NSA hid spying software in hard drive firmware

[ArticMine]

I have read the .pdf and none of the malware works on GNU/Linux. It does work on Microsoft Windows, OS X and IOS. The simplest way to mitigate this risk is to: Ditch Microsoft, ditch Apple and run Free Software.

Here is the relevant part of the .pdf.

22
13.   Have you seen any non-Windows
malware from the Equation group?
All the malware we have collected so far is designed to work on Microsoft’s
Windows operating system. However, there are signs that non-Windows malware
does exist. For instance, one of the sinkholed C&C domains is currently receiving
connections from a large pool of victims in China that appear to be Mac OS X
computers (based on the user-agent).
The malware callbacks are consistent with the DOUBLEFANTASY schema, which
normally injects into the system browser (for instance, Internet Explorer on
Windows).
The callbacks for the suspected Mac OS X versions have the following user
agents:
•    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.17
(KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
•    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101
Firefox/21.0
•    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/536.28.10
(KHTML, like Gecko) Version/6.0.3 Safari/536.28.10
This leads us to believe that a Mac OS X version of DOUBLEFANTASY also exists.
Additionally, we observed that one of the malicious forum injections, in the form
of a PHP script, takes special precautions to show a different type of HTML code to
Apple iPhone visitors. Unlike other cases, such as visitors from Jordan, which does
not get targeted, iPhone visitors are redirected to the exploit server, suggesting the
ability to infect iPhones as well.

In order for the malware to get at the propriety hard disk firmware it needs Microsoft Windows or OS X. There is a reason why Edward Snowden uses GNU/Linux for his personal computing.

Edit:

Is there an actual way to buy non NSA infected hardware or its a pipedream?

It is way simpler to avoid NSA infected operating systems and the hardware will not get infected in the first place. Focusing on the hardware ignores the real risk which is operating systems which by their very nature are very friendly not just to the NSA but also to the PLA and FSB.

[1714022208]

1714022208

[1714022208]

1714022208

[1714022208]

1714022208

[wilth1]

Here's some relevant work: http://spritesmods.com/?art=hddhack&page=1

It's not the exploits themselves that are surprising, but the sophisticated deployment often years prior to specimen disclosure or similar research.  Docs indicate there are implants across the board that target free software OSes aplenty.

[ArticMine]

Here's some relevant work: http://spritesmods.com/?art=hddhack&page=1

It's not the exploits themselves that are surprising, but the sophisticated deployment often years prior to specimen disclosure or similar research.  Docs indicate there are implants across the board that target free software OSes aplenty.

Very interesting site. It does add to the how of the NSA exploit. It also shows how this could also be used for another nefarious purpose namely DRM (preventing disk cloning). Yes this could be used to re install malware after the server was cleaned up, and this attack could work on a GNU/Linux system. The practical reality is that the attacker would need either root on the server / and or physical access to the hard drive. So it come down to the question how does the attacker get root in the first place? It is at this point where propriety operating systems provide a huge advantage to the attacker. Microsoft regularly provides access to the source code and advance knowledge of vulnerabilities to agencies such as the NSA, PLA and FSB. This creates a hugely uneven playing field since the attackers have access to the source code and vulnerabilities while the defenders do not. Stuxnet is a prime example of what can happen. In addition operating systems that support DRM must have hidden and obtuse parts to support the DRM. We must not forget that DRM and malware are in reality accomplishing the same thing. It is easy to spy on a user of say Windows, OS X or IOS  when those operating systems by design treat that same user as an adversary not to be trusted.  With GNU/Linux everyone has access to the source code creating a level playing field, and the operating system does not treat the user as an adversary not to be trusted. Big difference.

[TippingPoint]

Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.

They could get the hard drive firmware source code by approaching a key manager or employee directly, using traditional incentives of blackmail, extortion, bribery, sex, false flag, appeal to patriatism, etc. or by infiltration with a qualified agent.

[ArticMine]

Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.

They could get the hard drive firmware source code by approaching a key manager or employee directly, using traditional incentives of blackmail, extortion, bribery, sex, false flag, appeal to patriatism, etc. or by infiltration with a qualified agent.

