Hacking Team hacked

Discussion in 'privacy general' started by mirimir, Jul 5, 2015.

  1. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    My level of sympathy for the Hacking Team is negative.

I don't see a difference between the Hacking Team and the people in the despot nations that used the information to torture or kill people. Obviously legally there is a difference and that is the unfortunate thing from all of this.
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    And who didn't see this coming? The US tries to do this under the guise of national security, then hide the fact. The US seems to think that only they have such rights. Has Pandora's Box been opened?
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I think it was opened long ago. Still, I don't know who opened it...
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Hacking Team promises to rebuild controversial surveillance software
    https://threatpost.com/hacking-team-promises-to-rebuild-controversial-surveillance-software
     
  6. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    http://blog.trendmicro.com/trendlab...ootkit-to-keep-rcs-9-agent-in-target-systems/
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    It looks like this hack will bring out a lot of vulnerabilities. Should we be thankful to people that released this data?
Setting up a UEFI password was long on my to-do list. Today I've forced myself to do it.
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Minimalist - hah, I'd never even considered that might help with BIOS/UEFI rootkits. Will have to do that on my home PCs.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    “Gifts” From Hacking Team Continue, IE Zero-Day Added to Mix
    http://blog.trendmicro.com/trendlab...cking-team-continue-ie-zero-day-added-to-mix/
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Hacking Team broke Bitcoin secrecy by targeting crucial wallet file
    http://arstechnica.com/security/201...oin-secrecy-by-targeting-crucial-wallet-file/

     
  13. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
Source code of the HT trojan explained in detail here:
    • HM_Pstorage.h and HM_PWDAgent (folder): grabs stored passwords from Firefox, Internet Explorer, Opera, Chrome, Thunderbird, Outlook, MSN Messenger, Paltalk, Gtalk, and Trillian.
    • HM_IMAgent.h and HM_IMAgent (folder): records conversations from Skype, Yahoo IM (versions 7 through 10), MSN Messenger (versions 2009 through 2011, now discontinued), and ICQ (version 7 only).
    • HM_SocialAgent.h and Social (folder): grabs session cookies for Gmail, Facebook, Yahoo Mail, Outlook (web client), and Twitter from Firefox, Chrome, and IE.
    • HM_MailCap.h, HM_Contacts.h, HM_MailAgent (folder) and HM_ContactAgent (folder): captures emails and contacts from Outlook and Windows Live Mail.
    • HM_AmbMic.h and HM_MicAgent (folder): records ambient noise picked up by any attached microphones.
    • wcam_grab.h and wcam_grab.cpp: periodically snap and save photos from attached webcam.
    • HM_Clipboard.h: grabs any data that is stored on the clipboard.
    • HM_KeyLog.h: logs all keystrokes.
    • HM_MouseLoh.h: logs all mouse movements and clicks.
    • HM_UrlLog.h: records visited URLs in Firefox, Chrome, IE, and Opera.

    http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hackingteams-rat/
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    In the Bromium Labs report, did you see this?
    I haven't used it in a while, but isn't Virtualbox also capable of running VMWare disks? If they can infect VMWare, is Virtualbox safe? It might become prudent to keep virtual images on read only media.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Infecting virtual images (which are not encrypted) is simple - the file formats are known, and there are APIs to assist code-writers. The disk is completely open to modification, without any protection. Any VM image software would be vulnerable to this, if not encrypted. Further, if the host is owned, then so are the VMs one way or another.

I'm very interested in (selectively) read-only media, but I don't think it exists! And in any case, it is vulnerable while in use. My version of read-only is to remove pendrives and run the system in RAM!

    Of course, any attack on the hypervisor itself is extremely big news, particularly if it offers opportunities to attack the host. But I don't believe the material implies this.

    Stepping back from these very useful details, and also of the nature of the HT company, I've been reflecting some more on the implications of this hack. Supposing HT had been a wholly wonderful company, only supplying to the (nominally) legal and democratic LEAs of the completely democratic and accountable Free World, and they notified vendors of vulnerabilities... It would still be the case that their source code could - and ultimately would - be hacked. And either put into the public domain, or be sold to the highest bidder. There is no combination of software, controls and people that can keep determined attackers from doing so - whether these are insiders or external.

Furthermore, the exact same considerations apply to the attack tool source code for our legal and accountable TLAs. After all, details of Regin and Quantum Insert have now emerged, and I have no doubt that other countries' intelligence services have the source code for these and have had it for some time.

    This is the consequence of the weaponisation of the internet. Industrialised attack tools will fall into the hands of pretty much anyone within 5-10 years of being NOBUS, sometimes sooner. And the consumers - they are the defenceless prey.

    Attack is easy. When are our governments going to put any focus on the hard but necessary job of hardening our systems and encouraging (by corporate liability) better defensive stances? Never?
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    No. I'm arguing that only working in VMs will protect the host from rootkits. Unless the rootkit can break out from VMs to host, anyway.
    Yes, VirtualBox can run VMware virtual disks, and probably vice versa. The host owns the VMs, so anything that owns the host also owns the VMs. But the point, I think, is to keep the host as isolated as possible, so it won't get rooted. If a VM gets rooted, the host and other VMs may be safe.
     
  19. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Does anybody know whether their UEFI rootkit would work on a laptop with dual UEFI/BIOS support, and "Legacy-Only" boot is selected (the OS is using MBR)? From what I've read UEFI is an immature insecure mess so I don't touch it.
     
  20. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
It's not news that they have solutions like this for Linux, what would be news is if they had 0days for Linux programs. It seems that they rely on physical access for infecting Linux machines afaik, the 0days were for Windows and Flash which isn't incredibly impressive.
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The term "selectively" is the problem. The closest I can think of are CD-R and DVD-R, custom built and equipped on an air gapped machine. Copying it to a RamDrive would solve the speed issues. Compromising such a system is still possible, but doing so on a permanent basis would be much harder.
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
When one looks at the number of Linux servers that are compromised, physical access is clearly not required. Can one really assume that the desktops are any different? The desktops might have less attack surface but they still have one. The one that really scares me is the auto-update systems against an adversary with MITM abilities, stolen certificates, credentials, etc.
     
  23. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Comparing web servers to desktops isn't fair at all. Programs on Linux like Firefox, Java, Evince or god forbid Flash are not inherently any more secure than their Windows counterparts, but we are still a relatively meaningless 1% so HT and others don't care enough to invest the money into exploiting us, at least not yet. Gamma didn't have any Linux or even OS X 0days either when their leak happened last year. The obscurity aspect isn't a perfect defense by any means but there are of course other tools to implement in order to mitigate risks.

    As for auto-updates, Ubuntu and Debian check GPG signatures of all downloaded packages, which should make MITM moot, right?
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Provided that the adversary hasn't stolen the private key.
     
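    As an added illustration of the exchange above (example code, not from the thread or from any distribution's tooling): a toy apt-style verifier using Ed25519 in place of GPG shows why package signature checks stop tampering in transit but not an attacker who holds the archive's private key, and how pinning a second, independently held key restores the check. The keys, package bytes and the Verify function are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verify is the client-side check an apt-like updater performs: the package
// bytes must carry a valid signature from every pinned archive key. With one
// pinned key this is the ordinary signature check the thread describes; pinning
// two independently held keys means a single stolen key is no longer enough.
func Verify(pinned []ed25519.PublicKey, pkg []byte, sigs [][]byte) bool {
	if len(sigs) != len(pinned) {
		return false
	}
	for i, pub := range pinned {
		if !ed25519.Verify(pub, pkg, sigs[i]) {
			return false
		}
	}
	return true
}

// mustKey generates a fresh signing key pair (stand-in for an archive GPG key).
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	archivePub, archivePriv := mustKey() // the repository's signing key
	genuine := []byte("openssl_1.0.2d-1_amd64.deb: constructed package bytes")
	altered := []byte("openssl_1.0.2d-1_amd64.deb: constructed, altered in transit")
	one := []ed25519.PublicKey{archivePub}
	// MITM without the key: bytes changed, signature no longer matches -> rejected.
	sig := ed25519.Sign(archivePriv, genuine)
	fmt.Println("altered package accepted:", Verify(one, altered, [][]byte{sig}))
	// Stolen key: attacker signs the altered package with the real key -> accepted.
	stolen := ed25519.Sign(archivePriv, altered)
	fmt.Println("stolen-key package accepted:", Verify(one, altered, [][]byte{stolen}))
	// Mitigation: also require a second, independently held key -> rejected again.
	secondPub, _ := mustKey()
	two := []ed25519.PublicKey{archivePub, secondPub}
	fmt.Println("stolen-key package accepted (2 keys):", Verify(two, altered, [][]byte{stolen, stolen}))
}
```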
  25. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I am amazed Microsoft haven't capitalized on this as a marketing opportunity. They actually bothered writing their agent for the 10 people in the world that use Windows Phone. :)
     