Moscow-Based Security Firm Reveals What May Be The Biggest NSA "Backdoor Exploit" Ever

a reply to: daftpink
It seems more than likely that they have and more than likely have continued to do as technology has evolved.
But this is nothing "new" as in something that has come about only in the past few decades of computing. It goes right back to the first and second world wars, and carried on evolving through the cold war, and carries on till present day... Back then it was called signals intelligence, or SIGINT, it can be used but it can alsombe used for communicating over long distances... For example on ships passing throug the night, lights were flashed on and off to send messages between allied ships at long distances or during bad weather that prevented radio communication and of course Morse code was also known as SIGINT.
SIGINT teams were used for both communicating between allies, and intercepting enemy SIGINT, which led tomthe development of encryption algorythms able to be decrypted by a special "key" to unlock the scrambled and encrypted code. Encrypted messa though are nothing new, and probably go back centuries, but electronic encryption is only 100 years old or less. Wired and wireless.

When it comes to machine code, the same rules of SIGINT apply. What you have in its most basic binary form are series of ones and zeros as in : 01110100 for example. Similar to ships using flashes in the night. A one is a flash and a zero is a period of darkness lasting a certain amount of time. 00010000000000010000100011100 another example. If you imagine each character as one second long, you can imagine what that binary signalninhave just sent would look if it was sent from a ship. Three seconds of darkness, a one second flash, followed by eleven seconds of darkness followed by another one second flash followed by fournseconds of darkness followed by three consecutive flashes or one long three second flash, followed by two dark.. Obvioudsly its not exaclty the same but you get the idea, these are electronic signals being sent through the computer building layer upon layer of machine code, trillions of lines long. These are very basic yet very advanced levels of computing, which create the core architecture for every machine to work from. Different machines have different architectures, and as I have found out with microcode, it is possible to emulate other machine code architectures on a machine built with an entirely different machine code architecture...
(See my above post with the wiki article)

Now the thing about your hardware is, its built with a machine and microcode already installed. And therr are very good reasons not to funk around with it, just like not poking a large power grid with metal rod, you dont go poking around the architecture of your digital machine with a keyboard, unless you have maximum win on you side. Because otherwise you will have maximum fail. Aka a bricked machine. But there isnnothing wrong with a look btnfont touch approach, except that unless you knowmwhat you're looking at it would just be a wste of time....

Digital architecture aka machine codes and microcodes use trillions upon trillions of lines of code to set the parameters of each peace of hardware and set it up to for the digital interaction between othernbits ofmhsrdware, using the same or emulated machine code architectures that is installed across the machine...
These machine codes, have certain layers, some it seems are more basic some are more advanced. Together they form operationally sound firmware (if such a thing exists!) that perform certain functions when promoted and make that particular peice of hardware do whatevr it is supposed to do..

Each function of the hardware is promited by the firmware aka the machine code. Now if what bedlam is telling me us is something that is common place it seems a certain lines of machine code used in some of the firmware are "trade secrets", in otherwords if you want your machine to have a decent architecture, you have to pay those individuals or companies royalties or make a contractual agreement with them of some kind, and they dont even tell you what the code they're giving You is, because it emulated and somehow decrypted by some other digital jnteraction in the machine code, too deeply embeded to see (but not impossible to trace and fin out). But once its compiked in the firmware, indeed it can potentially do anything, unbeknownst to even the most cautious hardware and firmware companies or agencies.) So in terms ofnthe nsa involvement in all ofnthis, well we dont know. But itncould be anything from owning the most fundamental components of the machine code digital architecture (why on earth isnt open source i do no know for sure but I suspect SIGINT were involved in making it patented, instead f having it all open sourced), and leasing it to the hardware and firmware companies, to them owning only certain amounts of machine code butnwith big exploit capabilities, to them being the owners of both certain exploitable machine code the hardware component itself, and the companies themselves.. Or as SO suggested simply placing plants in key roles in hardware companies to develop exploits. Its probably all of the above. And who knows how many industry moles they have doing this today? We know its nothing new, because it was going on all through the cold war. Get this China recently discovered kettles were wirelessly infecting their computers with spyware! And telephone companies in the 80s were often fitted with bugging devices able to record live conversations in living rooms up and down the country from remote listening stations. So its nothing new, but you can see it has come a long way since the days of the Morse code interception, and telephone bugging / tapping
It would be a good idea to research more I to this to find out exactly how it goes down. Ormperhaps bedlam can spill more beans for us. We love beans I suspect though

Heres a link to an article the kettle hacking: www.cbsnews.com...

originally posted by: daftpink
a reply to: Aazadan

Does anyone know how they are infiltrating the hard drives? I know they have written exploits into the firmware so does that mean they are infiltrating software companies?

Some of it is being placed there by rootkits and/or trojan horses.

a reply to: Bedlam

Can u recommend any textbooks on these subject that you feel stand out from the rest?
(I'm sire you must have read a few in your time)

a reply to: funkadeliaaaa

Hey funkadeliaaa thanks for that detailed post. I am currently studying computing (web design and ethical hacking) so i am aware of machine code and architecture etc but some of what you posted was new to me and has also made this whole scenario clearer so thank you.

