Friday, January 24, 2014

Thursday, January 23, 2014

Top 10 DDoS attack trends

Source: Top 10 DDoS attack trends Posted on 23 January 2014.

Prolexic Technologies, a provider of DDoS protection services, published its top 10 attack trends for 2013.

Throughout the year, metrics were collected from all DDoS attacks launched against the company’s client base by the Prolexic Security Engineering & Response Team (PLXsert). Through digital forensics and post-attack analysis, PLXsert is able to build a global view of the evolving DDoS threat.

“It was a dynamic 12 months for DDoS attacks,” said Stuart Scholly, president of Prolexic. “The tools used by malicious actors in 2013 and the tactics they adopted changed considerably, reflecting the on-going evolution of the DDoS threat.”

Top 10 DDoS attack trends for 2013:

DDoS attack volume continued to rise with Prolexic mitigating 32.43 percent more attacks in 2013 than it did in 2012
DDoS attack volume also increased month-to-month in 2013, with 10 out of 12 months showing higher attack volume compared to 2012
Smaller, stealthy and more sophisticated application layer (Layer 7) attacks increased approximately 42 percent
High bandwidth, volumetric infrastructure layer (Layer 3 & 4) attacks increased approximately 30 percent
DNS, UDP, and UDP fragmentation floods, as well as CHARGEN, were the attack vectors that showed the most adoption in 2013
SYN and ICMP floods were the attack vectors that showed the most decline in use
Average DDoS attack sizes continued to increase with Prolexic mitigating numerous attacks over 100 Gbps, the largest peaking at 179 Gbps
Reflected amplification attacks emerged as a very popular attack method
Mobile devices and apps began participating in DDoS campaigns
DDoS attacks were more likely to originate from Asian countries.

“It is critical in 2014 that enterprise defenses continue to keep pace with the changing DDoS threat,” said Scholly. “In addition to increasing vigilance and knowledge, enterprises should also validate services from any mitigation providers they have retained to ensure the latest threats can be blocked quickly and effectively.”

Hadoop data security and Sentry

Source: Hadoop data security and Sentry

, Independent author, 07 January 2014

Access security, perimeter security, and HDFS security

Given the insights possible with big data, privacy fears have been the primary focus of its detractors. What has been missing from this discussion is protection of data with Apache Hadoop. Sentry is one solution aimed at protecting data within Hadoop by using a fine-grained authorization framework. This article explores Sentry and shows how it can be used to provide controls for big data applications in regulated industries.

PDF (187 KB)

Like many software projects, security is often an afterthought. Early Apache Hadoop use models were based on clusters of machines processing large amounts of public data (crawled web pages) inside a private data center. Given that the collected data was already public, the need to protect the data and its results was an unnecessary aspect of the implementation.

But as Hadoop has grown, so have the use models to which it is being applied. Today, not only are private data sets being processed, but Hadoop is being applied to multi-tenant scenarios in which varying datasets are being processed by a variety of users (each with different needs for the raw and processed data). Hadoop is also increasingly applied to sensitive data sets where data must be encrypted to avoid leaks. For this reason, security is now considered an integral part of a Hadoop cluster. In this article, I explore some of the interesting work going on with Hadoop for security. I look at data security, perimeter security, and data access security.

Big data, privacy, and data vulnerability

This case illustrates one danger of big data. Even through attempts to anonymize the data, leaking sensitive or private information is still possible through external correlation. When data sets necessitate regulatory requirements (such as the Health Insurance Portability and Accountability Act [HIPAA]), more must be done to avoid the more serious legal consequences that can result.This case illustrated that even anonymous data can be traced back to real users by correlating the information with other public sources. Netflix responded by excluding certain information from the data set but included other information, such as the users' zip code, age, and gender, but this approach was also flawed. Carnegie Mellon University identified that with this information, a person could be identified from zip code, age, and gender 87% of the time.

Let's start with a description of the problem, and then dive into Cloudera's solution, called Sentry.

