Slashdot Mirror

← Back to Stories (view on slashdot.org)

Leaked Documents: GCHQ Made Port-Scanning Entire Countries a Standard Spy Tool

Posted by timothy on from the small-island-nation-with-a-lot-of-curiosity dept.

Advocatus Diaboli writes with this excerpt from Heise: Since the early days of TCP, port scanning has been used by computer saboteurs to locate vulnerable systems. In a new set of top secret documents seen by Heise, it is revealed that in 2009, the British spy agency GCHQ made port scans a "standard tool" to be applied against entire nations. Twenty-seven countries are listed as targets of the HACIENDA program in the presentation, which comes with a promotional offer: readers desiring to do reconnaissance against another country need simply send an e-mail. Also from the article: The list of targeted services includes ubiquitous public services such as HTTP and FTP, as well as common administrative protocols such as SSH (Secure SHell protocol – used for remote access to systems) and SNMP (Simple Network Management Protocol – used for network administration) (Figure 4). Given that in the meantime, port scanning tools like Zmap have been developed which allow anyone to do comprehensive scans, it is not the technology used that is shocking, but rather the gargantuan scale and pervasiveness of the operation.

58 comments

  1. So what? by Anonymous Coward · · Score: 0

    I use nmap to find what address my Boxee has. It is faster then check the dhcpd logs.

    1. Re:So what? by Anonymous Coward · · Score: 1

      They are not trying to set up their Boxees.

    2. Re:So what? by billstewart · · Score: 1

      Well somebody set up us the boxee, captain!

      --

      Bill Stewart
      New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  2. Phew by Anonymous Coward · · Score: 1

    SSH (Secure SHell protocol – used for remote access to systems) and SNMP (Simple Network Management Protocol – used for network administration)

    I'm glad that was made clear, us nerds know very little about IT in reality.

    1. Re:Phew by Antique+Geekmeister · · Score: 2

      > I'm glad that was made clear, us nerds know very little about IT in reality

      I'm afraid that you're quite right. Many of our nerd friends and colleagues keep their SSH private keys un-passphrase-protected on backups and on NFS shares or removable media, we leave defaults in place for SNMP access. Moreover, a majority of the companies I've worked with in the last 10 years rely on their external firewalls to protect their internal networks from monitoring. This is even though people with VPN and laptop access connect to those internal networks all the time.

      More generally, the Windows admins and most developers don't generally need to or try to understand how other protocol works. They click a few boxes on their configuration tools, they read a Google how-to, and that's the extent of their review. They don't bother to ready the man pages or do an "snmpwalk" because they don't _have_ to.

      And it's not just the Windows admins or software developers. I spent an hour on Thursday walking a senior Linux administrator through SNMP. He'd never realized that SNMP was the core tool for scanning remote network devices. I could explain why, but that's a separate post.

    2. Re:Phew by beatboxchad · · Score: 1

      You know, not to tangent off (oh wait this is slashdot) but this reminds me of a little soapbox I go on a lot lately:

      I dropped out of high school and taught myself how to use Linux, which taught me computing because I'm a reasonably clever human who finds things interesting and the command line is a layer of abstraction closer to the computing than a Windows UI.

      As I got some chops up from playing around with making websites for my guitar lessons and running various other services for my little LEGO camp business, I thought I should break into doing this stuff for a living. It sure paid better than what I was doing. But I was intimidated to the point of shaking as I looked at the job postings.

      This was two years ago. I'm NO hot-shot (I've met them. They're incredible. I'm still a few years away), but two years into my career, I'm about as appalled as I was intimidated. I've worked places where I was the only one who knew how to use SSH keys. I'm still in the Support phase of my career and I routinely work with "Senior IT Architect Engineer High-Salary Genius" titled people who can't cd to /var/tmp in a Linux-dominated environment they're responsible for. They use the UI on every vendor-provided tool and I encountered one who had Gnome running on their servers!

