
Leaked Documents: GCHQ Made Port-Scanning Entire Countries a Standard Spy Tool 58

Posted by timothy
from the small-island-nation-with-a-lot-of-curiosity dept.
Advocatus Diaboli writes with this excerpt from Heise: Since the early days of TCP, port scanning has been used by computer saboteurs to locate vulnerable systems. In a new set of top secret documents seen by Heise, it is revealed that in 2009, the British spy agency GCHQ made port scans a "standard tool" to be applied against entire nations. Twenty-seven countries are listed as targets of the HACIENDA program in the presentation, which comes with a promotional offer: readers desiring to do reconnaissance against another country need simply send an e-mail. Also from the article: The list of targeted services includes ubiquitous public services such as HTTP and FTP, as well as common administrative protocols such as SSH (Secure SHell protocol – used for remote access to systems) and SNMP (Simple Network Management Protocol – used for network administration) (Figure 4). Given that in the meantime, port scanning tools like Zmap have been developed which allow anyone to do comprehensive scans, it is not the technology used that is shocking, but rather the gargantuan scale and pervasiveness of the operation.
  • by Anonymous Coward

    SSH (Secure SHell protocol – used for remote access to systems) and SNMP (Simple Network Management Protocol – used for network administration)

    I'm glad that was made clear, us nerds know very little about IT in reality.

    • > I'm glad that was made clear, us nerds know very little about IT in reality

      I'm afraid that you're quite right. Many of our nerd friends and colleagues keep their SSH private keys un-passphrase-protected on backups and on NFS shares or removable media, we leave defaults in place for SNMP access. Moreover, a majority of the companies I've worked with in the last 10 years rely on their external firewalls to protect their internal networks from monitoring. This is even though people with VPN and laptop acc

      • You know, not to tangent off (oh wait this is slashdot) but this reminds me of a little soapbox I go on a lot lately:

        I dropped out of high school and taught myself how to use Linux, which taught me computing because I'm a reasonably clever human who finds things interesting and the command line is a layer of abstraction closer to the computing than a Windows UI.

        As I got some chops up from playing around with making websites for my guitar lessons and running various other services for my little LEGO camp bus

  • by BitZtream (692029) on Saturday August 16, 2014 @07:36AM (#47684039)

    So basically this is an article about the intelligence agencies using the same tricks criminals and security specialists in the industry have been using for years?

    Let me show you my shocked face ... :|

    • Let me show you my shocked face ... :|

      I raise you my face ... (^_~(__*__)

    • by pjt33 (739471) on Saturday August 16, 2014 @08:08AM (#47684103)

      Well, if we use the same kind of accounting principles that were used to try to extradite Gary McKinnon, this is an article about an intelligence agency causing potentially billions of pounds/dollars/euros of damage to computers, 99%+ of which were not "legitimate targets" for a black bag job. It may not be a surprise, but it's still rather embarrassing.

      • by Archtech (159117)

        No, no, no! You've got it all wrong! When private individuals do such things, they are terrorists, saboteurs, or thieves. But when governments do them, it's perfectly in order - they are only doing what all governments do.

        "Il est défendu de tuer; tout meurtrier est puni, à moins qu’il n’ait tué en grande compagnie, et au son des trompettes".
        ("It is forbidden to kill; therefore all murderers are punished unless they kill in large numbers to the sound of trumpets").

        - Voltaire

    • by Kludge (13653) on Saturday August 16, 2014 @08:18AM (#47684123)

      We are surprised because these are our governments spending our taxpayer dollars to find exploits in computers in foreign countries that have done us no wrong. While you may have no scruples about this sort of thing, most of the rest of us are offended when something is done in our names that we would never stand having done to us.

      • The idea behind a spy agency is to catch em before they do wrong. Really all alliances and agreements in international politics are matters of convenience, not moral obligation.

      • A phrase you might be searching for (or not) is "national technical means".

        It's the enforcement mechanism in a great many treaties involving things like, oh, nuclear weapons development, for instance.

        In case it's not obvious, "national technical means" is more or less synonymous with "spying". Yes, we can't actually count on people we make treaties with abiding by the treaties absent some enforcement mechanism. So we spy on them to make sure they do.

        And yes, this may involve spying on perfectly innocen

        • by AmiMoJo (196126) * <mojo@NOspAm.world3.net> on Saturday August 16, 2014 @06:12PM (#47686273) Homepage

          It's not about looking for people with sensitive information. They know who the nuclear scientists are and go after them more directly. What this mass port scanning is aimed at is finding vulnerable PCs and turning them into bots that serve up exploits.

          One favourite tactic GCHQ likes to use is to spoof a site and serve up a malware infested version, or at least one they can monitor more easily. They use other people's computers to do it, because they can't install their own hardware in the network centres of target countries.

          It's not just that they spy on everyone indiscriminately, they actually hijack innocent people's computers and use them to break the law in foreign countries. Clearly anyone who owns a computer should be concerned that GCHQ, a government agency with considerable funding, resources and access to zero day vulnerabilities may wish to use their property for criminal activity.

      • by houghi (78078)

        Hey, you have voted for them. Several times. And will do so again.

      • by Drewdad (1738014)

        Well, I'm sure that the military has all sorts of contingency plans.

      • We are surprised because...

        dude, the gchq are spies. what do you think they were doing? What surprises you about this?

      • most of the rest of us are offended when something is done in our names that we would never stand having done to us.

        But I like being screwed!

    • by Sycraft-fu (314770)

      It seems like the press has run out of new interesting things to report with regards to spy agencies, so rather than do some informed discussion on the stories or something, they are digging for shit.

      Yes, we know, spy agencies spy. That is their purpose, that is the reason they get funding. If this shocks you then you've had your head in the sand. Now if you think governments shouldn't have spy agencies, ok, but that is a different argument (and you might want to look in to why they do). But acting all surp

    • by AmiMoJo (196126) *

      Not that surprising, but still worth confirming so that we can defend against it.

      It's also confirmation that there is a cyber cold war going on, with countries actively probing each others defences and running an arms race in cyber security.

  • by Anonymous Coward

    There are faster ways to scan large address blocks - at least for TCP. We used a customized form of stateless scanning based on scanrand almost 10 years ago that could do the "usual suspects" across an entire 10/8 block off a single Linux machine in the space of about 8 hours. This was in a corporate environment where much of the space was >=1G, but it also covered lower-speed international routes. The 8 hrs was a balance between performance and network impact, so it could have been reduced.

  • Wasted time and money, but hardly shocking or evil.

    Every IP address exposed on the Internet is constantly scanned.

  • by PPH (736903) on Saturday August 16, 2014 @10:11AM (#47684495)

    Bulk port scanning is something I'd expect criminals to do looking for vulnerable systems to exploit. It's not going to tell you anything about the use of that system or the motives of its owners unless you install some sort of exploit. The only thing this will reveal is the possible presence of certain peer-to-peer apps that use well known ports.

    I'd expect the intelligence agencies to develop a list of likely terrorists and then concentrate on breaking into their systems. This looks like GCHQ has given up on al Qaida and is chasing file sharers full time. Public funds expended to protect the Disney company's property. When can I expect the local police department to pay two officers to guard my old pickup truck parked in my driveway every night?

  • nmap as a "hacking" tool reveals such an old mindset. Back then the prize was finding a service, which was inevitably not locked down or was easily compromisable. Nowadays even basic installs are secure thanks to sane package managers and distributions. The old "find an old version of sendmail and open a shell" tricks don't work.

  • Port Sentry is your friend :)

    A. The Sentry tools provide host-level security services for the UNIX platform. PortSentry, Logcheck/LogSentry, and HostSentry protect against portscans, automate log file auditing, and detect suspicious login activity on a continuous basis.

    It can also automatically respond to scans by blocking the originating hosts.

    I have been using it continuously since the 1990s.

    http://sentrytools.sourceforge... [sourceforge.net]
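Detection logic of the kind this post credits to PortSentry, as an added example that is neither the commenter's code nor the Sentry tools' own: it parses constructed iptables-style syslog lines, flags a source that touches several distinct destination ports within a short window, and returns the drop rules an auto-blocker would install. The log format, the threshold of 5 ports and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables/syslog-style log lines (sample data, not from the page).
SAMPLE_LOG = """\
Aug 16 07:36:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Aug 16 07:36:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Aug 16 07:36:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 SYN
Aug 16 07:36:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=161 SYN
Aug 16 07:36:03 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=443 SYN
Aug 16 07:36:10 gw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Aug 16 07:39:10 gw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
"""
# Timestamp, source address and destination port are all we need from each line.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

def parse(line, year=2014):
    """Return (timestamp, src, dport) or None; syslog omits the year, so it is supplied."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])

def detect_scans(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map src -> sorted distinct dports for sources that hit >= threshold distinct
    ports within `window`. Repeated hits on one port (brute force) are not flagged."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):           # sliding window over time-ordered hits
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= threshold:
                flagged[src] = sorted(ports)
                break
    return flagged

def block_rules(flagged, chain="INPUT"):
    """Firewall drop rules a PortSentry-style auto-responder would install (returned, not run)."""
    return [f"iptables -I {chain} -s {src} -j DROP" for src in sorted(flagged)]
```

Auto-blocking on the raw source address is only as trustworthy as that address: a spoofed SYN can make the responder block a third party, which is why the rules are returned for review rather than applied.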

  • I would estimate that in the last decade, any host visible on the Internet has gotten between 10 and 100 full port-scans per year, and most not from these people but other criminals.

    So let me say this clearly: If a port-scan is a risk for your server, you should
    a) Fix the damned thing already!
    b) If you cannot, stop administrating systems when you have no clue how to do it!

    Hell, in many countries port-scans are even perfectly legal.
