During one of the most highly anticipated sessions at the annual Usenix Enigma security conference in San Francisco, Rob Joyce, head of the NSA’s Tailored Access Operations, explained how to defend against the snooping techniques that he and his NSA coworkers use.
As he explained to a room full of security professionals and academics, the NSA operates by exploiting the login credentials of network administrators and others with high levels of network access and privileges that can open the door to monitoring private users.
Once inside a network, the NSA tries to find hardcoded passwords in software or passwords that are transmitted by old, legacy protocols.
“Don’t assume a crack is too small to be noticed, or too small to be exploited,” Joyce warned. “If you do a penetration test of your network and 97 things pass the test but three esoteric things fail, don’t think they don’t matter. Those are the ones the NSA and other nation-state attackers will seize on. We need that first crack, that first seam. And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”
Among the ways Joyce revealed that the NSA hacks into private networks were temporary network openings, Steam games, HVAC systems, and a code injection technique called Quantum insert, which apparently allowed the British spy agency GCHQ to hack the Belgian telecom Belgacom.
The number one way the NSA hacks into your device? Packet injection.
“We put the time in … to know [that network] better than the people who designed it and the people who are securing it,” Joyce explained. “You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You’d be surprised about the things that are running on a network vs. the things that you think are supposed to be there.”
Joyce also listed ways to make the NSA’s snooping a little more challenging. He recommended restricting access to important systems so that only those who really need access are given it. He also recommended segmenting networks and important data to make them less accessible to intruders. Patching systems and implementing application whitelisting were said to be another good way to ward off cyberattacks, and eliminating hardcoded passwords and legacy protocols that transmit passwords in the clear was also deemed essential.
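The hardcoded passwords Joyce describes hunting for are usually sitting in configuration files and source checked into repositories. The following script is an added example, not something from the talk or from any NSA tooling: it scans text for credential-style assignments and for passwords embedded in URLs, and skips values that are only placeholders or environment-variable references (`${API_KEY}`, `<set-at-deploy>`) so that a deployment that already externalises its secrets is not flagged. The key-name patterns and the sample configuration are constructed for the example.

```python
import re
from typing import List, Tuple

# Assignments whose key name suggests a credential (pattern list is an
# assumption for the example, not an exhaustive rule set).
KEY_RE = re.compile(
    r"\b(\w*(?:password|passwd|pwd|secret|api[_-]?key|token))"
    r"\s*[:=]\s*(?P<q>[\"']?)(?P<val>[^\"'\s#]+)(?P=q)",
    re.I,
)
# Credentials embedded in URLs: scheme://user:password@host
URL_CRED_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<val>[^@\s]+)@", re.I)
# Values that point at an external secret source or are obvious placeholders.
PLACEHOLDER_RE = re.compile(
    r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|%[A-Z_]+%|<[^>]+>|\*{3,}|changeme|x{3,})$", re.I
)


def is_placeholder(value: str) -> bool:
    """True when the value is a reference or placeholder rather than a literal secret."""
    return bool(PLACEHOLDER_RE.match(value.strip()))


def find_hardcoded_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key or 'url', literal value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue  # comment lines are not live configuration
        for m in KEY_RE.finditer(line):
            val = m.group("val")
            if not is_placeholder(val):
                findings.append((lineno, m.group(1).lower(), val))
        for m in URL_CRED_RE.finditer(line):
            val = m.group("val")
            if not is_placeholder(val):
                findings.append((lineno, "url", val))
    return findings


# Constructed sample configuration for the example.
SAMPLE_CONFIG = """\
# constructed sample config
db_host = db.internal
db_password = "hunter2"
api_key: ${API_KEY}
backup_url = ftp://backup:Summer2016!@backup.internal/dumps
admin_pwd = <set-at-deploy>
"""

if __name__ == "__main__":
    for lineno, kind, val in find_hardcoded_credentials(SAMPLE_CONFIG):
        # Mask the value so the report itself does not leak the secret.
        print(f"line {lineno}: literal credential in {kind} ({'*' * len(val)})")
```

Run against the sample, it reports the literal `db_password` on line 3 and the FTP password on line 5, and stays quiet about the two externalised values. The FTP hit is worth noting twice over: it is a hardcoded password and it belongs to a protocol that sends it in the clear.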
The NSA also apparently hates “out-of-band network taps”, devices that monitor network activity and produce logs that can record anomalous activity. If you’re a smart administrator and you actually read through the logs and understand what they say, you’re likely to be able to identify whether someone has come snooping.
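Reading tap logs pays off only if you know what “anomalous” means for your network, which is the knowledge gap Joyce says the NSA exploits. The script below is an added example, not from the talk: it runs a few simple rules over constructed flow records of the form `timestamp src dst dport proto`, flagging the legacy cleartext-password protocols mentioned above, administrative sessions (SSH, RDP, WinRM) that originate outside an assumed jump-host subnet, and any source that opens admin sessions to several distinct hosts in the window. The subnet, port lists, threshold and log lines are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed policy for the example: only the jump-host subnet may open admin sessions.
ADMIN_SOURCES = [ip_network("10.0.100.0/24")]
ADMIN_PORTS = {22, 3389, 5985, 5986}          # ssh, rdp, winrm
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}
FANOUT_THRESHOLD = 3   # distinct hosts reached on admin ports before we flag a source


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Finding:
    rule: str
    src: str
    detail: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record (constructed format)."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def is_admin_source(src: str) -> bool:
    return any(ip_address(src) in net for net in ADMIN_SOURCES)


def analyze(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    admin_targets: Dict[str, set] = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        # Rule 1: credentials travelling over a legacy cleartext protocol.
        if f.dport in CLEARTEXT_PORTS:
            findings.append(Finding("cleartext-protocol", f.src,
                                    f"{CLEARTEXT_PORTS[f.dport]} to {f.dst}"))
        # Rule 2: admin session from outside the jump-host subnet.
        if f.dport in ADMIN_PORTS:
            admin_targets[f.src].add(f.dst)
            if not is_admin_source(f.src):
                findings.append(Finding("admin-from-unexpected-source", f.src,
                                        f"port {f.dport} to {f.dst}"))
    # Rule 3: one source fanning out to many hosts on admin ports.
    for src, dsts in admin_targets.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.append(Finding("admin-fanout", src,
                                    f"{len(dsts)} hosts: {', '.join(sorted(dsts))}"))
    return findings


def count_by_rule(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for fd in findings:
        counts[fd.rule] += 1
    return dict(counts)


# Constructed tap log for the example (not real traffic).
SAMPLE_LOG = """\
# ts src dst dport proto
2016-01-27T09:02:11Z 10.0.100.5 10.0.1.20 22 tcp
2016-01-27T09:05:40Z 10.0.100.5 10.0.1.21 3389 tcp
2016-01-27T09:07:03Z 10.0.20.14 10.0.1.30 23 tcp
2016-01-27T09:09:51Z 10.0.20.14 10.0.1.20 22 tcp
2016-01-27T09:10:12Z 10.0.20.14 10.0.1.21 22 tcp
2016-01-27T09:10:44Z 10.0.20.14 10.0.1.22 22 tcp
2016-01-27T09:15:00Z 10.0.20.14 10.0.1.40 443 tcp
""".splitlines()

if __name__ == "__main__":
    for fd in analyze(SAMPLE_LOG):
        print(f"[{fd.rule}] {fd.src}: {fd.detail}")
```

On the sample the jump host’s two sessions pass silently, while the workstation at 10.0.20.14 produces a telnet finding, three out-of-policy SSH findings and one fan-out finding. The point of the thresholds is the one Joyce makes: the rules encode what you intend to be on the network, and the log shows you what is actually there.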
One of Joyce’s biggest surprises? The NSA doesn’t rely heavily on zero-day attacks, mostly because it doesn’t have to:
“[With] any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days,” he assured. “There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.”