Security within the Hadoop ecosystem

Today, Hadoop supports strong security at the file system level. Recall that the Hadoop Distributed File System (HDFS) is implemented within another native file system (such as the third extensible file system [ext3]). Access controls for Hadoop are implemented by using file-based permissions that follow the UNIX® permissions model. Although this model provides file-level permissions within the HDFS, it lacks more fine-grained access controls.

As an example, consider a file within the HDFS that contains movie reviews for a set of users. This data consists of a user ID, zip code, gender, age, movie title, and review. In Hadoop, access is an all-or-nothing model. If you can access the file using the permissions model, you can access all fields within the file. What's needed is a more fine-grained model of access. Where more secure access is granted to all data within the file, lower security access could be provided for individual fields of the data (such as all data except the user ID and zip code). Lower security access minimizes the possibility of leaking user information, and the role-based access of individual fields makes it possible to restrict access within files instead of all-or-nothing file access.

The overall problem of data security within Hadoop becomes even more difficult when you consider its implementation. Hadoop, and its underlying file system, is a complex distributed system with many points of contact. Given its complexity and scale, the application of security to this system is a challenge by itself. Any security implementation must integrate with the overall architecture to ensure proper security coverage.

Authorization frameworks and RBACs

Sentry supports the model defined previously for role-based access called Role-based Access Control (RBAC) over the relational database form of data (databases, tables, views, and so on). The RBAC model provides several features necessary for secure enterprise big data environments. The first is secure authorization, which enables access enforcement to data for authenticated users. Users can be placed under roles, and then given privileges of data access. This behavior allows the model to scale to permit the categorization of users into roles using templates rather than administrators having to assign detailed privileges to each user. This feature also simplifies permission management and reduces the load on administrators while minimizing the potential for errors and unintended access.

Further, administration of privileges can be configured for users to distribute the task to multiple administrators at the database or schema level. The fine-grained access controls to data and metadata can be controlled within databases. For example, a specific role may permit select of data, where another role may permit insert of data (at the server, database, and table scopes). Per my Netflix example, this means that for less strict security levels, roles can be defined to limit visibility to personally identifiable information.

Finally, Sentry implements authentication by using the existing and proven Kerberos authentication protocol, which is integrated into Hadoop.

Sentry with HDFS, Hive, and Impala

Figure 1 presents the basic architecture of Sentry. As you'll soon discover, it was designed for extensibility to support a wide variety of Hadoop-based applications and portability for varying forms of data providers.

Figure 1. Basic architecture of Sentry

Image showing the basic architecture of Sentry

Today, Cloudera has implemented support for many important open source Structured Query Language query engines, including Apache Hive (through the HiveServer2 thrift-based Remote Procedure Call interface) and Cloudera Impala. Each application is secured through a set of bindings implemented for that particular application. These bindings work with the policy engine to evaluate and validate predefined security policies and, when access is approved, work through a policy abstraction to gain access to the underlying data. Today, a file-based abstraction is provided that integrates support for the HDFS or access to the local file system for the security policies.

So, what does this mean for Hive and Impala? Sentry permits fine-grained authorization with the ability to define security controls over a server, database, table, and view, including the ability to specify select privileges for views and tables, insert privileges on tables, and transform privileges on servers. Each database or schema can have separate authorization policies. Sentry also provides support for Hive's metastore architecture.

To support greater extensibility, Sentry can secure new applications such as Apache Pig (through a set of Pig bindings) and enable access to new abstractions for access to security policies (such as a database). All are implemented as pluggable interfaces.

Sentry is available today as part of the Cloudera CDH version 4.3 release for use with Hive and Impala version 1.1. You can also download it separately from the Cloudera website as an add-on. Sentry is released under an Apache 2 license.

Other aspects of security within Hadoop

Sentry provides a role-based authorization framework, but that's not the only security innovation coming to Hadoop. Let's look at some of the other work going on for securing and controlling access to big data.

