Posted 11 months ago on Feb. 6, 2014, 3:42 p.m. EST by LeoYo
This content is user submitted and not an official statement
Selling Your Secrets: The Invisible World of Software Backdoors and Bounty Hunters
Thursday, 06 February 2014 10:47 By Pratap Chatterjee, TomDispatch | News Analysis
Imagine that you could wander unseen through a city, sneaking into houses and offices of your choosing at any time, day or night. Imagine that, once inside, you could observe everything happening, unnoticed by others -- from the combinations used to secure bank safes to the clandestine rendezvous of lovers. Imagine also that you have the ability to silently record everybody’s actions, whether they are at work or play without leaving a trace. Such omniscience could, of course, make you rich, but perhaps more important, it could make you very powerful.
That scenario out of some futuristic sci-fi novel is, in fact, almost reality right now. After all, globalization and the Internet have connected all our lives in a single, seamless virtual city where everything is accessible at the tap of a finger. We store our money in online vaults; we conduct most of our conversations and often get from place to place with the help of our mobile devices. Almost everything that we do in the digital realm is recorded and lives on forever in a computer memory that, with the right software and the correct passwords, can be accessed by others, whether you want them to or not.
Now -- one more moment of imagining -- what if every one of your transactions in that world was infiltrated? What if the government had paid developers to put trapdoors and secret passages into the structures that are being built in this new digital world to connect all of us all the time? What if they had locksmiths on call to help create master keys for all the rooms? And what if they could pay bounty hunters to stalk us and build profiles of our lives and secrets to use against us?
Well, check your imagination at the door, because this is indeed the brave new dystopian world that the U.S. government is building, according to the latest revelations from the treasure trove of documents released by National Security Agency whistleblower Edward Snowden.
Over the last eight months, journalists have dug deep into these documents to reveal that the world of NSA mass surveillance involves close partnerships with a series of companies most of us have never heard of that design or probe the software we all take for granted to help keep our digital lives humming along.
There are three broad ways that these software companies collaborate with the state: a National Security Agency program called “Bullrun” through which that agency is alleged to pay off developers like RSA, a software security firm, to build “backdoors” into our computers; the use of “bounty hunters” like Endgame and Vupen that find exploitable flaws in existing software like Microsoft Office and our smartphones; and finally the use of data brokers like Millennial Media to harvest personal data on everybody on the Internet, especially when they go shopping or play games like Angry Birds, Farmville, or Call of Duty.
Of course, that’s just a start when it comes to enumerating the ways the government is trying to watch us all, as I explained in a previous TomDispatch piece, “Big Bro is Watching You.” For example, the FBI uses hackers to break into individual computers and turn on computer cameras and microphones, while the NSA collects bulk cell phone records and tries to harvest all the data traveling over fiber-optic cables. In December 2013, computer researcher and hacker Jacob Appelbaum revealed that the NSA has also built hardware with names like Bulldozer, Cottonmouth, Firewalk, Howlermonkey, and Godsurge that can be inserted into computers to transmit data to U.S. spooks even when they are not connected to the Internet.
“Today, [the NSA is] conducting instant, total invasion of privacy with limited effort,” Paul Kocher, the chief scientist of Cryptography Research, Inc. which designs security systems, told the New York Times. “This is the golden age of spying.”
Back in the 1990s, the Clinton administration promoted a special piece of NSA-designed hardware that it wanted installed in computers and telecommunication devices. Called the Clipper Chip, it was intended to help scramble data to protect it from unauthorized access -- but with a twist. It also transmitted a "Law Enforcement Access Field" signal with a key that the government could use if it wanted to access the same data.
Activists and even software companies fought against the Clipper Chip in a series of political skirmishes that are often referred to as the Crypto Wars. One of the most active companies was RSA from California. It even printed posters with a call to “Sink Clipper.” By 1995, the proposal was dead in the water, defeated with the help of such unlikely allies as broadcaster Rush Limbaugh and Senators John Ashcroft and John Kerry.
