How the US and Its Spy Allies Scan the World for Hackable Servers

So far, the agencies have mapped every server in 27 different countries.

The spy agencies behind the Five Eyes snooping alliance are actively scanning networks across the connected world for vulnerabilities. Their tool is called Hacienda and its task is to find any unprotected "holes" left in server firewalls, such that spies can penetrate those servers and, potentially, take control. This was revealed in a paper published yesterday in Heise Online by researchers and journalists based in Germany.

Hacienda operates as a port scanner, a kind of software that probes the security of the different gateways that a system uses to connect to a network, like the internet or something more local. If a hacker wants to crack a system from the outside, ports are the way in. And they're in use everywhere all the time, from the servers storing your emails to the systems monitoring the activities of a nuclear power plant.

"The goal is to identify as many servers as possible in other countries that can be remotely controlled," said Christian Grothoff, the group's leader, in a statement from Technische Universität München (TUM). 

Five Eyes is the tight association of spy agencies hailing from the United States, Canada, New Zealand, Australia, and the United Kingdom. A pre-Cold War relic, the alliance is focused specifically on signals intelligence, the genre of snooping that's mostly interested in eavesdropping on communications. The Hacienda tool was first uncovered by journalists at Heise Online, who in 2009 came into possession of a slideshow presentation describing the technology and giving a heavily-redacted glimpse into its deployment.     

"It should also be noted that the ability to port-scan an entire country is hardly wild fantasy," the authors note in the new paper. "In 2013, a port scanner called Zmap was implemented that can scan the entire IPv4 address space in less than one hour using a single PC." So, you could port scan just about the entire planet in an afternoon and have your very own highest-resolution atlas of server vulnerabilities.

The revelation is less that the capability exists than how it's being employed. The next slide notes that Hacienda has so far been used to port scan 27 different countries, though the actual identities of those nations are blanked out. Moreover, "the documents do not spell out details for a review process or the need to justify such an action." They do, however, note that Five Eyes' port snooping involves network services, all purportedly secure, including HTTP, FTP, SSH, and SNMP. Again: nothing beyond Zmap capabilities.

Port mapping takes advantage of what's known as the "TCP handshake." I'll let the paper explain: 

The establishment of the connection works as follows: the host which wants to initiate a connection first sends out a TCP SYN ("synchronize") packet. If the destination host accepts the connection request, it sends a SYN/ACK ("synchronize/acknowledge") packet. After receiving a positive reply, the initiating host sends out an ACK ("acknowledge") packet, which finalizes the TCP three-way handshake. This TCP three-way handshake allows an adversary to easily determine if some TCP service is offered at a given port by a host on the Internet: if the TCP port is closed, the server reacts differently to the TCP SYN packet (Figure 6), sending a RST ("reset") packet instead of the SYN/ACK it would send were the port open. Thus, an adversary can easily map Internet services by considering the differences in the server's replies in the packet flows ...

So, it's not a difficult exploit, a fact that works the other way too. Port snooping can be evaded, and the TUM team is also unveiling a countermeasure of its own construction, called "TCP Stealth." The idea is simple enough and is based on the concept of "port knocking," in which the synchronization packet is loaded with some encrypted passcode, without which the process goes silent.

"The basic idea is to make a TCP server not respond positively to a TCP [synchronization] request unless a particular 'knock' packet has been received first," the authors explain. "This can be helpful for security, as an attacker who cannot establish a TCP connection also cannot really attack the TCP server. TCP Stealth is useful for any service with a user group that is so small that it is practical to share a passphrase with all members. Examples include administrative SSH or FTP access to servers, Tor Bridges, personal POP3/IMAP(S) servers and friend-to-friend Peer-to-Peer overlay networks."
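The reply logic described in the two passages above (SYN/ACK for an open port, RST for a closed one, no positive reply without the knock), simulated as an added example that is not code from the paper or the TCP Stealth project. The truncated HMAC-SHA256 derivation, the function names, the address and the passphrase are assumptions of this sketch, and a failed knock is modelled as getting the same answer as a closed port.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-passphrase"   # constructed sample value
LISTENING = {22, 80}                 # ports with a service behind them (constructed)
STEALTH = {22}                       # ports that additionally require the knock

def knock_isn(secret, dst_ip, dst_port):
    """32-bit value an authorised client uses as its SYN sequence number.
    Assumption: truncated HMAC-SHA256 over destination IP and port;
    the real TCP Stealth derivation is not reproduced here."""
    msg = socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

def reply_to_syn(dst_ip, dst_port, syn_seq):
    """Flags the simulated server sends back in answer to a SYN."""
    if dst_port not in LISTENING:
        return "RST"                 # closed port
    if dst_port in STEALTH:
        want = knock_isn(SECRET, dst_ip, dst_port).to_bytes(4, "big")
        got = (syn_seq & 0xFFFFFFFF).to_bytes(4, "big")
        if not hmac.compare_digest(want, got):
            return "RST"             # failed knock is answered like a closed port
    return "SYN/ACK"                 # handshake continues

def observed_open(dst_ip, ports, seq_for):
    """Ports a peer records as open, given how it picks its SYN sequence number."""
    return sorted(p for p in ports
                  if reply_to_syn(dst_ip, p, seq_for(dst_ip, p)) == "SYN/ACK")

if __name__ == "__main__":
    ip, ports = "192.0.2.10", [21, 22, 80]   # documentation address, constructed
    print("without secret:", observed_open(ip, ports, lambda i, p: 0x12345678))
    print("with secret:   ", observed_open(ip, ports,
                                           lambda i, p: knock_isn(SECRET, i, p)))
```

A survey that lacks the passphrase records only port 80 for this host, while the protected SSH port is indistinguishable from the closed FTP port.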

The paper notes that the NSA in particular thrives on what are known as "0-day attacks." This is when an attacker identifies a system vulnerability before the would-be defenders, essentially creating a scheme in which every additional defense deployed becomes a new possible exploit. 

"Once an adversary armed with 0-day attacks has discovered that a vulnerable service is running on a system, defense becomes virtually impossible," the paper explains. "Firewalls are unlikely to offer sufficient protection, whether because administrators need remote access or because spy agencies have already infiltrated the local network."

So the stakes are high, but protecting a server/network, whether it's from snooping nation-states or still more shadowy saboteurs, is easy. The TUM paper even comes with instructions on installing and using the TCP Stealth program. So why not?