Spying software hidden deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers

Firmware in general is spooky. Unless entirely open.

On Tue Feb 17 2015 at 8:54:48 AM <name at domain> wrote:

> (Reuters) - The U.S. National Security Agency has figured out how to hide
> spying software deep within hard drives made by Western Digital, Seagate,
> Toshiba and other top manufacturers, giving the agency the means to
> eavesdrop
> on the majority of the world's computers, according to cyber researchers
> and
> former operatives.
>
> That long-sought and closely guarded ability was part of a cluster of
> spying
> programs discovered by Kaspersky Lab, the Moscow-based security software
> maker that has exposed a series of Western cyberespionage operations.
>
> Read more:
> http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-
> idUSKBN0LK1QV20150216
> Source:
> http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-
> idUSKBN0LK1QV20150216
>

:(
i guess ill go back to floppy disks...

This news makes me so crazy
Where I run
The only solution is to leave the network

For this news article and The U.S. National Security Agency actions, I'm wearing my home made Aluminum Foil Deflector Beanie because is a Practical Mind Control Protection against Paranoids.

For more info in how is done by The The U.S. National Security Agency, here are additional few links to read about.

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

A deep explanation of how Kapersky did it. Be aware it is a PDF Document.

http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf

And if you are about to hit the panic bottom, or bail out with your emergency parachute, make sure you listen to the song "Somebody's Watching Me" by Rockwell just for your reading valor.

Yes, I was going to post this. Judging by some of the dates listed in these articles Kaspersky's knowledge of this goes back years, and much information is redacted, as well as many involved conspirators not named, even though the articles imply such knowledge. Why would Kaspersky be so un-transparent with us?
This essentially makes encryption useless. I originally thought the reason DPR's Full Disk Encryption failed him was due to the fact that his laptop was seized while still in operation, and suffered a cold boot attack. In light of this new knowledge perhaps
this was not the case.
Opening op the code to SSDs (and I would hope it wouldn’t just be SSDs) wouldn't come close to solving the problem. Many other peripherals exist which use the same flash storage switching back to EPROM would be a better idea, it never should have been dropped for the sake of BIOS upgrades. Perhaps a better solution might be to block ALL writes to peripheral storage with a temporary HARDWARE switch allowing write intervals before resetting.
I warned everyone about this before. The whole idea of "Smart" storage and peripherals was a disaster waiting to happen, and now it's being exploited, and has been for years apparently. Having a tiny OS between you and your data is stupid. Your Fingerprint reader has this ability so does your USB controller as well as your CD/DVR/BD drive, also your network card, and GPU; as reported your HD controller does too.
Also Western Digital isn't the only distributer who's HDs have been compromised, I believe 20 brands were effected. I think as a community we need to come together to solve this problem. The internet is full of information "How to prevent TROJANS" (Buzzword) "How to remove VIRUSES" (Buzzword) but much of this information is useless, and provides no solutions, yet also fails to mention fixes for implants or backdoors at all. Search for Greyfish, and you won't find much. So what should we do about this, go back to using 12345 as a password?

http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage

In fact, there is considerable ambiguity
Do it take advantage of the functions of the os to spy??
Or everything is built inside

There are programs that tells you about the data that passes from your computer
Is wraps on the program?
There is no answer

From what I've understood by reading the Snowden documents - if your pc is connected to the internet you can be the greatest security expert on the earth and use whatever OS on whatever hardware - if they want to get in your pc they will. So.. use free software and secure yourself as you better know and can but don't think you can escape the pigs. Having a spyware on a hard disk or not having it doesn't really matter that much at this point. Sadly.

Defeated Attitude, Beat Down Much? I have heard this argument multiple times, it seems to be recycled quite often.
Do you think winning is impossible? Why strive for something unless you believe it's possible to accomplish?
Do you believe fully free modern computers will be available to us? Why support free software?

