Read

Error message

Notice: Undefined index: base_url in include_once() (line 125 of /home3/occupyco/public_html/dev/sites/default/settings.php).

User menu

Search form

The NSA Leak Is Real, Snowden Documents Confirm

The NSA Leak Is Real, Snowden Documents Confirm
Mon, 8/22/2016 - by Sam Biddle
This article originally appeared on The Intercept

On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA. Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.

The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.

The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.

SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don’t always have the last word when it comes to computer exploitation.

But malicious software of this sophistication doesn’t just pose a threat to foreign governments, Johns Hopkins University cryptographer Matthew Green told The Intercept:

The danger of these exploits is that they can be used to target anyone who is using a vulnerable router. This is the equivalent of leaving lockpicking tools lying around a high school cafeteria. It’s worse, in fact, because many of these exploits are not available through any other means, so they’re just now coming to the attention of the firewall and router manufacturers that need to fix them, as well as the customers that are vulnerable. So the risk is twofold: first, that the person or persons who stole this information might have used them against us. If this is indeed Russia, then one assumes that they probably have their own exploits, but there’s no need to give them any more. And now that the exploits have been released, we run the risk that ordinary criminals will use them against corporate targets.

The NSA did not respond to questions concerning ShadowBrokers, the Snowden documents, or its malware.

A Memorable SECONDDATE

The offensive tools released by ShadowBrokers are organized under a litany of code names such as POLARSNEEZE and ELIGIBLE BOMBSHELL, and their exact purpose is still being assessed. But we do know more about one of the weapons: SECONDDATE.

SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server. That server, in turn, is designed to infect them with malware. SECONDDATE’s existence was first reported by The Intercept in 2014, as part of a look at a global computer exploitation effort code-named TURBINE. The malware server, known as FOXACID, has also been described in previously released Snowden documents.

Other documents released by The Intercept today not only tie SECONDDATE to the ShadowBrokers leak but also provide new detail on how it fits into the NSA’s broader surveillance and infection network. They also show how SECONDDATE has been used, including to spy on Pakistan and a computer system in Lebanon.

The top-secret manual that authenticates the SECONDDATE found in the wild as the same one used within the NSA is a 31-page document titled “FOXACID SOP for Operational Management” and marked as a draft. It dates to no earlier than 2010. A section within the manual describes administrative tools for tracking how victims are funneled into FOXACID, including a set of tags used to catalogue servers. When such a tag is created in relation to a SECONDDATE-related infection, the document says, a certain distinctive identifier must be used.

The same SECONDDATE MSGID string appears in 14 different files throughout the ShadowBrokers leak, including in a file titled SecondDate-3021.exe. Viewed through a code-editing program (screenshot below), the NSA’s secret number can be found hiding in plain sight.

All told, throughout many of the folders contained in the ShadowBrokers’ package (screenshot below), there are 47 files with SECONDDATE-related names, including different versions of the raw code required to execute a SECONDDATE attack, instructions for how to use it, and other related files.

After viewing the code, Green told The Intercept the MSGID string’s occurrence in both an NSA training document and this week’s leak is “unlikely to be a coincidence.” Computer security researcher Matt Suiche, founder of UAE-based cybersecurity startup Comae Technologies, who has been particularly vocal in his analysis of the ShadowBrokers this week, told The Intercept “there is no way” the MSGID string’s appearance in both places is a coincidence.

Where SECONDDATE Fits In

This overview jibes with previously unpublished classified files provided by Snowden that illustrate how SECONDDATE is a component of BADDECISION, a broader NSA infiltration tool. SECONDDATE helps the NSA pull off a “man in the middle” attack against users on a wireless network, tricking them into thinking they’re talking to a safe website when in reality they’ve been sent a malicious payload from an NSA server.

According to one December 2010 PowerPoint presentation titled “Introduction to BADDECISION,” that tool is also designed to send users of a wireless network, sometimes referred to as an 802.11 network, to FOXACID malware servers. Or, as the presentation puts it, BADDECISION is an “802.11 CNE [computer network exploitation] tool that uses a true man-in-the-middle attack and a frame injection technique to redirect a target client to a FOXACID server.” As another top-secret slide puts it, the attack homes in on “the greatest vulnerability to your computer: your web browser.”

One slide points out that the attack works on users with an encrypted wireless connection to the internet.

That trick, it seems, often involves BADDECISION and SECONDDATE, with the latter described as a “component” for the former. A series of diagrams in the “Introduction to BADDECISION” presentation show how an NSA operator “uses SECONDDATE to inject a redirection payload at [a] Target Client,” invisibly hijacking a user’s web browser as the user attempts to visit a benign website (in the example given, it’s CNN.com). Executed correctly, the file explains, a “Target Client continues normal webpage browsing, completely unaware,” lands on a malware-filled NSA server, and becomes infected with as much of that malware as possible — or as the presentation puts it, the user will be left “WHACKED!” In the other top-secret presentations, it’s put plainly: “How do we redirect the target to the FOXACID server without being noticed”? Simple: “Use NIGHTSTAND or BADDECISION.”

The sheer number of interlocking tools available to crack a computer is dizzying. In the FOXACID manual, government hackers are told an NSA hacker ought to be familiar with using SECONDDATE along with similar man-in-the-middle wi-fi attacks code-named MAGIC SQUIRREL and MAGICBEAN. A top-secret presentation on FOXACID lists further ways to redirect targets to the malware server system.

