My level of sympathy for the Hacking Team is negative. I don't see a difference between the Hacking Team and the people in the despot nations that used the information to torture or kill people. Obviously, legally there is a difference, and that is the unfortunate thing from all of this.
According to this report, it's not only HT software that has been supplied/used by Ethiopia. A case starts tomorrow to allow standing in order to prosecute the Ethiopian government (an American in the US was attacked, he claims, by the Ethiopian government using Gamma's FinSpy software). https://www.eff.org/press/releases/...governments-illegal-use-spyware-court-tuesday
And who didn't see this coming? The US tries to do this under the guise of national security, then hide the fact. The US seems to think that only they have such rights. Has Pandora's Box been opened?
Hacking Team promises to rebuild controversial surveillance software https://threatpost.com/hacking-team-promises-to-rebuild-controversial-surveillance-software
It looks like this hack will bring out a lot of vulnerabilities. Should we be thankful to the people that released this data? Setting up a UEFI password was long on my to-do list. Today I've forced myself to do it.
@Minimalist - hah, I'd never even considered that might help with BIOS/UEFI rootkits. Will have to do that on my home PCs.
“Gifts” From Hacking Team Continue, IE Zero-Day Added to Mix http://blog.trendmicro.com/trendlab...cking-team-continue-ie-zero-day-added-to-mix/
Hacking Team broke Bitcoin secrecy by targeting crucial wallet file http://arstechnica.com/security/201...oin-secrecy-by-targeting-crucial-wallet-file/
Source code of the HT trojan explained in detail here:
HM_Pstorage.h and HM_PWDAgent (folder): grabs stored passwords from Firefox, Internet Explorer, Opera, Chrome, Thunderbird, Outlook, MSN Messenger, Paltalk, Gtalk, and Trillian.
HM_IMAgent.h and HM_IMAgent (folder): records conversations from Skype, Yahoo IM (versions 7 through 10), MSN Messenger (versions 2009 through 2011, now discontinued), and ICQ (version 7 only).
HM_SocialAgent.h and Social (folder): grabs session cookies for Gmail, Facebook, Yahoo Mail, Outlook (web client), and Twitter from Firefox, Chrome, and IE.
HM_MailCap.h, HM_Contacts.h, HM_MailAgent (folder) and HM_ContactAgent (folder): captures emails and contacts from Outlook and Windows Live Mail.
HM_AmbMic.h and HM_MicAgent (folder): records ambient noise picked up by any attached microphones.
wcam_grab.h and wcam_grab.cpp: periodically snap and save photos from attached webcam.
HM_Clipboard.h: grabs any data that is stored on the clipboard.
HM_KeyLog.h: logs all keystrokes.
HM_MouseLoh.h: logs all mouse movements and clicks.
HM_UrlLog.h: records visited URLs in Firefox, Chrome, IE, and Opera.
http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hackingteams-rat/
In the Bromium Labs report, did you see this? I haven't used it in a while, but isn't Virtualbox also capable of running VMWare disks? If they can infect VMWare, is Virtualbox safe? It might become prudent to keep virtual images on read only media.
Linux users aren't safe either. They have an RCS agent for Linux. https://bromiumlabs.files.wordpress.com/2015/07/malware1.png In image 8, they list 26 security products that they could evade, including Kaspersky and Comodo. Interesting that there are no classic HIPS in that list.
Infecting virtual images (which are not encrypted) is simple: the file formats are known, and there are APIs to assist code-writers. The disk is completely open to modification, without any protection. Any VM image software would be vulnerable to this, if not encrypted. Further, if the host is owned, then so are the VMs, one way or another. I'm very interested in (selectively) read-only media, but I don't think it exists! And in any case, it is vulnerable while in use. My version of read-only is to remove pendrives and run the system in RAM! Of course, any attack on the hypervisor itself is extremely big news, particularly if it offers opportunities to attack the host. But I don't believe the material implies this.

Stepping back from these very useful details, and also from the nature of the HT company, I've been reflecting some more on the implications of this hack. Supposing HT had been a wholly wonderful company, only supplying to the (nominally) legal and democratic LEAs of the completely democratic and accountable Free World, and they notified vendors of vulnerabilities... It would still be the case that their source code could, and ultimately would, be hacked. And either put into the public domain, or be sold to the highest bidder. There is no combination of software, controls and people that can keep determined attackers from doing so, whether these are insiders or external.

Furthermore, the exact same considerations apply to the attack tool source code for our legal and accountable TLAs. After all, details of Regin and Quantum Insert have now emerged, and I have no doubt that other countries' intelligence services have the source code for these and have had it for some time. This is the consequence of the weaponisation of the internet. Industrialised attack tools will fall into the hands of pretty much anyone within 5-10 years of being NOBUS, sometimes sooner. And the consumers: they are the defenceless prey. Attack is easy.
When are our governments going to put any focus on the hard but necessary job of hardening our systems and encouraging (by corporate liability) better defensive stances? Never?
No. I'm arguing that only working in VMs will protect the host from rootkits. Unless the rootkit can break out from VMs to host, anyway. Yes, VirtualBox can run VMware virtual disks, and probably vice versa. The host owns the VMs, so anything that owns the host also owns the VMs. But the point, I think, is to keep the host as isolated as possible, so it won't get rooted. If a VM gets rooted, the host and other VMs may be safe.
Does anybody know whether their UEFI rootkit would work on a laptop with dual UEFI/BIOS support, and "Legacy-Only" boot is selected (the OS is using MBR)? From what I've read UEFI is an immature insecure mess so I don't touch it.
It's not news that they have solutions like this for Linux; what would be news is if they had 0days for Linux programs. It seems that they rely on physical access for infecting Linux machines, afaik. The 0days were for Windows and Flash, which isn't incredibly impressive.
The term "selectively" is the problem. The closest I can think of are CD-R and DVD-R, custom built and equipped on an air gapped machine. Copying it to a RamDrive would solve the speed issues. Compromising such a system is still possible, but doing so on a permanent basis would be much harder.
When one looks at the number of Linux servers that are compromised, physical access is clearly not required. Can one really assume that the desktops are any different? The desktops might have less attack surface, but they still have one. The one that really scares me is the auto-update systems against an adversary with MITM abilities, stolen certificates, credentials, etc.
Comparing web servers to desktops isn't fair at all. Programs on Linux like Firefox, Java, Evince or god forbid Flash are not inherently any more secure than their Windows counterparts, but we are still a relatively meaningless 1% so HT and others don't care enough to invest the money into exploiting us, at least not yet. Gamma didn't have any Linux or even OS X 0days either when their leak happened last year. The obscurity aspect isn't a perfect defense by any means but there are of course other tools to implement in order to mitigate risks. As for auto-updates, Ubuntu and Debian check GPG signatures of all downloaded packages, which should make MITM moot, right?
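The signature checking the post above relies on only protects you while it is actually switched on, so a defender's check is whether anything in the apt configuration or sources list disables it. The following audit function is an added example, not code from the thread or from the apt project; the option names are real apt settings, while the configuration and sources.list text it runs on is constructed sample input.

```shell
#!/bin/sh
# Added example: flag apt settings that turn off package signature verification.
# Input 1: text in the format of `apt-config dump`; input 2: sources.list text.
# Prints one FINDING line per problem found.
apt_sig_audit() {
  cfg=$1
  srcs=$2
  # Global switch that lets apt install packages from unauthenticated sources.
  if printf '%s\n' "$cfg" | grep -qi 'APT::Get::AllowUnauthenticated "true"'; then
    echo 'FINDING: APT::Get::AllowUnauthenticated is true'
  fi
  # Lets apt use repositories whose Release file is unsigned or cannot be verified.
  if printf '%s\n' "$cfg" | grep -qi 'Acquire::AllowInsecureRepositories "true"'; then
    echo 'FINDING: Acquire::AllowInsecureRepositories is true'
  fi
  # Per-source override: [trusted=yes] skips signature checks for that line only.
  # Comment lines are ignored so a commented-out entry is not reported.
  printf '%s\n' "$srcs" | grep -v '^[[:space:]]*#' | grep -i 'trusted=yes' |
  while IFS= read -r line; do
    echo "FINDING: signature check disabled for source: $line"
  done
}

# Convenience wrapper returning just the number of findings.
apt_sig_audit_count() {
  apt_sig_audit "$1" "$2" | grep -c '^FINDING' || true
}

# Constructed sample input (both weak settings present plus one trusted source).
CFG_BAD='APT::Get::AllowUnauthenticated "true";
Acquire::AllowInsecureRepositories "true";'
SRC_BAD='# constructed sources.list for the example
deb http://deb.debian.org/debian stable main
deb [trusted=yes] http://mirror.example/debian stable main'

# Constructed hardened counterpart: defaults kept, no trusted=yes override.
CFG_OK='APT::Get::AllowUnauthenticated "false";
Acquire::AllowInsecureRepositories "false";'
SRC_OK='deb http://deb.debian.org/debian stable main'

apt_sig_audit "$CFG_BAD" "$SRC_BAD"
```

Run against a live system with `apt_sig_audit "$(apt-config dump)" "$(cat /etc/apt/sources.list)"`; an empty result means the GPG checks the post describes are still in force for the listed sources.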
I am amazed Microsoft haven't capitalized on this as a marketing opportunity. They actually bothered writing their agent for the 10 people in the world that use Windows Phone.