>>DPR's encryption didn't fail him - he failed at doing it >>properly.
How so? There doesn’t appear to be much information available as to those specifics.
>>You can't honestly make statements like "" if you know >>and understand the history of WHY it's done that way.
There is a reason these things haven't been done, cost. The computer can do the processing for the harddrive, it needn't be left to the
questionable coding skills intent of motiveless third parties, worse third parties with a motive. EPROM is an effective solution;
it is merely more expensive. Besides, I don't see how hardware disconnect for peripheral’s writable media wouldn't solve this specific problem.
There is a demand for secure technology, especially in the business sector.
>>Anyway, if you want what you're asking for - unplug >>from the internet,
This is an absurd statement, perhaps I shouldn't leave the house for fear of being shot.
>>store data on paper under lock and key in a safe
Are state actors unable to open safes?
>>speak to no-one, throw your phone away.
I speak to whom I wish. I have thrown away my phone, I could not secure it to my satisfaction, or install a GNU Linux OS+desktop in a secure manner.
The design of these devices is intentionally flawed.
>>If you're going to use a computer, make sure it's one >>that you put together yourself from individual >>components.
If you're going to eat food, make sure it's been grown by you, milled yourself, cooked from individual ingredients, and isn't poisoned.
I have verified the security of two of the devices I use, though they are under-powered.
I do not use google.
>>From what I've understood by reading the Snowden >>documents - if your pc is connected to the internet you >>can be the greatest security expert
>> on the earth and use whatever OS on whatever
>>hardware - if they want to get in your pc they will.
I believe this is FUD. They are not god. If this was true "hackers" wouldn't exist. Snowman obviously wasn't compromised, or his data
would have been remote-wiped. Besides, we need to solve these problems. For every measure a countermeasure.
>>Having a spyware on a hard disk or not having
>>it doesn't really matter that much at this point. Sadly.
How exactly? Do you mean compromised hardware?

The problem is inherent in the fact that we excessively use a machine far too complex to be understood by ourselves or anybody around us (at least as a whole).
Some big companies understand *parts* of that machine; they are the only one who do and even they don't understand the machine as a whole.
So should we stop using computers?
Call me crazy, but my answer is: partially yes.
We should stop using computers for really sensitive stuff, maybe we should stop using them as much as we can.
I mean, come on! People lived without computers for thousands of years; you want to write something down nobody should ever see but you? Take pen and paper, there you go; problem solved.
It's far easier than going crazy about hundreds of components of your computer, fighting a war you can't win.
I'm _not_ saying that we should stop fighting for free software and privacy!
We deserve both and should try to achieve the best situation we can; I'm just saying that a pc might never be a perfectly private, user respecting machine, no matter how hard we try.

quantumgravity

I agree with you only 90 percent of your comments.
Why?
They designed this poison to be more reliable while using Windows OS and Mac OS not GNU/Linux.

The more U read into it, you will discover that they need some kind of software for it to function. In this case Widows and Mac. It it a target malware for a specific IP, region and specific OS only.

Read on it. and you will understand the mechanics they are using for years.

I always believe, If anyone compromise their computer and information, is because their trust and knowledge is naive and limited on how to protect themselves and equipment.

http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf

More Information to listen to.

http://threatpost.com/massive-decades-long-cyberespionage-framework-uncovered/111080
http://threatpost.com/inside-nls_933w-dll-the-equation-apt-persistence-module/111128

Listen to the interview
https://threatpost.com/costin-raiu-on-the-equation-group-apt/111169

Listen to what he say's about encryption! At least there is a solution...

To be well informed, kills the computing paranoia attitude By Jodiendo...

A tad off-topic by now but going back to 1.5Mb(or, God forbid, .7Mb) floppies is a bit.....mad, isn't it?

