These two days, NSA is black, (or formula) or The Shadow Brokers (domestic media as "the shadow broker") events is still in full swing in fermentation. Many smaller partners would have seen a lot of reports, if you missed the details does not matter, this article will give you comb NSA black sequence of events, as well as those words were about, what exactly is meant.Question: who is being hacked?Last week, a group of hackers claim that invade the NSA, or United States National Security Agency–in fact, reading "NSA black" those words are shocking enough. NSA is the Prism two years before the events of the protagonist, the Agency under the United States Department of Defense, is a United States Government agency, the largest intelligence service, specializing in the collection and analysis of communication data (including United States abroad).Prism gate incident that year, former NSA employee Edward Snowden NSA internal documents disclosed a large number of stunning, the sword refers to the NSA, through various means, and science and technology cooperation, wantonly listens United States national network activity, and the tentacles are extended to foreign countries.This is the NSA be dark, black targets, specific organization is NSA's equation (Equation Group). Organization of this equation exactly what organization? As early as February 2015, Kaspersky Lab released a report, pointing out that NSA since 2001, inside there is a hacking group. Kaspersky the organization naming formula for organizations.Formula features, a "complex" 0-day malicious programs targeting of businesses launched intelligence spying activities. According to Kaspersky's report said, the equation organization combines a variety of complex and advanced strategies and tactics, technologies and highly consistent processes. Within the Organization have many complex tools–the invasion of these tools is said to need to spend a lot of energy can be developed.Kaspersky for formula one organization's evaluation is fairly "high": the secret techniques used by the complexity and refinement of "beyond any known information". Prominent Stuxnet stuxnet virus and Flame flame, before involving 0day that could have been used for equations–equation associated with those behind the malicious activity. For instance, 2008 with Fanny malicious programs, new variant of stuxnet to 2009 and 2010 began to be used. VR iPhone caseFormula one's reach could extend to more than 30 countries around the world tens of thousands of (even tens of thousands) of the victim. The equation "special care" area includes Government and diplomatic agencies, communications, aerospace, energy, oil, military, nanotechnology, nuclear research, mass media, transportation, finance, development, Muslim and other encryption technology. For students interested in the equation to read Kaspersky report.Such a funky APT organization, turned out to be black!?Question two: who the hell is black?This intrusive hacking group called The Shadow Brokers within the equation. This is in fact the attacker who has mastered all the exact information, the name "The Shadow Brokers."Problem three: into what is the purpose?We mentioned earlier, equations developed in-house a variety of high-end information stolen tools, and most use a variety of products, including security 0-day vulnerability to intrusion. So The Shadow Brokers after penetrated NSA equations within the Organization, steal a lot of tools in this organization, the 13th of this month, to be precise to a large number of files published online (on GitHub and Tumblr, but have been deleted), including malicious programs, hacker attacks, exploit tools.But The Shadow Brokers these tools into two parts, some of which provided free trial downloads, there are some (allegedly 40% of the best files) are clearly sold, priced at 1 million coins (about 578 million dollars, funny! Buy a company on this point). GitHub was soon deleted the relevant pages, but it is interesting, deleted not because of Government pressure, but GitHub's policy does not allow for the theft of assets offered for sale.From this obvious behavior, can we believe that The purpose of Shadow Brokers really is about money?Things have gone to this point, most security practitioners wanted to know, in fact, is the release of these documents is not really, is reliable. In the fermentation of this matter in the next few days, and only let people with sensory horror. First Kaspersky came forward to confirm, these files are absolutely real and effective (foreign media the term is legitimate), and from all appearances, and equations related.Researchers at Kaspersky Lab announced the details of the study of these materials:The Shadow Brokers of this data publicly available for free download size is approximately 300MB, which contains some firewall products that exploit, hacker tools and scripts, tools, specific names like BANANAUSURPER, BLATSTING, BUZZDIRECTION. But they have at least 3 years of history, time point is the subject of the latest time stamp in October 2013.So exactly what formula one now? Kaspersky Lab has said: "Although we are unable to determine the identity or motives of the attackers, also do not know where or how to get these tools, but we can definitely leaked hundreds of tools, and definitely closely related equation organizations. ”The Shadow Brokers about more than 300 files in a published document, RC5 and RC6 encryption algorithm is used as a general policy, exactly the same methods and equations. virtaul reality case"Code similarity we confirmed that The Shadow Brokers disclose malicious programs and equations are indeed linked. "The comparison is on the earlier equation RC6 code, and this time The Shadow of Brokers in the leaked document code, same functions, constraints, and some rare features can explain the problem.Other than Kaspersky, NSA other a mysterious TAO (specific Office of the invasion) former employees also believe that these tools and tools for formula one. Washington Post have reported on this.Shang Friday, The Intercept announced