
A Look at the NSA's Most Powerful Internet Attack Tool

Posted by samzenpus
from the big-gun dept.
realized writes in with a closer look at the NSA's QUANTUM system. "Today QUANTUM packs a suite of attack tools, including both DNS injection (upgrading the man-on-the-side to a man-in-the-middle, allowing bogus certificates and similar routines to break SSL) and HTTP injection. That's reasonable enough. But it also includes gadgets like a plug-in to inject into MySQL connections, allowing the NSA to quietly mess with the contents of a third-party's database. (This also surprisingly suggests that unencrypted MySQL on the internet is common enough to attract NSA attention.) And it allows the NSA to hijack both IRC and HTTP-based criminal botnets, and also includes routines which use packet-injection to create phantom servers, and even attempting (poorly) to use this for defense."
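Added example, not part of the original story or discussion: a man-on-the-side can add packets but cannot remove the genuine ones, so a DNS injection of the kind the summary describes leaves two responses to one query on the wire. The Python below flags that race in captured DNS responses; the record layout, the function name, the time window and the sample data are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResponse:
    ts: float        # capture timestamp in seconds
    client: str      # host that asked the question
    resolver: str    # source address the response claims to come from
    txid: int        # DNS transaction ID
    qname: str       # queried name
    answers: tuple   # A-record values carried in the response
    ip_ttl: int      # IP TTL of the packet, a supporting signal only


def find_raced_responses(responses, window=2.0):
    """Return one finding per query that received conflicting responses.

    Identical duplicates (retransmissions) are ignored. A later response
    counts only if it arrives within `window` seconds of the first, so a
    reused transaction ID much later is not confused with a race.
    """
    by_query = defaultdict(list)
    for r in responses:
        key = (r.client, r.resolver, r.txid, r.qname.lower().rstrip("."))
        by_query[key].append(r)

    findings = []
    for (client, resolver, txid, qname), group in by_query.items():
        group.sort(key=lambda r: r.ts)
        first = group[0]
        for later in group[1:]:
            if later.ts - first.ts > window:
                break
            if set(later.answers) != set(first.answers):
                findings.append({
                    "client": client,
                    "qname": qname,
                    "txid": txid,
                    # The response that won the race is the one the client used.
                    "first_answers": first.answers,
                    "later_answers": later.answers,
                    "gap_ms": round((later.ts - first.ts) * 1000, 1),
                    "ip_ttl_differs": later.ip_ttl != first.ip_ttl,
                })
                break
    return findings


# Constructed sample capture (documentation address ranges only).
SAMPLE = [
    # Two conflicting responses to one query, 27 ms apart: flagged.
    DnsResponse(100.004, "192.0.2.10", "192.0.2.53", 0x1A2B, "example.com",
                ("203.0.113.66",), 57),
    DnsResponse(100.031, "192.0.2.10", "192.0.2.53", 0x1A2B, "example.com",
                ("198.51.100.10",), 49),
    # Identical retransmission: not flagged.
    DnsResponse(101.000, "192.0.2.10", "192.0.2.53", 0x3C4D, "example.org",
                ("198.51.100.20",), 49),
    DnsResponse(101.002, "192.0.2.10", "192.0.2.53", 0x3C4D, "example.org",
                ("198.51.100.20",), 49),
    # Same transaction ID reused a minute later with a new answer: not flagged.
    DnsResponse(200.000, "192.0.2.11", "192.0.2.53", 0x5E6F, "example.net",
                ("198.51.100.30",), 49),
    DnsResponse(260.000, "192.0.2.11", "192.0.2.53", 0x5E6F, "example.net",
                ("198.51.100.31",), 49),
]

if __name__ == "__main__":
    for finding in find_raced_responses(SAMPLE):
        print(finding)
```

A finding is a lead for investigation rather than proof of injection; the differing IP TTL is recorded because the two packets in a race usually travel different paths.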
  • I wonder (Score:5, Insightful)

    by Anonymous Coward on Thursday March 13, 2014 @10:26PM (#46479559)

    All these software engineers that work for nsa/gov, do they have any fucking morals? Do they really believe they are securing the world from the evil guys? Are they kept at gunpoint? Are they just plain stupid? Failing to realize that we, the makers, have all the power is the worst mistake. Plant secret backdoors, failure modes, weaknesses. Be in charge. You don't owe anything to these black suits. Wake fucking up.

    • Re:I wonder (Score:4, Insightful)

      by epyT-R (613989) on Thursday March 13, 2014 @10:30PM (#46479575)

      It probably pays well.

      • Re:I wonder (Score:4, Informative)

        by Arker (91948) on Thursday March 13, 2014 @10:39PM (#46479627) Homepage
        It depends, if you are an actual employee I understand the pay is not really spectacular. The benefits, however, are outrageous. And these days of course the government has gotten into outsourcing too, and most of their workers are contractors, not employees. The contractors are obviously paid well, and if theoretically they have less job security practically their programs are only set to expand.

        Anyway, regardless of position, you could probably make more money in the private sector if you are really motivated to go out and make the next big thing. But this sort of job is about more than compensation. It draws people that really believe in the cause (who eventually become disillusioned, and sometimes become whistleblowers) along with amoral sociopaths that get off on power. Unfortunate that the latter stand a much better chance of being promoted and the former of being waterboarded, seems backwards somehow, but oh well.
        • by dbIII (701233) on Friday March 14, 2014 @12:41AM (#46480059)
          Recent revelations about spying on an Indonesian clove cigarette company for the benefit of US "customers" is one example.
          So that's for the private sector. How the customers in the private sector commission the work and pay for it would make an interesting story. Perhaps they pay via political campaign finance? Let's open that can of worms.
      • by Anonymous Coward

        It doesn't need to pay well.

        Some people just get off on power, the rest just sell the secrets to the highest bidder.

      • That's a silly statement. They're government bureaucrats. At least in the United States, you never join the bureaucracy if your goal is to make money. Even contracting for the government, while better paying than direct government employment, still pales compared to more lucrative areas of the economy, especially for the skill sets we're talking about.
    • Re:I wonder (Score:5, Interesting)

      by tshawkins (1239974) on Thursday March 13, 2014 @11:35PM (#46479819)
      It's the same question that should have been asked of the doctors that assisted with the torture and stress programs, the psychologists that aided and abetted the threats made against detainees' families. The aviation engineers that built remote controlled aerial death machines. The lawyers that twisted and bent the law to try to justify all the above. There is a tendency for professions to remote themselves from the consequences of their actions, and to adopt both the "obeying orders" and the "if we don't do it, somebody else will" defense. Scumbags the lot of them, there is a very hot place waiting for them all.
      • TL;DR: Even intellectual fools let themselves be divided and conquered. Learn it: Compartmentalization = Evil.

    • by raymorris (2726007) on Friday March 14, 2014 @02:21AM (#46480299)

      My guess, as a security professional who could have been recruited for a three-letter agency, is that many of them are boiled frogs. There are technical challenges that smart geeks love, plus the whole hacker mystique, but you don't want to be criminal, so you go white-hat, hacking bin Laden. That adds the whole "international spy" thing into it and maybe you help catch some really bad guys. That would be awesome, spying on al Qaeda. Hmm, if you expanded that technique you could catch a lot of bad guys. So you expand it to log calls to and from Iraq, Afghanistan, and Syria. After a few years, you end up in a place you never would have knowingly sought to go.

      • by Anonymous Coward

        I wanted to work for one, but had too much black hat in a way that freaked out the moralists over absolutely inappropriate things. Not things like loyalty, or unauthorized access, or openly gay... but "wow, that's equivalent to stealing millions of dollars..." over a bit of high end software cracking.

        As someone who knows and has done other defense and weapons work... let me put it very very clearly:

        Some of us believe there are "bad guys", and while the US is not "the good guys" -- we're better than the oth

    • by AHuxley (892839)
      It depends on the country, the mil junta, the party, the telco and the staff.
      Did the connection to the NSA start with 1960's tech? The 1990's optical? That's a lot of local staff over generations to read into looking after a lot of 'secret' rooms with copper or less with optical.
      What did the local the mil junta, the party, the telco and the staff get back or was the cover story top down from a trusted local leader?
      Some top gov official tells all the telco staff that it's their nation's splitter and not t
    • nsa/gov , do they have any fucking morals? do they really believe they are securing the world from the evil guys?

      idk about morals (I don't want to define or discuss defining it b/c it brings out trolls something fierce)

      do they really believe they are securing the world from the evil guys?

      They feel like cogs. From my short time as a DC congressional staffer & people I know in those fields, they feel like a **cog in a big machine**. Their job is so abstracted that they don't really know the context of the wo

    • all these software engineers that work for nsa/gov , do they have any fucking morals? do they really believe they are securing the world from the evil guys? are they kept at gunpoint? are they just plain stupid?

      Imagine a fraternity house filled with hundreds of "bro-grammers" looking to impress their peers and outsiders, alongside more socially inept nerds with a superiority complex and a grudge against society for its refusal to pay homage to their obviously superior intellects. The herd is managed by a ca

      • by ZahrGnosis (66741)

        Of course, you could also imagine a group of highly intelligent and capable programmers that grew up on legends of the Enigma, Bletchley Park, and Alan Turing... who live for reverse engineering code and breaking ciphers. People who know that enemies of the state (in this case the US) had used secret communications since the US War of Independence (http://www.nsa.gov/about/_files/cryptologic_heritage/publications/prewii/Revolutionary_Secrets.pdf and yes, there are non-nsa links to similar material, but I

        • Of course, you could also imagine a group of highly intelligent and capable programmers that grew up on legends of the Enigma, Bletchley Park, and Alan Turing... who live for reverse engineering code and breaking ciphers.

          I'm sorry, but your vision of men in pursuit of a grander calling falls rather flat in the face of their actual activities of trolling in irc chatrooms and obstudely recording every phone call made inside the entire United States.

          Your "Keen men" are boorish goons who would put Russian cyber

    • Now we've rewritten history
      The one thing we've found out
      Sweet taste of vindication
      It turns to ashes in your mouth

    • by Anonymous Coward

      In no particular order:

      1. Cognitive Dissonance: throw enough money/benefits at someone, and even otherwise tightly-held morals can become fluid.
      2. Sociopaths: they'll do stuff simply because they can (and want to), despite the harm it could create for others.
      3. Challenge: some will do things because they enjoy the challenge of seeing if it can be done, as well as the "empowerment" they feel it gives them. Note that this can be mixed in with either of the 2 points above.
      4. Ignorance: for whatever reason, the

    • But of course we can trust the NSA! The government even helped set the "standards" for encryption so kindly! Surely they wouldn't do anything like this, would they?
  • by reovirus1 (722769) on Thursday March 13, 2014 @10:26PM (#46479561)
    I wonder what this tool will think about my encrypted archive of the proceedings of Congress that I've renamed "The_anarchists_cookbook.zip".
  • the Borg have won.
    • by epyT-R (613989)

      Freedom is irrelevant. Self-determination is irrelevant. Existence as you know it is over. We will add your biological and technological labor to our own. Your liberty will adapt to service us... resistance is futile!

  • wishful thinking (Score:5, Insightful)

    by Patent Lover (779809) on Thursday March 13, 2014 @10:27PM (#46479567)
    Now if they would just use it to actually stop botnets.
  • by Anonymous Coward on Thursday March 13, 2014 @10:34PM (#46479601)

    I'm American and I fully support this. This is exactly what intelligence agencies are for. Nothing in any of these leaks in the linked article suggests these capabilities are being abused. I want my government to be able to pursue foreign intelligence targets with capabilities like these and--in a time where people complain relentlessly about government agencies being ineffective--I'm glad they are able to do this.

    Posting anonymously because I've lost too much karma expressing a contrarian opinion on all these Snowden articles. Frankly, I'm more scared of moderators than our government...

    • by epyT-R (613989) on Thursday March 13, 2014 @10:52PM (#46479671)

      You know, one of these days, you will be the one arrested and thrown in prison without due process for 'terroristic acts', or some other set of stacked charges that cannot be challenged in court because they're matters of 'national security'. It's people like you that allow wannabe tyrants to bypass civil liberties and seize power in the first place. It is a known fact that the feds are breaking the law to pursue their own political or financial agendas. While it is true that the NSA/CIA were chartered to monitor foreign governments, what they've been up to since then has obviously come up short of expectation. They need reining in and refocusing. Heads need to roll.

      Governments are only ineffective at the things they promised but aren't in the best interests of the high level bureaucrats. Governments are scarily effective at doing whatever it is those in power really want to do. After all, all an employer can do is fire you, but a government can throw you in a box and toss the key.

      I fear the federal government more than some 13th century thugs from the middle east. Groupthink is the most powerful religion in existence. bin laden's goal was to get us to do his work for him, to destroy ourselves from within. So far, he's won every battle.

      • Slashdot users are waaaaaaaaaay too paranoid. The government doesn't care about going after Joe Nobody. Somewhere down the line you guys confused real tyrants with people who intercept your mail. No one cares what you had for lunch. Seriously.

        Please take a minute of your time to read about what *real* tyrants do to their people in the rest of the world and then come back to complain. All this crying about it being a slippery slope isn't making us any safer. It's just leading to a dysfunctional government th

        • by Concerned Onlooker (473481) on Friday March 14, 2014 @01:07AM (#46480135) Homepage Journal

          "All this crying about it being a slippery slope isn't making us any safer."

          I don't know anything about slippery slopes, but I do seem to recall a famous quote about something to do with eternal vigilance and freedom.

          • "All this crying about it being a slippery slope isn't making us any safer."

            I don't know anything about slippery slopes, but I do seem to recall a famous quote about something to do with eternal vigilance and freedom.

            Yes, vigilance is important... but nothing is absolute. Good governance requires trust. The level of cynicism we've reached makes it absolutely impossible to run an efficient government. This reminds me of someone who micromanages their employees: nothing gets done.

            We need to find a middle ground between vigilance and trust. Either extreme will kill this country.

            • The level of corruption we've reached makes it absolutely impossible to run a non-parasitic government. We need this country remade or destroyed already.
        • by epyT-R (613989)

          Of course not. Not yet. The cost of tracking joe nobody currently exceeds the extra value (whether financial or psychological) that can be extracted from him if he's monitored. Of course, it's not just whether he's monitored or not. It's his right to know whether he is, to know what's being said about him by various databases gatekeepers tap into when he applies for jobs, loans, licenses, or just about anything. When the cost drops to a point where it's possible, it will happen.

          Just because jack steals

          • Of course not. Not yet. The cost of tracking joe nobody currently exceeds the extra value (whether financial or psychological) that can be extracted from him if he's monitored. Of course, it's not just whether he's monitored or not. It's his right to know whether he is, to know what's being said about him by various databases gatekeepers tap into when he applies for jobs, loans, licenses, or just about anything. When the cost drops to a point where it's possible, it will happen.

            Just because jack steals one stick of candy and points to joe who stole 6, doesn't mean we should ignore what jack is doing. It is likely he will emulate joe at some point in the future. Frankly, I don't care what other countries are doing. If their citizens want liberty, they need to stand up for it. Our failed attempts at 'nation building' over the last half century have proven that. I am comparing the USA of the past to the USA of now. The trend is getting worse and looks to get a lot worse. This obsession over 'safety' IS the problem. Talk about crying over spilled milk. We're told daily by the media of all these 'threats', and yet less than 1% of them materialize. I tire of this narrative. I see no threat that justifies the power grabs washington has engaged in over the last 20 years or so. If anyone is making fallacious slippery slope arguments, it's the politicians in DC.

            If there ARE threats out there that are subverting our society, then it's congress' duty to declare war on the countries harboring them. War, not useless perpetual 'police actions' that sound like something out of orwell's 1984 (we were always at war with al Qaeda). Wars have a finite goal: hit the enemy until he is no longer a threat. We don't defend our way of life by supplicating and compromising with these people like our politicians do now.

            No. The government is already failing. We're starting to realize that throwing more money at it is just magnifying the scope of failure. In fact, it's time for daddy to take the credit card away from his 16yo princess spendthrift daughter.

            Congress can't declare war because the American people have been brainwashed to believe that all wars are wrong. If WW2 were to happen tomorrow, we'd still sit on the sidelines as long as possible and you can be sure that the second we declare war there will be protests in the street.

            The country is polarized in every which direction. How can you expect the government to do anything when the people can't figure out what they want to do themselves?

            • "If WW2 were to happen tomorrow, we'd still sit on the sidelines as long as possible and you can be sure that the second we declare war there will be protests in the street."

              You mean unlike WW1, where we .... wait for it ... sat on the sidelines as long as possible? I don't know about protests, because there was no internet or TV (as it exists today), so there may well have been many, many small local protests.

              • That didn't really work all that well in WW2, did it? :)

                Guess what? Not all wars are created equal. Some wars are good to get involved in, and others are bad.

                • I'm sorry. I require that those with whom I might have a discussion like this have at least a modicum of reading comprehension ability coupled with at least semi-functioning logical facilities, but good luck finding someone who doesn't care about those things!
        • What's with all these garbage comments defending rights violations?

          The government doesn't care about going after Joe Nobody.

          Instead, they'll be able to harass anyone who does something they don't like. The goal is not and never has been to harass everyone.

          Please take a minute of your time to read about what *real* tyrants do to their people in the rest of the world and then come back to complain.

          "X is worse than Y, so Y isn't bad." isn't valid logic. Just because there could be worse tyrants doesn't mean that these people aren't tyrants.

          It's just leading to a dysfunctional government that can't get anything done.

          I'd much rather have *that* than a government that infringes upon our individual liberties and the constitution, like what's happening now. This is supposed to be the la

        • by Kogun (170504)

          ... but a government that is untrusted by its people (and by all accounts Americans don't trust any existing political party) cannot effect effective governance. In other words, you're asking your government to fail and then whining when they do. That's not very productive.

          Your plea for trust demonstrates your complete lack of understanding about our government system, the purpose of checks and balances, the entire judicial process, the purpose of elections, sunshine laws, government oversight committees, the entire Bill of Rights. Get a fucking clue and quit this pathetic shilling.

          The US government is explicitly built on a foundation of distrust and for damn good reason.

        • by fonos (847221)

          All I'm saying is... please keep things in perspective. You have legitimate points, but a government that is untrusted by its people (and by all accounts Americans don't trust any existing political party) cannot effect effective governance. In other words, you're asking your government to fail and then whining when they do. That's not very productive.

          No, we're asking our representatives to actually represent the people, instead of the special interest. We're also asking that the government follow the constitution and the law, and to stop the illegal programs that break those laws.

    • by pitchpipe (708843)

      Frankly, I'm more scared of moderators than our government...

      Well, from what I gather from the leaks, the moderators are from the government. Who to be scared of now?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You may be right, but in my opinion what's wrong with extreme surveillance is that you can get flagged just for searching the internet for knowledge, or you avoid pursuing more knowledge in the fear of being flagged.

      An example: you often see in movies that some criminal builds a pipe bomb with instructions found on the web. I've always been curious of knowing if that's really possible, but I never searched that on the web. Notice, I didn't want to build one, just to know if the average crazy man could reall

    • You may be right, but in my opinion what's wrong with extreme surveillance is that you can get flagged just for searching the internet for knowledge, or you avoid pursuing more knowledge in the fear of being flagged.

      An example: you often see in movies that some criminal builds a pipe bomb with instructions found on the web. I've always been curious of knowing if that's really possible, but I never searched that on the web. Notice, I didn't want to build one, just to know if the average crazy man could real

    • by Jawnn (445279)

      Frankly, I'm more scared of moderators than our government...

      You should be more afraid of your government. You should definitely be more afraid of your government than "teh terrorists". Your fear of "teh terrorists" has convinced you to allow your government to do far more harm to our country.

    • by aliquis (678370)

      Frankly, I'm more scared of moderators than our government...

      Scared of the moderators?
      Hah! Look at this shit I'm posting here! Full user-name and all!

      ACs should be moderated -10 in their real accounts simply for being ACs ;D

      Also you shouldn't let irrelevant Internet scoring and populism affect what you say (Well, I guess posting AC is a way of not letting it.. But really. Just speak up. It should be your freaking right. People are different. People have different opinions. Accept it. Everyone doesn't have to be right. People don't even have to be consistent. You're

    • Plus eleven. "If you aren't doing anything wrong", and, quite importantly, when our Gov. doesn't appear to be doing anything wrong, then what's the problem? I'm betting my systems aren't infected with this stuff; In fact, rather disappointingly, if most of us got the chance to ask some spook in-the-know if we were a target of any suspicion, most likely the answer would be 'no, you're boring'.

      • by Kogun (170504)

        So as long as it doesn't bother you, you think it is ok that the government abandons due process, checks and balances. Who the fuck are you?

        ... I'm betting my systems aren't infected with this stuff.

        Why should you believe your systems aren't infected? You must believe the NSA was savvy enough to employ agents to undermine open source cryptography but too stupid to use agents or other means to undermine your malware/virus protection. But you aren't supposed to care, anyway, because you are a boring nobody. So why do you even comment? You have nothing insightful to

    • by PmanAce (1679902)
      Even if they use these weapons against your own citizens?
    • by Kogun (170504)

      Your position is common but Machiavellian, and extraordinarily short-sighted.

      A primary underlying principle of our government, found throughout the Constitution, is that the processes of justice, law-making, and enforcement must be fair. This same principle does not guarantee fair outcomes. Checks and balances, search warrants, innocent until proven guilty, 5th amendment rights, equal protection clause, etc, are all part of processes designed to protect the innocent and ensure a fair process of enforcemen

    • by AmiMoJo (196126) *

      Okay, just don't be surprised or upset when foreign governments do the same to you. If you want a cyber cold-war where pretty much anything goes just carry on as usual.

    • by ozzy85 (1427363)
      If you're American, then for the love of your country reread your constitution and ponder if we're as free as our forefathers hoped us to be.
  • I don't know how much is known vs speculation here. If the NSA has some MySQL manipulation tools, it might not actually be intended for use on the actual internet. It is possible that they infiltrate networks and use these tools on the inside.

    It came out that they're tapping dedicated lines, and those are often unencrypted. However, I'd expect most competent mysql use to stay confined to a LAN, even with encryption. Latency tends to cause problems if you separate the database from the application layer.

    • by Gothmolly (148874)

      Do you know how many cheapo hosting companies give you MySQL with your account?

      • by Rich0 (548339)

        Do you know how many cheapo hosting companies give you MySQL with your account?

        Sure, but why would that traffic go over the internet? You would have your server-side application component talk to the database.

        But, I did say "competent." It would not surprise me if some people stick mysql credentials in their javascript code and just manipulate the database from the browser.

    • by Deep Esophagus (686515) on Friday March 14, 2014 @12:09AM (#46479943)
      I have to wonder, how many national-security-endangering secrets are terrorists storing in a MySQL database?
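Added example, not part of the original discussion: a defender can settle the "is this MySQL traffic actually unencrypted?" question raised in this thread from the first two packets of a captured session. The Python below parses the server greeting and the client's first packet and reports whether the session upgraded to TLS or logged in in plaintext; it assumes the 4.1 protocol, and the function names and sample byte strings are constructed for illustration.

```python
import struct

CLIENT_PROTOCOL_41 = 0x0200   # MySQL capability flag: 4.1 protocol
CLIENT_SSL = 0x0800           # MySQL capability flag: TLS supported/requested
_OTHER_CAPS = 0x8000          # CLIENT_SECURE_CONNECTION, used in the samples


def iter_packets(stream):
    """Yield (sequence_id, payload) from a reassembled MySQL byte stream."""
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")
        payload = stream[off + 4:off + 4 + length]
        if len(payload) < length:
            return  # capture ended mid-packet
        yield stream[off + 3], payload
        off += 4 + length


def parse_greeting(payload):
    """Return (server_version, capability_flags) from a protocol-10 greeting."""
    if not payload or payload[0] != 10:
        raise ValueError("not a protocol-10 server greeting")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    # Skip terminator, connection id (4), auth data part 1 (8), filler (1).
    pos = end + 1 + 4 + 8 + 1
    cap_low, = struct.unpack_from("<H", payload, pos)
    # Skip charset (1) and status flags (2) to reach the upper capability bits.
    cap_high, = struct.unpack_from("<H", payload, pos + 2 + 1 + 2)
    return version, cap_low | (cap_high << 16)


def classify_session(server_stream, client_stream):
    """Classify one session from each direction's reassembled bytes."""
    greeting = next(iter_packets(server_stream), None)
    first = next(iter_packets(client_stream), None)
    if greeting is None or first is None or len(first[1]) < 32:
        raise ValueError("capture does not contain the handshake")
    version, server_caps = parse_greeting(greeting[1])
    payload = first[1]
    client_caps, = struct.unpack_from("<I", payload, 0)
    result = {
        "server_version": version,
        "server_offers_tls": bool(server_caps & CLIENT_SSL),
        "username_exposed": None,
    }
    # An SSLRequest is exactly the 32-byte fixed header with CLIENT_SSL set;
    # everything after it, including the login, travels inside TLS.
    if len(payload) == 32 and client_caps & CLIENT_SSL:
        result["transport"] = "tls-upgrade"
    else:
        end = payload.index(b"\x00", 32)
        result["transport"] = "plaintext"
        result["username_exposed"] = payload[32:end].decode("utf-8", "replace")
    return result


# ---- Constructed sample packets (not taken from any real capture) ----
def _pkt(seq, payload):
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def _client_header(caps):
    # capability flags, max packet size, charset, 23 reserved bytes = 32 bytes
    return struct.pack("<IIB", caps, 1 << 24, 0x21) + b"\x00" * 23


_SERVER_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SSL | _OTHER_CAPS
SERVER_GREETING = _pkt(0, b"\x0a" + b"5.6.0-constructed\x00"
                       + struct.pack("<I", 7) + b"ABCDEFGH" + b"\x00"
                       + struct.pack("<H", _SERVER_CAPS & 0xFFFF) + b"\x21"
                       + struct.pack("<H", 2)
                       + struct.pack("<H", _SERVER_CAPS >> 16)
                       + b"\x15" + b"\x00" * 10 + b"IJKLMNOPQRST\x00")
PLAINTEXT_LOGIN = _pkt(1, _client_header(CLIENT_PROTOCOL_41 | _OTHER_CAPS)
                       + b"appuser\x00" + b"\x00")
TLS_UPGRADE = (_pkt(1, _client_header(CLIENT_PROTOCOL_41 | CLIENT_SSL
                                      | _OTHER_CAPS))
               + b"\x16\x03\x01\x00\x05hello")  # stand-in for TLS records

if __name__ == "__main__":
    print(classify_session(SERVER_GREETING, PLAINTEXT_LOGIN))
    print(classify_session(SERVER_GREETING, TLS_UPGRADE))
```

A "tls-upgrade" result shows only that the session was encrypted on the wire; whether the client verified the server certificate is a client-side setting that a passive capture cannot show.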
  • If you have been on your computer, cell phone or car with EZpass or OnStar: they know a lot about you. Even if you have 7 degrees of separation from the bad guys.

    You have to applaud the thoroughness. Misguided patriots, the lot.

  • 10 BILLION DOLLAR BUDGET, and they have a bag of Tommy 10 year old script kiddy tools to show for it...

  • If the NSA can bring down botnets, why don't they? Are spammers making political contributions?
    • by Burz (138833)

      If the NSA can bring down botnets, why don't they? Are spammers making political contributions?

      They are the best and brightest of an unaccountable corporate-run state. In their minds, they are already doing something constructive just by showing up at work and feeling insecure and nosy.

      Of course, letting garden-variety criminals front for you engenders a motive for letting those criminals off the hook.

    • by AHuxley (892839)
      It's one global network and the same staff on two very different missions. One to use the botnets to reach out and own computers with and one to protect from often the same botnets.
      The US faced the questions in the 1930's with the Army and Navy working on codes (mostly from Japan) - on the same codes with very few US experts ie duplication..
      If the using of the botnets is given to another agency via CIA ....
      If protecting from the botnets is given to another agency via FBI ....
      The other aspect is knowing
  • by BitterOak (537666) on Friday March 14, 2014 @02:57AM (#46480379)

    But it also includes gadgets like a plug-in to inject into MySQL connections, allowing the NSA to quietly mess with the contents of a third-party's database. (This also surprisingly suggests that unencrypted MySQL on the internet is common enough to attract NSA attention.)

    When the author wrote that part of the story, he or she seemed to be unaware of what he or she had just written:

    allowing bogus certificates and similar routines to break SSL

    By breaking SSL, the NSA has access to SQL queries whether or not they're encrypted.

    • by akozakie (633875)

      Besides, why "on the Internet"? The assumption here is that it's somehow hard for the NSA to infiltrate an intranet - hard to believe given the wide choice of tools they have. And unencrypted MySQL on the intranet is common.

    • No, I think you didn't parse the story carefully enough. If you look, it's saying that MITM attacks are the kind of thing that COULD be used to break SSL, if you had bogus certificates. It does not say that there's any evidence of this actually happening on a large scale, and indeed one of the surprising things about the Snowden leaks so far is that there isn't much (any?) evidence of SSL sabotage, even though it obviously must be one of their highest priority targets. The MITM attacks that NSA/GCHQ have be

  • by i_want_you_to_throw_ (559379) on Friday March 14, 2014 @08:07AM (#46481373) Homepage Journal
    What I have noticed is that there is a story in the media every damn day about the overreach of NSA and arghh.. people are outraged. Oh it's horrible, etc etc. Amazingly enough, no one seems to want to do anything about it. Where are those stories? Where is the demand for congressional oversight? We get the NSA we deserve because we the people are doing nothing to rein them in.
    • We get the NSA we deserve because we the people are doing nothing to rein them in.

      Fool. We have never had the NSA we deserve. Secret agencies are now and have always been anti-activist. [wikipedia.org] There is nothing we can do about them legally, we are their enemy. [theguardian.com] They will not bow to the demands of the enemy. I speak of activism because voting is meaningless. If you think otherwise then you're under the flawed assumption that our government's voting system isn't compromised [snagfilms.com], that or you wrongly believe it hasn't been blatantly rigged all along. [snagfilms.com]

      How dare you accuse the powerless of deserving th

    • by Kogun (170504)

      Do you know why there is news every day? Because the quantity of information leaked by Snowden is overwhelming. Furthermore, the scope of the violations is beyond all measure. We would do less, and care less if all this were released at once.

      The information is dribbled out, little by little, because we Americans have a short attention span and if it were all released at once, we'd be interested only until the next celebrity break-up, or Superbowl, or Oscar night, or terrorist bombing, or jet-liner gone m
