The NSA Playset: 5 Better Tools To Defend Systems

The NSA ANT catalog is a 50-page classified document listing technology available to the United States National Security Agency (NSA) Tailored Access Operations (TAO) by the ANT division to aid in cyber surveillance.

Inspired by the National Security Agency’s ANT Catalog, a community of security researchers has been working over the past year to make cutting-edge security tools more accessible and easier to use and understand, tapping into the open source software community and commercially-available products.

The NSA Playset project “grew out of an interest by security researchers to build the same types of tools nation states use,” applying open source and commercially-available hardware and software, said Michael Ossmann, a wireless security researcher and founder of Great Scott Gadgets, a company that is working to put cybersecurity tools into the hands of innovative people.

The goal of the NSA Playset project is to develop technology and techniques that serve as a demonstration of the types of threats people might not have considered before, Ossmann said during a session on Thursday at Black Hat, entitled NSA Playset: A Year of Toys and Tools.

The NSA ANT Catalog is a 50-page classified document listing technology available to the NSA Tailored Access Operations by the ANT division to aid in cyber surveillance. Most documents are described as already operational and available to U.S. nationals and members of the Five Eyes Alliance – Australia, Canada, New Zealand, the United Kingdom and the United States. The document was first revealed in an article by security researchers in the German newspaper Der Spiegel, which released the catalog to the public on December 30, 2013.

A lot of the hacking techniques and tools revealed in the NSA ANT Catalog were known to the public security research community. However, some were new, which left researchers like Ossmann wondering why they had not seen some of these exploits before.

“We as a security community as a whole have the benefit of learning from these leaks,” from a technical and threat prevention perspective, Ossmann said. The information helps security researchers learn about the technology and threat techniques they should consider when developing defenses for systems.

So the NSA ANT Catalog gave birth to the idea of the NSA Playset, whose members have been developing a host of “toys and tools” over the past year. Ossmann described more than a dozen during his talk. The tools have been grouped into five categories based on their functions. The categories are: Physical Domination, Hardware Implants, Passive Radio Interception, Active Radio Injection, and Radio Frequency Retroreflectors.

Here are five examples from Ossmann’s presentation. A full list can be found on the NSA Playset website:

Physical Domination: Slotscreamer is an inexpensive PCI Express attack tool that can be used in a number of ways. Ossmann said it can be implanted into a computer, letting a person implement a PCI Express device that can access the computer’s memory bus. Joe Fritz and Miles Crabill built a prototype based on a commercial microchip that serves as a USB device and also as a PCI Express device. An open hardware and software framework that will be released by NSA Playset will give researchers the ability to tinker with Direct Memory Access attacks to read memory and bypass software and hardware security measures.

Hardware Implant: ChuckWagon takes advantage of I2C, a serial bus that many people do not realize they have on their computers. But people doing electronic design use it all the time, Ossmann said. It is typically used to attach lower-speed peripheral ICs to processors and microcontrollers. There are I2C buses on PC motherboards that are exposed to the operating system. Some, however, are exposed on the outside of computers via VGA cables or HDMI ports. If an interface can be surreptitiously placed on a computer, a communications channel could be created to run malware on that computer. At DEFCON last year, Josh Datko and Teddy Reed demonstrated a ChuckWagon prototype using a VGA board attached externally to a computer that gave malware a covert channel into the system.

Passive Radio Interception: There are several tools for sniffing Global System for Mobile Communications (GSM) in the NSA Playset. For example, Leviticus is a handheld spectrum analyzer, which existed before the NSA Playset. But it fits nicely into the project, so the folks decided to give it a silly name and move it into the NSA Playset, Ossmann said. It is an older mobile phone using the Calypso chipset. Hackers who learned to write code for that chipset over the years have introduced interesting tools. One tool measures the received signal strength indicator (RSSI) from baseband. A lot of RSSI data can be pulled into a large spectrum analyzer application with limited bandwidth embedded into the mobile phone. “I think it is cool that you can take an off-the-shelf mobile phone and do such a thing,” without making any hardware changes, Ossmann said.

Active Radio Injection: Tiny Alamo is a suite of tools for Bluetooth keystroke surveillance and injection, presented by Mike Ryan at the DEFCON Wireless Village last year. It is more of a software attack, targeting Bluetooth keyboards and mice, which are basically insecure. Ryan was able to spoof a wireless Bluetooth mouse and inject keystrokes. People might think that they don’t have to worry much about wireless mice, but Ryan demonstrated that an attacker “can take a vulnerable mouse and do something far more powerful with it,” Ossmann said.

RF Retroreflector: CongaFlock is an RF retroreflector built by Ossmann. RF retroreflectors are becoming increasingly important for security reasons, he noted. CongaFlock is designed to be implanted in hardware, such as a cable, monitor, keyboard or PC: any kind of electronic device that has a signal that goes over a wire. It gives an attacker the ability to eavesdrop on the signal on that wire using radar. Implanted in a keyboard, it could let an attacker study keystrokes or sniff video screens, Ossmann said.

The NSA Playset has other projects in development, but Ossmann thought it was a good time to describe the work its members have done over the past year.

Dark Reading: http://ubm.io/1PoVKCs

 
