WikiLeaks Dump Reveals CIA Tool for MitM Attacks

Discussion in 'other security issues & news' started by itman, May 5, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Far out! A new way to do local site MITM interception. Got to do more surfing on GitHub ...........
    https://www.bleepingcomputer.com/news/security/wikileaks-dump-reveals-cia-tool-for-mitm-attacks/
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    It appears to me that an internet user that KNOWS the correct cert fingerprint would still be totally safe. I am trying to check this out firsthand but examination of the site fingerprint (cert) before logging in would eliminate, or more accurately SHOW that you are not in the right place. Does anyone else see this differently? My software confirms the full cert fingerprint before I issue login credentials.
     
  3. guest

    guest Guest

    From the few details they gave, I see it like this too.

    SSL-Eye?
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Like @guest I wonder what software you use. I use SSL-Eye actually.
     
  5. guest

    guest Guest

    Yep, me too.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Spy-Eye would not have detected this. The NSA hacked a device within the target's local network. Spy-Eye's purpose is to detect external MITM activity.

    Think along the lines of how a hidden local host proxy server works on a single PC. But in this case all local network outbound Internet traffic was being directed to the hacked device which resides within the local network. It in turn performed the MITM activity and then routed the traffic to the Internet. It is assumed the NSA installed a root CA store certificate on the hacked device that allowed it to decrypt the encrypted traffic.
     
    Last edited: May 6, 2017
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Umber and Mister X, sorry, personal script. Basically I keep a "master list" of known full fingerprints for the 6-8 sites I visit where security would be an issue if a connection failure were to happen. Then it quickly displays the actual fingerprint being presented by the website I brought up (before credentials, of course). If they match, I proceed. I like doing my own stuff. Further, I like keeping the "script" outside of my TOR browser so that I always appear to be using the generically fingerprinted TBB with no changes. My goal is to always look like the generic TOR user with no changes. I have some mild concerns that any addons present the machine as a more unique user and therefore make it tend to stand out. Just my take on this. E.g., right now I am using an absolutely generic TBB to make this post. Any and all VPNs, TOR relays, and other firewall stuff employed before this virtual machine are not visible to my workspace in any way.

    itman,

    I have tried to preach about this fundamental flaw in VPN application methods to many users. In the past there has been an underlying assumption that devices on LAN are "friendly". The procedure/hack you are discussing only highlights the peril of that assumption. I swear by and insist upon complete device isolation for my security needed computers. Configuring via the knowledge and assumption that in fact LAN devices, especially perhaps the router, are enemies of my security is the way I go. I am currently sitting on a LAN with 10 devices but NONE of them can get a ping response from this machine, nor can this machine see any of them in any way. It would take a full VM breakout to even have the possibility to breach the next step in my bridge going backwards. A fully hacked router on my end (I wouldn't be happy of course) would mean nothing regarding this post. The activity of this machine is beyond the router's ability to communicate with me or suspect where I am. Of course other LAN devices have even less abilities.
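The fingerprint check Palancar describes in posts 2 and 7 (a master list of known certificate fingerprints, compared against what the site presents before any credentials are typed) can be written in a few lines. The following is an added example for this thread, not Palancar's script and not code from the linked article; the hostname `example.test`, the `MASTER_LIST` dictionary and `SAMPLE_DER` (a constructed stand-in for a DER-encoded certificate) are assumptions made here so that it runs offline. The fingerprint is SHA-256 over the certificate's DER bytes, which is what browsers display, so any byte string serves to show the comparison logic. An unknown host or a mismatch fails closed, and the pin check is layered on top of normal chain validation rather than replacing it.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded server certificate (example only).
# A real value comes from tls_sock.getpeercert(binary_form=True) after the
# handshake; any bytes work here because the fingerprint is just SHA-256 of DER.
SAMPLE_DER = b"constructed-der-bytes-for-example-only"


def fingerprint_sha256(der_bytes: bytes) -> str:
    """SHA-256 fingerprint in the form browsers show: upper-case hex, colon separated."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical form so 'ab:cd', 'AB CD' and 'abcd' all compare equal."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


# Hypothetical master list: hostname -> pinned fingerprints. Allowing more than one
# pin per host lets a planned certificate rotation go through without a false alarm.
MASTER_LIST = {
    "example.test": [fingerprint_sha256(SAMPLE_DER)],
}


def check_pin(host: str, der_bytes: bytes, master_list=MASTER_LIST) -> bool:
    """True only if the presented certificate matches a pin recorded for host.
    A host with no pin fails closed: it is treated exactly like a mismatch."""
    presented = normalize(fingerprint_sha256(der_bytes))
    for pinned in master_list.get(host, []):
        # Constant-time comparison; cheap insurance even though the pins are not secret.
        if hmac.compare_digest(presented, normalize(pinned)):
            return True
    return False


def fetch_peer_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Network helper (not exercised offline): handshake directly with host and
    return its leaf certificate as DER bytes. Chain validation against the OS
    trust store stays on; the pin check is an extra gate, not a replacement."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def decide_before_login(host: str, der_bytes: bytes) -> str:
    """Human-readable verdict to show before any credentials are entered."""
    if check_pin(host, der_bytes):
        return "MATCH: fingerprint as recorded, safe to enter credentials"
    return "MISMATCH: do not log in; site presented " + fingerprint_sha256(der_bytes)


if __name__ == "__main__":
    print(decide_before_login("example.test", SAMPLE_DER))
    # A substituted certificate (here: tampered constructed bytes) is refused.
    print(decide_before_login("example.test", SAMPLE_DER + b"tampered"))
```

Two caveats follow from the rest of the thread. First, `fetch_peer_der` opens a direct connection, so if the goal is to keep the check outside the Tor browser while still looking generic, the fingerprint should be read from the browser's own connection instead. Second, a pin is only as good as the path it was first recorded over: as itman points out, an interception point inside the LAN would be present for the initial recording as well, so the master list should be built from a connection you have independent reason to trust, or cross-checked against a second network path.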
     