... or simply by making a deal with the manufacturer. No fancy spy techniques needed at all.

[Lauda]

Why does this surprise you? I was actually expecting something like this. The NSA just forces things like this on manufacturers.
You could prevent this from happening though, if you block the right outgoing traffic.

[AGD]

https://bitcointalk.org/index.php?topic=948636.msg10387510#msg10387510

There is no big business without national interest. If you have a tech company and make millions, you are making part of national security already. Intel IS part of the national security since the 70s. You think Bill Gates would have sold his OS, if he refused the offer from the guys in the black suits back in the days?

Same with Seagate, IBM, WD, Samsung, Sony, GB, MSI and a lot more.

[lunarboy]

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

A long list of almost superhuman technical feats illustrate Equation Group's extraordinary skill, painstaking work, and unlimited resources. They include:

    The use of virtual file systems, a feature also found in the highly sophisticated Regin malware. Recently published documents provided by Ed Snowden indicate that the NSA used Regin to infect the partly state-owned Belgian firm Belgacom.
    The stashing of malicious files in multiple branches of an infected computer's registry. By encrypting all malicious files and storing them in multiple branches of a computer's Windows registry, the infection was impossible to detect using antivirus software.
    Redirects that sent iPhone users to unique exploit Web pages. In addition, infected machines reporting to Equation Group command servers identified themselves as Macs, an indication that the group successfully compromised both iOS and OS X devices.
    The use of more than 300 Internet domains and 100 servers to host a sprawling command and control infrastructure.
    USB stick-based reconnaissance malware to map air-gapped networks, which are so sensitive that they aren't connected to the Internet. Both Stuxnet and the related Flame malware platform also had the ability to bridge airgaps.
    An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.

Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.

The unfettered arrogance of these spies makes my skin creep.

What happens next I wonder?  Governments, agencies and hackers around the world have just received an advanced class in malware and will co-opt it to do as they please. The harm done by these intrusions will be 10 fold any advantage gained.

[BitMos]

The U.S. government is out of control and does not represent or care about the U.S. American people.  

simply. It has been INCORPORATED.

[ajareselde]

Why does this surprise you? I was actually expecting something like this. The NSA just forces things like this on manufacturers.
You could prevent this from happening though, if you block the right outgoing traffic.

Block outgoing traffic? Well if were talking about dan hard drives that come with malware embedded, i wouldnt be surprised if the very software were using to defend us against such threats
would be compromised to some extent also. Maybe thats why two antivirus programs recognize each other as infections :]

cheers

[WEB slicer]

The U.S. government is out of control and does not represent or care about the U.S. American people.  

+1

[Wilikon]

It's clear now: we need open source hardware as well as internet decentralization.

Yep...

[CIYAM]

And people thought I was being "too paranoid" when I created a QR code system for doing offline Bitcoin tx signing (whereas Armory still uses a USB stick).

[ArticMine]

Why does this surprise you? I was actually expecting something like this. The NSA just forces things like this on manufacturers.
You could prevent this from happening though, if you block the right outgoing traffic.

No the NSA does not force this on manufacturers. The manufactures do this because they believe they can get away with spying on their customers and selling the fruits of their spying for profit to marketers. Another very common motivation for manufactures to spy on their customers is DRM and "intellectual property protection". Agencies like the NSA come in much later. They realize the manufactures have valuable data and make a deal with the manufactures for access to that data.  

As for blocking the outgoing traffic yes on can do this but one must take over control of one's network and computing devices. The best way to do this is using Free Software. What actually happens is that one can build a Free Software jail around the propriety software "appliance". This can allow the owner to then use the appliance while blocking or controlling the malicious features in the appliance’s propriety software. It then becomes a battle for control between the owner and the appliance with each one trying to control the other.

Edit1: This process is completely voluntary. The iSheep for example provide data to Apple on a voluntary (they clicked I agreee on Apple's EULA) basis. Apple also provides the data to the NSA on a voluntary basis to the NSA via the PRISM program. https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29. This is why many libertarians simply do not understand the real nature of the threat.