Project Rhino

Project Rhino is an open source effort by Intel to enhance Hadoop with additional protection mechanisms. The goal is to fill gaps representing insecurity within the Hadoop stack and provide multicomponent security within the Hadoop ecosystem. To that end, Intel has several development items addressing a variety of topics related to security and focusing on crypto capabilities.

Among the variety of work being implemented under Rhino, some of the most interesting cover new crypto capabilities for encryption and decryption of files over a number of use models. For example, the addition of a common abstraction layer for crypto codecs implements an application programming interface (API) through which multiple crypto codecs can be registered and used within the framework. To support this capability, a key distribution and management framework is also in the works.

A Hadoop cryptographic file system (called Hadoop CFS) is also under construction that will provide low-level cryptographic services for files within the HDFS. At this level, any Hadoop user can transparently exploit the new data security (from MapReduce applications to Hive, Apache HBase, and Pig).

Other services under construction include transparent encryption of snapshots and commit logs on disk and new Pig capabilities to support encryption-aware load and store functions.

Apache Knox Gateway

The Apache Knox Gateway provides a perimeter security solution for Hadoop. Where Sentry provides fine-grained access controls to data, the Knox Gateway provides controlled access to Hadoop services. The goal of the Knox Gateway is to provide a single point of secure access for Hadoop clusters. The solution is implemented as a gateway (or small cluster of gateways) that exposes access to Hadoop clusters through a Representational State Transfer (REST)-ful API. The gateway provides a firewall between users and Hadoop clusters (see Figure 2) and can manage access to clusters that run different versions of Hadoop.

Figure 2. Perimeter security with the Apache Knox Gateway

Image showing perimeter security with the Apache Knox Gateway

The Knox Gateway is a complementary security solution to Sentry that provides the outer level of access security. As a gateway in a demilitarized zone, Knox Gateway provides controlled access to one or more Hadoop clusters segregated by network firewalls.

Delegation tokens

Where the Apache Knox Gateway and Sentry provide perimeter and data access security, one missing element is HDFS data access from MapReduce tasks. One solution used by Oozie relies on the concept of delegation tokens. A delegation token is a two-party authentication protocol that lets users authenticate themselves with the Namenode (using Kerberos); on receipt of the delegation token, users can provide the token to the JobTracker so that resulting Hadoop jobs for those users can rely on the token for secure access to data within the HDFS.

Oozie, a workflow scheduler system to manage Hadoop jobs, uses delegation tokens when submitting Oozie jobs to Hadoop. As defined, an authenticated user provides a job to Oozie that results in a request for a delegation token from the JobTracker. As part of job submission, the delegation token provided for future Hadoop work accesses the HDFS. Any resulting MapReduce tasks for the job uses the associated delegation token to fully secure the resulting work.

Delegation tokens rely on a two-party authentication that is simpler and more efficient than the three-party authentication that Kerberos uses. This difference minimizes Kerberos traffic and leads to improved scaling and minimizing load on the Kerberos assets.

Going further

Sentry, contributed to the Apache Incubator by Cloudera, is a great step in the direction of an extensible authentication framework. As Hadoop clusters grow and their multi-tenancy increases, Sentry will provide the basis for protection over sensitive data and minimize the potential for leaks that were previously possible. For those health care, financial, or government deployments that must comply with strict data regulations (such as HIPAA or the Sarbanes-Oxely Act [SOX]), Sentry is a welcome addition to the Hadoop ecosystem. And although Sentry won't solve all of the issues that a complex system such as Hadoop presents, it's a step in the right direction. In conjunction with other Hadoop security projects (such as the Knox Security Gateway and Rhino), Hadoop is edging closer to an enterprise-capable secure platform.

