

Wikileaks Vault7 release

Wikileaks Vault7 release

Typewriters and documents on paper, as opposed to digital documents, are really the way to go in this age of online surveillance. Russians know their shit. The only way for others to see those documents is to have an inside man, and I think Russians are pretty thorough with background checks on persons who work with this sensitive information.
Reply

Wikileaks Vault7 release

Pretty amusing the best way to beat a high-tech world is by staying low-tech.

Contributor at Return of Kings.  I got banned from twatter, which is run by little bitches and weaklings. You can follow me on Gab.

Be sure to check out the easiest mining program around, FreedomXMR.
Reply

Wikileaks Vault7 release

Quote: (05-13-2017 12:54 PM)Easy_C Wrote:  

And that's why if you're doing ANY kind of extremely sensitive work, you should stay the fuck away from anything made by Microsoft. They ALL have backdoors built in. Your best bet is to use an off-brand CPU with a home-built OS, or at least a reputable Linux build.

This is nothing to do with sensitive work. Your PC that you are posting on right now is vulnerable to this attack. Do you have sufficient backup plans in place? Do you browse from a sandbox/VM? I bet you don't. If you are using Linux, then OK, you are safe, and my bad.

For most people, they can't stay away from Microsoft. It's impossible. They have purposely let this shit in their code on pain of death from the NSA. Microsoft are owned. This has nothing to do with Microsoft really. This is the NSA. They are terrorists.

This isn't about people using Chinese CPUs or migrating to Linux. It is about the millions of machines that run the infrastructure of today - hospitals, railway stations. They cannot migrate. The systems are too built into the infrastructure.

The NSA created a monster. This is payback. The NSA have probably caused deaths here in the UK with their fuckwittedness. No one else is to blame. Ok, maybe the script kiddies a bit. But they didn't start the fire.

Most people cannot stay away from Microsoft. It is just not possible at all. Keep in mind a lot of these systems affected were legacy XP. WinX rolled out the updates as a matter of course so it's not affected. But every other version of Windows is.

It is not possible to rewrite software for a lot of systems in place. Why the fuck it is all connected to the internet is another argument for another day.

And what is "an off-brand CPU", "a home-built OS", "a reputable Linux build"?

This worm coupled with ransomware is a massive attack. Thankfully very little damage done (few deaths but hey ho). It targeted the systems in place that cannot be changed, will not be changed for the next decade or so. Impossible. Not financially possible, not pragmatic at all in any kind of sense.

It's the beginning. It gets worse from here. Many more deaths to come.
Reply

Wikileaks Vault7 release

Quote: (05-13-2017 09:17 PM)Rigsby Wrote:  

Quote: (05-13-2017 12:54 PM)Easy_C Wrote:  

And that's why if you're doing ANY kind of extremely sensitive work, you should stay the fuck away from anything made by Microsoft. They ALL have backdoors built in. Your best bet is to use an off-brand CPU with a home-built OS, or at least a reputable Linux build.

This is nothing to do with sensitive work. Your PC that you are posting on right now is vulnerable to this attack. Do you have sufficient backup plans in place? Do you browse from a sandbox/VM? I bet you don't. If you are using Linux, then OK, you are safe, and my bad.

For most people, they can't stay away from Microsoft. It's impossible. They have purposely let this shit in their code on pain of death from the NSA. Microsoft are owned. This has nothing to do with Microsoft really. This is the NSA. They are terrorists.

This isn't about people using Chinese CPUs or migrating to Linux. It is about the millions of machines that run the infrastructure of today - hospitals, railway stations. They cannot migrate. The systems are too built into the infrastructure.

The NSA created a monster. This is payback. The NSA have probably caused deaths here in the UK with their fuckwittedness. No one else is to blame. Ok, maybe the script kiddies a bit. But they didn't start the fire.

Most people cannot stay away from Microsoft. It is just not possible at all. Keep in mind a lot of these systems affected were legacy XP. WinX rolled out the updates as a matter of course so it's not affected. But every other version of Windows is.

