Dear All,

I am glad to share good news from Korea, where APrIGF 2013 is in progress: our India has been recognized to host APrIGF in 2014. No such event can have any legitimacy without India’s support in Asia Pacific. All are recognizing this; frankly, we need to do the same, especially in front of others. We have to further strengthen our cause with explicit support for our sovereign’s concerns about the vulnerability of our Internet infrastructure.

Best Regards,
Rajesh Chharia
+91 98110 38188

One more such eye opener:

NSA Laughs at PCs, Prefers Hacking Routers and Switches
http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/

The NSA runs a massive, full-time hacking operation targeting foreign systems, the latest leaks from Edward Snowden show. But unlike conventional cyber criminals, the agency is less interested in hacking PCs and Macs. Instead, America’s spooks have their eyes on the internet routers and switches that form the basic infrastructure of the net, and are largely overlooked as security vulnerabilities.

Under a $652-million program codenamed “Genie,” U.S. intel agencies have hacked into foreign computers and networks to monitor communications crossing them and to establish control over them, according to a secret black budget document leaked to the Washington Post.

U.S. intelligence agencies conducted 231 offensive cyber operations in 2011 to penetrate the computer networks of targets abroad. This included installing covert “implants” not only in foreign desktop computers but also on routers and firewalls — tens of thousands of machines every year in all.

According to the Post, the government planned to expand the program to cover millions of additional foreign machines in the future and preferred hacking routers to individual PCs because it gave agencies access to data from entire networks of computers instead of just individual machines.

Most of the hacks targeted the systems and communications of top adversaries like China, Russia, Iran and North Korea and included activities around nuclear proliferation.

The NSA’s focus on routers highlights an often-overlooked attack vector with huge advantages for the intruder, says Marc Maiffret, chief technology officer at security firm Beyond Trust. Hacking routers is an ideal way for an intelligence or military agency to maintain a persistent hold on network traffic because the systems aren’t updated with new software very often or patched in the way that Windows and Linux systems are.

“No one updates their routers,” he says. “If you think people are bad about patching Windows and Linux (which they are) then they are … horrible about updating their networking gear because it is too critical, and usually they don’t have redundancy to be able to do it properly.”

He also notes that routers don’t have security software that can help detect a breach. “The challenge [with desktop systems] is that while antivirus don’t work well on your desktop, they at least do something [to detect attacks],” he says. “But you don’t even have an integrity check for the most part on routers and other such devices like IP cameras.”

Hijacking routers and switches could allow the NSA to do more than just eavesdrop on all the communications crossing that equipment. It would also let them bring down networks or prevent certain communication, such as military orders, from getting through, though the Post story doesn’t report any such activities. With control of routers, the NSA could re-route traffic to a different location, or intelligence agencies could alter it for disinformation campaigns, such as planting information that would have a detrimental political effect or altering orders to re-route troops or supplies in a military operation.

According to the budget document, the CIA’s Tailored Access Programs and NSA’s software engineers possess “templates” for breaking into common brands and models of routers, switches and firewalls.

The article doesn’t say it, but this would likely involve pre-written scripts or backdoor tools and rootkits for attacking known but unpatched vulnerabilities in these systems, as well as for attacking zero-day vulnerabilities that are as yet unknown to the vendor and customers.

“[Router software is] just an operating system and can be hacked just as Windows or Linux would be hacked,” Maiffret says. “They’ve tried to harden them a little bit more [than these other systems], but for folks at a place like the NSA or any other major government intelligence agency, it’s pretty standard fare of having a ready-to-go backdoor for your [off-the-shelf] Cisco or Juniper models.”

Not all of the activity mentioned in the budget document involved remote hacking. In some cases, according to the document, the operations involved clandestine activity by the CIA or military intelligence units to “physically place hardware implants or software modifications” to aid the spying.

“Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO),” the Post writes in its story about the document.
“As its name suggests, TAO builds attack tools that are custom-fitted to their targets.”

A handful of security researchers have uncovered vulnerabilities in routers in recent years that could be used to do the kind of hacking described in the budget document.

In 2005, security researcher Mike Lynn found a serious vulnerability in Cisco IOS, the operating system running on millions of Cisco routers around the world.

Lynn discovered the vulnerability after his employer, Internet Security Systems, asked him to reverse-engineer the Cisco operating system to see if he could find security problems with it. Cisco makes the majority of the routers that operate the backbone of the internet as well as many company networks and critical infrastructure systems. Cisco IOS is as ubiquitous in the backbone as the Windows operating system is on desktops.

The vulnerability Lynn found, in a new version of the operating system that Cisco planned to release at the time, would have allowed someone to create a router worm that would shut down every Cisco router through which it passed, bringing down a nation’s critical infrastructure. It also would have allowed an attacker to gain complete control of the router to sniff all traffic passing through a network in order to read, record or alter it, or simply prevent traffic from reaching its recipient.

Once Lynn found the vulnerability, it took him six months to develop a working exploit to attack it.

Lynn had planned to discuss the vulnerability at the Black Hat security conference in Las Vegas, until Cisco intervened and forced him to pull the talk under threat of a lawsuit.

But if Lynn knew about the vulnerability, there were likely others who did as well — including intelligence agencies and criminal hackers.

Source code for Cisco’s IOS has been stolen at least twice, either by entities who were interested in studying the software to gain a competitive advantage or to uncover vulnerabilities that would allow someone to hack or control the devices.

Other researchers have uncovered different vulnerabilities in other Cisco routers that are commonly used in small businesses and home offices.

Every year at computer security conferences — including the Black Hat conference where NSA Director Keith Alexander presented a keynote this year — U.S. intelligence agencies and contractors from around the world attend to discover information about new vulnerabilities that might be exploited and to hire talented researchers and hackers capable of finding more vulnerabilities in systems.

In 2008, a researcher at Core Security Technologies developed a rootkit for Cisco IOS that was designed to give an attacker a persistent foothold on a Cisco router while remaining undetected.

According to the Post story, the NSA designs most of the offensive tools it uses in its Genie operation, but it spent $25.1 million in one year for “additional covert purchases of software vulnerabilities” from private malware vendors who operate on the grey market — closed markets that peddle vulnerabilities and exploits to law enforcement and intelligence agencies, as opposed to the black market that sells them to cyber criminals.

The price of vulnerabilities and exploits varies, depending on a number of factors. Vulnerabilities and exploits can sell for anywhere from $50,000 to more than a million, depending on the exclusivity of the purchase — some vulnerabilities are sold to multiple parties with the understanding that others are using it as well — and their ubiquity. A vulnerability that exists in multiple versions of an operating system is more valuable than a vulnerability that exists in just one version. A class of vulnerability that crosses multiple browser brands is also more valuable than a single vulnerability that just affects the Safari browser or Chrome.

The Stuxnet cyber weapon that was reportedly created by the U.S. and Israel to sabotage centrifuges used in Iran’s uranium enrichment program used five zero-day exploits to spread itself among systems in Iran, including a rare exploit that attacked the .LNK function in multiple versions of the Windows operating system in order to spread the worm silently via infected USB sticks.

Ubiquitous router vulnerabilities are difficult to find since there are so many different configurations for routers, and an attack that works against one router configuration might not work for another. But a vulnerability that affects the core operating system is much more valuable since it is less likely to be dependent on the configuration.

Maiffret says there hasn’t been a lot of public research on router vulnerabilities, but whenever someone has taken a look at them, they have found security holes in them. “They’re always successful in finding something,” he says.

Once a vulnerability becomes known to the software maker and is patched, it loses a lot of its value. But because many users and administrators do not patch their systems, some vulnerabilities can be used effectively for years, even after a patch is available. The Conficker worm, for example, continued to infect millions of computers long after Microsoft released a patch that should have stopped the worm from spreading.
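The article quotes Maiffret's point that routers usually have no integrity check and no software to detect a breach. The script below is an added example, not code from the Wired article or from the mailing-list post, of the simplest defensive form of such a check: a known-good hash of each device's software image and running configuration is recorded once, and later snapshots are compared against that baseline so that a changed image, a changed configuration (shown as a diff), an unlisted device, or a device that stopped answering is reported. How the image bytes and configuration text are collected from a device is assumed to happen outside the script; the device names, image bytes, configurations and addresses are constructed sample data.

```python
"""Integrity baseline for network devices.

Added example (not from the Wired article or the mailing-list post): the
simplest form of the integrity check the article says routers lack. A
known-good hash of each device's software image and configuration is recorded
once; later snapshots are compared against it and every deviation is reported
with enough detail to triage. Collecting the image bytes and configuration
text from a device is assumed to happen outside this script; everything below
is constructed sample data.
"""
import difflib
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    device: str   # device name (constructed)
    image: bytes  # bytes of the software image running on the device
    config: str   # running configuration text

    def fingerprint(self) -> dict:
        """Hashes of image and config; the config text is kept for diffing."""
        return {
            "image_sha256": hashlib.sha256(self.image).hexdigest(),
            "config_sha256": hashlib.sha256(self.config.encode("utf-8")).hexdigest(),
            "config": self.config,
        }


def build_baseline(snapshots):
    """Record known-good fingerprints, keyed by device name."""
    return {snap.device: snap.fingerprint() for snap in snapshots}


def check_integrity(baseline, snapshots):
    """Compare current snapshots with the baseline.

    Returns a list of (device, finding, detail) tuples. Findings:
      image_changed  - running image hash differs from the baseline
      config_changed - configuration differs; detail holds a unified diff
      unknown_device - device has no baseline entry
      not_seen       - baselined device produced no snapshot this run
    """
    findings = []
    seen = set()
    for snap in snapshots:
        seen.add(snap.device)
        known = baseline.get(snap.device)
        if known is None:
            findings.append((snap.device, "unknown_device", ""))
            continue
        now = snap.fingerprint()
        if now["image_sha256"] != known["image_sha256"]:
            detail = f'{known["image_sha256"][:12]} -> {now["image_sha256"][:12]}'
            findings.append((snap.device, "image_changed", detail))
        if now["config_sha256"] != known["config_sha256"]:
            diff = difflib.unified_diff(
                known["config"].splitlines(), snap.config.splitlines(),
                fromfile="baseline", tofile="current", lineterm="", n=0)
            findings.append((snap.device, "config_changed", "\n".join(diff)))
    for device in baseline:
        if device not in seen:
            findings.append((device, "not_seen", ""))
    return findings


# Constructed sample data: a baseline taken after the last authorised change.
BASELINE_SNAPSHOTS = [
    Snapshot("edge-rtr-1", b"constructed image bytes 15.2",
             "hostname edge-rtr-1\nlogging host 192.0.2.10\nntp server 192.0.2.20\n"),
    Snapshot("core-sw-1", b"constructed image bytes 12.2",
             "hostname core-sw-1\nlogging host 192.0.2.10\n"),
    Snapshot("dist-sw-2", b"constructed image bytes 12.2",
             "hostname dist-sw-2\nlogging host 192.0.2.10\n"),
]

# Constructed snapshots from a later run: one device lost its logging target,
# one runs an image with a different hash, one is not in the baseline at all,
# and dist-sw-2 returned nothing.
CURRENT_SNAPSHOTS = [
    Snapshot("edge-rtr-1", b"constructed image bytes 15.2",
             "hostname edge-rtr-1\nntp server 192.0.2.20\n"),
    Snapshot("core-sw-1", b"constructed image bytes 12.2 modified",
             "hostname core-sw-1\nlogging host 192.0.2.10\n"),
    Snapshot("lab-rtr-9", b"constructed image bytes 15.1",
             "hostname lab-rtr-9\n"),
]


def run_example():
    """Check the constructed current snapshots against the constructed baseline."""
    return check_integrity(build_baseline(BASELINE_SNAPSHOTS), CURRENT_SNAPSHOTS)


if __name__ == "__main__":
    for device, finding, detail in run_example():
        print(f"{device}: {finding}")
        if detail:
            print("   " + detail.replace("\n", "\n   "))
```

The baseline should be refreshed only after an authorised change, and stored somewhere the devices themselves cannot write to; a device whose image hash drifts without a matching change record is the case the article describes, and a device that silently stops reporting (not_seen) deserves the same attention as one that reports a change.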