FYI.

This story is over 5 years old.

Tech

Why Twitter Was the Platform of Choice for Ripping Apart the NSA Dump

Researchers collaborated to uncover exploits dumped by The Shadow Brokers live, on Twitter.

Last week, "The Shadow Brokers" dumped a slew of hacking tools they claimed belonged to a group associated with the NSA.

The dump was verified in various different ways. The Snowden documents provided a solid link between the files and NSA operations, and Kaspersky published an analysis of the encryption used that suggested the tools came from The Equation Group, a hacking unit widely believed to be part of the NSA.

Advertisement

But the majority of the work—especially around figuring out what the dumped exploits, tools, and other pieces of code actually did—hasn't come out of a multimillion dollar cybersecurity company, nor was it carried out in private.

Instead, many of the NSA's exploits were ripped apart live, on Twitter, by people who weren't paid to do so. Because it was all in public, anyone (including journalists such as myself) could watch the process unfold as it happened.

The #ShadowBrokers #EquationGroup BIOS implants are terrifying. I count 7 distinct flash/BIOS chips: pic.twitter.com/NsGh2kEUVf
— Brendan Dolan-Gavitt (@moyix) August 17, 2016

"Such difficult work requires collaboration and, in my opinion, Twitter provides it very well," Maksym Zaitsev, a security researcher who analysed different parts of the dump, told me in a Twitter message. Zaitsev works in a small company specialising in penetration testing and research and development. This time, he applied those skills on a unicorn-cache of never before seen exploits.

To keep up with the torrent of information posted by hackers, academics, and hobbyists, I adapted a Python script to scan new tweets for the tools' names. Tweets containing words such as ELIGIBLEBOMBSHELL, EXTRABACON, and BOOKISHMUTE flooded my screen. Many of those just mocked the NSA for having its tools exposed, but others came from researchers who had managed to get a tool to work, or discovered a new aspect of an exploit.

Advertisement

Shortly after The Shadow Brokers dumped the files, Mustafa Al-Bassam, a security researcher and former Lulzsec hacker, started what would become an incredibly detailed Twitter thread, combining his own research with other findings that sprung up as researchers dug into the various tools.

"Because the leaked files were already public, it makes no sense to do the research in private and hold on to it privately. Someone who's public about it will probably beat you to it," Al-Bassam told me in an online chat. "Also, sharing the research in public has the major advantage of other people contributing to the research freely, and things moving faster."

I'm going to tweet about interesting things I've found in the new NSA/Equation Group dump in this thread.
— Mustafa Al-Bassam (@musalbas) August 15, 2016

Perhaps this collaborative work could have been carried out in a slightly more closed setting—an IRC channel, for example. But Twitter provided a more open platform, where anyone was free to join in, discuss, and experiment.

"Email is an asynchronous communication, it can be delayed, you don't always know it, you don't always trust. IRC is synchronous, although it's not always accessible, not everyone's there and you can't be sure of a person," Zaitsev said.

And although not perfect, "Twitter has all the advantages, whereas almost no significant inconveniences. I found it way more effective than all other [means] of communication," he said.

Advertisement

"The most important work when it comes to improving computer security is often not done by information security companies"

One high point in the Twitter collaboration was the confirmation of an attack codenamed BENIGNCERTAIN. After analysing the code, Al-Bassam suspected it could extract keys from Cisco firewalls. He didn't have the hardware to test out the exploit himself, so called out to the community for help. Sure enough, Brian Waters, another security researcher, dug up his old Cisco PIX appliance and showed that the attack could work out VPN passwords.

Does anyone have a Cisco PIX firewall with a VPN configured for me to test on?
— Mustafa Al-Bassam (@musalbas) August 18, 2016

"In this case, others had already done a bunch of reverse engineering work; I just happened to be the only one with actual hardware," Waters told me.

Kevin Beaumont, another researcher who dived into the NSA dump, said, "My motivation was technical, I just wanted to understand how the exploits worked so I could better protect my employer." He also thought the vendor response had not been good enough.

Indeed, the discoveries around BENIGNCERTAIN arguably pushed Cisco to publicly respond to the issue.

"Cisco by their own admission only responded after news sites reported on my research, so they may never have responded to it otherwise," Al-Bassam said. Beaumont pointed out something similar happened with Fortinet, another company that makes firewall products.

It absolutely blows my mind that a handful of people on Twitter had to drive the research on #BENIGNCERTAIN, push for vendor acknowledgement
— Kevin Beaumont (@GossiTheDog) August 20, 2016

This isn't the first time researchers have pooled their efforts together onto Twitter: something similar happened when Italian surveillance company HackingTeam was exposed in 2015, although that dump was mostly concerned with emails and documents.

"The most important work when it comes to improving computer security is often not done by information security companies who are paid to look after the interests of their corporate clients, but hobbyists and academics doing research that is in the interest of wider society," Al-Bassam added.

That, and "It's just fascinating to analyse NSA exploits that are supposedly created by their most elite hacker unit."