Resources

Learn

The Sentry main page at Cloudera provides a basic introduction to the framework and links for download and installation (using its Cloudera Distribution for Hadoop, or CDH).
Hadoop, the open source system for scalable distributed computing, is a top-level Apache project. At the Hadoop site, you can learn about not only Hadoop but the collection of other projects that extend and enhance big data processing with Hadoop. One such project, Apache Oozie, provides a workflow scheduler to manage Hadoop jobs. An open item for Hadoop is theCryptographic File System. This is covered by an HDFS ticket for future development.
Delegation tokens implement a two-party authentication protocol to add security for job submissions to a Hadoop cluster.
Differential privacy refers to the goal of providing an accurate query from a statistical database while minimizing the chance of identifying its records. Netflix, in its open search for a more accurate search algorithm, discovered this issue when it released data whose records could be tied back to a known person by using external data for correlation.
For another perspective on role-based access control, check out the "Anatomy of Security Enhanced Linux (SELinux)" (developerWorks, May 2012), which describes the SELinux security architecture within Linux®.
Sensitive data comes in many forms, but a growing list of regulations exists to ensure that data is kept private. These regulations include HIPAA for medical data and SOX for financial data.
Kerberos is a network authentication protocol designed to provide strong authentication for client-server applications using secret-key cryptography.
Sentry relies on the REST architectural style for its interface. You can learn more about this interface style in "Understand Representational State Transfer (REST) in Ruby" (developerWorks, August 2012).
Get more information on security topics in the Security site on developerWorks.
Follow developerWorks on Twitter.
Watch developerWorks on-demand demos ranging from product installation and setup demos for beginners to advanced functionality for experienced developers.

Get products and technologies

Project Rhino is a collection of enhancements to the Hadoop ecosystem to improve its security so that it can be applied to new markets that have data security and compliance challenges.
The Apache Knox Gateway is a gateway solution to provide perimeter security to one or more Hadoop clusters. It implements a single point of secure access.

Discuss

Join the developerWorks Community, a professional network and unified set of community tools for connecting, sharing, and collaborating.

To Protect Your POS, Add Layers | Symantec Connect Community

Source: To Protect Your POS, Add Layers | Symantec Connect Community

To Protect Your POS, Add Layers

Created: 22 Jan 2014 • Updated: 22 Jan 2014

Author Kevin Haley

A cash register was part of the Internet of Things long before there was an Internet of Things.

A cash register, or Point Of Sale (POS) system, is a device that contains an operating system and network connectivity. It performs a very specific task, sending data back to a central server. Put that way, it sounds very much like part of the Internet of Things (IoT).

The big difference between POS and “IoT” is that devices in the “new” Internet of Things tend to run some flavor of Linux, while many cash registers run some version of the Windows operating system. As such, these cash registers are susceptible to the millions of pieces of malware written for Windows.

The solution to this security issue over the years has been to put some sort of anti-virus technology on the cash register.

In light of all the recent POS data breaches, we have to wonder, is anti-virus enough? The simple answer is no. Even if we were just concerned about common malware, the answer is still no.

Protecting against even common malware today requires more than anti-virus.

Symantec has sold technologies beyond anti-virus to protect Windows systems since 2003. Over the years we have added major technologies to our desktop product to provide additional layers of protection. We no longer sell “anti-virus” alone. We sell Symantec Endpoint Protection, which includes IPS (network threat protection), Insight (unique reputation-based technology) and SONAR (behavior-based blocking). To safeguard systems from advanced attacks you need to be running all of these layers of protection included in our endpoint protection solution.

Attackers have targeted POS systems for some time, and the pace has increased. It’s no surprise that these devices are prime targets for attack. They hold valuable credit card information at an extremely vulnerable time – before data has been encrypted and transferred to a more secure location.

Even if you have more than antivirus on these devices, it’s still not enough. What is the point of locking your door if you leave the windows wide open?

You need layered security on your POS device and throughout your network.

A properly configured endpoint protection product can block even the most determined attacker, and this is especially true when it comes to a POS system. POS systems actually have a security advantage over a PC as a single function device. Because no one on that device is web browsing, emailing or opening shared drives, the functionally of the machine and the files needed on that machine are limited.

