TS//SI//REL FVEY We have discovered a way that may be able to remotely
brick network cards. We need someone to perform research and develop a
deployable tool.
---
TS//SI//REL) Currently CASTLECRASHER is the only production quality
Windows execution technique that Payload Persistence techniques have.
Another mechanism to execute DNT payloads is needed. Most pre-boot
Persistence techniques only have the ability to influence an OS through
modifications to the target file system. Work needs to be done to investigate
other ways to get execution inside of Windows
---
(TS//SI//REL) BERSERKR is a persistent backdoor that is implanted into the
BIOS and runs from SMM. Although the core of the code is stable, there are
always new requirements against which to develop. This includes new
network interface card parasitic drivers as well as applications.
---
(TS//SI//REL) GOPHERRAGE is the Persistence Division's pilot program to
apply industry best practices and agile development processes to internal
projects. To this end, the project is managed via the Scrum process. Test
Driven Development (TDD) practices are used as well in an effort to reduce
code defects. The project also is looking to incorporate ideas from DNT such
as their SCube build environment
[Aha, so it is top secret that NSA is using TDD and Scrum. I find that kind of funny]
---
(TS//SI//REL) TORNSTEAK is a persistence solution for two firewall devices
from a particular vendor. We need to port TORNSTEAK from the existing two
firewalls to several more from the same vendor.
>BERSERKR is a persistent backdoor that is implanted into the BIOS and runs from SMM
Yeah that sucks.. the BIOS is never out of the picture thanks to the SMM. Intel should find an alternative solution for the minor functions provided by the SMM (APM, thermal management, etc.).
Also from wiki: "Due to this fact, it is a target for malicious rootkits to reside in,[10][11][12] including NSA's "implants"[13] which have individual code names for specific hardware, like SOUFFLETROUGH for Juniper Networks firewalls,[14] SCHOOLMONTANA for J-series routers of the same company,[15] DEITYBOUNCE for DELL,[16] or IRONCHEF for HP Proliant servers."
And using the TPM may not help you:
>TPM Vulnerabilities to Power Analysis and An Exposed Exploit to Bitlocker
"The ability to obtain a private TPM key not only provides access to TPM-encrypted data, but also enables us to circumvent the root-of-trust system by modifying expected digest values in sealed data. We will describe a case study in which modifications to Microsoft's Bitlocker encrypted metadata prevents software-level detection of changes to the BIOS"
Though it sounds like they need physical access to do this.
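The quoted TPM/Bitlocker passage turns on how a sealed secret is bound to boot measurements and why an attacker who can rewrite the expected digests inside the sealed data gets past the check. As an added example, not code from this thread, from the cited paper, or from any TPM vendor, here is a simplified Python model of that mechanism: PCR extension replayed from a constructed firmware event log, comparison against a known-good baseline (the detection step), and a sealed blob that only unseals when the current PCRs match the sealed policy and the blob's stored policy has not been altered. `SIM_TPM_KEY`, the log entries, the PCR indices used and the blob format are all assumptions of the model, not real TPM internals.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Added illustration; not real TPM code. SIM_TPM_KEY stands in for a key that never
# leaves a real TPM (assumption of the model).
PCR_INIT = bytes(32)
SIM_TPM_KEY = b"constructed-tpm-internal-key-for-demo"

# Constructed boot measurement logs: (PCR index, measured component).
# Index 0 = firmware code, index 7 = Secure Boot policy, following the TCG PC Client usage.
BASELINE_LOG: List[Tuple[int, bytes]] = [
    (0, b"vendor-bios-1.02-core"),
    (0, b"vendor-bios-1.02-smm-handler"),
    (7, b"secure-boot-db-v1"),
]
MODIFIED_LOG: List[Tuple[int, bytes]] = [
    (0, b"vendor-bios-1.02-core"),
    (0, b"vendor-bios-1.02-smm-handler-MODIFIED"),  # altered firmware image (constructed)
    (7, b"secure-boot-db-v1"),
]


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = SHA-256(old || digest); cannot be rolled back."""
    return hashlib.sha256(current + digest).digest()


def replay_log(log: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Recompute final PCR values from an event log, as an attestation verifier does."""
    pcrs: Dict[int, bytes] = {}
    for index, component in log:
        pcrs[index] = pcr_extend(pcrs.get(index, PCR_INIT), hashlib.sha256(component).digest())
    return pcrs


def changed_pcrs(observed: Dict[int, bytes], baseline: Dict[int, bytes]) -> List[int]:
    """PCR indices that differ from a known-good baseline; non-empty means investigate."""
    return sorted(i for i in set(observed) | set(baseline) if observed.get(i) != baseline.get(i))


def policy_digest(pcrs: Dict[int, bytes], indices: Tuple[int, ...]) -> bytes:
    """Digest over the selected PCRs; plays the role of a TPM PCR policy."""
    return hashlib.sha256(b"".join(pcrs[i] for i in indices)).digest()


def seal(secret: bytes, pcrs: Dict[int, bytes], indices: Tuple[int, ...]) -> bytes:
    """Bind a secret (<= 32 bytes) to the current PCR state. Blob = policy || ct || tag.

    Demo-only wrapping: a real TPM uses authenticated encryption under its storage key.
    """
    assert len(secret) <= 32
    policy = policy_digest(pcrs, indices)
    keystream = hashlib.sha256(SIM_TPM_KEY + b"enc").digest()
    ct = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(SIM_TPM_KEY, policy + ct, hashlib.sha256).digest()
    return policy + ct + tag


def unseal(blob: bytes, pcrs: Dict[int, bytes], indices: Tuple[int, ...]) -> Optional[bytes]:
    """Return the secret only if the blob is authentic and the PCRs match the sealed policy."""
    policy, ct, tag = blob[:32], blob[32:-32], blob[-32:]
    expected_tag = hmac.new(SIM_TPM_KEY, policy + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None  # stored expected digests were altered without the TPM key
    if not hmac.compare_digest(policy, policy_digest(pcrs, indices)):
        return None  # boot chain measured differently from when the secret was sealed
    keystream = hashlib.sha256(SIM_TPM_KEY + b"enc").digest()
    return bytes(a ^ b for a, b in zip(ct, keystream))


def demo() -> Tuple[List[int], bool, bool]:
    """Baseline vs. modified firmware: which PCR moved, and whether the sealed key survives."""
    baseline = replay_log(BASELINE_LOG)
    modified = replay_log(MODIFIED_LOG)
    blob = seal(b"volume-master-key", baseline, (0, 7))
    return (
        changed_pcrs(modified, baseline),                        # [0]: firmware PCR changed
        unseal(blob, baseline, (0, 7)) == b"volume-master-key",  # True on the original boot chain
        unseal(blob, modified, (0, 7)) is None,                  # True: refuses after BIOS change
    )


if __name__ == "__main__":
    print(demo())
```

The point the commenter quotes follows directly from the model: the only thing standing between a firmware modification and a successful unseal is the integrity tag over the stored policy, which is computed under the TPM-internal key. Comparing replayed PCRs against a baseline recorded on a known-good machine is the check that does not depend on that key, which is why measured-boot attestation to a separate verifier is the defensive counterpart to local sealing.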
You know what the solution to this is? Replace your damn equipment all at the same time :). Just make sure to implement some good hygiene pretty quickly.
Attackers would have to go through the entire process of phishing you again to be able to do any rootkit level stuff again.
The first commercial book on "project SCRUM" was actually just the results of a FOIA request on "psychological techniques against enemies with inferior footwear".
There are great photos of Khrushchev appealing to the UN human rights commission after his third stand-up in two days on the corn issue. His bosses replaced him and ultimately it was Gorbachev who had to market baby corn to the Chinese after successfully instituting an open source modeled staged waterfall.
I feel like this is some sort of absurdist joke that I can't even begin to fathom. I understand all the things you mention, but can't make a bit of sense out of it.
I wouldn't make that conclusion. As we know, knowledge is very compartmentalized in the NSA. So, there could be groups in the NSA trying to find attack vectors for Microsoft Windows while other parties in the NSA might have backdoor access to Windows for use in specific circumstances.
Furthermore, Microsoft has universal access to Windows machines which connect to Microsoft servers to download patches. The government can argue with risk to national security and force Microsoft to let them use that update mechanism to spread their malware.
Even if they had a universal back door into Windows, I'd expect them to research other attacks for a number of reasons:
- Backdoors can be discovered; I'd assume it is less likely to be detected if you use it less.
- Esoteric network configurations may make the 'normal' backdoor inaccessible
- Securing their own systems
- Deniability - if an attack in progress is discovered, it's better for the NSA et al. that it looks like a bug being exploited by an unknown third party than a deliberate backdoor (though I suspect any backdoors, should they exist, are designed to look accidental).