It is not possible to rewrite software for a lot of systems in place. Why the fuck it is all connected to the internet is another argument for another day.

And what is "an off-brand CPU", "a home-built OS", "a reputable Linux build"?

This worm coupled with ransomware is a massive attack. Thankfully very little damage done (few deaths but hey ho). It targeted the systems in place that cannot be changed, will not be changed for the next decade or so. Impossible. Not financially possible, not pragmatic at all in any kind of sense.

It's the beginning. It gets worse from here. Many more deaths to come.

Most of this was purposeful. If they didn't play ball, they had antitrust problems from the gov't. Hardly necessary considering the carrot was billions of dollars.
Reply

Wikileaks Vault7 release

Quote: (05-13-2017 02:00 PM)DarkTriad Wrote:  

Quote: (05-13-2017 12:54 PM)Easy_C Wrote:  

And that's why if you're doing ANY kind of extremely sensitive work, you should stay the fuck away from anything made by Microsoft. They ALL have backdoors built in. Your best bet is to use an off-brand CPU with a home-built OS, or at least a reputable Linux build.

The Russians are back to using typewriters. No joke. They assume no matter what the protections, the CIA has circumvented them. And they're usually right.


The Russians were the ones most massively targeted by this attack, or the ones the most hit - disproportionately so:

[Image: infections.jpg]

The Russians have massive infrastructure that can only be run from networked computers. A lot of those computers use Microsoft Windows, of one flavour or another. This was a worm-type virus that propagates over (internal) networks once opened as an email attachment.

They will be pissed. Whoever let this loose, and it looks like they weren't totally competent, has signed their death warrant. Vlad won't let this go.
Reply

Wikileaks Vault7 release

Quote: (05-13-2017 02:26 PM)sterling_archer Wrote:  

Typewriters and documents on paper, as opposed to digital documents, are really the way to go in this age of online surveillance. Russians know their shit. The only way for others to see those documents is to have an inside man, and I think Russians are pretty thorough with background checks on persons who work with this sensitive information.

Are you seriously proposing that we abandon all our current infrastructure and start again? Just rip it up? Think man. Think. It's not possible.

Billions of electronic records that you want to write down with pen and paper?

Think!
Reply

Wikileaks Vault7 release

Quote:

This is nothing to do with sensitive work. Your PC that you are posting on right now is vulnerable to this attack. Do you have sufficient backup plans in place? Do you browse from a sandbox/VM? I bet you don't. If you are using Linux, then OK, you are safe, and my bad.

I keep Windows installed on this computer for other purposes, but I also don't have any documents that are nefarious stored on this computer. Important records have a paper copy and/or thumb drive backup. The documents I'm most worried about getting stolen are government issued so they already know about them and I suspect I've already been hit by the OPM breach.

Quote:

This has nothing to do with Microsoft really. This is the NSA. They are terrorists.

That may be, but it's still Microsoft products that are all more or less "infected". If you're doing ANYTHING that is extremely sensitive I would highly recommend an air-gapped Windows 95/98 system and using external storage to transfer info.

Quote:

And what is "an off-brand CPU", "a home-built OS", "a reputable Linux build"?

Nothing yet for CPUs, unfortunately. However Chinese-made chips are going to be hitting the market soon. A competing server CPU already exists: https://www.nextplatform.com/2017/02/02/...challenge/

Everything else has already been covered extensively by other forum users.

Again there isn't really that much you can do to completely stop an attack or monitoring in this era other than by using an air-gapped system or by only using internet cafes, without bringing your cellphone, paying using cash, and not logging into any accounts you use elsewhere.


From an organizational perspective you're more or less fucked due to the NSA.
Reply

Wikileaks Vault7 release

Quote: (05-13-2017 02:39 PM)Samseau Wrote:  

Pretty amusing the best way to beat a high-tech world is by staying low-tech.

It's not amusing at all. People have died/will die. Nothing amusing about that.