An old 20 GB IDE HDD would make a bit more sense, for example. Or do those spy as well? :)

I think that free modern computers will be available to us. It will simply be a matter of other nations producing and selling their own hardware. Eventually, if US tech companies continue along this path they will probably lose all foreign customers.

http://www.wired.com/2015/02/nsa-firmware-hacking/

ANOTHER ARTICLE
How the NSA’s Firmware Hacking Works and Why It’s So Unsettling

By Kim Zetter
02.22.15

One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—“surpasses anything else” they had ever seen.

The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named “nls_933w.dll”, is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered.

It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don’t get encrypted.

Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption.

Here’s what we know about the firmware-flashing module.
How It Works

Hard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides.

When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one. The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquatinoDrug and one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system.

Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one.

The attack works because firmware was never designed with security in mind. Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don’t examine it. There’s also no easy way for users to read the firmware and manually check if it’s been altered.

The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba.

“You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says. The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.”

Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive disk where the hard disk stores data needed for its internal operation.
Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn’t get much play when the story broke last week, but it’s the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there’s still a lot that’s unknown about the attack, but some of it can be surmised.

The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal.

This is particularly useful if the the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they’re unencrypted and save them to this hidden area on the machine that doesn’t get encrypted. There isn’t much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally as valuable to bypass encryption.

“Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu says.

Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls “customs opportunities,” and extract the password from this hidden area to unlock the encrypted disk.

Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications.

“[The owners] only use it in some very specific cases where there is no other way around it,” Raiu says. “Think about Bin Laden who lived in the desert in an isolated compound—doesn’t have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific.”

Raiu thinks, however, that the attackers have a grander scheme in mind. “In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs.”

They wouldn’t need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage. Luckily for them, it exists. There are large sectors in the service area of the hard drive disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved are or system area, stores the firmware and other data needed to operate drives, but it also contains large portions of unused space.

An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted “not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools.”

Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area, but only uses 12 MB of this, leaving the rest free for stealth storage.

To write or copy data to service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, “[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible,” Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail.

One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there’s only 80 MB, it’s a dead giveaway that something is there that shouldn’t be. But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.
NSA Interns to the Rescue

The document (.pdf) is essentially a wish list of future spy capabilities the NSA hoped to develop for its so-called Persistence Division, a division that has an attack team within it that focuses on establishing and maintaining persistence on compromised machines by subverting their firmware, BIOS, BUS or drivers. The document lists a number of projects the NSA put together for interns to tackle on behalf of this attack team. Among them is the “Covert Storage” project for developing a hard drive firmware implant that can prevent covert storage on disks from being detected. To do this, the implant prevents the system from disclosing the true amount of free space available on the disk.

“The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes, say, half of its available space,” the document reads. “It would report this size back to the operating system and not provide any way to access the additional space.” Only one partition of the drive would be visible on the partition table, leaving the other partitions—where the hidden data was stored—invisible and inaccessible.

The modified firmware would have a special hook embedded in it that would unlock this hidden storage space only after a custom command was sent to the drive and the computer was rebooted. The hidden partition would then be available on the partition table and accessible until the secret storage was locked again with another custom command.

How exactly the spy agency planned to retrieve the hidden data was unclear from the eight-year-old document. Also unclear is whether the interns ever produced a firmware implant that accomplished what the NSA sought. But given that the document includes a note that interns would be expected to produce a solution for their project within six months after assignment, and considering the proven ingenuity of the NSA in other matters, they no doubt figured it out.

Very interesting to say: Todays modern computing software programs that are available or sold are use for forensic tools. Knowing this, I'm assuming they could be re-engineer.

Example of hard drive forensic tools.

EnCase Portable

The Sleuth Kit Informer http://www.sleuthkit.org/informer/sleuthkit-informer-20.txt
http://www.sleuthkit.org/informer
http://sleuthkit.sourceforge.net/informer

File System Forensic Analysis

Hiding Data in Hard-Drive’s Service Areas
http://www.recover.co.il/SA-cover/SA-cover.pdf

http://www.vidstrom.net/stools/taft/
TAFT is an ATA (IDE) forensics tool that communicates directly with the ATA controller. It can retrieve various information about a hard disk, as well as look at and change the HPA and DCO settings.