So from what I can gather - the firmware code was infiltrated, the manufacturers who write the code were probably hacked imo, and the trade secrets discovered this way. Perhaps the reason firmware is patented and guarded is to prevent super stealthy attacks like these happening, which would a fair judgement.

However we all know the UK and the US government think they are lawless so it doesn't shock me if it was them but people's nonchalant attitude to this does. I hear people say that it's too technical for non-techies to appreciate the full implications these revelations bring. But it's really frustrating that many just don't care. So what do we do?!

The group dubbed the equation group are now above operating systems, firmware companies, were aware of zero day exploits before anyone else, basically above the law and above the world of personal computers.

They have the ability to infiltrate anyone in super stealth mode. And people are ok with this??? (not directed at anyone in this thread but I know many who just shrug and turn away and I find it baffling)

I have even heard of a technique that involves listening on networks for the distinct hum that our pylons and electricity generators make as these are apparently unique and can be used to pin point ones location. I think that's how the story went, wish I still had the link!

Love the kettle hack!!

a reply to: BornAgainAlien

I just find it hilarious that they're doing this on 'behalf of the United States' ... Tell me, does this benefit any of you?
Now theres gonna be all sorts of people pissed off at the USA. All because of a rogue agency that the people didn't even want in the first place.

originally posted by: funkadeliaaaa
a reply to: Bedlam

Can u recommend any textbooks on these subject that you feel stand out from the rest?
(I'm sire you must have read a few in your time)

Wow. I didn't have any one textbook, I got mine by getting a masters in EE. We designed a CPU at one point. Lots of design time. Lots of assembly language coding. Some work in this field, too.

originally posted by: twhite93
a reply to: BornAgainAlien

I just find it hilarious that they're doing this on 'behalf of the United States' ... Tell me, does this benefit any of you?

Likely, yes, or they wouldn't have kept it up. Things that don't work get dropped.

I don't post here often, forgot my password and even my username. So I created a new just to post this:

I used to have a computer store, and used a very advanced data recovery system called PC3000.
What I had retailed for $14K, it did amazing things, one of which was "fixing" the firmware on drives to enable data recovery.

I had a special cable that connected to the HDD, and I would be able to intimately work on the firmware using commands from hyperterminal. (if you look at a Seagate drive you will see four pins at the end of the board, that's where you connect)

There was a bug in a certain Seagate 500 gb drive where a cache area in the firmware wasn't large enough and would "spill" over, crashing the firmware and making your data inaccessible. The drive would not even show up in the BIOS when this happened. In addition to the cache, there are other "writable" areas of the drive, such as the S.M.A.R.T table which tracks errors and warns of impending failure.

I would have to apply power to the drive with a piece of paper interrupting the contacts that give the drive power, connect in hyperterminal, and then pull the paper to spin the drive. Then perform some erase functions via the menu driven interface, blowing away the S.M.A.R.T table, faulty cache, and some other values. (I sold the system, so this is all from my recollection. ) There were some steps you had to go through, it would sometimes take multiple tries, and I would even have to stray from the documented procedure to get the data off. Then I would immediately flash the firmware without the bug, so help ensure a successful recovery. The hyperterminal interface was menu driven, and well documented by Seagate, WD and others not so much. There are message boards, full of Russian guys, where you could MAYBE get questions answered. They had the WD, Maxtor & other docs, but as you may notice, the HDD manufacturers have kind of consolidated.

Another trick was to remove the NVRAM chip from a donor drive, and put the NVRAM chip from your data drive in it's place and switch boards. The NVRAM chip holds all the specific geometry for your drive and is specific to EVERY drive, since every drive has bad sectors initially at manufacture and this must be described EXACTLY or you ain't reading nothing.

I only delved into the firmware operations enough to get the EU's data recovered. But there were many more options in the menu, most of which I had no idea what the result would be, and I obviously did not experiment with customer's data.
The long and short of this is that I certainly can imagine some extraneous code being in there that could place a DLL on ANY sector it wants. It has complete and full control.

But - for this to be successful I think it needs to know something about your OS. I would suspect Windows and Mac to be the most vulnerable. There isn't a lot of room in there, and the more possible scenarios they try to cover needs precious space which possible future firmware updates may clobber. If the exploit covers ALL scenarios it is also easier to detect.

When I had the store I also submitted quotes to the US Army for a network attached storage system I sold. It used ATA over Ethernet, and unlike iSCSI or NFS it DID NOT USE TCPIP. The box was addressed by MAC address, and was commonly used in VMware ESXi virtual environments. It's manufactured by ONE company - Coraid, the inventor of the ATAOE protocol. To access the storage system you needed an HBA manufactured ONLY by them, which is essentially an Intel E1000 nic with special FIRMWARE. I suspect the US Army may be clued in on how to avoid this HDD exploit.....
I was not such a high level Coraid partner to get the "good" pricing, so I think I was receiving the RFP's just to be quote #3 to follow the get 3 quotes rule. But they were for HUNDREDS of drives, Enterprise Class SAS, & MANY cabinets.

