Have you ever used the Shodan search engine? It is a publicly available service that crawls the Internet looking for connected devices and lists their open ports, running services, system information and so on.
Shodan is used mainly by hackers, developers, students and anyone else with a sense of curiosity to find Internet-facing vulnerable systems with open ports and insecure authentication and authorization mechanisms, e.g. servers, Internet-connected cameras, traffic lights and SCADA systems.
According to the latest revelation from whistleblower Edward Snowden, the British spy agency GCHQ – counterpart of the NSA – apparently uses its own port-scanning service to target Internet-connected systems in at least 27 countries, in an attempt to potentially exploit them.
According to top-secret documents published by Heise on Friday, the port scan is part of the "Hacienda" program, which scans for open ports on all public-facing servers to find vulnerable applications running on them – a basic technique used by a large number of hackers and criminals.
WHY SCANNING FOR OPEN PORTS
Open ports are the doorways to a targeted server or workstation connected to the Internet. Port-scanning tools like Nmap let you discover which network ports are open on the target host.
Behind an open port there is an application or service able to receive data from and send data to the client. These applications may have vulnerabilities or bugs which could be exploited by a hacker to gain access to sensitive data or to execute malicious code on the machine remotely.
So the idea behind the program is to use those vulnerabilities to secretly turn the vulnerable servers into Operational Relay Boxes (ORBs). As a result, when the British spy agency or one of its Five Eyes partners wants to attack a target or steal data, they use these ORBs as an attack pathway to hide their tracks.
"So-called Operational Relay Boxes are used to hide the location of the attacker when the Five Eyes launch exploits against targets or steal data," Heise explains.
WATCHING BY FIVE EYES
The freshly revealed top-secret GCHQ documentation, dating back to 2009, notes that the HACIENDA program, operated by the "Five Eyes" nations including the NSA and the spy agencies of Canada, Australia and New Zealand, was used to fully port-scan 27 countries and partially scan five more. Targets included ports using protocols such as SSH (Secure Shell) and SNMP (Simple Network Management Protocol), which are used for remote access and network administration.
The Heise report, co-written by Snowden confidants Jacob Appelbaum and Laura Poitras, states:
"The process of scanning entire countries and looking for vulnerable network infrastructure to exploit is consistent with the meta-goal of 'Mastering the Internet', which is also the name of a GCHQ cable-tapping program: these spy agencies try to attack every possible system they can, presumably as it might provide access to further systems."
"Systems may be attacked simply because they might eventually create a path towards a valuable espionage target, even without actionable information indicating this will ever be the case. Using this logic, every device is a target for colonisation, as each successfully exploited target is theoretically useful as a means to infiltrating another possible target."
The HACIENDA database is shared with the other members of the Five Eyes spying club through "Mailorder" – a secure way for them to exchange collected data.
TCP STEALTH
Port scanning generally takes advantage of a basic flaw in the TCP protocol, which lets clients and servers talk to each other over the Internet by establishing connections with a "three-way handshake" – and that is where the problem lies. The server's answer to the very first handshake packet already tells the sender whether the port is open, so the handshake leaks information about the ports even when the probing client isn't authorized.
The report suggests various countermeasures against all this port scanning. One of them is TCP Stealth, which can help prevent Hacienda and similar tools from identifying systems. TCP Stealth works by configuring a passphrase on the user's device and on the system that needs to be protected. If the passphrase is incorrect, the system simply doesn't answer, and the service appears to be dead.
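The following Python model is an added illustration, not code from the article or from the TCP Stealth draft. It contrasts the ordinary handshake, which answers any SYN and so reveals port state, with a passphrase-gated handshake that stays silent unless the client proves knowledge of the shared secret; the token derivation (an HMAC of the connection tuple placed in the ISN), the closed-port behaviour and all addresses are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass
from typing import Optional

SECRET = b"example-shared-passphrase"  # constructed; provisioned out of band in practice


@dataclass
class Syn:
    """The fields of a SYN segment that matter for this model."""
    src: str
    dst: str
    dport: int
    isn: int  # 32-bit initial sequence number chosen by the sender


def stealth_token(secret: bytes, src: str, dst: str, dport: int) -> int:
    """Derive a 32-bit token from the shared secret and the connection tuple.
    This derivation is an assumption for the illustration, not the draft's formula."""
    msg = f"{src}|{dst}|{dport}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def authorized_syn(secret: bytes, src: str, dst: str, dport: int) -> Syn:
    """A client that knows the passphrase carries the token in its ISN."""
    return Syn(src, dst, dport, stealth_token(secret, src, dst, dport))


def plain_server(syn: Syn, open_ports: set) -> str:
    """Ordinary TCP: the handshake answers anyone, so the reply reveals port state."""
    return "SYN-ACK" if syn.dport in open_ports else "RST"


def stealth_server(syn: Syn, open_ports: set, secret: bytes) -> Optional[str]:
    """TCP Stealth-style gate: a guarded port stays silent unless the token checks out."""
    if syn.dport not in open_ports:
        return "RST"  # closed ports behave as usual in this model (assumption)
    expected = stealth_token(secret, syn.src, syn.dst, syn.dport).to_bytes(4, "big")
    if hmac.compare_digest(expected, syn.isn.to_bytes(4, "big")):
        return "SYN-ACK"
    return None  # silent drop: to a scanner this looks like a filtered or dead host


def scan(server, ports, src="198.51.100.7", dst="192.0.2.10", seed=1) -> dict:
    """What a scanner without the passphrase learns: classify each port by the reply."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    labels = {"SYN-ACK": "open", "RST": "closed", None: "no response"}
    return {p: labels[server(Syn(src, dst, p, rng.getrandbits(32)))] for p in ports}


if __name__ == "__main__":
    guarded = {22, 161}  # SSH and SNMP, the kinds of ports the article names
    print(scan(lambda s: plain_server(s, guarded), [22, 80, 161]))
    print(scan(lambda s: stealth_server(s, guarded, SECRET), [22, 80, 161]))
```

Note that the gate only hides listening services from an unauthenticated prober; an authorized client with the right secret still completes the handshake as usual.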
This latest revelation may not surprise or impress Internet security experts, because port-scanning software such as Nmap and ZMap are fundamental tools for hackers, developers and other curious folks; the only notable thing about the HACIENDA program is its scale.