
Full forum post quoted below (I didn't write it, just found it on social media a little while ago):

"Well, the story gets more interesting...

This morning, we read that information from the NSA's illegal surveillance databases has been routinely finding its way into DEA drug cases [1], with an entire government "training programme" in existence to mask the source of the information from defendants... as well as prosecutors and judges.

And this weekend, we've been working through the news that a large breach of security associated with the Tor network - it's been dubbed #torsploit [2] - has taken place. Exploit code is available (see earlier posts in this thread), and folks have been de-obfuscating and analysing the code.

There's also an IP address hard-coded into it - that's where the info gathered by the malware is being sent. That IP address is:

65.222.202.53

Now, the press reporting on the address so far has been saying it's a "Verizon business address in Virginia." Yes, that's what whois shows, but that's not exactly the full story, or the real story.

The folks at Baneki Privacy Labs have been chasing down that detail. They first asked [3], in a game-theoretic way, whether the entire situation isn't a bit too, well... obvious. I mean, did the FBI think nobody would notice? Everyone's been assuming it's the FBI, doing something like the "Darkmarket honeypot," [4] or some such. It's worth noting that nobody has taken public credit for this #torsploit [5] malware yet, so attributing it to the FBI is a leap of assumptive logic.

Turns out, the story is much more interesting than that.

Baneki dug deeper than whois, and got some clues things were spookier than they seemed. First, there's an open port (80) [6] sitting on the machine in question. So it's not some recycled or attempted-at-obfuscated IP address. It's still live and running. Then the fun starts... [7]

SAIC.png [a]

SAIC is, needless to say, deep in the core of the cyber-military complex... and certainly not the FBI.

Some further investigation by Baneki turns up the following information [8]:

NSA.png [b]

That IP address is part of IP space directly allocated to the NSA's Autonomous Systems (AS). It's not FBI; it's NSA.

What is an NSA IP address doing as a command & control contact for javascript malware being deployed in the #torsploit [9] attack? That remains to be seen... but we already know that PRISM data has been "jumping the wall" and leaking into other law enforcement hands. Is this an example of further abuse of PRISM's "national security only" dataset? That appears the most likely explanation, at this point in time.

Glenn Greenwald has been warning us this is happening - and here's another hard, objective, irrefutable data point. The NSA's Alexander - who only last week was at DefCon doing his best to charm the audience [10] - is once again caught lying bald-faced.

What happens now? We sit back to await developments..."

[1] http://mobile.reuters.com/article/idUSBRE97409R20130805?irpc...
[2] https://twitter.com/search?q=%23torsploit&src=typd
[3] https://twitter.com/Baneki/status/364323285003014144
[4] https://www.cryptocloud.org/viewtopic.php?f=17&t=87
[5] https://twitter.com/search?q=%23torsploit&src=typd
[6] https://twitter.com/Baneki/status/364336090057949184
[7] https://twitter.com/Baneki/status/364340406361665536
[8] http://pop.robtex.com/nsa.gov.html#records
[9] https://twitter.com/search?q=%23torsploit&src=typd
[10] https://twitter.com/CryptoCloudVPN/status/362864059105820674
[a] http://i.imgur.com/9d3fj2G.png
[b] http://i.imgur.com/PGnNvx9.png




[8] doesn't seem to be quite the smoking gun they are making out. I did some digging into other hosts near that one and it looks like pretty standard business ISP stuff to me. Outlook Web Access, phone systems, a few company websites. (Although the companies themselves are interesting, military and pharmaceuticals from my brief survey of SSL certificates.) Not directly NSA.

Doesn't seem implausible for it to have been running on a compromised host if there's publicly accessible PBXs and stuff around there.


Can you please explain what [8] does show, then?

[8] seems to show that the ENTIRE IP RANGE is assigned to nsa.gov. Just seeing that some innocuous-looking services are running on some IPs in that range doesn't mean anything for or against.

The government uses Outlook, has phones ... and even owns businesses (sometimes surreptitiously, like CIA front companies).

In fact, if the intelligence apparatus of this country didn't own or directly control at least one ISP, I'd be very, very surprised.


What [8] shows is that nsa.gov resolves to 65.196.127.226. 65.196.127.226 is part of the range 65.192.0.0/11 assigned to AS (autonomous system) 701, which is "UUnet Technologies, Inc". From Wikipedia, "Today, UUNET is an internal brand of Verizon Business".

Both 65.196.127.226 (the server that hosts nsa.gov) and 65.222.202.53 fall in the same /11 block (i.e. a block of 2,097,152 addresses) assigned to UUnet / Verizon Business.

However, that is a huge block of IP addresses, and numerous other servers are also hosted by Verizon Business on that block - http://route.robtex.com/65.192.0.0-11.html will give you a list.

It is entirely possible that the Verizon Business is providing services to some US government agency to run 65.222.202.53, but the fact that NSA also uses Verizon Business to host its website is hardly conclusive proof of anything.


Slight correction. Alexander was speaking at BlackHat, not DefCon.



Sorry to be ignorant, but I don't see where 65.222.202.53 is shown to be NSA-owned? I don't see that in the robtex record. Am I reading it wrong? I'm not familiar with this notation, I don't often look into IP allocation issues.


It isn't NSA owned according to the records. 65.192.0.0/11 is UUnet (Verizon Business) owned. nsa.gov is hosted on 65.196.127.225, and both 65.196.127.225 and 65.222.202.53 fall in the block of 2^(32-11) = 2,097,152 addresses designated 65.192.0.0/11 and owned by Verizon Business.

Verizon rents out those 2,097,152 addresses to their customers, but they are unlikely to tell you which customer is assigned which address at which time without customer permission (and neither address is set up in Verizon's nameservers to reverse resolve back to a hostname).

There is as much evidence that the NSA is behind this as there is that the YMCA USA (another Verizon customer) is behind this (or any of the numerous other Verizon Business customers): http://dns.robtex.com/ymcausa.net.html#records (that is just an example to show the flaw in saying that link [8] is a smoking gun that the NSA owns the server; I don't think the YMCA is behind this).


http://jodies.de/ipcalc?host=65.192.0.0&mask1=11&mask2=

     HostMin:   65.192.0.1
     HostMax:   65.223.255.254
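The "same /11 block" reasoning in the two comments above, and the ipcalc HostMin/HostMax figures, can be reproduced offline with the standard library. This is an added example and not code from the thread; the addresses and the 65.192.0.0/11 prefix are the ones quoted in the comments (the nsa.gov address appears as both .225 and .226 in different comments; .226 is used here as an assumption). No whois or DNS lookups are made, so the Verizon/AS701 assignment itself is taken from the thread, not verified by the code. The last function goes one step further than the comments: it computes the smallest CIDR block that contains both addresses, which turns out to be exactly the /11, i.e. the only thing the two addresses share is the coarsest allocation in the robtex record.

```python
"""Check the '/11 attribution' argument from the thread with ipaddress.

Added example; constants are the values quoted in the comments, not live
lookups, so the Verizon Business / AS701 ownership is assumed from the thread.
"""
import ipaddress

# Block the robtex record attributes to UUnet / Verizon Business (from the thread).
VERIZON_BLOCK = ipaddress.ip_network("65.192.0.0/11")
# Address hard-coded in the #torsploit payload (from the thread).
C2_ADDR = ipaddress.ip_address("65.222.202.53")
# Address nsa.gov resolved to (the thread cites both .225 and .226; .226 assumed here).
NSA_GOV_ADDR = ipaddress.ip_address("65.196.127.226")


def block_summary(net):
    """Return (address count, first usable host, last usable host) for a
    network, i.e. what ipcalc prints as HostMin / HostMax.

    network_address + 1 and broadcast_address - 1 are used instead of
    materialising net.hosts(), which would be ~2 million entries for a /11.
    """
    return (
        net.num_addresses,
        str(net.network_address + 1),
        str(net.broadcast_address - 1),
    )


def both_in_block(a, b, net):
    """True when both addresses fall inside the same CIDR block."""
    return a in net and b in net


def smallest_common_block(a, b):
    """Longest-prefix (smallest) CIDR block containing both addresses.

    Walk from /32 down to /0; the first block built on `a` that also
    contains `b` is the tightest allocation the two could possibly share.
    """
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        if b in net:
            return net
    raise ValueError("unreachable: /0 contains every IPv4 address")


if __name__ == "__main__":
    size, host_min, host_max = block_summary(VERIZON_BLOCK)
    print(f"{VERIZON_BLOCK}: {size:,} addresses, HostMin {host_min}, HostMax {host_max}")
    print("both addresses in the /11:", both_in_block(C2_ADDR, NSA_GOV_ADDR, VERIZON_BLOCK))
    print("smallest block containing both:", smallest_common_block(NSA_GOV_ADDR, C2_ADDR))
```

Because the tightest block containing both addresses is the /11 itself, any other customer address in that Verizon range (the YMCA example in the comment above, for instance) would produce exactly the same "match"; a real attribution needs a SWIP/reassignment record, reverse DNS, or a certificate on the host, none of which the robtex record in [8] provides.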


Thank you, I think that clears it up for me.


I believe your [a] and [b] footnotes are in backwards order at the bottom of your post.


looks like it, fixed, thanks


http://imgur.com/daKuGOr,0nad8mb

Images of the original thread.