To position themselves within range of a vulnerable wireless network, NSA operators can use a mobile antenna system running software code-named BLINDDATE, depicted in the field in what appears to be Kabul. The software can even be attached to a drone. BLINDDATE in turn can run BADDECISION, which allows for a SECONDDATE attack.

Elsewhere in these files, there are at least two documented cases of SECONDDATE being used to successfully infect computers overseas: An April 2013 presentation boasts of successful attacks against computer systems in both Pakistan and Lebanon. In the first, NSA hackers used SECONDDATE to breach “targets in Pakistan’s National Telecommunications Corporation’s (NTC) VIP Division,” which contained documents pertaining to “the backbone of Pakistan’s Green Line communications network” used by “civilian and military leadership.”

In the latter, the NSA used SECONDDATE to pull off a man-in-the-middle attack in Lebanon “for the first time ever,” infecting a Lebanese ISP to extract “100+ MB of Hizballah Unit 1800 data,” a special subset of the terrorist group dedicated to aiding Palestinian militants.

SECONDDATE is just one method that the NSA uses to get its target’s browser pointed at a FOXACID server. Other methods include sending spam that attempts to exploit bugs in popular web-based email providers or entices targets to click on malicious links that lead to a FOXACID server. One document, a newsletter for the NSA’s Special Source Operations division, describes how NSA software other than SECONDDATE was used to repeatedly direct targets in Pakistan to FOXACID malware web servers, eventually infecting the targets’ computers.

A Potentially Mundane Hack

Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has offered some context and a relatively mundane possible explanation for the leak: that the NSA headquarters was not hacked, but rather one of the computers the agency uses to plan and execute attacks was compromised. In a series of tweets, he pointed out that the NSA often lurks on systems that are supposed to be controlled by others, and it’s possible someone at the agency took control of a server and failed to clean up after themselves. A regime, hacker group, or intelligence agency could have seized the files and the opportunity to embarrass the agency.

3 WAYS TO SHOW YOUR SUPPORT

ONE-TIME DONATION

Just use the simple form below to make a single direct donation.

DONATE NOW

MONTHLY DONATION

Be a sustaining sponsor. Give a reacurring monthly donation at any level.

GET SOME MERCH!

Now you can wear your support too! From T-Shirts to tote bags.

SHOP TODAY

Comments

HOW I GET A LOAN HELP @ 2% INTEREST RATE

I was not sure of getting a legit loan lender online But when i could not face my Debt any more, my son was on hospital bed for surgery that involve huge money and i also needed some money to refinance and get a good home then i have to seeks for Assistance from friends and when there was no hope any more i decide to go online to seek a loan and i find VICTORIA LAWSON Trust Loan Firm (marianlawson@outlook.com) with 2% interest Rate and applied immediately with my details as directed. Within seven Days of my application She wired my loan amount with No hidden charges and i could take care of my son medical bills, Renew my rent bill and pay off my debt. I will advice every loan seeker to contact VICTORIA LAWSON LOAN Company with marianlawson@outlook.com For easy and safe transaction.

*Full Name:_________

*Address:_________

*Tell:_________

*loan amount:_________

*Loan duration:_________

*Country:_________

*Purpose of loan:_________

*Monthly Income:__________

*Occupation__________

*Next of kins :_________

*Email :_________

Sign Up

Article Tabs

prison reform, incarceration rates, private prisons, for-profit prisons, white supremacy, enslavement, climate justice, racial justice, Green New Deal

The year 2020 has caused many white people to realize we live in a racist system. The Green New Deal is about systemic change for all, and deconstructing racism must be front and central in this agenda.

coronavirus pandemic, Donald Trump, Boris Johnson, Jair Bolsonaro, COVID-19 deaths, downplaying coronavirus

By infecting three of the world’s most right-wing leaders, the coronavirus underscored not only the incompetence and irresponsibility of their governments – but the truth that their brand of populism doesn't keep people safe.

COVID-19, corporate bailouts, corporate welfare, corporate destruction

Corporations are not "too big to fail" and, when they commit crimes, they are not "too big to jail." As David Whyte writes in his new book, "Ecocide: Kill the Corporation Before It Kills Us," the moment is now to rein in out-of-control corporate power.

The world has lost an incredible thinker and doer. I have lost an amazing friend. A void exists where before it was filled with David's optimism, humour and joy.

Kevin Zeese speaks at a rally for Chelsea Manning. By Ellen Davidson.

Kevin fought to bring truth every day. We must not lose this struggle.

prison reform, incarceration rates, private prisons, for-profit prisons, white supremacy, enslavement, climate justice, racial justice, Green New Deal

The year 2020 has caused many white people to realize we live in a racist system. The Green New Deal is about systemic change for all, and deconstructing racism must be front and central in this agenda.

coronavirus pandemic, Donald Trump, Boris Johnson, Jair Bolsonaro, COVID-19 deaths, downplaying coronavirus

By infecting three of the world’s most right-wing leaders, the coronavirus underscored not only the incompetence and irresponsibility of their governments – but the truth that their brand of populism doesn't keep people safe.

COVID-19, corporate bailouts, corporate welfare, corporate destruction

Corporations are not "too big to fail" and, when they commit crimes, they are not "too big to jail." As David Whyte writes in his new book, "Ecocide: Kill the Corporation Before It Kills Us," the moment is now to rein in out-of-control corporate power.

The world has lost an incredible thinker and doer. I have lost an amazing friend. A void exists where before it was filled with David's optimism, humour and joy.

Kevin Zeese speaks at a rally for Chelsea Manning. By Ellen Davidson.

Kevin fought to bring truth every day. We must not lose this struggle.