
Leaked Documents: GCHQ Made Port-Scanning Entire Countries a Standard Spy Tool

timothy posted about a month and a half ago | from the small-island-nation-with-a-lot-of-curiosity dept.

Government 58

Advocatus Diaboli writes with this excerpt from Heise: Since the early days of TCP, port scanning has been used by computer saboteurs to locate vulnerable systems. In a new set of top secret documents seen by Heise, it is revealed that in 2009, the British spy agency GCHQ made port scans a "standard tool" to be applied against entire nations. Twenty-seven countries are listed as targets of the HACIENDA program in the presentation, which comes with a promotional offer: readers desiring to do reconnaissance against another country need simply send an e-mail. Also from the article: The list of targeted services includes ubiquitous public services such as HTTP and FTP, as well as common administrative protocols such as SSH (Secure SHell protocol – used for remote access to systems) and SNMP (Simple Network Management Protocol – used for network administration) (Figure 4). Given that in the meantime, port scanning tools like Zmap have been developed which allow anyone to do comprehensive scans, it is not the technology used that is shocking, but rather the gargantuan scale and pervasiveness of the operation.


58 comments


So what? (0)

Anonymous Coward | about a month and a half ago | (#47684021)

I use nmap to find what address my Boxee [wikipedia.org] has. It is faster than checking the dhcpd logs.

Re:So what? (1)

Anonymous Coward | about a month and a half ago | (#47684037)

They are not trying to set up their Boxees.

Re:So what? (1)

billstewart (78916) | about a month and a half ago | (#47698663)

Well somebody set up us the boxee, captain!

Phew (1)

Anonymous Coward | about a month and a half ago | (#47684029)

> SSH (Secure SHell protocol – used for remote access to systems) and SNMP (Simple Network Management Protocol – used for network administration)

I'm glad that was made clear, us nerds know very little about IT in reality.

Re:Phew (2)

Antique Geekmeister (740220) | about a month and a half ago | (#47684087)

> I'm glad that was made clear, us nerds know very little about IT in reality

I'm afraid that you're quite right. Many of our nerd friends and colleagues keep their SSH private keys un-passphrase-protected on backups and on NFS shares or removable media, we leave defaults in place for SNMP access. Moreover, a majority of the companies I've worked with in the last 10 years rely on their external firewalls to protect their internal networks from monitoring. This is even though people with VPN and laptop access connect to those internal networks all the time.

More generally, the Windows admins and most developers don't generally need to or try to understand how other protocols work. They click a few boxes on their configuration tools, they read a Google how-to, and that's the extent of their review. They don't bother to read the man pages or do an "snmpwalk" because they don't _have_ to.

And it's not just the Windows admins or software developers. I spent an hour on Thursday walking a senior Linux administrator through SNMP. He'd never realized that SNMP was the core tool for scanning remote network devices. I could explain why, but that's a separate post.

Re:Phew (1)

beatboxchad (2719115) | about a month and a half ago | (#47689779)

You know, not to tangent off (oh wait this is slashdot) but this reminds me of a little soapbox I go on a lot lately:

I dropped out of high school and taught myself how to use Linux, which taught me computing because I'm a reasonably clever human who finds things interesting and the command line is a layer of abstraction closer to the computing than a Windows UI.

As I got some chops up from playing around with making websites for my guitar lessons and running various other services for my little LEGO camp business, I thought I should break into doing this stuff for a living. It sure paid better than what I was doing. But I was intimidated to the point of shaking as I looked at the job postings.

This was two years ago. I'm NO hot-shot (I've met them. They're incredible. I'm still a few years away), but two years into my career, I'm about as appalled as I was intimidated. I've worked places where I was the only one who knew how to use SSH keys. I'm still in the Support phase of my career and I routinely work with "Senior IT Architect Engineer High-Salary Genius" titled people who can't cd to /var/tmp in a Linux-dominated environment they're responsible for. They use the UI on every vendor-provided tool and I encountered one who had Gnome running on their servers!

We're talking hour-long conference calls just to get 'em to tar up the logs so I can run grep on them and tell them what's wrong. And these cats probably make twice as much as I do. (I'm only assuming, it's not like I ask 'em. It's just the titles in their email sig I'm going on here.)

It really reassures me about the next phase of my career. I will have to go back to school to get into the deep levels of software development I want to get into (I know enough to know what I don't. You just have to have that math and algorithms and other background. I'm talking low-level C), but there are plenty of well-paying gigs for me to save up with.

I had a really screwed up, rough start to life, but I made it into the industry and it's gonna be a great ride from here... Those clowns have taught me I'll have no problem. I mean, there's no guarantee I'll never be that engineer that has to have something basic explained to him, but I love computing almost as much as I love playing music, and I seem to know more than many of my colleagues in some areas. I'm lucky right now, I work in a place where I have access to lots of people who know more than I do.

Anyway yeah there's a lot of IT people who don't know what SNMP is.

Re:Phew (0)

Anonymous Coward | about a month and a half ago | (#47690669)

Piss off. While I know what SSH stands for and have done for several years, it's a massive ballache when you have an article which has several arcane acronyms that are unexplained so you need to do a handful of searches to work out what the fuck an article is about.

Providing additional information which may not be of use to all readers is courteous. Withholding information because you believe 'everyone should already know this' is a dick move.

Isn't this exactly what a spy agency DOES? (-1, Troll)

Anonymous Coward | about a month and a half ago | (#47684035)

OMG! We found a spy agency SPYING!!!

OMG! OMG! OMG!

Geez this is getting old.

Re:Isn't this exactly what a spy agency DOES? (2)

Mashiki (184564) | about a month and a half ago | (#47684077)

It's not so much of them "spying" it's more so "were they doing it legally." And if not, who inside the organization and government is going to pay for the travesty. It seems to me that in the UK, the government wishes to throw the social contract [wikipedia.org] not only in the dirt, but shit on it, burn both, and then piss on the ashes.

Re:Isn't this exactly what a spy agency DOES? (3, Interesting)

Electricity Likes Me (1098643) | about a month and a half ago | (#47684301)

It's a freaking port scan. It is not a denial of service attack. It is not remotely illegal and any private citizen is legally allowed to do exactly the same and many researchers do without any need for special permissions.

This article could not possibly be any more pathetically sensationalist.

Re:Isn't this exactly what a spy agency DOES? (1)

Anonymous Coward | about a month and a half ago | (#47685791)

Security researchers are required to get written consent before port scanning for an audit.
So you can see why this sounds like a massive endeavor following no ethical rules.
Whether it's as bad as it sounds... meh... but really, it is quite contrary to all one would hold ethical.

Re:Isn't this exactly what a spy agency DOES? (1)

Anonymous Coward | about a month and a half ago | (#47686255)

> It is not remotely illegal and any private citizen is legally allowed to do exactly the same and many researchers do without any need for special permissions.

That's a bit like saying it is OK to break into peoples' houses because it is legal to enter into someones house when they give you permission, and they are essentially the same thing, right?

Your logic is beyond broken. It is incredibly illegal to commit any type of computer fraud, including brute force attacks (which includes port scanning), unless you have explicit permission before doing so.

Re:Isn't this exactly what a spy agency DOES? (1)

Electricity Likes Me (1098643) | about a month ago | (#47709141)

No. No it isn't, and literally every single thing you wrote is either factually wrong, or completely unrelated to what I was saying.

Re:Isn't this exactly what a spy agency DOES? (1)

Noah Haders (3621429) | about a month and a half ago | (#47684959)

i don't see what the social contract has to do with anything here. if UK is port scanning other nations then fine whatever. but if UK were portscanning the UK to identify vulnerabilities then that would be sucky and make me feel icky inside.

Re:Isn't this exactly what a spy agency DOES? (0)

Anonymous Coward | about a month and a half ago | (#47685127)

Unless they were contacting the owners of the UK computing infrastructure and advising them how to protect that infrastructure from foreign agencies and hackers. Then it might be good.

And we're surprised why? (4, Insightful)

BitZtream (692029) | about a month and a half ago | (#47684039)

So basically this is an article about the intelligence agencies using the same tricks criminals and security specialists in the industry have been using for years?

Let me show you my shocked face ... :|

Re:And we're surprised why? (1)

Gaygirlie (1657131) | about a month and a half ago | (#47684069)

> Let me show you my shocked face ... :|

I raise you my face ... (^_~(__*__)

I don't get it. (0)

Anonymous Coward | about a month and a half ago | (#47684139)

> Let me show you my shocked face ... :|

> I raise you my face ... (^_~(__*__)

You are raising one eyebrow and winking while burying our face in boobies?

Re:I don't get it. (1)

TapeCutter (624760) | about a month and a half ago | (#47684209)

No, a fat woman is sitting on his neck.

Re:I don't get it. (0)

Anonymous Coward | about a month and a half ago | (#47684255)

Ohhhhh! The asterisk is the anus!

Got it!

Re:And we're surprised why? (5, Interesting)

pjt33 (739471) | about a month and a half ago | (#47684103)

Well, if we use the same kind of accounting principles that were used to try to extradite Gary McKinnon, this is an article about an intelligence agency causing potentially billions of pounds/dollars/euros of damage to computers, 99%+ of which were not "legitimate targets" for a black bag job. It may not be a surprise, but it's still rather embarrassing.

Re:And we're surprised why? (2)

Archtech (159117) | about a month and a half ago | (#47684751)

No, no, no! You've got it all wrong! When private individuals do such things, they are terrorists, saboteurs, or thieves. But when governments do them, it's perfectly in order - they are only doing what all governments do.

"Il est défendu de tuer; tout meurtrier est puni, à moins qu’il n’ait tué en grande compagnie, et au son des trompettes".
("It is forbidden to kill; therefore all murderers are punished unless they kill in large numbers to the sound of trumpets").

- Voltaire

We are surprised because... (4, Insightful)

Kludge (13653) | about a month and a half ago | (#47684123)

We are surprised because these are our governments spending our tax payer dollars to find exploits in computers in foreign countries that have done us no wrong. While you may have no scruples about this sort of thing, most of the rest of us are offended when something is done in our names that we would never stand having done to us.

Re:We are surprised because... (0)

Anonymous Coward | about a month and a half ago | (#47684131)

I'm not surprised, and I don't like this. Anyone who finds this surprising doesn't have much knowledge about history.

Re:We are surprised because... (1)

Intrepid imaginaut (1970940) | about a month and a half ago | (#47684225)

The idea behind a spy agency is to catch em before they do wrong. Really all alliances and agreements in international politics are matters of convenience, not moral obligation.

Re:We are surprised because... (2)

CrimsonAvenger (580665) | about a month and a half ago | (#47684251)

A phrase you might be searching for (or not) is "national technical means".

It's the enforcement mechanism in a great many treaties involving things like, oh, nuclear weapons development, for instance.

In case it's not obvious, "national technical means" is more or less synonymous with "spying". Yes, we can't actually count on people we make treaties with abiding by the treaties absent some enforcement mechanism. So we spy on them to make sure they do.

And yes, this may involve spying on perfectly innocent civilians in the process. It's not like the other fellow's secret projects are going to be marked secret_nuclear_project.gov after all....

Re:We are surprised because... (3, Interesting)

AmiMoJo (196126) | about a month and a half ago | (#47686273)

It's not about looking for people with sensitive information. They know who the nuclear scientists are and go after them more directly. What this mass port scanning is aimed at is finding vulnerable PCs and turning them into bots that serve up exploits.

One favourite tactic GCHQ likes to use is to spoof a site and serve up a malware infested version, or at least one they can monitor more easily. They use other people's computers to do it, because they can't install their own hardware in the network centres of target countries.

It's not just that they spy on everyone indiscriminately, they actually hijack innocent people's computers and use them to break the law in foreign countries. Clearly anyone who owns a computer should be concerned that GCHQ, a government agency with considerable funding, resources and access to zero day vulnerabilities may wish to use their property for criminal activity.

Re:We are surprised because... (0)

Anonymous Coward | about a month and a half ago | (#47684293)

Port scanning is now a l33t skillset tool?

Anyone know just how much bandwidth all this spy-on-everyone practice consumes? throttling and bottleneck side-effects?

Re:We are surprised because... (1)

houghi (78078) | about a month and a half ago | (#47684429)

Hey, you have voted for them. Several times. And will do so again.

Re:We are surprised because... (1)

Drewdad (1738014) | about a month and a half ago | (#47684561)

Well, I'm sure that the military has all sorts of contingency plans.

Re:We are surprised because... (1)

Noah Haders (3621429) | about a month and a half ago | (#47684977)

> We are surprised because...

dude, the gchq are spies. what do you think they were doing? What surprises you about this?

Re:We are surprised because... (0)

Anonymous Coward | about a month and a half ago | (#47687709)

I was expecting them to at least follow the law..

Re:We are surprised because... (0)

Anonymous Coward | about a month and a half ago | (#47685115)

"rest of us are offended when something is done in our names that we would never stand having done to us"

By all means, be offended. It's done to you as well. Probably also by your closest ally.

Re:We are surprised because... (1)

grep -v '.*' * (780312) | about a month and a half ago | (#47689637)

> most of the rest of us are offended when something is done in our names that we would never stand having done to us.

But I like being screwed!

Ya (1)

Sycraft-fu (314770) | about a month and a half ago | (#47684141)

It seems like the press has run out of new interesting things to report with regards to spy agencies, so rather than do some informed discussion on the stories or something, they are digging for shit.

Yes, we know, spy agencies spy. That is their purpose, that is the reason they get funding. If this shocks you then you've had your head in the sand. Now if you think governments shouldn't have spy agencies, ok, but that is a different argument (and you might want to look in to why they do). But acting all surprised that they spy, and use known tricks to spy, is stupid.

It also takes away from the real issue, the story that needs to be discussed: That spy agencies were illegally spying on their own populace. THAT is the story that should be getting coverage. However it seems like the press did their thing on it, and now wants to move on to "something new" no matter how irrelevant it is.

If the GCHQ is spying on other countries, Brits shouldn't be concerned. That is why they have a GCHQ. If the GCHQ is spying on their own subjects, they should be concerned, since that is illegal.

Re:And we're surprised why? (1)

AmiMoJo (196126) | about a month and a half ago | (#47684219)

Not that surprising, but still worth confirming so that we can defend against it.

It's also confirmation that there is a cyber cold war going on, with countries actively probing each others defences and running an arms race in cyber security.

What countries (0)

Anonymous Coward | about a month and a half ago | (#47684287)

These leaks are all meaningless, wikileaks, blackvault..etc. all the same obfuscated, redacted crap that tell u f-all..

Re:And we're surprised why? (-1)

Anonymous Coward | about a month and a half ago | (#47684599)

You're from the class of assholes who called people tin-foil hat wearers before Snowden, when they'd talk about the state of the security civilization. To proceed with "And we're surprised why?" with every revelation, as the only comment. You are part of the problem. If you know so much, why don't you release all your knowledge now, asshole? But that is not your goal, is it? You like the stasi.

Re: And we're surprised why? (0)

Anonymous Coward | about a month and a half ago | (#47685029)

Are you taking your frustrations out on him because it's safe to do so? You're in desperate need of an easy target because you know you are powerless? Do you bite your pillow through the night, burning with seething rage? Your displays of anger are amusing.

waste of money (0)

Anonymous Coward | about a month and a half ago | (#47684045)

what a waste of taxpayers' money.. everybody knows you can use Shodan to do it for "free"

Oh the naivete! (0)

Anonymous Coward | about a month and a half ago | (#47684061)

Gotta love how the folks who get their panties in a wad when big out-of-control government does this kind of thing are the same ones who want to make that government even BIGGER by putting it in charge of health care.

Hey, guess what: A government that abuses you with X amount of power and resources will abuse you even MORE when it gets 3X power and resources.

Re:Oh the naivete! (1)

robsku (1381635) | about a month and a half ago | (#47685053)

Word! When I got my ADHD diagnosis from Finnish health care system I felt so ass-raped and abused I still can't sleep without crying.

Two things (0)

Anonymous Coward | about a month and a half ago | (#47684065)

Spy agencies need to care only about two things. Following the laws of their countries and not getting caught.

So this is news? (0)

Anonymous Coward | about a month and a half ago | (#47684091)

I thought it was common knowledge.

Re:So this is news? (0)

Anonymous Coward | about a month and a half ago | (#47685827)

Not common knowledge. One can easily imagine a spying agency doing something like this, but we often do not precisely know what they are up to.

Folks at Spy Agencies Caught Doing Their Jobs! (0)

Anonymous Coward | about a month and a half ago | (#47684259)

Tomorrow on Slashdot:

Folks at Spy Agencies Caught Doing Their Jobs AGAIN!

Re:Folks at Spy Agencies Caught Doing Their Jobs! (0)

Anonymous Coward | about a month and a half ago | (#47688213)

Folks at Spy Agencies Caught Breaking the Law AGAIN!

There, FTFY.

The scale isn't that impressive (1)

Anonymous Coward | about a month and a half ago | (#47684321)

There are faster ways to scan large address blocks - at least for TCP. We used a customized form of stateless scanning based on scanrand almost 10 years ago that could do the "usual suspects" across an entire 10/8 block off a single Linux machine in the space of about 8 hours. This was in a corporate environment where much of the space was >=1G but also covered lower speed international routes. The 8 hrs was a balance between performance and network impact so could have been reduced.

Re:The scale isn't that impressive (0)

Anonymous Coward | about a month and a half ago | (#47684797)

This does more obviously, but discovery is the main challenge.

State or war. (0)

Anonymous Coward | about a month and a half ago | (#47684399)

Should we not now be at a state of war with the nations? They have entered our sovereign space, friend or not they have broken a trust between countries.

Let the bombing begin.

-

Government waste (1)

Drewdad (1738014) | about a month and a half ago | (#47684431)

Wasted time and money, but hardly shocking or evil.

Every IP address exposed on the Internet is constantly scanned.

Why? (2)

PPH (736903) | about a month and a half ago | (#47684495)

Bulk port scanning is something I'd expect criminals to do looking for vulnerable systems to exploit. It's not going to tell you anything about the use of that system or the motives of its owners unless you install some sort of exploit. The only thing this will reveal is the possible presence of certain peer-to-peer apps that use well known ports.

I'd expect the intelligence agencies to develop a list of likely terrorists and then concentrate on breaking into their systems. This looks like GCHQ has given up on al Qaida and is chasing file sharers full time. Public funds expended to protect the Disney companies property. When can I expect the local police department to pay two officers to guard my old pickup truck parked in my driveway every night?

So what? (0)

Anonymous Coward | about a month and a half ago | (#47684533)

'..it is revealed that in 2009, the British spy agency GCHQ made port scans a "standard tool" to be applied against entire nations. '

2009? then we were a bit late at getting into the game there then.
In the late '90s/early 2000 it wasn't uncommon for me to spot countrywide port scans originating from a handful of IP numbers at a certain Chinese technical institute (at the time, I was looking after machines for various organisations in widely different geographical locations here in Britain).
I'm sure if I dug through all of the old backup tapes/CDs from that time I've still got I could probably find records of similar port scans originating from 'unassigned' IP numbers lurking in US Gov/Military netblocks I'd logged, they used to happen occasionally back then too.

Portscans? I always regarded them as the networking equivalent of this [youtube.com]

Welcome to 1999 (1)

Gothmolly (148874) | about a month and a half ago | (#47684905)

nmap as a "hacking" tool reveals such an old mindset. Back then the prize was finding a service, which was inevitably not locked down or was easily compromisable. Nowadays even basic installs are secure thanks to sane package managers and distributions. The old "find an old version of sendmail and open a shell" tricks don't work.

Re:Welcome to 1999 (1)

allo (1728082) | about a month and a half ago | (#47696103)

People like you are the people whose mailservers spam the rest of us.

Port sentry (1)

bl968 (190792) | about a month and a half ago | (#47685007)

Port Sentry is your friend :)

A. The Sentry tools provide host-level security services for the UNIX platform. PortSentry, Logcheck/LogSentry, and HostSentry protect against portscans, automate log file auditing, and detect suspicious login activity on a continuous basis.

It can also automatically respond to scans by blocking the originating hosts.

I have been using it continuously since the 1990's

http://sentrytools.sourceforge... [sourceforge.net]
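
The kind of scan detection described in the comment above, as an added example that is not part of the thread and is not PortSentry's own code: a sliding-window detector that flags a source once it has touched several distinct ports within a short time. The netfilter-style log lines, the addresses (documentation ranges) and the thresholds are constructed for illustration, and the lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines (netfilter LOG style), not taken from the thread.
SAMPLE_LOG = """\
2014-08-16T10:00:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
2014-08-16T10:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
2014-08-16T10:00:01 fw kernel: IN=eth0 SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
2014-08-16T10:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
2014-08-16T10:00:02 fw kernel: IN=eth0 SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
2014-08-16T10:00:03 fw kernel: truncated entry SRC=
2014-08-16T10:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80
2014-08-16T10:00:04 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40005 DPT=161
2014-08-16T10:00:05 fw kernel: IN=eth0 SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=443
2014-08-16T10:02:00 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=21
2014-08-16T10:04:00 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=33002 DPT=22
2014-08-16T10:06:00 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=33003 DPT=23
2014-08-16T10:08:00 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=33004 DPT=80
2014-08-16T10:10:00 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=UDP SPT=33005 DPT=161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?\bSRC=(?P<src>\S+) .*?\bPROTO=(?P<proto>\w+) .*?\bDPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source, (proto, dport)) or None for unusable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, m.group("src"), (m.group("proto"), int(m.group("dpt")))


def detect_scanners(lines, window_seconds=60, min_ports=5):
    """Flag sources that hit >= min_ports distinct ports inside the window.

    Repeated hits on one port (an ordinary client) count once. Returns
    {source: {"first_alert": datetime, "ports": sorted list of (proto, port)}}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source -> (timestamp, (proto, port)) events
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed entries instead of failing the whole run
        ts, src, target = parsed
        events = recent[src]
        events.append((ts, target))
        # Drop events that have aged out of the sliding window.
        while events and ts - events[0][0] > window:
            events.popleft()
        distinct = {t for _, t in events}
        if len(distinct) >= min_ports and src not in alerts:
            alerts[src] = {"first_alert": ts, "ports": sorted(distinct)}
    return alerts


if __name__ == "__main__":
    for label, seconds in (("60 s window", 60), ("600 s window", 600)):
        found = detect_scanners(SAMPLE_LOG.splitlines(), window_seconds=seconds)
        print(label, "->", sorted(found))
```

With the 60-second window only the fast sweep is flagged; the source that spreads the same five ports over several minutes is reported only when the window is widened, which is the tuning trade-off for this style of detector.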

Server security still sucks (1)

gweihir (88907) | about a month and a half ago | (#47687891)

I would estimate that in the last decade, any host visible on the Internet has gotten between 10 and 100 full port-scans per year, and most not from these people but other criminals.

So let me say this clearly: If a port-scan is a risk for your server, you should
a) Fix the damned thing already!
b) If you cannot, stop administrating systems when you have no clue how to do it!

Hell, in many countries port-scans are even perfectly legal.

Whiny Americans (0)

Anonymous Coward | about a month and a half ago | (#47689633)

You EXPECT your government to do it to foreigners, well guess what, 'us' foreigners expect our government to do the same to you.