      We're talking hour-long conference calls just to get 'em to tar up the logs so I can run grep on them and tell them what's wrong. And these cats probably make twice as much as I do. (I'm only assuming, it's not like I ask 'em. It's just the titles in their email sig I'm going on here.)

      It really reassures me about the next phase of my career. I will have to go back to school to get into the deep levels of software development I want to get into (I know enough to know what I don't. You just have to have that math and algorithms and other background. I'm talking low-level C), but there are plenty of well-paying gigs for me to save up with.

      I had a really screwed up, rough start to life, but I made it into the industry and it's gonna be a great ride from here... Those clowns have taught me I'll have no problem. I mean, there's no guarantee I'll never be that engineer that has to have something basic explained to him, but I love computing almost as much as I love playing music, and I seem to know more than many of my colleagues in some areas. I'm lucky right now, I work in a place where I have access to lots of people who know more than I do.

      Anyway yeah there's a lot of IT people who don't know what SNMP is.

    3. Re:Phew by Anonymous Coward · · Score: 0

      Piss off. While I know what SSH stands for and have done for several years, it's a massive ballache when you have an article which has several arcane acronyms that are unexplained so you need to so a handful of searches to work out what the fuck an article is about.

      Providing additional information which may not be of use to all readers is courteous. Withholding information because you believe 'everyone should already know this' is a dick move.

  3. And we're surprised why? by BitZtream · · Score: 4, Insightful

    So basically this is an article about the intelligence agencies using the same tricks criminals and security specialists in the industry have been using for years?

    Let me show you my shocked face ... :|

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:And we're surprised why? by Gaygirlie · · Score: 1

      Let me show you my shocked face ... :|

      I raise you my face ... (^_~(__*__)

    2. Re:And we're surprised why? by pjt33 · · Score: 5, Interesting

      Well, if we use the same kind of accounting principles that were used to try to extradite Gary McKinnon, this is an article about an intelligence agency causing potentially billions of pounds/dollars/euros of damage to computers, 99%+ of which were not "legitimate targets" for a black bag job. It may not be a surprise, but it's still rather embarrassing.

    3. Re:And we're surprised why? by AmiMoJo · · Score: 1

      Not that surprising, but still worth confirming so that we can defend against it.

      It's also confirmation that there is a cyber cold war going on, with countries actively probing each others defences and running an arms race in cyber security.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:And we're surprised why? by Archtech · · Score: 2

      No, no, no! You've got it all wrong! When private individuals do such things, they are terrorists, saboteurs, or thieves. But when governments do them, it's perfectly in order - they are only doing what all governments do.

      "Il est défendu de tuer; tout meurtrier est puni, à moins qu’il n’ait tué en grande compagnie, et au son des trompettes".
      ("It is forbidden to kill; therefore all murderers are punished unless they kill in large numbers to the sound of trumpets").

      - Voltaire

      --
      I am sure that there are many other solipsists out there.
    5. Re: And we're surprised why? by Anonymous Coward · · Score: 0

      Are you taking you frustrations out on him because it's safe to do so? You're in desperate in need of an easy target because you know you are powerless? Do you bite your pillow through the night, burning with seething rage? Your displays of anger are amusing.

  4. waste of money by Anonymous Coward · · Score: 0

    what a waste of tax payers money.. everybody knows you can use Shodan to do it for "free"

  5. Oh the naivete! by Anonymous Coward · · Score: 0

    Gotta love how the folks who get their panties in a wad when big out-of-control government does this kind of thing are the same ones who want to make that government even BIGGER by putting it in charge of health care.

    Hey, guess what: A government that abuses you with X amount of power and resources will abuse you even MORE when it gets 3X power and resources.

    1. Re:Oh the naivete! by robsku · · Score: 1

      Word! When I got my ADHD diagnosis from finnish health care system I felt so ass-raped and abused I still can't sleep without crying.

      --
      In capitalist USA corporations control the government.
  6. Two things by Anonymous Coward · · Score: 0

    Spy agencies need to care only about two things. Following the laws of their countries and not getting caught.

