We knew that NSA had (has) monitoring access to all Pakistani telecom operators, Pakistani Internet Service Providers and other government departments, but a new leak provides undeniable evidence that it was indeed happening.

The new dump, credited to ShadowBrokers — a hacker group that previously published tools, hacks and other exploits that NSA had used to infiltrate networks and governments across the world — was leaked a few hours ago and has information about more ways through which NSA was accessing mobile companies and private and public networks in various countries.

ShadowBrokers had initially put this data up for auction online, but since no one bought it, the group shared the password for the entire dump in protest.

The leaked dump, which is encrypted, is terabytes in size, and security researchers have already started to decrypt it.

The initial decrypted files reveal a step-by-step guide to how NSA gained access to Mobilink’s network. It explains the entire method by which NSA accessed servers, data and other information related to mobile phone users in Pakistan.

The method shows that NSA had access — around 2006 — to the CDRs (call detail records) of any Mobilink user, and also to how many SIMs had been used on a single handset (to identify whether the user had more than one SIM).

NSA’s operators could get alerts whenever a new call was made. They also had a mechanism to clear any access records or logs and wipe out any traces.

This hacking method, which we believe is now patched, was made possible only after NSA hacked/exploited the Solaris operating system (Oracle’s proprietary OS), which was otherwise considered very solid and hack-proof.

As security researchers are in the process of decrypting more of the leaked data, it is likely that step-by-step guides to hacking other Pakistani telcos and ISPs will also be revealed.

If you are wondering whether NSA will be held accountable for all the illegal stealing of data (read: crimes) or whether the Pakistani government will protest against such naked hacks, then it’s not happening.

Exactly like the elites in Pakistan, they are free to do whatever they want. No repercussions, complete immunity and zero accountability.

Way Forward?

I have often heard from friends in government about procuring ultra-expensive systems and hardware to ensure privacy, but — if I may speak frankly — there’s nothing private on the internet.

No matter how secure you get, the devices that are built (in the West) are going to reveal your data to outsiders one day.

The only way forward, if possible, is to manufacture your own hardware and write your own code to protect it. Even then you will just minimize the chances of it getting hacked, but it won’t be as easy as it seems from the above incidents.

It is an open secret now that certain loopholes are left on purpose, for activities like the above. It is just like building a house and keeping a back-door for emergency entries/exits, just in case. These back-doors are then exploited and used by agencies like NSA.

Until you start making hardware and software yourself, don’t be bothered much by these hacks and thefts.