HDD Guru http://hddguru.com/

Hidden Disk Areas: HPA and DCO
https://utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf

Device configuration overlay
https://en.wikipedia.org/wiki/Device_configuration_overlay\

Device configuration overlay (DCO) is a hidden area on many of today’s hard disk drives (HDDs). Usually when information is stored in either the DCO or host protected area (HPA), it is not accessible by the BIOS, OS, or the user. However, certain tools can be used to modify the HPA or DCO. The system uses the IDENTIFY_DEVICE command to determine the supported features of a given hard drive, but the DCO can report to this command that supported features are nonexistent or that the drive is smaller than it actually is. To determine the actual size and features of a disk, the DEVICE_CONFIGURATION_IDENTIFY command is used, and the output of this command can be compared to the output of IDENTIFY_DEVICE to see if a DCO is present on a given hard drive. Most major tools will remove the DCO in order to fully image a hard drive, using the DEVICE_CONFIGURATION_RESET command. This permanently alters the disk, unlike with the Host Protected Area (HPA), which can be temporarily removed for a power cycle

https://en.wikipedia.org/wiki/Host_protected_area
Host protected area
From Wikipedia, the free encyclopedia
The host protected area (also referred to as hidden protected area[1]) is an area of a hard drive that is not normally visible to an operating system (OS).

more updates from the Electronic Frontier Foundation

Russian Researchers Uncover Sophisticated NSA Malware

Defending your rights in the digital world

February 19, 2015 | By Eva Galperin and Cooper Quintin
Russian Researchers Uncover Sophisticated NSA Malware

Over the weekend Russian IT security vendor Kaspersky Lab released a report about a new family of malware dubbed "The Equation Family". The software appears, from Kaspersky's description, to be some of the most advanced malware ever seen. It is composed of several different pieces of software, which Kaspersky Lab reports work together and have been infecting computer users around the world for over a decade. It appears that specific techniques and exploits developed by the Equation Group were later used by the authors of Stuxnet, Flame, and Regin. The report alleges that the malware has significant commonalities with other programs that have been attributed to Western intelligence agencies; Reuters subsequently released an article about the report in which an anonymous former NSA employee claims that the malware was directly developed by the NSA.

Among the most interesting and advanced features of the malware is its ability to compromise and rewrite hard drive firmware. Reprogramming the hard drive itself in this way is a deeper level of compromise than infecting an operating system, and can let the malware re-install itself from a hidden sector of the hard drive even if the drive is securely wiped and reformatted and the OS is reinstalled from scratch. Conventional wisdom about reinstalling operating systems in response to suspected infections may therefore not be enough for the victims of attacks like Equation's.

Antivirus companies regularly try to improve their products by doing malware research—trying to find and analyze new malicious software in the wild. They are in a very good position to see the entire landscape of malicious software and attacks, which today increasingly includes government-sponsored malware. Some observers found it significant that Kaspersky—a Russian firm—was the only company to release a report about the Equation Group, Kaspersky's shorthand name for the anonymous authors of the malware. Many antivirus companies are based in, or have important business interests in, countries that develop government malware, such as the Five Eyes (the U.S., United Kingdom, Australia, New Zealand, and Canada), and these companies may come under pressure to conceal government malware. Having antivirus companies, security companies, and malware researchers in a variety of different jurisdictions is valuable in that they can collaborate on their research and resist this sort of pressure.

The hard drive firmware capabilities of the Equation Group malware and code names that are described in the report match up closely with NSA capabilities and code names previously disclosed in Der Spiegel. That lends credibility to the hypothesis that Equation Group is part of or affiliated with the NSA, which would mark one of the first times that programs or capabilities exposed by journalists were specifically found in the wild. This is a very exciting development; it will be interesting to see if researchers continue to succeed in publicly documenting samples of other nation-state malware and attack tools whose existence has been reported or conjectured.