  7. Re:Isn't this exactly what a spy agency DOES? by Mashiki · · Score: 2

    It's not so much of them "spying" it's more so "were they doing it legally." And if not, who inside the organization and government is going to pay for the travesty. It seems to me that in the UK, the government wishes to throw the social contract not only in the dirt, but shit on it, burn both, and then piss on the ashes.

    --
    Om, nomnomnom...
  8. So this is news? by Anonymous Coward · · Score: 0

    I though it was common knowledge.

    1. Re:So this is news? by Anonymous Coward · · Score: 0

      Not common knowledge. One can easily imagine a spying agency doing something like this, but we often do not precisely know what they are up to.

  9. We are surprised because... by Kludge · · Score: 4, Insightful

    We are surprised because these are our governments spending our tax payer dollars to find exploits in computers in foreign countries that have done us no wrong. While you may have no scruples about this sort of thing, most of the rest of us are offended when something is done in our names that we would never stand having done to us.

    1. Re:We are surprised because... by Anonymous Coward · · Score: 0

      I'm not surprised, and I don't like this. Anyone who finds this surprising doesn't have much knowledge about history.

    2. Re:We are surprised because... by Intrepid+imaginaut · · Score: 1

      The idea behind a spy agency is to catch em before they do wrong. Really all alliances and agreements in international politics are matters of convenience, not moral obligation.

    3. Re:We are surprised because... by CrimsonAvenger · · Score: 2
      A phrase you might be searching for (or not) is "national technical means".

      It's the enforcement mechanism in a great many treaties involving things like, oh, nuclear weapons development, for instance.

      In case it's not obvious, "national technical means" is more or less synonymous with "spying". Yes, we can't actually count on people we make treaties with abiding by the treaties absent some enforcement mechanism. So we spy on them to make sure they do.

      And yes, this may involve spying on perfectly innocent civilians in the process. It's not like the other fellow's secret projects are going to be marked secret_nuclear_project.gov after all....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    4. Re:We are surprised because... by Anonymous Coward · · Score: 0

      Port scanning is now a l33t skillset tool?

      Anyone know just how much bandwidth all this spy-on-everyone practice consumes? throttling and bottleneck side-effects?

    5. Re:We are surprised because... by houghi · · Score: 1

      Hey, you have voted for them. Several times. And will do so agian.

      --
      Don't fight for your country, if your country does not fight for you.
    6. Re:We are surprised because... by Drewdad · · Score: 1

      Well, I'm sure that the military has all sorts of contingency plans.

    7. Re:We are surprised because... by Noah+Haders · · Score: 1

      We are surprised because...

      dude, the gchq are spies. what do you think they were doing? What surprises you about this?

    8. Re:We are surprised because... by Anonymous Coward · · Score: 0

      "rest of us are offended when something is done in our names that we would never stand having done to us"

      By all means, be offended. It's done to you as well. Probably also by your closest ally.

    9. Re:We are surprised because... by AmiMoJo · · Score: 3, Interesting

      It's not about looking for people with sensitive information. They know who the nuclear scientists are and go after them more directly. What this mass port scanning is aimed at is finding vulnerable PCs and turning them into bots that serve up exploits.

      One favourite tactic GCHQ likes to use is to spoof a site and server up a malware infested version, or at least one they can monitor more easily. They use other people's computers to do it, because they can't install their own hardware in the network centres of target countries.

      It's not just that they spy on everyone indiscriminately, they actually hijack innocent people's computers and use them to break the law in foreign countries. Clearly anyone who owns a computer should be concerned that GCHQ, a government agency with considerable funding, resources and access to zero day vulnerabilities may wish to use their property for criminal activity.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:We are surprised because... by Anonymous Coward · · Score: 0

      I was expecting them to at least follow the law..

    11. Re:We are surprised because... by grep+-v+'.*'+* · · Score: 1

      most of the rest of us are offended when something is done in our names that we would never stand having done to us.

