We may have witnessed a NSA "Shotgiant" TAO-like action (erratasec.com)
235 points by julespitt on March 26, 2014 | 138 comments



Where there are security vulnerabilities, I'd rather it be the NSA exploiting them than someone else. The fact that Huawei support engineers have so much power is much more troubling.


This is so obviously true that I found the tone of the post confusing. It's similar to people's reaction to the comparative threat of keeping their email on Google Mail or some random webmail provider that's likely to lose their mail spool to SQL injection. I'm not arguing that the NSA threat isn't worrisome; it is. But other threats are in fact even worse!


Criminals by and large just want money, governments want power. That makes them a far more serious threat.

A government is far more likely to oppress you, deny you rights, blackmail you for political reasons, etc. because it has the resources to do so.


> A government is far more likely to oppress you, deny you rights, blackmail you for political reasons, etc. because it has the resources to do so.

I don't know... you're asserting as a fact here that one is more likely to be oppressed or blackmailed by the USG than by a criminal. But for blackmail alone there are thousands of criminal cases per year in the US, and an incalculable amount of "oppression" caused by criminals generally. What are the numbers for USG cases of blackmail each year? I guess they wouldn't be tallied... But I'd have to estimate that they're somewhat lower.


Criminals and Governments have a long history rich for data mining. If someone wanted to do that study they could.

Asking for facts elides the far more nuanced question of whether it is good for the American Government Marketing Team to continue to operate a known blacksite when the American public is auditing security practices.


The problem with this line of thought is that large criminal enterprises have political goals, and sufficiently large governments have criminal elements with criminal goals within 'em.


Who's more likely to work at the NSA? A man who respects the constitution or a criminal? As the NSA grows in both size and power the answer will become clear. As an NSA employee you'll quit or expose secrets when things get sketchy. The only people who stick around will be... what exactly?


  "as the NSA grows in both size and power..."
Do you consider this to be a foregone conclusion? Is this not something to be resisted or reversed?


Well not criminals obviously. Only people who have been convicted are criminals. ;-) There are no criminals on Wall Street either.


Men who respect the government. A government that for a "Higher Cause" acts by interpreting through confidential orders who a criminal is.


> Criminals by and large just want money, governments want power. That makes them a far more serious threat.

It's really, really easy to say this living in a place where the rule of law is reasonably robust. There are many parts of the world where this isn't the case.


I am living in Indonesia right now. I would say at first I agreed with you. However what I see as time goes on is that the rule of law in the US is largely an elaborate illusion.

The point of rule of law is supposed to be that the government is bound by the laws. Calling this "robust" with regard to the NSA is the equivalent of putting one's head in the sand...


>There are many parts of the world where this isn't the case.

There are even more parts of the world where the "rule of law" is what oppresses people rather than criminals. Dictatorships, third world monarchies, banana republics etc. And sometimes, criminals and an oppressive government go hand in hand, as in some Latin American countries...


BTW, the district in Indonesia which has the best government is a monarchy (the Sultanate of Jogjakarta). It is a Constitutional Monarchy and the Sultan does not have legislative power (only executive power).

I will admit though that as an American it seems weird to have a Sultan of a small district in a larger parliamentary democracy. It would be like having a King of New Hampshire...


Well, doesn't New Hampshire have the Northeast Kingdom?


They are different threats. You can't say a criminal isn't a threat. One will oppress you, one will stab you. Neither is good.


There was no "tone" to the post. It's not pro or anti NSA. Something was in the news. I saw something related to that. So I reported it.


I don't mean pro- or anti-, but rather my sense of what you thought the most interesting questions were. And not that you were wrong...


I see what you mean; there are two things that most interest me.

The first is "wow, did I just see them in action?".

The second is that journalists are consulting the wrong "experts" in situations like this. They think "cryptographers" are the experts in these Snowden leaks, but the real experts for most stories are incident responders, pentesters, reverse engineers, and even simple IT engineers.

As for being wrong, I'm sure if I could reveal more details, people might be able to debunk me. Sadly, I can't.


tptacek likes to concern-troll NSA discussions on any supposed inaccuracies, any hyperbole, any "tone" he doesn't appreciate, etc.


Safely predicting Rob knows more about me than you do.


Then he'll pick up on it.


I'm not arguing that the NSA threat isn't worrisome; it is. But other threats are in fact even worse!

As HN's possibly-most strident torchbearer for the measurement of organizational dynamics, can you quantify this statement? How are you ranking?


That what with the who now where?

Rob is saying that Huawei retains the commercial ability to log directly into their customer's equipment. That's the lede, not NSA!


Actually, it's not just Huawei, it's pretty much everything. Pretty much every router, telecom switch, storage system, etc. sold outside the United States comes with a support contract whereby the vendor's engineers can connect and manage the device.

Indeed, there's a recent legal case of a company selling stuff to Iran. The company said they weren't responsible, because it was resold by intermediaries. Yet, their support engineers were connecting in to manage the box.

The lede was really "here's what we saw", at least to the extent that we can reveal anything being bound by customer confidentiality agreements (which, frankly, isn't much, which kinda sucks for the reader).


Sure, you're both saying that the least bad option is the best option, which is obviously true. But that's not really the argument, or at least not the end of it. Some of us would like to have options that are significantly better than the best existing option.


You are assuming that an NSA employee is more responsible than a Huawei employee. I am equally uncomfortable with either.


Probability dictates it's more likely Huawei will abuse its power than the NSA will abuse Huawei's power. So be equally uncomfortable if you want, but it's Huawei you should be scared of (in this case).


What probability?

Can you people cut the fucking bullshit? Everyone here is speaking either "quantitatively" or in "probabilistic" terms, but I have yet to see research or actual discourse backing it up.

You're saying Huawei is more power hungry than the NSA?

EDIT:I'm sorry for being so abrasive.


According to probability theory, if you have A (one single condition), and A+B (two different conditions), A will always be more probable to occur than A+B. Not seeing this is called conjunction fallacy, typically elucidated as the Linda problem. In this case, though, we have one known thing (Huawei has tech support accounts), and one unknown thing (the NSA have access to Huawei's tech support accounts).

Huawei accounts alone are already at risk of being abused by Huawei. We don't know if NSA has access to the accounts. But even if they did, it would still be more probable that Huawei's access would be abused than the NSA using Huawei's access.

(edited a few times for clarity)


I appreciate the thorough explanation.

http://www.spiegel.de/international/world/nsa-spied-on-chine...

1) We can assume NSA has access. 2) Is it not the NSA that wants to actively penetrate every single device in existence? https://firstlook.org/theintercept/document/2014/03/20/hunt-... 3) Is there any evidence that Huawei abuses their customers? Like, evidence, not CNN talking points.


I'm just estimating based on assumptions of possibilities. Even if I had evidence that Huawei has never abused their customers, and with evidence that the NSA themselves have used Huawei's accounts to abuse customers, it's still more probable that Huawei's accounts themselves are a greater threat than the NSA abusing them.

Now. Is it more likely that the NSA will abuse them? That's a completely different question. Probability describes the function of an outcome based on a set of fixed parameters; in other words, you can estimate how often a coin flipped will land heads 10 times. The likelihood, however, is based on watching it come up heads 10 times, and would describe whether the coin was rigged or not.

Based on outcomes, is it likely the NSA is spying on customers using Huawei's tech support accounts? The only outcomes we can see is one report from a guy who says he saw a Huawei tech support account exfiltrating data that an American intelligence agency would like to have. It's really not enough data to make many conclusions. The only likelihood we can determine is that Huawei accounts are used to exfiltrate data from companies that American intelligence agencies would like.

Like someone else commented (could have been the OP?) another possible actor could be a CIA mole or some bribed/corrupt employee. Could be a rival company, or someone who wants to sell the information. We don't really know. We could assume the NSA is the only organization with an interest in hacking Huawei because this is the only report we've heard about such a thing, but that's speculating about unknowns.

There's really nothing about this action that screams NSA specifically; it's just being correlated with the story because the data appears to be useful for American intelligence. To say that there is no data that could be useful to both American intelligence and other parties would probably be a stretch. The only thing we do know for sure is that Huawei's accounts were used to exfiltrate data; who wants the data, and what for, is a mystery. But what is certain is that you should be afraid of your Huawei support accounts.


Your analysis is very comprehensive.

However, I urge you to read this. http://www.spiegel.de/international/world/nsa-spied-on-chine...

"We currently have good access and so much data that we don't know what to do with it," states one internal document. As justification for targeting the company, an NSA document claims that "many of our targets communicate over Huawei produced products, we want to make sure that we know how to exploit these products."


No, your reasoning is a common fallacy: assuming that A and B are independent probabilistic events.

Attackers are not earthquakes.

If we assume that both NSA and Huawei are intelligent actors (spare us the jokes please) and that both NSA and Huawei have the option of abusing a certain power, then

    P(I get pwned) = P(NSA wants to pwn me) + P(Huawei wants to pwn me) + P(other)
Either NSA or Huawei can pwn you with this power, or both. Even if they both elect not to it's still possible someone else can and will.


Sorry, no,

P(A) >= P(A n B)

Always holds whether or not A and B are independent. A contains (A n B) therefore is always bigger.

The assumption being made is that the NSA can't abuse the Huawei access without Huawei being complicit. I.e. if NSA pwn me, Huawei gave them access, so actually it's the NSA and Huawei pwning me together.

P(NSA pwn me) = P(NSA pwn me because Huawei pwned me and gave them access) <= P(Huawei pwn me)


> P(A) >= P(A n B) Always holds whether or not A and B are independent

Yeah.

> The assumption being made is that the NSA can't abuse the Huawei access without Huawei being complicit.

I didn't understand that. That seems like a ridiculous assumption.


The article is about the possibility that the NSA could be bribing Huawei engineers or infiltrating Huawei with spies. Either way, it requires Huawei employees to be complicit, and for the Huawei support infrastructure to be compromised.


However, the suggestion upthread wasn't

P(NSA abuses H's access) > P(someone abuses H's access),

which would be an example of the fallacy you cite, but

P(NSA abuses H's access) > P(H abuses H's access).


The article discusses the NSA embedding themselves in the Huawei support infrastructure. If true, Huawei's access is being abused by individuals who work for both Huawei and the NSA. So, in order for the NSA to abuse Huawei's access in the way discussed in the article, then that requires Huawei employees to abuse Huawei's access. Hence, P(NSA abuses H's access) <= P(H abuses H's access)


I don't see how the possibility of abuse immediately assumes execution. For now, we have no evidence of Huawei engineers abusing the infrastructure.

What we do have evidence for is NSA abusing Huawei - http://www.spiegel.de/international/world/nsa-spied-on-chine...


Nothing is assumed to be happening, that's why we're talking about probabilities. We are discussing the possibility that the NSA could be infiltrating and subverting the Huawei support infrastructure. That's what the article is about. We're not discussing whether or not the NSA directly hacked Huawei. While that is also a worrying piece of news, it isn't the same thing.


I can easily think of B conditions that would increase probability so this general rule can't always be correct.


To give you an example, if I pick something up at random, the probability that it is a shoe is at least as big as the probability that it is a red shoe. That's because it can't be a red shoe without also being a shoe. Same thing with the A's and B's. If A and B happen, then that means A happens.


I don't believe there is any conjunction fallacy.

Conjunction fallacy only applies if A=A. Here, your first A is different than your second A, no? If A is "X will abuse account access, given the opportunity" then it matters who is X.


In light of recent revelations it's clear to me that the NSA employees have unsupervised access to an incredible amount of data. I am pretty uncomfortable with that.

I have no information on what sort of access Huawei employees have but I assume at the very least they are not recruited specifically to spy on me and find 'individuals of interest'. People who are recruited to spy on individuals will have a completely different mindset to your average network engineer.

But either way it's a less than ideal situation, and too much power is at the fingertips of these employees.


You are assuming that the individuals are distinct - it is FAR more likely that a TLA agency has implanted support engineers who operate on their orders.


Or a Chinese one.

Just a few years ago, Chinese hackers were caught hacking into the US for no reason. The fact of the matter is that Huawei, with its close connections to the Chinese Government, could be straight up responsible for this.

Remember, half of the western world has banned Huawei devices from their country.

http://www.bbc.com/news/technology-25417332

http://www.theregister.co.uk/2013/11/01/australian_confirms_...

http://online.wsj.com/news/articles/SB1000087239639044398290...

------------------

Keep up with the modern cyberwar people! The Chinese National Security Committee has already deployed "The Great Firewall of China" and banned the use of VPNs on their shores. HTTPS connections fail randomly in China and encryption is illegal.

Between the US and China, there is one country where people disappear for saying the wrong things on the internet.

http://en.wikipedia.org/wiki/List_of_Chinese_dissidents

http://en.wikipedia.org/wiki/Zeng_Jinyan


I think it's naive to assume that the NSA is the only entity that is likely to be able to exploit vulnerabilities. This is the crux of the controversy around NSA's attacks on web security.

I only see a difference between an opaque, unaccountable organization in the USA and an opaque, unaccountable organization in China when I look through a nationalistic lens.


Qualitatively speaking, I think as opaque as the NSA and CIA are, they're more accountable to the average US Citizen than their Chinese equivalents are to the average Chinese citizen.

They're less accountable than I would like, but they are accountable for their actions.


Not everyone here is American.

The US is just as much a direct threat to my country's economic interests as China. A pity my country's politicians are in Washington's pockets and are silent now when only two years ago they were yammering about the threat from Chinese government hackers and Huawei.


Can you point to that quantitative evidence and where NSA has been held accountable?

I smell propaganda in the air.


FISA Courts. Senate Intelligence Committee. Yes, sometimes they have been ignored, and yes, sometimes they have been rubber-stampers. But presently both are, in some capacity, rebelling and, in some capacity, angling to rein in the intelligence bureaus. Nothing similar exists in, for example, France, Russia, China, or India.


> Nothing similar exists in, for example, France, Russia, China, or India.

Not true. France does have an Intelligence Committee ("Délégation parlementaire au renseignement"). And there is a control organism like the FISA Courts ("Commission nationale de contrôle des interceptions de sécurité"); while legally their decisions are only consultative, in practice the government almost always respects them. And it denies between 1% and 2% of requests, whereas the FISA only denies 0.03%.

However I'm no expert, so I can't say how much power or independence they actually have.

You can read their annual reports (in French):

http://www.ladocumentationfrancaise.fr/rapports-publics/1440... http://www.assemblee-nationale.fr/connaissance/delegation_re...


I thought we were speaking quantitatively. Where's that quantitative evidence?

EDIT: No offense, peterwwillis, but I tend to take arguments such as those from Americans with a grain of salt. Americans like to think that they are better than those nasty commies, but history says otherwise, what with the CIA transporting cocaine and overthrowing foreign governments, and the NSA actively carrying out MITM attacks.


No, he said Qualitatively. He doesn't need numbers, only the subjective property of the NSA or CIA's character versus similar agencies in China. I would probably also wager that we have more accountability over our intelligence agencies than Chinese people have over their intelligence agencies.


> I would probably also wager that we have more accountability over our intelligence agencies than Chinese people have over their intelligence agencies.

Neither citizenry has any meaningful control over "their" spy agencies. They're not your favourite sports team that you need to defend. If you harbour any illusions of democratic control: the elected class is a lot smaller and a few degrees more stable than the candidate pool. Before they get access to power, candidates tend to renounce any action against the NSA.

http://www.politifact.com/truth-o-meter/article/2008/jul/14/...


Sorry, my bad. Qualitatively, it is.

But qualitative statements are of literally no value. It's all gut instinct. Of course you'd like to think that the US can take moral high ground over the Chinese.


Try to get a Chinese security researcher to expose a hack by a Chinese security agency, on their own blog hosted in China. Don't need numbers to know I wouldn't do it. And I'm not American.


I don't see how this is relevant.

What we're discussing is the subjective perception of both agencies. NSA has most of their programs exposed, as opposed to the PLA, and yet the public still gives NSA the benefit of the doubt. Now that's what I call freedom.


What of any of that speaks to "accountability to the average US citizen?"


If they are accountable, where can this company send the bill for the break-in?

Going around like thieves in the night, breaking into places and stealing stuff like common criminals is not exactly the conduct of someone accountable for their actions. I would actually say it's the opposite behavior.


No. It was a username/password assigned to Huawei tech support.


There will always be a person with top level access. In networking these people are chosen by trust.

For example. You can become a Juniper Networks Certified Internet Expert but that doesn't mean you can get a job. People still need to trust you.

And a good spy is someone people trust.


Why would you prefer NSA exploiting them?


Because I'm American, and while I'm not really a fan of most of the shit they're pulling, it's still more likely to be in my interest (or less against my interests) than whatever the PLA has in mind.


Were you somehow under the impression that you need special American keyboards to type in these support logins and passwords?

Everybody is hacking these. You should not feel comfortable.


I would estimate that the US government does a lot more harm to US citizens than the Chinese government.


Why? is the PLA more widely known for hacking individuals, especially American citizens?




I don't see how either of those two articles refutes the assertion that the PLA is more likely to target Americans than the NSA.


1. I was trying to display that NSA engages in the same actions as the PLA. 2. Real evidence points to real attacks on Americans carried out by the NSA. The only tangible shred of information we have about the PLA comes from CNN/MSNBC/Business Insider talking points, and we all know how objective those are.


Isn't this a little bit like being glad that American phone records aren't being processed in Israel?


A backdoor or 0day for a Huawei router would be of limited use to the NSA, because the control ports are behind firewalls. Hacking behind firewalls would likely give full access to the target network anyway, making any backdoors/0days in routers superfluous.

But embedding themselves inside the support infrastructure would give the NSA nearly unlimited access to much of the world. Huawei claims that a third of the Internet is running their devices. Almost all of it is under support contract. This means a Huawei support engineer, or a spy, can at any time reach out through cyberspace and take control of a third of the Internet hardware, located in data centers behind firewalls.

So the companies that use Huawei's products put the control ports behind their firewalls, but somehow are allowing unrestricted access through that firewall to/for Huawei's support mechanism?

Is that common?


Extremely common.

It's the norm today that companies have firewall/VPN holes allowing support engineers from other companies to have access to their networks, to manage things as simple as the HVAC system, or things as complex as their entire routing infrastructure.

Throughout the world, most Huawei routers come with such support contracts.


> to manage things as simple as the HVAC system

Hello, Target breach. =)


I'm guessing what that means is something like this:

1. Huawei has support contracts

2. Huawei needs to be able to interact with their hardware to execute those support contracts

3. Companies don't want to expose routers

4. Huawei routers "phone home" (i.e. query Huawei) and in this fashion allow Huawei support to establish a connection


Firewalls can (and should) block outbound connections, as well. (Although trying to ultimately clamp down on this in any normal business environment where humans want to web browse is a battle you will ultimately lose if you are trying to completely stop all of it.)


Sure, but then Huawei can say, "well we can't support our hardware if you don't let us access it". Or maybe they would say, "Ok so would you like to pay for on-site support?"

The "phone home" model is one of the safer ones to my knowledge, if only because it allows a blanket "-A INPUT -j drop" rule. Outbound connections should be filtered, yes, but inbound is even more important.
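The two access models in this exchange (a firewall hole that lets the vendor connect in, versus the device phoning home and accepting nothing unsolicited) can be written down as firewall policy and compared. The script below is an added example, not code from the thread, from the article, or from Huawei; the vendor netblock 203.0.113.0/24, the ports and the LOG prefixes are constructed placeholders. It emits an iptables-restore ruleset for either model and counts the inbound holes in a ruleset, which is the figure an auditor wants from a support contract.

```shell
#!/bin/sh
# Added example: emit a default-drop iptables-restore ruleset for a device
# management plane under either vendor-access model. Vendor netblock and
# ports are constructed placeholders, not values from the thread.

# support_rules MODE VENDOR_NET
#   MODE "inbound"    : the vendor connects in to SSH (a hole in INPUT).
#   MODE "phone-home" : the device opens one outbound session to the vendor
#                       support endpoint; INPUT stays closed to new sessions.
support_rules() {
    mode=$1; vendor=$2
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Packets belonging to sessions already allowed are passed both ways;
    # this is what lets the vendor's replies back in under phone-home.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    case "$mode" in
        inbound)
            # The classic support-contract hole: new inbound SSH from the vendor.
            printf '%s\n' "-A INPUT -s $vendor -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
            ;;
        phone-home)
            # Only the device may open a session, and only to the vendor endpoint.
            # DNS/NTP rules are left out; add them as the device actually needs.
            printf '%s\n' "-A OUTPUT -d $vendor -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
            ;;
        *)
            echo "support_rules: unknown mode '$mode'" >&2
            return 1
            ;;
    esac
    # Anything that falls through is dropped by policy; log it first so an
    # unexpected unsolicited connection attempt shows up in syslog.
    printf '%s\n' '-A INPUT -j LOG --log-prefix "mgmt-drop-in: "'
    printf '%s\n' '-A OUTPUT -j LOG --log-prefix "mgmt-drop-out: "'
    printf '%s\n' 'COMMIT'
}

# inbound_holes RULESET: count INPUT rules that accept NEW connections from
# a named remote source, i.e. the holes a support contract typically asks for.
inbound_holes() {
    printf '%s\n' "$1" | grep -c -- '^-A INPUT -s .*--ctstate NEW -j ACCEPT' || true
}

# Stand-alone run: print the phone-home ruleset and the hole count of each model.
support_rules phone-home 203.0.113.0/24
echo "inbound model holes:    $(inbound_holes "$(support_rules inbound 203.0.113.0/24)")"
echo "phone-home model holes: $(inbound_holes "$(support_rules phone-home 203.0.113.0/24)")"
```

Feed the output to a dry run (`iptables-restore --test`) before loading it. The point of the comparison is visible in the counts: phone-home has no INPUT rule accepting new sessions at all, so the only way the vendor reaches the device is through a session the device itself opened, and the outbound allow line is the single place where the vendor endpoint is named and can be reviewed.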


I was skeptical of that too - however, another part of the article implied another scenario, leaving it unclear whether the writer confused them or refers to both. The second scenario is, a company may control its own gear well enough, but relies on a service provider that uses Huawei devices, and the Huawei support people can access comms through the latter. Which begs questions about encryption, so the implications are murky.


>In 2012, during an incident, we watched in real time as somebody logged into an account reserved for Huawei tech support, from the Huawei IP address space in mainland China.

I'm a little skeptical.

I wonder what they mean by "watched," because I doubt that they guessed the tty for reading or that the hacker joined a screen session. What is the likelihood that one would just "happen" to be staring at that server during an "incident."


It was an internal system. We noticed with 'netstat' that it had a connection to an outside system. 'who' told us it was the account set up for Huawei remote support, and the IP address told us indeed that it was from a Huawei network.

The SQL query took 15 minutes to run. We saw it using 'ps'.

We then kept dumping their '.bash_history'.
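The triage the author describes, correlating `who`, `netstat` and `ps` on a live host, can be scripted so it is run the same way on every box under suspicion. The script below is an added example and not the author's tooling; the account name `huawei-support`, the addresses, the allowed maintenance prefix `10.0.9.` and the embedded `who`, `netstat -tn` and `ps -o user,etime,args` output are all constructed so that it runs offline. It lists each login of the support account, flags logins whose source is outside the allowed prefix and joins them to the established TCP connection, and separately reports the account's processes that have been running longer than a threshold (the fifteen-minute query in the post is the kind of thing that surfaces here).

```shell
#!/bin/sh
# Added example: correlate constructed `who`, `netstat -tn` and
# `ps -o user,etime,args` output to triage a vendor support account.
# Account name, addresses and the allowed prefix are made up.

# Constructed `who` output, one login per line (source address last).
WHO_SAMPLE='huawei-support pts/3        2012-06-14 02:17 (203.0.113.45)
alice          pts/1        2012-06-14 01:02 (10.0.5.12)
huawei-support pts/5        2012-06-14 02:30 (10.0.9.7)'

# Constructed `netstat -tn` output for the same host (10.0.0.5).
NETSTAT_SAMPLE='tcp        0      0 10.0.0.5:22           203.0.113.45:51234      ESTABLISHED
tcp        0      0 10.0.0.5:22           10.0.5.12:40001         ESTABLISHED
tcp        0      0 10.0.0.5:22           10.0.9.7:40002          ESTABLISHED'

# Constructed `ps -o user,etime,args` output (ELAPSED is [[dd-]hh:]mm:ss).
PS_SAMPLE='USER            ELAPSED COMMAND
huawei-support    15:42 mysql -u reports -e SELECT name FROM customers
alice             00:09 vim notes.txt
huawei-support 1-02:03:04 sshd: huawei-support@pts/3'

# sessions_for_account ACCOUNT WHO_OUTPUT: prints "tty source_ip" per login.
sessions_for_account() {
    printf '%s\n' "$2" | awk -v acct="$1" '
        $1 == acct { src = $NF; gsub(/[()]/, "", src); print $2, src }'
}

# is_allowed_source IP ALLOWED_PREFIX: true when IP starts with the prefix.
is_allowed_source() {
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# flag_external_sessions ACCOUNT ALLOWED_PREFIX WHO_OUTPUT NETSTAT_OUTPUT
# Prints "account tty source_ip foreign_socket" for every login of ACCOUNT
# whose source lies outside ALLOWED_PREFIX, joined to its ESTABLISHED socket.
flag_external_sessions() {
    acct=$1; prefix=$2; who_out=$3; ns_out=$4
    sessions_for_account "$acct" "$who_out" | while read -r tty src; do
        if is_allowed_source "$src" "$prefix"; then
            continue
        fi
        # Column 5 of `netstat -tn` is the foreign address:port.
        conn=$(printf '%s\n' "$ns_out" | awk -v ip="$src" '
            index($5, ip ":") == 1 && $6 == "ESTABLISHED" { print $5; exit }')
        printf '%s %s %s %s\n' "$acct" "$tty" "$src" "${conn:-no-established-connection}"
    done
}

# long_running_for_account ACCOUNT MIN_SECONDS PS_OUTPUT
# Prints "seconds command" for ACCOUNT's processes at least MIN_SECONDS old.
long_running_for_account() {
    printf '%s\n' "$3" | awk -v acct="$1" -v min="$2" '
        NR > 1 && $1 == acct {
            e = $2; days = 0
            if (split(e, d, "-") == 2) { days = d[1]; e = d[2] }
            n = split(e, t, ":"); secs = 0
            for (i = 1; i <= n; i++) secs = secs * 60 + t[i]
            secs += days * 86400
            if (secs >= min) {
                cmd = $3
                for (i = 4; i <= NF; i++) cmd = cmd " " $i
                print secs, cmd
            }
        }'
}

# Stand-alone run over the constructed samples.
flag_external_sessions huawei-support 10.0.9. "$WHO_SAMPLE" "$NETSTAT_SAMPLE"
long_running_for_account huawei-support 600 "$PS_SAMPLE"
```

On a real host the three samples are replaced by the live command outputs, and the allowed prefix by whatever the support contract actually names as the vendor's maintenance source; a support login from any other address is the thing to escalate, regardless of who the account belongs to on paper.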


That's weird. Bash_history doesn't usually get flushed for every command you run; only when you exit an interactive shell. If you `kill -9 $$` or erase the .bash_history file and create it as a directory, it loses the history. The exception is if you create a custom PROMPT_COMMAND="history -a; history -n", which would append on each new bash prompt. (You'd think a hacker would know these things...?)

As an alternative to dumping history, if your system has perl and strace and you want to watch a live ssh or bash session, I wrote a script that will do that. https://github.com/psypete/public-bin/blob/public-bin/src/sy...


That "history -a" bit is extremely common if the environment has shared storage like NFS in use or multiple shells are common. It would not surprise me at all to see it on by default on an account used for debugging / support purposes as a cheap audit measure.


It seems hard to believe someone doing something like this would not at least try to cover their tracks.

  export HISTSIZE=0?
And how do you know these were unmodified versions of netstat, who and ps that you ran?

Do they have mtree in this OS?

I'm no security expert but this little story just sounds very unsophisticated given the seriousness you are attributing to it.


Google "live incident response" software. The author works for a security company, they get hired to detect malware and intruders.

You can remotely connect to machines and analyze memory, commands, etc. It doesn't matter what TTY it was when you have full system access.

http://digital-forensics.sans.org/blog/2011/07/21/live-mem-f...

https://code.google.com/p/grr/

https://www.mandiant.com/resources/download/redline


I wonder what they mean by "watched"...

My interpretation was that after IDS had identified a particular host, they had tailed syslog (or the equivalent) on that host. The observation that they would have missed it if they hadn't been watching seems to imply that normally their logs wouldn't have retained the level of detail needed to see either the event or the deletion of the logs of the event.


From encrypting and emailing to a hotmail account, it sounds like they connected with Teamviewer/VNC type of software and author was watching what was going on the screen.

I am somewhat skeptical as well.


Unless the support staff use screen sharing software for doing support, and what was witnessed was an unannounced support session?


I'm not sure if this is in any way useful, but consider that Ed Snowden himself was in a "support"/administrator role and that's what gave him access to the documents he later then leaked.


TAO?

Edit: finally found it, with some Googling. There are a lot of things with TAO as their TLA leading to a lot of false leads. TAO in this story means "Total Access Operations".

Edit 2: "tailored", not "total".


Among vulnerability research people, TAO is practically slang for "the branch of NSA that hacks into Chinese computers". Robert Graham comes from those circles. I think that's what he's trying to evoke by referencing TAO.


I was not aware that the NSA had decided to restrict TAO's operations to China. That must be a very recent thing if so. Can you provide any references to that?


Tailored Access.


Tailored.


The normal guidelines for developing a security strategy are to estimate the resources and capabilities ranged against you and the probability they will be levelled against you and then develop a strategy for mitigation (absolute security is impossible).

The capabilities the NSA and GCHQ have developed are scary enough in and of themselves, but the sheer breadth and depth of what they have achieved is far more horrifying. If I were the CTO for a large multi-national or a foreign government I'm not even sure where I'd start protecting against them.


What I don't understand is why the US government would point fingers at the Chinese for putting backdoors in Huawei devices when it was really the NSA all along. It seems like they're shooting themselves in the foot by pointing out the backdoors. My best guess is that they assumed someone would figure it out eventually and they wanted to spread misinformation to get out ahead of that.

Has anyone else come up with a better reason?


I don't think they are referring to the same vulnerabilities.

The US government was publicly accusing the Chinese government of inserting backdoors in Huawei products, while at the same time seeking and exploiting vulnerabilities in Huawei products themselves.

Perhaps this was an attempt to cover tracks by pre-emptively blaming the Chinese government for backdoors installed by the US government, should these backdoors ever be discovered.

Personally I'm inclined to call Hanlon's razor on the hypocrisy of it all.


Why couldn't it be both? To me, the least-surprising explanation would be that both the Chinese government and the NSA were trying to exploit Huawei. Any finger pointing could be chalked up as typical "left hand doesn't know what the right hand is doing."


One of the best ways to distract others from blaming you is to publicly accuse them of doing what evils you're secretly doing.


It's also a good way to drum up support; start by accusing the "other side" of doing whatever it is you want to do. You're basically coordinating with the other team with the full cooperation of the people you've scared.


And thus the war on terror was born


You are assuming that the left hand knows what right hand is doing.


According to the article, it wasn't the NSA that put backdoors in Huawei devices, it was Huawei. It sounds like any intelligence agency that can bribe a Huawei support engineer has access to any Huawei networking device. That definitely includes the Chinese and the American intelligence agencies.

The US intelligence agencies can simultaneously act to protect the information security of American businesses by warning people of the vulnerability AND act to exploit the vulnerability for their own intelligence-gathering goals.


I think an important part of the mission of the NSA is to spread fear, so that people are more likely to consent. This means terrorists (which of course aren't really a danger if you look at the numbers), nuclear Iran, cyber China, etc.


Two things.

First, if it's fear they're trying to spread, it's working. No way I'd ever use a Huawei device, ever.

Secondly, do you think a nuclear arms race in the Middle East would be a good thing??


It's a political way to keep the Chinese firms out of the U.S. market.


I imagine it's because they had already compromised the Huawei networks and knew full-well what the Chinese government were up to.


Protectionism.


I don't understand why this level of access (if it is accurately described in the article) would only be of use to American intelligence, and "would[n't] interest other intelligence services -- except to pass it on to the Americans."

It seems like something that powerful would be of interest to any intelligence service (or group of any sort), anywhere.


You misunderstand. The author is saying that the particular SQL query they saw executed would only return data interesting to Americans.


That's leaving a lot to his interpretation.

Chinese intelligence might be interested in something simply because they (correctly or not) deduce that American intelligence will be interested in it.


Obviously, but I'm just clarifying here.


One of the biggest ironies of the Huawei hacking case is that now every time someone detects an attack from a Huawei device or the company itself, they can never be sure if it's China or the US that's behind it.


What we really need is a new agency just like the NSA except that its only mandate is closing holes everywhere, even if those holes are actively being exploited by the NSA and CIA. Such an agency would actively discover holes, patch them when possible, or disclose the vulnerabilities to the engineers responsible for the software or hardware in question. Furthermore, the NSA and CIA would need to be barred from trying to get any access to this organization for its own use.


So what was the SQL query?


SELECT * FROM USERS WHERE TERRORIST='1'


SELECT * FROM HIDE_FROM_AMERICANS; ?


SELECT * FROM Foreign_Corporations fc INNER JOIN Foreign_Corporation_Employees fce ON fc.FCID = fce.FCID WHERE fc.Country IN ('Pakistan', 'Afghanistan', 'Iran')


I can't reveal the exact SQL query because that's customer private information.

However, it had both a subject and a timeframe that were peculiar. Googling the subject revealed news stories about it -- making it clear this was something the U.S. was interested in, but which would be of no particular interest to anybody else.


Can you reveal the subject and timeframe? It doesn't seem like those would require customer private information.


If you have a restricted timeframe & the information that the US government would be interested in knowing details about an event that happened in that timeframe, then that might well be enough information to identify the company involved, or at least reduce the list of candidates to a very short one indeed.

The OP probably has a contractual duty to protect their client's identity & therefore can't take the risk that revealing more details would result in their client being identified.


"I can't reveal the exact SQL query because that's customer private information."

That doesn't make sense.

The results of the query are probably private customer information, but the query itself has nothing to do with them (hopefully) and was simply the net the TLA was casting.

You've broken the seal by reporting that it was done at all and reporting the exact query doesn't change that.

OTOH, not reporting on what the actual query was makes me very skeptical about the whole thing.

By all means, obfuscate table names or whatever if there was a wildcard involved that matched customer-defined elements (or whatever).


Joining in the from statement - thank you.


SELECT * FROM PLANS WHERE HOW_TO_RULE_WORLD='1'


They already have that information


This sort of thing is significant. It puts remote support for systems in a very different light. At Efficito, we have plans to release on-premise appliances as well as our cloud hosting options. This sort of story makes me think about how to avoid this sort of problem.

Here are rules I am suggesting.

1. The on-premise appliance should not be directly accessed from the network unless folks at the local environment enable contact.

2. Everything else, regarding services, should be loosely coupled and designed not to give significant access to either party over the other.

This sort of thing strikes me as an area where the industry is going to have to evolve. The danger of "we can connect to your systems" is becoming clearer to a larger section of the market.


This blog post is trying to say something tremendously important but it also is not giving us any information to evaluate it. Apparently everything is on fire but they can't tell us how.


How does the support login have the privileges to delete all of the activity log files, and why is a login with enough privilege to delete logs allowed to perform SQL queries?
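
The two rules suggested in the Efficito comment above (no vendor contact unless the local side enables it; no party gets significant access over the other) and the question just raised (why a support login can both run queries and delete logs) describe the same design problem. The following is an added example, not Efficito's code and not anything from the article or from Huawei: a small default-deny support gate in which a local operator opens a time-boxed window, the vendor support role is limited to a read-only action set inside that window, and every request lands in an append-only audit trail that exposes no delete operation. All names, actions and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Actions the vendor support role may perform inside an open window.
# Log deletion and any write to customer data are deliberately absent
# from this set, so the support login cannot clear its own trail.
SUPPORT_ALLOWED_ACTIONS = frozenset({"read_query", "read_logs", "collect_diagnostics"})


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    action: str
    detail: str
    allowed: bool


class SupportGate:
    """Default-deny gate for vendor remote support on an on-premise appliance.

    The appliance never accepts support contact on its own; a local operator
    must open a time-boxed window first. Every request, allowed or denied, is
    appended to an audit trail that has no delete or truncate method.
    """

    def __init__(self) -> None:
        self._window_end: Optional[datetime] = None
        self._audit: List[AuditEvent] = []

    def open_window(self, local_operator: str, minutes: int, now: datetime) -> None:
        """Only the local side enables contact, and only for a bounded time."""
        self._window_end = now + timedelta(minutes=minutes)
        self._record(now, local_operator, "open_window", f"{minutes} min", True)

    def close_window(self, local_operator: str, now: datetime) -> None:
        """The local side can revoke access early at any time."""
        self._window_end = None
        self._record(now, local_operator, "close_window", "", True)

    def support_request(self, actor: str, action: str, detail: str, now: datetime) -> bool:
        """Evaluate one request from the vendor support role; True if allowed."""
        window_open = self._window_end is not None and now < self._window_end
        allowed = window_open and action in SUPPORT_ALLOWED_ACTIONS
        self._record(now, actor, action, detail, allowed)
        return allowed

    def denied_events(self) -> List[AuditEvent]:
        """Denied requests are the signal a local operator should review."""
        return [e for e in self._audit if not e.allowed]

    def audit_trail(self) -> List[AuditEvent]:
        return list(self._audit)  # a copy: callers cannot mutate the trail

    def _record(self, now: datetime, actor: str, action: str, detail: str, allowed: bool) -> None:
        self._audit.append(AuditEvent(now, actor, action, detail, allowed))


def demo() -> dict:
    """Constructed scenario: support requests before, inside and after a window."""
    t0 = datetime(2014, 3, 26, 9, 0, tzinfo=timezone.utc)
    gate = SupportGate()
    before = gate.support_request("vendor-support", "read_query", "SELECT 1", t0)
    gate.open_window("local-admin", 30, t0 + timedelta(minutes=1))
    read = gate.support_request("vendor-support", "read_query", "SELECT ...",
                                t0 + timedelta(minutes=5))
    wipe = gate.support_request("vendor-support", "delete_logs", "/var/log/activity",
                                t0 + timedelta(minutes=6))
    expired = gate.support_request("vendor-support", "read_query", "SELECT 1",
                                   t0 + timedelta(minutes=45))
    return {
        "before_window": before,          # False: no window open yet
        "read_in_window": read,           # True: read-only action inside window
        "delete_logs_in_window": wipe,    # False: never in the allowed set
        "after_expiry": expired,          # False: window lapsed
        "denied_count": len(gate.denied_events()),
        "trail_length": len(gate.audit_trail()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the design is that the trail records the denied `delete_logs` attempt rather than losing it, and that the support role's capability is a fixed allow-list rather than "whatever the support account happens to own". In a real appliance the trail would additionally be shipped off-box or to a write-once store; here it is kept in memory only so the example runs stand-alone.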


It's scary to think that a third of the internet relies on any one company's backbone products, regardless of the country that company calls home. Way too many eggs in one basket, but much easier for the humans involved compared to having a ton of different manufacturers who would have their own individual issues. Find an exploit once, employ it (most) everywhere (appropriation of old Java tagline).


I don't understand why there's a sharp distinction between installing a backdoor and using stolen support access as a backdoor.


Witnessing in this way runs counter to my experience of system management. How can you see (in real time) a query, the encryption, the email and the log deletion? I have run SQL monitors and I see queries appear and then disappear... but my brain doesn't allow me to understand what the user is "up to" without lots of investigation and so on.
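
The comment above is right that a single SQL monitor shows queries going by without telling you what an actor is up to; the sequence only becomes visible when events from several sources (database audit, file system, mail, log management) are joined per actor and in order. The following is an added example, not the article author's tooling and not anything from Huawei: a small correlator over a constructed, unified activity log that looks for the query, encrypt-to-file, mail-out, delete-logs chain by one account within a short window, and separately flags any log deletion by a support account. The log format, account names, paths and addresses are all constructed for illustration, and the detection assumes the log copy it reads lives somewhere the support login cannot delete.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of a unified activity log (DB audit + file + mail + log
# management events), one key=value line per event. Not real device output.
SAMPLE_LOG = """\
2014-03-26T09:02:11Z user=vendor_support event=login src=203.0.113.7
2014-03-26T09:04:30Z user=vendor_support event=sql_query rows=4127 stmt_hash=8f1c
2014-03-26T09:05:02Z user=vendor_support event=file_write path=/tmp/report.gpg
2014-03-26T09:05:40Z user=vendor_support event=mail_sent to=dead.drop@example.com attach=/tmp/report.gpg
2014-03-26T09:06:10Z user=vendor_support event=log_delete path=/var/log/activity/
2014-03-26T09:10:00Z user=alice event=sql_query rows=3 stmt_hash=12aa
2014-03-26T09:11:00Z user=alice event=mail_sent to=bob@corp.example attach=/tmp/notes.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Ordered stages of the chain; each must follow the previous one for the same user.
STAGES = ("sql_query", "file_write", "mail_sent", "log_delete")

# Accounts that represent vendor/remote support rather than local staff (assumed).
SUPPORT_ACCOUNTS = {"vendor_support"}


def parse(log_text: str) -> List[Dict]:
    """Turn key=value lines into dicts with a parsed UTC timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def find_exfil_chains(events: List[Dict], window_minutes: int = 15) -> List[Dict]:
    """Per user, match STAGES in order; all stages must fall within the window."""
    by_user: Dict[str, List[Dict]] = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        stage, start = 0, None
        for e in evs:
            if e["event"] != STAGES[stage]:
                continue
            if stage == 0:
                start = e["ts"]
            elif e["ts"] - start > timedelta(minutes=window_minutes):
                stage, start = 0, None  # too spread out to be one session
                continue
            stage += 1
            if stage == len(STAGES):
                hits.append({"user": user, "start": start, "end": e["ts"]})
                stage, start = 0, None
    return hits


def support_log_deletions(events: List[Dict]) -> List[Tuple[str, str]]:
    """Log deletion by a support account is worth an alert on its own."""
    return [(e["user"], e.get("path", ""))
            for e in events
            if e["event"] == "log_delete" and e["user"] in SUPPORT_ACCOUNTS]


def detect(log_text: str) -> Dict:
    events = parse(log_text)
    return {
        "chains": find_exfil_chains(events),
        "log_deletions": support_log_deletions(events),
    }


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for hit in result["chains"]:
        print(f"chain by {hit['user']}: {hit['start']} -> {hit['end']}")
    for user, path in result["log_deletions"]:
        print(f"log deletion by support account {user}: {path}")
```

On the sample, `alice` runs a query and sends mail but never writes an encrypted file or deletes logs, so she produces no chain; `vendor_support` completes all four stages in under two minutes and is reported both as a chain and, independently, for the log deletion. The stage list and window are the tunable parts; the structural lesson is that the correlation is only possible if the log the detector reads is one the support session could not have wiped.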


It's one thing getting spied on by the US government, but one would hope they'd use something more sophisticated than Hotmail to move the information around.


It's a dead drop. If this was cold war era Moscow, they'd use a drainage ditch or a loose brick. Hotmail is just the digital equivalent.


Trouble with that is, the more sophisticated and unusual the mechanism you use, the more likely it is that someone will (a) notice you, and (b) be able to identify you based on it.


That's my theory. Any monitoring of outgoing information would just see a typical attachment to a hotmail address.


Hotmail seems like a reasonable first link in the chain to extract the information. I assume they would log in through Tor or another anonymous method before extracting it to its final location. They're not going to email it to joe.spy@nsa.gov directly.


Well, it was encrypted, and they can't exactly send it to "nsa.gov", can they?