The report also mentions that the Equation Group used several different 0-day exploits to spread their malware. Some of these exploits were later used by Stuxnet. One of the exploits used was originally used in the 2009 Aurora attack; it was later repurposed by the Equation Group to be used against government officials in Afghanistan. This raises some interesting questions—is the NSA stockpiling 0-day vulnerabilities? Is it doing any reporting of 0-days to the affected companies? How does NSA decide whether or for how long to stockpile such knowledge? EFF filed a lawsuit last year demanding that the NSA answer these questions.

Another important question was promptly raised in the press: given that the Equation Group's software can infect a broad range of hard drives, replacing their firmware with maliciously customized versions, did the hard drive companies collaborate with governments to develop this firmware? Based on the information we have now, it's hard to draw a reliable conclusion one way or the other. A Kaspersky researcher claimed that there is “no way that hard drive firmware could be reverse engineered using public information.” Yet at least two published projects from years past have demonstrated otherwise: a team of researchers in 2013 created a full-fledged hard drive firmware backdoor akin to that used by Equation Group, using only publicly available information and reverse engineering; and that same year an individual researcher achieved a comparable level of access to modify hard drive behavior, again using only reverse engineering and without any manufacturer assistance. These and other projects show it's quite possible to learn to tamper with the components that make up a computer, even without support from the manufacturer.

Seeing these attacks in the wild has spurred new anxiety about whether our hard drives and other parts of our computers could be compromised. (To be clear, the Kaspersky research does not suggest that the manufacturers tampered with the drives, but rather that software, once introduced onto a user's computer, can reprogram them.) What can the hard drive manufacturers do in order to assure users that their drives have not been compromised? Unfortunately, it's not entirely clear; there are a few solutions, but they generally require changing current hard drive designs, potentially in a ways that make them more expensive. What is clear is that hard drive manufacturers must bear the responsibility of assuring customers that their products can't be twisted into tools of the surveillance state.

The long-term problem here is deeper than just the Equation Group's wizardry. Your modern computer is made up of many little computers. Each of those computers can conceivably be infected with malicious software separately from the main computer, but you never see or interact with them directly, so nobody has given much thought to how to secure them, how to scan them for malicious code, or even how to do a forensic analysis on them. Unfortunately, infecting any one of them can give total control over the main computer or the ability to spy on or break some of its activities. It's a problem that has been demonstrated publicly by researchers over and over again. Security researcher Halvar Flake has given an excellent talk demonstrating some of the scope of this problem.

This attack vector is serious; the solutions are daunting. Hardware manufacturers must ensure that their firmware is open source, can be audited for security, can be updated and replaced by consumers. We must also create ways for average computer users to verify that the firmware on their devices is the firmware that they expected to be there.

We are glad to have an even better understanding of the techniques and tools used by the surveillance state. We still need more transparency from the US Government about the use of 0-day vulnerabilities in intelligence gathering. This report once again demonstrates how important it is that all companies take concrete steps to protect consumer privacy and prove that they are not exposing their customers to surveillance. Some hard drive vendors, asked for comment by the press, pronounced their products completely safe and immune to tampering—even as Kaspersky showed that those same products were actively being exploited. We hope those vendors will reconsider that overconfidence and get to work improving the safety of their products.

updates

(Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

NSA spokeswoman Vanee Vines declined to comment.

Kaspersky published the technical details of its research on Monday, which should help infected institutions detect the spying programs, some of which trace back as far as 2001.

The disclosure could further hurt the NSA's surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden's revelations have hurt the United States' relations with some allies and slowed the sales of U.S. technology products abroad.

The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.

Peter Swire, one of five members of U.S. President Barack Obama's Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering.

"There can be serious negative effects on other U.S. interests," Swire said.

TECHNOLOGICAL BREAKTHROUGH

According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.

Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.