      But I like being screwed!

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  10. I don't get it. by Anonymous Coward · · Score: 0

    Let me show you my shocked face ... :|

    I raise you my face ... (^_~(__*__)

    You are raising one eyebrow and winking while burying our face in boobies?

    1. Re:I don't get it. by TapeCutter · · Score: 1

      No, a fat woman is sitting on his neck.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    2. Re:I don't get it. by Anonymous Coward · · Score: 0

      Ohhhhh! The asterisk is the anus!

      Got it!

  11. Ya by Sycraft-fu · · Score: 1

    It seems like the press has run out of new interesting things to report with regards to spy agencies, so rather than do some informed discussion on the stories or something, they are digging for shit.

    Yes, we know, spy agencies spy. That is their purpose, that is the reason they get funding. If this shocks you then you've had your head in the sand. Now if you think governments shouldn't have spy agencies, ok, but that is a different argument (and you might want to look in to why they do). But acting all surprised that they spy, and use known tricks to spy, is stupid.

    It also takes away from the real issue, the story that needs to be discussed: That spy agencies were illegally spying on their own populace. THAT is the story that should be getting coverage. However it seems like the press did their thing on it, and now wants to move on to "something new" no matter how irrelevant it is.

    If the GCHQ is spying on other countries, Brits shouldn't be concerned. That is why they have a GCHQ. If the GCHQ is spying on their own subjects, they should be concerned, since that is illegal.

  12. Folks at Spy Agencies Caught Doing Their Jobs! by Anonymous Coward · · Score: 0

    Tomorrow on Slashdot:

    Folks at Spy Agencies Caught Doing Their Jobs AGAIN!

    1. Re:Folks at Spy Agencies Caught Doing Their Jobs! by Anonymous Coward · · Score: 0

      Folks at Spy Agencies Caught Breaking the Law AGAIN!

      There, FTFY.

  13. What countries by Anonymous Coward · · Score: 0

    These leaks are all meaningless, wikileaks, blackvault..etc. all the same obfuscated, redacted crap that tell u f-all..

  14. Re:Isn't this exactly what a spy agency DOES? by Electricity+Likes+Me · · Score: 3, Interesting

    It's a freaking port scan. It is not a denial of service attack. It is not remotely illegal and any private citizen is legally allowed to exactly the same and many researchers do without any need for special permissions.

    This article could not possibly be any more pathetically sensationalist.

  15. The scale isn't that impressive by Anonymous Coward · · Score: 1

    There are faster ways to scan large address blocks - at least for TCP. We used a customized form of stateless scanning based on scanrand almost 10 years ago that could do the "usual suspects" across an entire 10/8 block off a single Linux machine in the space of about 8 hours. This was in a corporate environment much of the space was >=1G but also covered lower speed international routes. The 8 hrs was a balance between performance and network impact so could have been reduced.

    1. Re:The scale isn't that impressive by Anonymous Coward · · Score: 0

      This does more obviously, but discovery is the main challenge.

  16. State or war. by Anonymous Coward · · Score: 0

    Should we not now be at a state of war with the nations? They have entered our sovereign space, friend or not they have broken a trust between country's.

    Let the bombing begin.

    -

  17. Government waste by Drewdad · · Score: 1

    Wasted time and money, but hardly shocking or evil.

    Every IP address exposed on the Internet is constantly scanned.

  18. Why? by PPH · · Score: 2

    Bulk port scanning is something I'd expect criminals to do looking for vulnerable systems to exploit. Its not going to tell you anything about the use of that system or the motives of its owners unless you install some sort of exploit. The only thing this will reveal is the possible presence of certain peer-to-peer apps that use well known ports.

    I'd expect the intelligence agencies to develop a list of likely terrorists and then concentrate on breaking into their systems. This looks like GCHQ has given up on al Qaida and is chasing file sharers full time. Public funds expended to protect the Disney companies property. When can I expect the local police department to pay two officers to guard my old pickup truck parked in my driveway every night?