Symantec Endpoint Protection 12.1 includes System Lockdown, Application Control, Device Control and Firewall capabilities. These tools allow you to reduce the attack surface by limiting the specific applications running on the machine, as well as control which devices and applications are allowed to access the network. Limiting applications and network accessibility on the machines can render malware useless because it won't be allowed to run on the machines or the network.

In short, to implement the best protection for your Windows-based POS systems, you need to need to havelayered security as part of your IT architecture. You need to have a security solution like Symantec Endpoint Protection on your device with specific features to maximize security.

If you already have Symantec Endpoint Protection, we’ve put together a step-by-step guide to help you maximize protection on a POS. You can find the guide here. If you use POS systems and you want to make sure you’ve done everything you can to make them secure, this is a document I can’t recommend highly enough.

For more information about how to protect your business, see:

Upgrading to SEP 12

How To Secure your Mobile POS Devices

Symantec Endpoint Security Blog

Videos:

How Symantec Endpoint Protection 12 protects against malware threats using Insight and SONAR technology

Beyond anti-virus with network threat protection

Blog Entry Filed Under:

Security, Endpoint Security Blog, customer data, endpoint security, Point of Sale, POS, safe transactions, SEP,symantec, Symantec Endpoint Protection

Group Ownership:

PartnerNet Group

Tim Harford — Article — Casinos’ worrying knack for consumer manipulation

Source: Tim Harford — Article — Casinos’ worrying knack for consumer manipulation

Casinos’ worrying knack for consumer manipulation

The spread of machine gambling offers a portent of other economic developments

What if the future of capitalism is not to be found in Shenzhen, Abu Dhabi or the Massachusetts Institute of Technology Media Lab – but in the Nevada desert? Natasha Dow Schüll, an anthropologist, has spent 15 years conducting field research in Las Vegas, culminating in a disturbing book, Addiction by Design. We are used to thinking of Vegas as a city of gaudy spectacle and the green baize of poker, blackjack and roulette tables. It is now a city of slot machines, which have grown like weeds because they are fantastically profitable. And the spread of machine gambling offers a worrisome portent of developments elsewhere in the economy.

Three slot-machine innovations stand out: first, confusion by design; second, addictiveness by design; third, the use of play money. All have been made possible by the digital automation of the machine itself, which in Las Vegas as elsewhere eliminates the skilled service jobs of croupiers and replaces them with highly paid jobs in interface design and low-paid work as a security guard or waitress.

Consider, first, confusion by design: Las Vegas casinos are mazes, carefully crafted to draw players to the slot machines and to keep them there. Casino designers warn against the “yellow brick road” effect of having a clear route through the casino. (One side effect: it takes paramedics a long time to find gamblers in cardiac arrest; as Ms Schüll also documents, it can be tough to get the slot-machine players to assist, or even to make room for, the medical team.)

Most mazes in our economy are metaphorical: the confusion of multi-part tariffs for mobile phones, cable television or electricity. My phone company regularly contacts me to assure me that I am on the cheapest possible plan given my patterns of usage. No doubt this claim can be justified on some narrow technicality but it seems calculated to deceive. Every time I have put it to the test it has proved false.

I recently cancelled a contract with a different provider after some gizmo broke. The company first told me the whole thing was my problem, then at the last moment offered me hundreds of pounds to stay. When your phone company starts using the playbook of an emotionally abusive spouse, this is not a market in good working order.

Another example is the way the pension providers charge for their services. Between the pensioner and the financial assets they are acquiring, it is almost impossible to figure out who is being charged for what. Even when annual charges are transparent, few people begin to grasp the vast sums such charges may cost them over the life of the product.

Now consider addiction by design. What is not understood about modern slot machines – certainly not by the UK’s Labour party, which recently tried to spark a moral panic on the subject – is that they do not try to drain your money away quickly. They do so slowly, by maximising “time on device”. The machines are cheap to run: what is the hurry? Machine gamers do not even play to win: they play to play. The aim of the machine is to deliver constant reinforcement – for instance, the “false win”, where a player is treated to fanfares and flashing lights after betting $3 and winning 60 cents.

