Wednesday, March 26, 2014

We may have witnessed a NSA "Shotgiant" TAO-like action

Last Friday, the New York Times reported that the NSA has hacked/infiltrated Huawei, a big Chinese network hardware firm. We may have witnessed something related to this.

In 2012, during an incident, we watched in real time as somebody logged into an account reserved for Huawei tech support, from the Huawei IP address space in mainland China. We watched as they executed a very narrow SQL query targeting specific data. That person then encrypted the results, emailed them to a Hotmail account, removed the log files, and logged out. Had we not been connected live to the system and watched it in real-time, there would have been no trace of the act.

The compelling attribute of the information they grabbed is that it was useful only to American intelligence. The narrowness of the SQL query clearly identified why they wanted the data. It wasn't support information, something that a support engineer would want. It wasn't indiscriminate information, something a hacker might grab. It wasn't something that would interest other intelligence services -- except to pass it on to the Americans.

I point this out to demonstrate the incompleteness of the New York Times story. The story takes the leaked document with the phrase "Leverage Huawei presence to gain access to networks of interest" and assumes it's referring to the existing narratives of "hardware backdoors" or "finding 0days". In fact, these documents can mean so much more, such as "exploiting support contracts".

A backdoor or 0day for a Huawei router would be of limited use to the NSA, because the control ports are behind firewalls. Hacking behind firewalls would likely give full access to the target network anyway, making any backdoors/0days in routers superfluous.

But embedding themselves inside the support infrastructure would give the NSA nearly unlimited access to much of the world. Huawei claims that a third of the Internet is running their devices. Almost all of it is under support contract. These means a Huawei support engineer, or a spy, can at any time reach out through cyberspace and take control of a third of the Internet hardware, located in data centers behind firewalls. Most often, it's the Huawei device or management server the NSA would target. In other cases, the Huawei product is just one hop away from the desired system, without a firewall in between.

You want to know who the Pakistani president called in the hours after the raid on the Bin Laden compound? Easy, just use the Huawei support account to query all the telephone switches. You want the contents of Bashar al-Assad's emails? Easy, just log into the Huawei management servers that share accounts with the email servers.

This isn't a just Huawei issue, but a universal principle of hacking. An example of this was last Christmas's breach of the retailer Target, where 40 million credit cards were stolen by hackers. Apparently, hackers first breached the HVAC (air conditioning) company, then leveraged their VPN connection to the Target network to then hacking into servers.


By the way, I doubt this was actually the NSA. It's more likely the CIA, who has "assets" at Huawei (support engineers they've bribed), or the intelligence service for a friendly country. The intelligence community is so huge it'd be unreasonable to assume the NSA is lurking behind every rock. I'm just pointing out that there are other ways to interpret that NYTimes story.


2 comments:

Winston Bishop said...

I find it extraordinarily difficult to believe that any information could "only be of interest to the American intelligence community".

The statement is paradoxical in and of itself via the logic that if something is of great and secret interest to one political power it is inherently of great interest to that power's competitors.

Larry Johnson said...

Please contact the police in your state or the FBI. If any entity, federal agency, or otherwise accessed your computer system in that manner, it is patently illegal and contrary to regulation. If a federal agent or employee accessed your computer system in that way, their misconduct needs to be immediately reported.

The regulations that govern the NSA's and CIA's use of computer resources, USSID12333 and SP0018, specifically prohibit exploitation of domestic computer systems. If the information on those systems is required, the standard federal warrant system or FAA 702 (National Security Letters) is the only authorized mechanism to the U.S. government.