Hacking Team hacked

Discussion in 'privacy general' started by mirimir, Jul 5, 2015.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That could be enough for people to determine if they've been targeted by someone who can afford their wares. That info in itself would go a long way in determining if you've made any powerful enemies. It should also be an incentive to adopt a much more serious security policy.
     
  2. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    How do you view them ?
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,421
    Location:
    Here
    http://blog.trendmicro.com/trendlab...ger-vulnerability-from-the-hacking-team-leak/
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    RockLobster

    Good question. I haven't got round to it yet, so hopefully someone can chime in
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    From the Ars Technica article:
    This should make it clear just how worthless HTTPS really is. Worse yet, the response is the same that's used by AVs, an ever-growing list of detections that's never complete and never up to date. As long as certificate authorities give certificates to companies like these, the problem will have no end.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,255
    Location:
    Outer space
    I just read the document, it's bad journalism. Yes, they "bypass" pinning and HSTS. But it's the how that matters. They install a local root cert AFTER infecting your machine in the first place.
    https://docs.google.com/gview?url=https://t.co/dhEzQt4YQF

    Not saying that HTTPS is all fine, especially the CA system is utterly broken, but pinning and Certificate Transparency are two good initiatives to improve it.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Improving a system that's broken by design is futile.
     
  9. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    381
    The leak has one of the engineer's appdata folders. It has flash cookies, firefox and thunderbird profiles, screenshots of his desktop which reveal his ~Snip~ computer usage. I would expect an engineer from a surveillance company, who has a risky job and could become a target, to use his computer more appropriately.
     
    Last edited by a moderator: Jul 8, 2015
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,255
    Location:
    Outer space
    I would also rather have a new system, but adoption would be a major issue, and it looks like there are no good alternatives anyway.

    Yeah, I saw one of the SSH passwords is P4ssword o_O
    Btw, it appears there are screenshots from at least January, so they were infected for quite a while.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's a perfectly vicious circle. A secure key exchange requires a connection that can't be MITM'd. A connection that can't be MITM'd requires that each already has the other's keys. For parties that don't know each other, aka the general public, I don't see a way out of this circle that an adversary with MITM abilities can't compromise.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    With the keybase.io approach, one uses signed proofs to link a GnuPG key to multiple online accounts. As long as all of the accounts have valid proofs, the public key is arguably trustable. And then it can be used to sign other credentials.

    But this wouldn't work for the general public. Not without hiding the guts, anyway.
     
  13. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I still think it can be done. When we discussed this before on that other thread I think we both forgot one very important factor: X.509 certs can be used to digitally sign messages.
    So imagine this scenario.
    • Client connects to server and requests a secure connection
    • Server responds by digitally signing its own certificate info and sending it to the client.
    • Client digitally signs its own cert and sends it to the server, using the server's public key to encrypt.
    • The rest of the handshake continues in the same vein, using each other's public key to encrypt and their own key to digitally sign.
    Only the owner of the private key can digitally sign, so this rules out a MITM interfering with the handshake, notwithstanding an entirely stolen server cert, or a fake root cert planted on the user's computer.
    The fake root cert problem needs to be addressed too and could probably be fixed by a better implementation of OCSP. Currently the OCSP server just checks the server's certificate status to see if it is revoked or not, and the response is digitally signed with the CA's certificate.
    A MITM could impersonate the OCSP server and sign the response with the same fake root cert it has planted on the user's computer.
     
    Last edited: Jul 9, 2015
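The signature step of the handshake sketched in the post above, as an added example in Go that is not code from the post or from any project. It assumes constructed cert info and fresh P-256 keys for the server and for a hypothetical interceptor, and it shows the post's own caveat: the verification only distinguishes signers relative to whichever public key the receiver already trusts, so a key planted as trusted passes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedHello is the "cert info" a party sends plus its signature over it.
type SignedHello struct {
	CertInfo []byte
	Sig      []byte
}

// NewKey makes a long-term P-256 key; the public half is what the peer pins.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is unrecoverable for a demo
	}
	return k
}

// Hello signs the cert info with the sender's private key (steps 2 and 3 above).
func Hello(priv *ecdsa.PrivateKey, certInfo []byte) SignedHello {
	digest := sha256.Sum256(certInfo)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return SignedHello{CertInfo: certInfo, Sig: sig}
}

// Verify checks a hello against the public key the receiver already trusts.
// Whoever controls that trusted key (real CA or planted root) decides the outcome.
func Verify(trusted *ecdsa.PublicKey, h SignedHello) bool {
	digest := sha256.Sum256(h.CertInfo)
	return ecdsa.VerifyASN1(trusted, digest[:], h.Sig)
}

func main() {
	server, mitm := NewKey(), NewKey() // constructed keys, not real certs
	info := []byte("CN=example.test (constructed cert info)")
	genuine, forged := Hello(server, info), Hello(mitm, info)
	fmt.Println("genuine vs pinned server key:", Verify(&server.PublicKey, genuine)) // true
	fmt.Println("MITM forgery vs pinned server key:", Verify(&server.PublicKey, forged)) // false
	fmt.Println("MITM forgery vs planted MITM key:", Verify(&mitm.PublicKey, forged)) // true
}
```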
  14. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,332
    Location:
    Surrey, England.
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
  16. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @mirimir

    Probably because Windows is the ubiquitous low-hanging fruit. Everyone uses it, AFAIK including a lot of NGOs and activist organizations; and its design history makes it (IMO) impossible to really secure, unless you're running it in pieces on top of Qubes or something. Also, just given that an organization is only as secure as its most vulnerable machine and/or most gullible person, I think it makes sense that companies like Hacking Team would go for the easy targets.

    So, basically I get two things out of your observation:
    a) Windows is a really, really big target (but we already knew that)
    b) Perhaps more to the point, Hacking Team may have been successful enough against Windows that they didn't need to attack Linux systems most of the time. All the organizations and companies I've worked for, thus far, have had heterogeneous environments with lots of Windows machines. Get onto a Windows box in such an environment, and be clever about how you communicate with the compromised machine, and you may never need a Linux zero-day.

    So yeah, the lack of Linux zero-days may be good news for the average Linux user; but reading between the lines, I suspect that blackhats not caring enough about Linux to develop zero-day attacks against it is a much scarier message.

    (Then again, I could be reading too much into it. It's been a long day, and I'm tired.)
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    @Gullible Jones

    Right. I wonder how vulnerable Linux boxes are to compromised Windows boxes on LAN. But I'm sure that it depends entirely on how stuff is configured.

    Still, one would think that Linux boxes would be configured to not trust Windows boxes.
     
  18. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,218
    Location:
    Southern Rocky Mountains USA
    How it is configured is indeed the key. Add to that, how it is used. Linux has a better architecture and default configuration than Windows but that doesn't mean that it is invulnerable, especially if the configuration is sloppy.

    Any compromised machine or device on a LAN can do damage. With wifi nodes, there can be iOS and Android to worry about as well. Once again, configuration is the key. On a sloppy network, the compromised machine will have much easier access to the rest of the LAN and its traffic.
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,805
    Location:
    UK
    Not only Windows boxes, but also BYOD tablets and smartphones.

    Initially, they will be after contacts, account and password files, which people obligingly put on their most-used devices. That is HT's market; they are not typically providing facilities to hack corporates or ISPs.

    But unfortunately, the "low-hanging fruit" argument is less viable now, and certainly the TLAs and organised crime will have attack mechanisms for Linux boxes through industrialised exploit mechanisms, perhaps mediated by infected Windows machines (or tablets/smartphones) on the LAN.
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,421
    Location:
    Here
    CVE-2015-5122 - Second Adobe Flash Zero-Day in HackingTeam Leak
    https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html
     
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,805
    Location:
    UK
    Have been reading and reflecting more, in an armchair psychology way, about how the employees and CEO of HT justify themselves - most of all to themselves - about the morality and good of their work. Humans are known to care deeply about reputation management and want to reduce cognitive dissonance between obviously immoral actions and wanting to be seen as reputable and beneficent. So, for example, David Vincenzetti is outspoken about how important their work is to help apprehend bad guys, paedophiles etc. And scathing about privacy advocates and organisations.

    It would also seem to me that Adobe has a fairly obvious civil case for substantial damages against HT. At the very least, HT should have offered Adobe details of the unpublished zero-day, for money. But I doubt Adobe will pursue that, more's the pity.
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,421
    Location:
    Here
    What it took for Ethiopia to lose access to hacking tools it used against journalists in the U.S.
    https://www.washingtonpost.com/blog...tools-it-used-against-journalists-in-the-u-s/

     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    Wow, this is a very cool use for the data!
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,421
    Location:
    Here
  25. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,464
    Couldn't have happened to a better bunch of ~ Snipped as per TOS ~. These people are just greedy. How can you justify selling to those countries? You can't.
     
    Last edited by a moderator: Jul 12, 2015