Here, the natural analogy is with Facebook, Twitter and Google. These companies, ultimately, are selling one thing: our attention. Nothing about Facebook makes sense until you view it as a well-honed system for persuading you to check Facebook one more time.

Finally, consider the arrival of play money. A cutting-edge slot machine will not bother with a slot: the player will be attached umbilically via a casino charge-card on an elastic cord. This is partly a logistical matter: feeding machines with money, summoning a cashier to make change and cashing out jackpot wins all take time and interrupt a player’s flow.

But the substitution of cash for “credits” has a psychological effect too. Behavioural economists have shown that cash seems to have a bracing effect on our ethics and our judgment. Dan Ariely has found that we are willing to cheat for poker chips convertible into cash but less willing to be dishonest for naked cash itself. Drazen Prelec and Duncan Simester discovered a much higher willingness to pay for a good of uncertain value if the payment was made by credit card.

I would not wish to be too gloomy about all this. Most people do find a way to navigate through the maze of shopping malls and phone bills and loyalty cards and easy credit – the research of the economist Eugenio Miravete often shows people finding satisfactory deals against what look like insuperable odds. And the free market continues to deliver valuable products.

Nor is the right regulatory intervention always clear. Slot machines could be banned, I suppose – no doubt with unintended consequences – but the Vegas-isation of the everyday economy is not easily curbed with the stroke of a legislator’s pen.

Yet it is hard for a free-market enthusiast like me to look unblinkingly at Las Vegas, at row upon row of machines, designed by an elite and needing little human intervention, drawing in consumers, soothing them, entertaining them and eating their money – and not to feel that the invisible hand has slipped.

Also published at ft.com.

Monday, January 20, 2014

Housing Starts Top Views As Builders See Solid Foundation For 2014 - Investors.com

Source: Housing Starts Top Views As Builders Bet On Solid '14

By ANDREA RIQUIER, INVESTOR'S BUSINESS DAILY

Posted 01/17/2014 05:03 PM ET

Builders broke ground on more homes than expected in December, a sign of continued confidence in a tenacious housing recovery.

Housing starts fell 9.8% to an annualized rate of 999,000, the Commerce Department said Friday, but that followed November's 23.1% spike to a 6-year high. Last month's pace was higher than the 985,000 consensus, with the harsh weather likely contributing to the decline.

Some 923,400 homes were started last year, up more than 18% over 2012.

View Enlarged Image

"Sales are moving along and the future is bright," said Keith Gumbinger, vice president of HSH.com, a mortgage-lending website.

The National Association of Home Builders said Thursday that optimism among builders slipped a notch in January, to 56, but remained firmly in positive territory. That survey's subindexes signaled even stronger conditions for current and future sales.

"Builders have been increasingly happy because they're building again," Gumbinger said. "That's because 2014 is expected to be a pretty good year."

New construction of single-family homes hit 667,000 units in December, well above the 12-month average of 621,000.

The number of new homes finished but not sold has increased from a record low earlier in the cycle, but at 167,000 remains historically low.

There are 5.1 months' worth of existing homes at the current sales pace, according to the National Association of Realtors. Normal inventories would be six to six-and-a-half months' worth, said Celia Chen, a director with Moody's Analytics.

Foreclosure activity has fallen to a six-year low, meaning the huge overhang of supply is fading away.

Such constrained inventory has been "very supportive" for builders, who started to respond.

Home sales did take a breather in the summer as interest rates jumped more than a full percentage point in anticipation of Federal Reserve tapering. The Mortgage Bankers Association on Jan. 14 lowered its 2014 forecast for mortgage purchases by about 5% based on higher borrowing costs.

But most analysts believe that with the Fed actually starting to taper asset purchases over the course of 2014, such huge spikes won't be repeated. Rates averaged 4.72% in the Jan. 10 week, a 6-basis-point decline over the prior week, and applications to buy a home surged 12%.