Edit2:

https://bitcointalk.org/index.php?topic=948636.msg10387510#msg10387510

There is no big business without national interest. If you have a tech company and make millions, you are making part of national security already. Intel IS part of the national security since the 70s. You think Bill Gates would have sold his OS, if he refused the offer from the guys in the black suits back in the days?

Same with Seagate, IBM, WD, Samsung, Sony, GB, MSI and a lot more.

Bill Gates did not just sell out to the United States. He also sold out to China and Russia among others. Ever wonder where all that Chinese hacking of Windows that has been traced back to the PLA came from? It is hardly surprising that Microsoft Windows has become such a cesspool of malware.

[BitMos]

Why does this surprise you? I was actually expecting something like this. The NSA just forces things like this on manufacturers.
You could prevent this from happening though, if you block the right outgoing traffic.

No the NSA does not force this on manufacturers. The manufactures do this because they believe they can get away with spying on their customers and selling the fruits of their spying for profit to marketers. Another very common motivation for manufactures to spy on their customers is DRM and "intellectual property protection". Agencies like the NSA come in much later. They realize the manufactures have valuable data and make a deal with the manufactures for access to that data.  

As for blocking the outgoing traffic yes on can do this but one must take over control of one's network and computing devices. The best way to do this is using Free Software. What actually happens is that one can build a Free Software jail around the propriety software "appliance". This can allow the owner to then use the appliance while blocking or controlling the malicious features in the appliance’s propriety software. It then becomes a battle for control between the owner and the appliance with each one trying to control the other.

Edit: This process is completely voluntary. The iSheep for example provide data to Apple on a voluntary (they clicked I agreee on Apple's EULA) basis. Apple also provides the data to the NSA on a voluntary basis to the NSA via the PRISM program. https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29. This is why many libertarians simply do not understand the real nature of the threat.

Thank you for this interesting perspectives. It will sound ironic or naïve but I trust more the NSA than the marketers (1 THE NSA CAN "PRINT"). And here is why, the NSA can do infinitely more damages in all aspects to anyone than a "marketer" (because, who is really behind those buying), anyway, However, don't fool the NSA. Snowden, Binner... are few, don't forget they spoke against something that was against their own consciousness, however "exploiting" the nsa, that's another story, that ends more than often very silently... As such when a marketer "exploits" nsa people in their daily civilian lives, I believe it's the duty of those more versed in real combat operation (SF) after consultation with the "exploited" to take the lead and bring the Enemy (foreign or domestic) to his end. Naïve or stupid? Who cares . I see a lot of possibility of exploits (zeroday real life attack, not very clever not to discuss it, it's called hiding) in those marketers... and contrary to nsa agents aren't really aware of what a betrayal (should) implies, once upon a time...

[TippingPoint]

Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.

They could get the hard drive firmware source code by approaching a key manager or employee directly, using traditional incentives of blackmail, extortion, bribery, sex, false flag, appeal to patriatism, etc. or by infiltration with a qualified agent.

... or simply by making a deal with the manufacturer. No fancy spy techniques needed at all.

I doubt that agents would even attempt to make such a deal unless they already had leverage on someone.  The consequences of alerting the target, and causing increased security measures would be too severe.  Leverage could come from allegations or knowledge of corporate or individual income tax evasion, insider trading, or other human foibles such as infidelity.  And agents would not want such an arrangement to be documented in writing.  Alternatively, access to firmware code could be obtained as part of a large government purchase or certification of hardware, and compliance with MILSPECs.

[AGD]

Why does this surprise you? I was actually expecting something like this. The NSA just forces things like this on manufacturers.
You could prevent this from happening though, if you block the right outgoing traffic.

No the NSA does not force this on manufacturers. The manufactures do this because they believe they can get away with spying on their customers and selling the fruits of their spying for profit to marketers. Another very common motivation for manufactures to spy on their customers is DRM and "intellectual property protection". Agencies like the NSA come in much later. They realize the manufactures have valuable data and make a deal with the manufactures for access to that data.  

