Knock Knock Who's There? – An NSA VM (put.as)
157 points by davikrr on Dec 27, 2021 | 42 comments



> I made local presentations at 0xOpoSec and BSidesLisbon but those slides were never published for obvious reasons (aka live implants all over the Internet).

I don't understand. Or does this mean because the malware was being used you refused to publish documentation about it? Because you think people targeted by nation states are evil?

Intelligence services are the worst terrorist organizations, and most people targeted by them are in fact very friendly persons. If only intelligence services dealt with the actual criminals and not revolutionaries, we wouldn't be having corruption and power abuse scandals every other week in all "developed" nations.


Live implants means that if they published, you or I could access the implants and therefore the victims' systems.


If you've got root RCE, can't you use it to "close" the implant and make sure no one gets hurt, like some have been doing to counteract IoT botnets? How is leaving a gaping hole better?

EDIT: To those saying it would be a legal liability risk, isn't it a criminal offense in your jurisdiction if you know about a danger to someone else and do nothing about it, even if only to warn them? (non-assistance à personne en danger, in French law) Or couldn't you partner with a security research lab with better legal counsel?


That's illegal. You can't break into someone's house to kick out a burglar. The people that have counteracted and kicked out bots from botnets broke laws in several countries (a federal crime in the US), which is why they don't publicize their identity (even if they did, prosecutors may not come after them). You need the consent of the system owner to help them with the intrusion; otherwise anyone can hack into someone else's computer and say they were there to get rid of some malware.


> isn't it a criminal offense in your jurisdiction if you know about a danger to someone else, not to do something about it if only warn them?

In America where the NSA is located? I’ve never written “lol” on this site, but this time called for it.

Since you’re in France I’ll now explain nicely. Not even our cops have any legal requirement to intervene: both when there’s an active crime or even if they see another cop committing a crime in the line of duty (e.g. excessive force).

And civilians (in the American press both military and “deputized” police are called non-civilian) will frequently ignore all manner of crimes, from shootouts to a person overdosing on drugs.


US LEO here. This is not exactly correct. At least this bit: "both when there’s an active crime or even if they see another cop committing a crime in the line of duty (e.g. excessive force)."

Cops generally have no duty to protect anybody. That's not their job, no matter what the decals on the squad say. But if you're on duty, and you witness a crime being committed right in front of you, especially if it's something as serious as a violent felony, and literally ignore it, and anybody finds out, you'll at least probably be fired. Depending on the jurisdiction and totality of circumstances, it may also be a crime.


"Anyone finds out" means "it gets press".

There's a case working its way through the courts where LEOs disarmed someone at the behest of some thugs and then watched him get beat to death by said thugs.

The LEOs are arguing that they had no duty and that they're not responsible for the consequences of said disarming.


The nature of "anyone finds out" is relative to departmental corruption, yes. But that doesn't change the actual rules. And it should be noted that most people's understanding of law enforcement procedure comes from TV fiction or the news. The unreliability of the former should be obvious, and the latter... well, the only things that make the news are things that are newsworthy and out of the ordinary. Which is probably not a good basis for making sweeping judgements about all LEOs and agencies everywhere.


The point of mentioning the court case is that case and statutory law are NOT a slam dunk for "LEOs are required to act," even in cases where "the rest of us" would expect it. The last I heard, the LEOs in that case were prevailing...


The case of NYPD cops hiding from a guy on a slashing spree [0] kind of comes to mind.

[0] https://en.wikipedia.org/wiki/Maksim_Gelman_stabbing_spree


Doesn't work like that in Seattle. Police actively ignore drug use in the (clean) parks, even with complaining witness. Police point and laugh at homeless fighting each other. Source: my eyes.


That behavior comes from the police chief and district attorney explicitly telling street level cops what they can't police.


I know where it comes from. And regardless of management, my observations are counter to the parent comment, claiming an LEO would be fired for ignoring violent crime.


"Protect and serve" (the incumbent power structures, not arbitrary citizens)


Off topic, but I’ve been curious about moving from tech to working in LEO (cyber, fraud, etc) but the FBI/SS requirements around mobility are untenable for me. I’d be interested to hear your experience and any advice around opportunities (in Texas) that are compatible with family life.


I don't know much about Texas specifically, but I work for a state level agency. Federal requirements can be onerous for sure, and the work I do (cyber) is still interesting. Life-balance wise it's basically a normal 9-5 with a moderate amount of travel, but rarely away from home for longer than a day or two. And even that's only a few times a year.


You would be taking on a lot of liability and responsibility if you did that.


Depends if you want to take the risk of being prosecuted for illegitimately accessing multiple computer resources.


But the victims have already been compromised by one of the most malicious organizations on the planet. Being further compromised would probably be more likely to help than hurt, as it would make it more likely that whatever the NSA is doing is discovered or disrupted.


So you notify the victims so they can do something about it. I mean, you yourself just said how sophisticated the threat was; shouldn't they know an implant accessed sensitive data and may have tampered with the integrity of data as well? Cutting off access is just containment, not eradication. Any operator worth his salt would have multiple ways back in for when the primary implant is burned. A proper incident response involves the consent and participation of the victim; the implant/malware is not the problem, what was and might be done using it is.


You don't understand why somebody wouldn't want to publicly kick the beehive that is the NSA. I'd imagine he didn't want to get thrown in the back of a van and disappeared. Even more mundane punishment could be quite severe.


I sure wouldn't want you to have access to these :p


Not interested anyway, but thanks! :P

I just want holes to be fixed.


Slightly off topic, but at the end of the article he says he is looking for Linux devs and says something like "Send me an email to bla bla at put.as". The domain sounded wrong in Spanish (like bitch.es), and when I visited the website it had an NSFW logo. I found it strange.


Definitely is the right website though... The first link on it says "Reverse" and that article is the one at the top of the list. But I agree with your sentiment, I saw the domain name on HN before even getting to the article and it did raise my brow for that same reason.


I guess Pedro considered it funny back in 2003? Times have changed...


It seems most vulnerabilities published by shadow brokers are on Windows. What percentage of vulnerabilities are focused on Linux or macOS?

What can ordinary users do to protect themselves other than patching?


From the article: “.. a port knocking backdoor with multiple targets such as Solaris, Linux, FreeBSD, HP-UX, JunOS, OS X”

So this was much more far-reaching than Windows.

To answer what ordinary users can do: Against a well funded adversary hell bent on getting access to your systems/data - probably not a lot! In the case of NSO group even a fully patched iPhone wasn’t going to help you.

However, on reading this article my first thoughts are: if this method evades detection by not having a listening port that a network scan, or ss/netstat locally, can detect, then perhaps you would still be able to benefit from egress filtering (only allowing outbound connections to things you need and blocking the rest). On a router most connections pass through the router (FORWARD table) as opposed to being directly locally originated and outbound (OUTPUT table).
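A concrete form of the egress filtering described in this comment, written here as an added example (it is not from the thread or the article): an nftables allow-list for a small Linux router that covers both the FORWARD path used by LAN hosts and the OUTPUT path used by the router's own processes, and logs whatever gets dropped so unexpected outbound connections become visible. The interface name `lan0`, the resolver 198.51.100.53, and the permitted destination 203.0.113.10 are hypothetical placeholders (documentation ranges), and NAT/masquerade is assumed to be configured separately.

```nft
#!/usr/sbin/nft -f
# Added example, not from the post: default-deny egress on a Linux router.
# Hypothetical values: LAN interface lan0, upstream resolver 198.51.100.53,
# one permitted update/web destination 203.0.113.10. NAT lives in another table.
flush ruleset

table inet egress {
    # Destinations LAN hosts may reach over HTTP/HTTPS; extend as needed.
    set allowed_dst {
        type ipv4_addr
        elements = { 203.0.113.10 }
    }

    # FORWARD path: traffic the router relays for hosts behind it.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept      # replies to sessions already allowed
        ct state invalid drop
        iifname "lan0" udp dport 53 ip daddr 198.51.100.53 accept   # DNS to our resolver only
        iifname "lan0" udp dport 123 accept                          # NTP
        iifname "lan0" tcp dport { 80, 443 } ip daddr @allowed_dst accept
        # Anything else leaving the LAN is logged (rate-limited) and counted before dropping;
        # a beacon from a compromised host shows up here as EGRESS-FWD-DROP lines.
        iifname "lan0" limit rate 10/minute log prefix "EGRESS-FWD-DROP "
        iifname "lan0" counter drop
    }

    # OUTPUT path: connections the router itself originates. An implant running
    # on the router has to go through this chain, so it gets the same allow-list.
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        udp dport 53 ip daddr 198.51.100.53 accept
        udp dport 123 accept
        tcp dport 443 ip daddr @allowed_dst accept
        limit rate 10/minute log prefix "EGRESS-OUT-DROP "
        counter drop
    }
}
```

Load with `nft -f egress.nft` and review the kernel log for the two prefixes; the `counter` on each drop rule (visible via `nft list ruleset`) gives a quick tally even when logging is rate-limited.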


> To answer what ordinary users can do: Against a well funded adversary hell bent on getting access to your systems/data - probably not a lot! In the case of NSO group even a fully patched iPhone wasn’t going to help you.

Well, you can - you just need to live a mostly offline life with few, highly hardened devices and enter your passwords under a blanket. Edward Snowden does manage, after all. But you'll have to skip a lot of enjoyment - new software, games, even Netflix - forget it.

The real question is, is it worth it to you to live such a life. Probably not.


The NSO could get root on anyone’s device knowing only the phone number.

If NSO does it, so could the intelligence agencies of dozens of countries. Looks like a hopeless situation, where a small percentage of population have access to anyone’s data (but not conversely).

This is posing a threat to the democratic society.

There ought to be a way to make a secure device.


I think one way to add to the difficulty is to conduct everything offline. Since they don't have a full profile for you online, they have to mobilize field teams, which are scarce and expensive. On the other hand, if they can sniff you online, it's going to be automated and almost free.

But again, maintaining an offline life could be very tricky given that the society as a whole is moving everything online. For example, if you earn salaries like me, there is no way to avoid a bank account and a mobile number.


This is correct, and why many lawyers do not maintain online presences, and do not conduct business online, in any capacity.


Rootkits/exploits appear on any operating system.

Wipe and reinstall often, rotate passwords at same time, also teaches good backups.

Ad blocker by default and always up-to-date system.

Use VMs or other machines for dubious websites and wipe those often (like a raspberry?)

Careful what you execute on your machine

Then if you're really paranoid:

Some external firewall running suricata for alerting

Logging to an external system so you can review things in case of issues.


In this spirit I've been playing with spun-up Firefox instances on Google Cloud Run. The container is stateless and goes away after I close the page that connects to the video stream of the other container in my browser.


For all intents and purposes Google is the civilian NSA; I'm not sure you're gaining anything by creating a VM in their cloud!


I'm assuming they want some protection against adtech companies or the local coffee shop sysadmin. Running Firefox in the cloud "to avoid detection by the NSA" would indeed be quite foolish.


Do you find the performance satisfactory enough for daily browsing?


Way back in 2009 I helped design and implement basically "Firefox on AWS EC2" - I had YouTube audio and "video" working, in the subwindow, not Fullscreen. It was roughly 5-10FPS, about what you'd get with VNC, with perfect audio.

I had an idea that thin clients were going to be big - and I stupidly pitched ideas for cloud based software to Adobe, Newtek, and Autodesk.

Never gunna do that again.


I don't really think ordinary people (and rich people TBF) can completely defend themselves against any state player.

Anonymity guides I read mostly recommend Tor, anonymous SIM cards and purchasing electronics with cash. But I don't think it's going to render any state player's work impossible. I mean, if they are really onto you.

On the other side, three-letter agencies cannot waste resources on every individual, so the best way is to stay off the radar.


Most ordinary users will connect to the internet using a router provided by their ISP so port knocking does not work. Unless they plant the malicious code on the router - that would be even harder to detect.


This is correct; almost all user-side traffic is NAT'd (masquerade/src-nat), thus neither port knocking nor any externally open ports apply.

(NAT, in general, = how the multiple devices at your home all share a single public IP address from your ISP)

This article mainly addresses servers / public-facing services (which do not make use of NAT).


[flagged]


You didn't even read the article, did you?