"No one's interested in seeing higher financing costs, but higher rates are already in play," Gumbinger said. "No one should be afraid of a 5-handle."

But it would be worrisome if rates kept rising along with prices, Gumbinger said.

Rates had been kept "unnaturally low," Chen said, and she believes future increases will move in tandem with an improving economy. Even if prices rise along with rates, she said, an improving job market should offset those increases. Prices will likely appreciate at a slower pace in 2014 after running red-hot for much of 2013, which will help keep affordability in reach.

Builders have been conservative with supply in part to keep prices — and profits — rising. But despite strong earnings gains and generally bullish outlooks, shares of PulteGroup (PHM), Lennar (LEN) and D.R. Horton (DHI) remain well below their May peaks.

Read More At Investor's Business Daily: http://news.investors.com/economy/011714-686841-builders-start-more-homes-as-inventories-fall.htm#ixzz2qx08ZZF9

NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware | LeakSource

Source: NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware | LeakSource

NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware

In ANT, Archive, Hacking, NSA, NSA Files, Surveillance, TAO, Technology on December 30, 2013 at 3:17 AM

12/29/2013

SPIEGEL:

After years of speculation that electronics can be accessed by intelligence agencies through a back door, an internal NSA catalog reveals that such methods already exist for numerous end-user devices.

When it comes to modern firewalls for corporate computer networks, the world’s second largest network equipment manufacturer doesn’t skimp on praising its own work. According to Juniper Networks’ online PR copy, the company’s products are “ideal” for protecting large companies and computing centers from unwanted access from outside. They claim the performance of the company’s special computers is “unmatched” and their firewalls are the “best-in-class.” Despite these assurances, though, there is one attacker none of these products can fend off — the United States’ National Security Agency.

Specialists at the intelligence organization succeeded years ago in penetrating the company’s digital firewalls. A document viewed by SPIEGEL resembling a product catalog reveals that an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry — including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell and Apple’s iPhone.

These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives — from computing centers to individual computers, from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.

This, at least, is the impression gained from flipping through the 50-page document. The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets’ data. The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000.

In the case of Juniper, the name of this particular digital lock pick is “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.” In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH “has been deployed on many target platforms.”

The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA’s department for Tailored Access Operations (TAO). In cases where TAO’s usual hacking and data-skimming methods don’t suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such “implants,” as they are referred to in NSA parlance, have played a considerable role in the intelligence agency’s ability to establish a global covert network that operates alongside the Internet.

Some of the equipment available is quite inexpensive. A rigged monitor cable that allows “TAO personnel to see what is displayed on the targeted monitor,” for example, is available for just $30. But an “active GSM base station” — a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones — costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.

The ANT division doesn’t just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer’s motherboard that is the first thing to load when a computer is turned on.

This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this “Persistence” and believe this approach has provided them with the possibility of permanent access.

Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many digital attack weapons are “remotely installable” — in other words, over the Internet. Others require a direct attack on an end-user device — an “interdiction,” as it is known in NSA jargon — in order to install malware or bugging equipment.

There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalog provided any support to the NSA or even had any knowledge of the intelligence solutions. “Cisco does not work with any government to modify our equipment, nor to implement any so-called security ‘back doors’ in our products,” the company said in a statement. Contacted by SPIEGEL reporters, officials at Western Digital, Juniper Networks and Huawei also said they had no knowledge of any such modifications. Meanwhile, Dell officials said the company “respects and complies with the laws of all countries in which it operates.”

Many of the items in the software solutions catalog date from 2008, and some of the target server systems that are listed are no longer on the market today. At the same time, it’s not as if the hackers within the ANT division have been sleeping on the job. They have continued to develop their arsenal. Some pages in the 2008 catalog, for example, list new systems for which no tools yet exist. However, the authors promise they are already hard at work developing new tools and that they will be “pursued for a future release”.

Eagle Business Solutions Blog