has new a round of Snowden leaks document, which has many tool and this times leaked of tool exists is strong of associated, these are is evidence: like Snowden disclosure of document in the contains a paragraph SECONDDATE using tool, this tool can in network layer interference Web requests, and will of heavy directed to FOXACID server, "operation manual" 28th page mentioned, NSA employees must using ID, To mark the victims sent to the FOXACID server, which refers to ID for ace20468bdf13579, the ID in the The Shadow Brokers leaks appeared in 14 different file.These tool what can used to do what, we also can slightly lift some example, like security research personnel test has EXTRABACON using tool, confirmed using this paragraph tool, in not need provides effective identity voucher of situation Xia, on can access Cisco Firewall: this paragraph tool using Cisco ASA software SNMP agreement in the of 0-day vulnerability (CVE-2016-6366), can to "without authorized of remote attack who" completely control equipment.In addition, there are 0-day using Cisco earlier vulnerabilities using tools such as Cisco CVE-2016-6367 vulnerability, the vulnerability exists in Cisco ASA command line interface parser software, can result in unauthorized local attackers constructed DoS attacks, as well as the risk of arbitrary code execution-from leaking EPICBANANA and JETPLOW tools take advantage of that vulnerability.For example, there is a tool to decrypt Cisco PIX VPN traffic, plant malicious programs in the motherboard firmware, this attack can hardly be detected, is no way to remove … This spread to the vendors including Cisco, Juniper, Fortinet, etc, is particularly worth mentioning is that leak tools also include the TopSec firewall products that exploit tools. Cisco also confirmed the existence of these vulnerabilities in the first and issued the corresponding patch – think about it, mentioned the timestamp of the leaked documents at least 3 years ago, one can imagine how much these 0day vulnerability 0day.FreeBuf has also recently made a few articles about analysis of leaked documents, like this one: the NSA (United States National Security Council) leaks file depth analysis (PART 1), which essentially is how scary is the equation.Question four: really for 1 million coins?On this issue, the industry views the issue. To answer this question, it would have to find out who is behind the attacks, mainstream attitude at present, there are two, one is the NSA insiders (foreigner's Word is insider's job) – Matt Suiche is famous in the industry think so, he said he and former NSA TAO employees chatted on the matter. He wrote in his blog:"The leaked files also contain the NSA TAO tool set, these tools were originally stored on is physically isolated network, would not have access to the Internet. ”"There is no reason to put those files in the staging server on the server, unless it was meant to do. File hierarchy, there are file name has not changed, this should make it clear that these documents are copied directly from the source. ”In addition considered insiders, Snowden on a Twitter special on the matter, and he thinks it is "Russia United States response", although the "response" seem a little scratching their heads, said to be the previous United States condemned Russia on the DNC Democratic National Committee about the invasion (Lol). Two weeks ago, Wikileaks ' release from the DNC (there is another for the DCCC Democratic Congressional Campaign Committee) an internal document, United States over security and intelligence agencies believed that the matter with Russia, although Russia denied it."This spill, looks like someone signals, indicating that this drama will continue to rapidly expand. This is like the kind of warning, someone wants to prove that United States needs for this malicious program server is responsible for all attacks. This event would greatly impact on subsequent policy abroad, especially those with the United States as a goal, and those who want to United States General elections of external organizations. ”Snowden penetrated equation server to Russia is not so difficult for a hacker. Even if NSA has such complex tools behind it, Russia on NSA has a very deep understanding of network sector, also has the ability to detect all attacks NSA. He also said the hackers did not obtain data after June 2013, because during that time coincided with the Snowden published confidential documents of the NSA, NSA is likely therefore to replace the infrastructure.The mainstream view is that foreign media, The Shadow Brokers ask for the 1 million coins was just a smokescreen, it is confusing. As to the truth and what estimates also need more analysis.Problem five: new progress?In fact, we have a very big problem is not resolved, is the equation of how The Shadow Brokers into the server–this thing now, of course, no one can be announced. Famous Italy Claudio Guarnieri researchers speculated that the hackers may be black into a "listening post" (listening post? ), Which is part of the equation of the entire information infrastructure.Strange transactions per 0.001337 currencyAnd The Shadow is Brokers who probably many people curious. There's an interesting thing: reports from Security Affairs, two days before the Internet appeared a very strange deal, The Shadow Brokers accounts changed, a few days ago into about $ 990. Feels strange is that this $ 990 from the Silk Road coins account. For a while! Silk Road Bitcoin did not already under the control of the FBI (after the arrest of a black market)? Not only that, there are also other transfers account (stream? )。 It is a mystery!The NSA to be black is still a problem, we will continue to wait for the event to further ferment, tracking and reporting. But having said that, do you have any security at all in the world?Lei Feng network Note: writer Ouyang onions, FreeBuf hackers and geeks (FreeBuf.COM) authorizes the release of Lei Feng network (search for "Lei feng's network" public concerns), please indicate the source and author, no deletion of content.