"The hardware will be able to infect the computer over and over," lead Kaspersky researcher Costin Raiu said in an interview.

Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.

Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.

Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.

GETTING THE SOURCE CODE

Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.

Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.

It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA.

Seagate spokesman Clive Over said it has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies." Micron spokesman Daniel Francisco said the company took the security of its products seriously and "we are not aware of any instances of foreign code."

According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.

"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."

Kaspersky called the authors of the spying program "the Equation group," named after their embrace of complex encryption formulas.

The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kasperky said.

Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as "zero days," which strongly suggested collaboration by the authors, Raiu said. He added that it was "quite possible" that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.

(Reporting by Joseph Menn; Editing by Tiffany Wu)

old news but it is real.

SPIEGEL ONLINE
12/29/2013 09:19 AM
Shopping for Spy Gear
Catalog Advertises NSA Toolbox

By Jacob Appelbaum, Judith Horchert and Christian Stöcker

After years of speculation that electronics can be accessed by intelligence agencies through a back door, an internal NSA catalog reveals that such methods already exist for numerous end-user devices.

Editor's note: This article accompanies our main feature story on the NSA's Tailored Access Operations unit. You can read it here.

When it comes to modern firewalls for corporate computer networks, the world's second largest network equipment manufacturer doesn't skimp on praising its own work. According to Juniper Networks' online PR copy, the company's products are "ideal" for protecting large companies and computing centers from unwanted access from outside. They claim the performance of the company's special computers is "unmatched" and their firewalls are the "best-in-class." Despite these assurances, though, there is one attacker none of these products can fend off -- the United States' National Security Agency.

Specialists at the intelligence organization succeeded years ago in penetrating the company's digital firewalls. A document viewed by SPIEGEL resembling a product catalog reveals that an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry -- including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell.

A 50-Page Catalog

These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives -- from computing centers to individual computers, and from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA's specialists seem already to have gotten past them.

This, at least, is the impression gained from flipping through the 50-page document. The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets' data. The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000.

In the case of Juniper, the name of this particular digital lock pick is "FEEDTROUGH." This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive "across reboots and software upgrades." In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH "has been deployed on many target platforms."

Master Carpenters

The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA's department for Tailored Access Operations (TAO). In cases where TAO's usual hacking and data-skimming methods don't suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such "implants," as they are referred to in NSA parlance, have played a considerable role in the intelligence agency's ability to establish a global covert network that operates alongside the Internet.

Some of the equipment available is quite inexpensive. A rigged monitor cable that allows "TAO personnel to see what is displayed on the targeted monitor," for example, is available for just $30. But an "active GSM base station" -- a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones -- costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.

'Persistence'

The ANT division doesn't just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer's motherboard that is the first thing to load when a computer is turned on.

This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this "Persistence" and believe this approach has provided them with the possibility of permanent access.

Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many digital attack weapons are "remotely installable" -- in other words, over the Internet. Others require a direct attack on an end-user device -- an "interdiction," as it is known in NSA jargon -- in order to install malware or bugging equipment.

There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalog provided any support to the NSA or even had any knowledge of the intelligence solutions. "Cisco does not work with any government to modify our equipment, nor to implement any so-called security 'back doors' in our products," the company said in a statement. Contacted by SPIEGEL reporters, officials at Western Digital, Juniper Networks and Huawei also said they had no knowledge of any such modifications. Meanwhile, Dell officials said the company "respects and complies with the laws of all countries in which it operates."

Many of the items in the software solutions catalog date from 2008, and some of the target server systems that are listed are no longer on the market today. At the same time, it's not as if the hackers within the ANT division have been sleeping on the job. They have continued to develop their arsenal. Some pages in the 2008 catalog, for example, list new systems for which no tools yet exist. However, the authors promise they are already hard at work developing new tools and that they will be "pursued for a future release."

So until the OpenSSD people finish their work, what can we do about this? What can be done to stop these things until then?