As for blocking the outgoing traffic yes on can do this but one must take over control of one's network and computing devices. The best way to do this is using Free Software. What actually happens is that one can build a Free Software jail around the propriety software "appliance". This can allow the owner to then use the appliance while blocking or controlling the malicious features in the appliance’s propriety software. It then becomes a battle for control between the owner and the appliance with each one trying to control the other.

Edit1: This process is completely voluntary. The iSheep for example provide data to Apple on a voluntary (they clicked I agreee on Apple's EULA) basis. Apple also provides the data to the NSA on a voluntary basis to the NSA via the PRISM program. https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29. This is why many libertarians simply do not understand the real nature of the threat.

Edit2:

https://bitcointalk.org/index.php?topic=948636.msg10387510#msg10387510

There is no big business without national interest. If you have a tech company and make millions, you are making part of national security already. Intel IS part of the national security since the 70s. You think Bill Gates would have sold his OS, if he refused the offer from the guys in the black suits back in the days?

Same with Seagate, IBM, WD, Samsung, Sony, GB, MSI and a lot more.

Bill Gates did not just sell out to the United States. He also sold out to China and Russia among others. Ever wonder where all that Chinese hacking of Windows that has been traced back to the PLA came from? It is hardly surprising that Microsoft Windows has become such a cesspool of malware.

IF Bill sold out to others than the US, this would make part of the US foreign policy. Means, the NSA still would have the power to access every computer worldwide.

[croato]

Looks like U.S. goverment lost controll and NSA is now in charge. I am not conspiracy theory fanatic but how to explain all that. Land of the free is becoming land of slaves and drones infecting whole world with their controll freak shit.

[BitMos]

Looks like U.S. goverment lost controll and NSA is now in charge. I am not conspiracy theory fanatic but how to explain all that. Land of the free is becoming land of slaves and drones infecting whole world with their controll freak shit.

the incorporation of the FED predates the Incorporation of the NSA, we can only hope for a take over of the FED and affiliates by the NSA and affiliates, for the better, don't forget that the NSA is just a part of the Military Industrial and Intelligence Complex, and as such has seen how systematic the horrors of wars are, stealth (ctrl+p) or plain visible. What ever darkness of man doings seems unstable in it's nature, furthermore exacerbates when the "adversaries" are on the Path.  

interesting quotes :

Questioning known liars makes you a "conspiracy theorist".  
...
The conspiracy theorist is the sheep in the middle trying to go in the opposite direction but constantly pushed by the 'normal' sheep into the slaughter chute.
...
"conspiracy theorist" is a derogatory label coined by the media black arts (if they only knew ) practitioners specifically for the purpose of unfairly maligning or smearing any person who challenges the official government/media/corporate narrative about anything.

Because of this, the government media duo and the corporations they protect have a shield against all probing questions. As soon as you cause any static, you're a conspiracy theorist.

add marketable digital profiles to use for " targeted ads attacks".    

I don't understand why those holding the triggers, would serve against their interests known liars. Stupidity? A Master Plan, Who Knows . But those who don't, and are on the "tricks" shall be aware, they know. ahaha. What sum of money can erase the blood, sweet and tears of a dying fallen? Guess, pen holders. But I agree the Mastery of the Arts of Wars aren't very "sexy" . who cares, anyway. When the SWARM gravitates inwards, primitive parasitism is restored (on'a entropic lvl  (ΔSBTC$,S)   ), some times, or all ways, who knows...  

The civilian admin occupying the (R)ecless and white house buildins since a little too long is very not conducive for business, to come back to your first point...  

[TECSHARE]

Looks like U.S. goverment lost controll and NSA is now in charge. I am not conspiracy theory fanatic but how to explain all that. Land of the free is becoming land of slaves and drones infecting whole world with their controll freak shit.

Everyone seems to just gloss over the fact that the NSA is basically the biggest blackmail machine ever designed. They could easily subvert our government with it, or any other organization for that matter. Take out, discredit, or control those in key positions in any centralized organization, you own the whole.