#1, 16th February 2015, J65nko (Administrator)
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last

From http://arstechnica.com/security/2015...found-at-last/

Quote:
CANCUN, Mexico — In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn't know it then, but the disk also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail.

It wasn't the first time the operators—dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group's extensive library. (Kaspersky settled on the name Equation Group because of members' strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.)
EDIT:

A shorter version of this story submitted by "frcc" : http://www.theinquirer.net/inquirer/...kdoor-epidemic

And as the idiom says "three times lucky" a quote from the New York Times submitted by "Mike-Sanders" :

Quote:
Some of the implants burrow so deep into the computer systems, Kaspersky said, that they infect the “firmware,” the embedded software that preps the computer’s hardware before the operating system starts. It is beyond the reach of existing antivirus products and most security controls, Kaspersky reported, making it virtually impossible to wipe out.

In many cases, it also allows the American intelligence agencies to grab the encryption keys off a machine, unnoticed, and unlock scrambled contents.
See http://www.nytimes.com/2015/02/17/te...firm-says.html
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 18th February 2015 at 12:15 AM. Reason: Added two more reports of this story ;)
#2, 17th February 2015, shep (Arp Constable)

Kaspersky Labs seems to be on a roll.

Two aspects of the story caught my attention. One is the need to have flashable memory in a hard drive. I can think of one hard drive I owned where the SATA I (1.5) model needed a Windows *.exe file to set SATA II (3.0) transfer rates. I did not, and still do not, have Windows. The last time I purchased a hard drive, I looked for one that used jumper pins.

The second aspect is the large size of the flashable memory. If the functionality was coded in a memory efficient manner and the physical memory space for the code had no extra room, this would not have been possible.
#3, 17th February 2015, Mike-Sanders (Fdisk Soldier)

Yet, isn't extra space a requirement in order to reflash firmware for updates? That appears to be the loophole for the exploit...
__________________
www.tacoshack.xyz
#4, 17th February 2015, shep (Arp Constable)

Quote:
Originally Posted by Mike-Sanders View Post
Yet, isn't extra space a requirement in order to reflash firmware for updates? That appears to be the loop-hole for the exploit...
I do not know for sure, but wouldn't reflashing remove extraneous code?
#5, 17th February 2015, Mike-Sanders (Fdisk Soldier)

Yes, but I keep wondering: if the routines that launch/accept the update are now controlled by the exploit, then the exploit simply needs to deny the reflash...

Code:
// pseudo code, just thinking aloud

// oem firmware
if exists update-firmware.bin then patch && reboot

// nsa exploit
ignore update-firmware.bin && boot

// or worse still
if nsa == happy then just reboot
else if nsa not happy then...
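The scenario in the pseudocode above, as an added example that is not part of the original post and not code from any real drive firmware: a toy C model of a drive's flash with an OEM update routine beside an implant-controlled one. The implant keeps its own code, copies only the version string so a host that asks the drive "what version are you?" is satisfied, and reports success. The out-of-band check hashes the code region actually present and compares it with the hash of the image that was meant to be installed. The flash layout, the sizes, the version strings, the fill patterns and the use of FNV-1a as the digest are all constructed for the example; the read-back check also assumes the verifier can read the flash through a path the drive controller does not mediate (an external programmer on the SPI/NOR part, for instance), because a read served by compromised controller firmware can lie just as the version string does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a drive's firmware flash: a version string the drive
 * reports to the host, followed by the code region. Sizes are
 * constructed for the example, not taken from any real drive. */
#define FLASH_SIZE   256
#define VERSION_LEN  16
#define CODE_LEN     (FLASH_SIZE - VERSION_LEN)

struct flash {
    char    version[VERSION_LEN];  /* what the drive reports when asked */
    uint8_t code[CODE_LEN];        /* what actually executes */
};

/* FNV-1a over a byte range; stands in for whatever digest the verifier
 * uses when it reads the flash back through an external programmer. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Build a firmware image: version string plus a code region filled
 * with one byte value (constructed content). */
void make_image(struct flash *img, const char *version, uint8_t fill)
{
    memset(img, 0, sizeof *img);
    strncpy(img->version, version, VERSION_LEN - 1);
    memset(img->code, fill, CODE_LEN);
}

/* OEM update routine: the image is written verbatim. */
int oem_update(struct flash *dev, const struct flash *img)
{
    memcpy(dev, img, sizeof *dev);
    return 0;                       /* success */
}

/* Implant-controlled update routine: the image's code is dropped, the
 * version string is copied so the host's "is the new version installed?"
 * check passes, and success is reported anyway. */
int implant_update(struct flash *dev, const struct flash *img)
{
    memcpy(dev->version, img->version, VERSION_LEN);
    return 0;                       /* reports success; code unchanged */
}

/* Host-side check that trusts the device's self-report. */
int version_matches(const struct flash *dev, const struct flash *img)
{
    return strncmp(dev->version, img->version, VERSION_LEN) == 0;
}

/* Out-of-band check: hash the code region actually present in flash and
 * compare it with the hash of the image we intended to install. */
int readback_matches(const struct flash *dev, const struct flash *img)
{
    return fnv1a(dev->code, CODE_LEN) == fnv1a(img->code, CODE_LEN);
}

/* Run one update and return a bitmask: bit 0 = version check passed,
 * bit 1 = read-back hash check passed. */
int run_update(int compromised)
{
    struct flash dev, img;
    make_image(&dev, "FW 1.00", 0xAA);   /* whatever is in flash now */
    make_image(&img, "FW 1.01", 0x55);   /* the vendor's new image */

    if (compromised)
        implant_update(&dev, &img);
    else
        oem_update(&dev, &img);

    return (version_matches(&dev, &img) ? 1 : 0)
         | (readback_matches(&dev, &img) ? 2 : 0);
}

int main(void)
{
    int clean = run_update(0), owned = run_update(1);
    printf("clean drive:     version %s, read-back %s\n",
           clean & 1 ? "ok" : "FAIL", clean & 2 ? "ok" : "FAIL");
    printf("implanted drive: version %s, read-back %s\n",
           owned & 1 ? "ok" : "FAIL", owned & 2 ? "ok" : "FAIL");
    return 0;
}
```

The point of the two checks side by side: for the clean drive both pass; for the implanted drive the version check passes and only the read-back hash fails. A host that verifies an update by asking the device what it is running learns nothing once the update path itself is in the attacker's hands, which is why the thread's "it can deny the reflash" worry is the right one, and why the check has to come from outside the device.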
#6, 18th February 2015, J65nko (Administrator)

Both our regulars frcc and Mike-Sanders submitted additional reports about these Kaspersky findings.

I added the URLs of these reports to the first post of this thread.

My conclusions: "These days, the only things you can count on, are your fingers" and "If the men in the dark suits are going to get you, they are going to get you"
#7, 18th February 2015, shep (Arp Constable)

More thinking out loud. Edward Snowden is working in Moscow on aspects of computer security and the Kaspersky reports are consistent with Snowden's NSA disclosures. I imagine searching for security flaws to be akin to looking for needles in haystacks. It is easier if it is narrowed down to a specific flashable chip in a specific piece of hardware. Could the string of Revelations from Moscow have a guide on a mission?
#8, 18th February 2015, Mike-Sanders (Fdisk Soldier)

Apologies in advance for such a long post, just hoping to share my findings. Certainly skepticism is highly warranted with respect to the links below, and I'm applying that same rigor to the US government equally. Here's a dump of my notes to date, you guys tell me what you think (I don't know anymore, it's all very Orwellian):

'Last fall, Kaspersky and the US security company Symantec both reported for the first time the discovery of a cyber-weapon system which they christened "Regin". According to Kaspersky, the malware had already been in circulation for 10 years and had been deployed against targets in at least 14 countries, including Germany, Belgium and Brazil but also India and Indonesia.' <http://goo.gl/fn86zT>

'Microsoft's operating systems require all cryptography suites that work with its operating systems to have a digital signature. Since only Microsoft-approved cryptography suites can be installed or used as a component of Windows, it is possible to keep export copies of this operating system (and products with Windows installed) in compliance with the Export Administration Regulations, which are enforced by the US Department of Commerce Bureau of Industry and Security .' <http://goo.gl/0KXNV>

'The National Security Agency has backdoor access to all Windows software since the release of Windows 95, according to informed sources, a development that follows the insistence by the agency and federal law enforcement for backdoor “keys” to any encryption, according to Joseph Farah’s G2 Bulletin.' <http://goo.gl/IdGkb>

'The Court is troubled that the government's revelations regarding NSA's acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.' <http://goo.gl/4v7tNO>

'The N.S.A.'s Sigint Enabling Project is a $250 million-a-year program that works with Internet companies to weaken privacy by inserting back doors into encryption products. This excerpt from a 2013 budget proposal outlines some methods the agency uses to undermine encryption used by the public.' <http://goo.gl/uwQfXu>

'The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.' <http://goo.gl/vbwxmP>

'The Justice Department had told Judge Bates that N.S.A. officials had discovered that the program had also been gathering domestic messages for three years. Judge Bates found that the agency had violated the Constitution and declared the problems part of a pattern of misrepresentation by agency officials in submissions to the secret court.' <http://goo.gl/kA0DVV>

'A little-known provision of the Patriot Act, overlooked by lawmakers and administration officials alike, appears to give President Obama a possible way to keep the National Security Agency’s bulk phone records program going indefinitely — even if Congress allows the law on which it is based to expire next year.' <http://goo.gl/lvcKHH>

'According to Bloomberg's sources, Microsoft provides information about security flaws and other bugs in its software in advance of public releases of fixes.' <http://goo.gl/OLzw9>

'It is common for individuals or companies who discover zero-day attacks to sell them to government agencies for use in cyberwarfare.' <http://goo.gl/wup7> (huh? dude!)
#9, 18th February 2015, Mike-Sanders (Fdisk Soldier)

Quote:
Originally Posted by shep View Post
Could the string of Revelations from Moscow have a guide on a mission?
Now that's a spooky thought shep...