH-I it has a wireless capability for communicating with other COTTONMOUTH devices and can talk to STRAITBIZZARE over the wire.

    These ports are of the type soldered to the motherboard, and so they have to be installed through an interdiction of the computer or, conceivably, at the factory itself.

    The document is dated 8/5/2008.


  • FIREWALK: Wireless spy on your wired network

    FIREWALK is a tapped, bidirectional Gigabit Ethernet port. It can actively inject Ethernet packets inbound or outbound. It has a built-in RF transceiver which it can use to communicate with a ROC (Remote Operations Center).

    The document is dated 8/5/2008.



The latest leaked documents from the NSA reveal a long collection, from 2007-2008, of software and hardware used to spy on computers and networks and to capture audio and video.