But the NSA proved more tenacious than its opponents imagined. It never gave up on the idea of embedding secret decryption keys inside computer hardware -- a point Snowden has emphasized (with the documents to prove it).
A decade after the Crypto Wars, RSA, now a subsidiary of EMC, a Massachusetts company, had changed sides. According to an investigative report by Joseph Menn of Reuters, it allegedly took $10 million from the National Security Agency in exchange for embedding an NSA-designed mathematical formula called the Dual Elliptic Curve Deterministic Random Bit Generator inside its Bsafe software products as the default encryption method.
The Dual Elliptic Curve has a “flaw” that allows it to be hacked, as even RSA now admits. Unfortunately for the rest of us, Bsafe is built into a number of popular personal computer products and most people would have no way of figuring out how to turn it off.
According to the Snowden documents, the RSA deal was just one of several struck under the NSA’s Bullrun program that has cost taxpayers over $800 million to date and opened every computer and mobile user around the world to the prying eyes of the surveillance state.
“The deeply pernicious nature of this campaign -- undermining national standards and sabotaging hardware and software -- as well as the amount of overt private sector cooperation are both shocking,” wrote Dan Auerbach and Kurt Opsahl of the Electronic Frontier Foundation, a San Francisco-based activist group that has led the fight against government surveillance. “Back doors fundamentally undermine everybody's security, not just that of bad guys.”
For the bargain basement price of $5,000, hackers offered for sale a software flaw in Adobe Acrobat that allows you to take over the computer of any unsuspecting victim who downloads a document from you. At the opposite end of the price range, Endgame Systems of Atlanta, Georgia, offered for sale a package named Maui for $2.5 million that can attack targets all over the world based on flaws discovered in the computer software that they use. For example, some years ago, Endgame offered for sale targets in Russia including an oil refinery in Achinsk, the National Reserve Bank, and the Novovoronezh nuclear power plant. (The list was revealed by Anonymous, the online network of activist hackers.)
While such “products,” known in hacker circles as “zero day exploits,” may sound like sales pitches from the sorts of crooks any government would want to put behind bars, the hackers and companies who make it their job to discover flaws in popular software are, in fact, courted assiduously by spy agencies like the NSA who want to use them in cyberwarfare against potential enemies.
Take Vupen, a French company that offers a regularly updated catalogue of global computer vulnerabilities for an annual subscription of $100,000. If you see something that you like, you pay extra to get the details that would allow you to hack into it. A Vupen brochure released by Wikileaks in 2011 assured potential clients that the company aims “to deliver exclusive exploit codes for undisclosed vulnerabilities” for “covertly attacking and gaining access to remote computer systems.”
At a Google sponsored event in Vancouver in 2012, Vupen hackers demonstrated that they could hijack a computer via Google’s Chrome web browser. But they refused to hand over details to the company, mocking Google publicly. “We wouldn’t share this with Google for even $1 million,” Chaouki Bekrar of Vupen boasted to Forbes magazine. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
In addition to Endgame and Vupen, other players in this field include Exodus Intelligence in Texas, Netragard in Massachussetts, and ReVuln in Malta.
Their best customer? The NSA, which spent at least $25 million in 2013 buying up dozens of such “exploits.” In December, Appelbaum and his colleagues reported in Der Spiegel that agency staff crowed about their ability to penetrate any computer running Windows at the moment that machine sends messages to Microsoft. So, for example, when your computer crashes and helpfully offers to report the problem to the company, clicking yes could open you up for attack.
The federal government is already alleged to have used such exploits (including one in Microsoft Windows) -- most famously when the Stuxnet virus was deployed to destroy Iran’s nuclear centrifuges.
“This is the militarization of the Internet,” Appelbaum told the Chaos Computer Congress in Hamburg. “This strategy is undermining the Internet in a direct attempt to keep it insecure. We are under a kind of martial law.”