    --
    Have gnu, will travel.
  19. So what? by Anonymous Coward · · Score: 0

    '..it is revealed that in 2009, the British spy agency GCHQ made port scans a "standard tool" to be applied against entire nations. '

    2009? then we were a bit late at getting into the game there then.
    In the late '90s/early 2000 it wasn't uncommon for me to spot countrywide port scans originating from a handful of IP numbers at a certain chinese technical institute (At the time, I was looking after machines for various organisations in widely different geographical locations here in Britain).
    I'm sure If I dug through all of the old backup tapes/cds from that time I've still got I could probably find records of similar port scans originating from 'unassigned' IP numbers lurking in US Gov/Military netblocks I'd logged, they used to happen occasionally back then too.

    Portscans? I always regarded them as the networking equivalent of this

  20. Welcome to 1999 by Gothmolly · · Score: 1

    nmap as a "hacking" tool reveals such an old mindset. Back then the prize was finding a service, which was inevitably not locked down or was easily compromisable. Nowadays even basic installs are secure thanks to sane package managers and distributions. The old "find an old version of sendmail and open a shell" tricks don't work.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Welcome to 1999 by allo · · Score: 1

      People like you are the people, whose mailservers spam the rest of us.

  21. Re:Isn't this exactly what a spy agency DOES? by Noah+Haders · · Score: 1

    i don't see what the social contract has to do with anything here. if UK is port scanning other nations then fine whatever. but if UK were portscanning the UK to identify vulnerabilities then that would be sucky and make me feel icky inside.

  22. Port sentry by bl968 · · Score: 1

    Port Sentry is your friend :)

    A. The Sentry tools provide host-level security services for the UNIX platform. PortSentry, Logcheck/LogSentry, and HostSentry protect against portscans, automate log file auditing, and detect suspicious login activity on a continuous basis.

    It can also automatically respond to scans by blocking the originating hosts.

    I have been using it continuously since the 1990's

    http://sentrytools.sourceforge...

    --
    "GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
  23. Re:Isn't this exactly what a spy agency DOES? by Anonymous Coward · · Score: 0

    Unless they were contacting the owners of the UK computing infrastructure and advising them how to protect that infrastructure from foreign agencies and hackers. Then it might be good.

  24. Re:Isn't this exactly what a spy agency DOES? by Anonymous Coward · · Score: 1

    Security researchers are required to get written consent before port scanning for an audit.
    So you can see why this sounds like a massive endeavor following no ethical rules.
    Whether it's as bad as it sounds... meh... but really, it is quite contrary to all one would hold ethical.

  25. Re:Isn't this exactly what a spy agency DOES? by Anonymous Coward · · Score: 1

    It is not remotely illegal and any private citizen is legally allowed to exactly the same and many researchers do without any need for special permissions.

    That's a bit like saying it is OK to break into peoples' houses because it is legal to enter into someones house when they give you permission, and they are essentially the same thing, right?

    Your logic is beyond broken. It is incredibly illegal to commit any type of computer fraud, including brute force attacks (which includes port scanning), unless you have explicit permission before doing so.

  26. Server security still sucks by gweihir · · Score: 1

    I would estimate that in the last decade, any host visible on the Internet has gotten between 10 and 100 full port-scans per year, and most not from these people but other criminals.

    So let me say this clearly: If a port-scan is a risk for your server, you should
    a) Fix the damned thing already!
    b) If you cannot, stop administrating systems when you have no clue how to do it!

    Hell, in many countries port-scans are even perfectly legal.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  27. Whiny Americans by Anonymous Coward · · Score: 0

    Your EXPECT of your government to do it to foreigners, well guess what 'us' foreigners expect our government to do the same to you.

  28. Re:Isn't this exactly what a spy agency DOES? by Electricity+Likes+Me · · Score: 1

    No. No it isn't, and literally every single thing you wrote is either factually wrong, or completely unrelated to what I was saying.