Virtualization is most likely the the key here. VMware uses a disk image file like drive.vmdk. There is no firmware in a disk image file. The bios of a VM is the Intel 440BX reference bios from the late 90's, and you can switch this out with a known clean one. SO how does bad firmware code know where to insert a DLL in a monolithic disk image? I think such a feat may not "fit" in the limited extra space available in HDD firmware. It's one thing to add some code, but to make Seagate solder a bigger chip on the board? And just to be sure, lets put the disk subsystem in a remote box, with NO IP stack, attached to a special NIC with NO IP stack.

So the countermeasure is to run a Virtualized system, you can even build an ATAOE SAN if you are really paranoid.

All of my pc's are virtual, this one I am typing on, my kid's pc's etc. I use PCI Passthrough for the graphics cards, and can play the latest Wolfenstein The New Order on the highest settings. The box I use has 6 video cards, with a different OS running on each one. As I type, my 10 yr old is playing Teraria on Steam, & the 13 yr old is playing Super Meat Boy on the same box. It runs any Windows, Linux, SteamOS, Mac, and even Android x86. I have been lazy about the SAN though......

I have a project on Hackaday.io (Hydra Multiheaded Virtual Computer) that details the 6 card build. Check it out, build one yourself, and keep the NSA out of your data, questions are welcome and it's Open Source. I haven't updated in a while, but I am working on a single card living room gaming build and will be updating soon....

Hydra Multiheaded Virtual Computer

An interesting point to note is that the sectors targeted by GrayFish are -

Government and diplomatic institutions
Telecoms
Aerospace
Energy
Nuclear research
Oil and gas
Military
Nanotechnology
Islamic activists and scholars
Mass media
Transportation
Financial institutions
Companies developing encryption technologies


So if I'm correct islamic students are targetted. VERY unethical, NSA/GCHQ/Equation group!!!

Source -


securelist.com...

a reply to: SolRozenberg

Awesome info Sol thank you!

originally posted by: Bedlam

originally posted by: funkadeliaaaa
a reply to: Bedlam

Can u recommend any textbooks on these subject that you feel stand out from the rest?
(I'm sire you must have read a few in your time)

Wow. I didn't have any one textbook, I got mine by getting a masters in EE. We designed a CPU at one point. Lots of design time. Lots of assembly language coding. Some work in this field, too.

would it still work today? (I am guessing probably not)


Ok then, so you must have read lots of books.
Perhaps you should write a thread with a list of titles then for us noobs

ATS has a computer forum, to you could post it in there. What do you think?

I'm going to start a new business called the moleware exterminator... we destroy moleware on despair ...

a reply to: 0bserver1

Hahaha moleware should be the least of your worries...
If its not you havent been paying enough attention to posts in this thread.

originally posted by: JacKatMtn
a reply to: SkepticOverlord

I wish I could say I am shocked...

if it goes this far, how long til we hear the news that all motherboard manufacturers have been compromised?

Free speech on the web, is an illusion?

Motherboards have been compromised since 1995 that I know of, many times certain operations that cannot be reconciled with ANYTHING known can be observed.

a reply to: funkadeliaaaa

No sorry I'm not , because many technical details are way above my pay grade..
but what I do wonder about is that that Russian hacker Vladimir Drinkman that has been extradited to US for stealing millions of creditcard numbers has a connection to this topic . Maybe he knew how to search the harddrives for those numbers the same way the NSA works to retrieve the info they need ?

a reply to: 0bserver1

Lol it doesnt mean you can't or shouldnt learn about them!

Replying for thread sub.

a reply to: SolRozenberg

I wish I knew you in person. I hate being the smartest person in my circles. People like you and bedlam push me to soak up more info. Same to all the other posters on this site and in this thread putting out posts.

The exploits - including the 'prized technique' of the creation of a secret storage vault that survives military-grade disk wiping and reformatting - cover every hard-drive manufacturer and have many similar characteristics to the infamous NSA-led Stuxnet virus.

Can this be clarified, please, if anyone knows exactly what was meant in the original source?

Does it mean

- The hackers use the remote hard disk drives of infected domestic and business (and perhaps state) PCs through infection, to make those many disk drives owned by many different people together into the "secret storage vault" which is virtually impossible to erase (either remotely or at location)?

- Or that the hackers are very efficient in hacking, and also have built their own secret storage vault on their own disks / servers which they keep themselves. They have perfected a means to make this storage up from drives made by every manufacturer in a way which cannot be wiped by advanced means (either remotely or at location)?

---

I just didn't understand the source quote.

Either the hackers are using disks of many unwitting users collectively to form their own remote storage vault which even beats advanced erasing methods.
Or it's just that the hackers have perfected that technology of treating their own disks so their data can't be erased by military.

Big difference, and I'd like to know which it is.