And you can't 'beat a high-tech world', not by 'staying low-tech' or by any other means.

We live in a 'high-tech world'. Given.

All those hospital records, all those train time-tables. Much much more.

I know that RVF is not a tech blog. When the information is presented to you it is too much to handle because you aren't autistic enough. Or don't work in the field. Many people are/do. Please listen to what they have to say. I'm trying to interface here.

There is no way to beat a high-tech world by staying low-tech. We are talking the very fabric and infrastructure of our society here. You really do not understand the gravity of the matter.

Typewriters? Really?

I think I've made my point.
Reply

Wikileaks Vault7 release

Quote: (05-13-2017 09:34 PM)Easy_C Wrote:  

Quote:

This is nothing to do with sensitive work. Your PC that you are posting on right now is vulnerable to this attack. Do you have sufficient backup plans in place? Do you browse from a sandbox/VM? I bet you don't. If you are using Linux, then OK, you are safe, and my bad.

I keep Windows installed on this computer for other purposes, but I also don't have any documents that are nefarious stored on this computer. Important records have a paper copy and/or thumb drive backup. The documents I'm most worried about getting stolen are government issued so they already know about them and I suspect I've already been hit by the OPM breach.

Quote:

This has nothing to do with Microsoft really. This is the NSA. They are terrorists.

That may be, but it's still Microsoft products that are all more or less "infected". If you're doing ANYTHING that is extremely sensitive I would highly recommend an air-gapped Windows 95/98 system and using external storage to transfer info.

Quote:

And what is "an off-brand CPU", "a home-built OS", "a reputable Linux build"?

Nothing yet for CPUs, unfortunately. However Chinese-made chips are going to be hitting the market soon. A competing server CPU already exists: https://www.nextplatform.com/2017/02/02/...challenge/

Everything else has already been covered extensively by other forum users.

Again there isn't really that much you can do to completely stop an attack or monitoring in this era other than by using an air-gapped system or by only using internet cafes, without bringing your cellphone, paying using cash, and not logging into any accounts you use elsewhere.


From an organizational perspective you're more or less fucked due to the NSA.

This isn't about you man.

You recommend air-gapping systems? Who exactly are you? Does the 90 percent of infrastructure we are talking about fall under your recommendation? I don't think it does.

You have overshot the mark by a wide margin.

This is not about you or your opinions. For the last time: There is infrastructure in place that will be in place for the next 10 years at least that will be vulnerable to these attacks. This was just a shot over the bows. Next attack, well it will be much much worse and less able to be defended against.

You aren't helping with your 'install Linux' crap. Give it up. No offense. We can talk about this in other threads. Major infrastructure is run on Windows, and will be for the next 10 years. That will not change. What is so hard for you to understand about that?
Reply

Wikileaks Vault7 release

So, I did a bit of research today.

As predicted, not much harm done. A few deaths here and there, but such is the price for fighting terrorism eh? NSA?

See this excellent article to understand what is going on here:
https://www.theregister.co.uk/2017/05/13...ware_worm/

I don't like el reg that much any more, coz they are rabidly anti-trump. But fair play for this article. It hits it out the park. Don't comment about this later on if you haven't read and digested that article. Oh and all the hundreds of comments. I did.

Everyone is vulnerable to this worm/virus. It propagates by a buffer overflow attack via SMB1. Lots more info in the article. Basically you open a dodgy email attachment and you are owned. If you don't have a backup then you are fucked. There is no way to crack the encryption used - it is uncrackable.

I don't want to quote too much of the article - it is imperative that you read it all yourself if this interests you, but I will put this here:

NSA exposure puts us all at risk

As described above, the worm uses the EternalBlue and DoublePulsar exploits swiped from the NSA's arsenal of hacking tools. It would have been great if the bugs targeted by the agency had been patched years ago; instead, they were fixed by Microsoft in March just before the Shadow Brokers dumped the programs online in April. We assume either the NSA or the brokers tipped off the Redmond giant so that updates to kill off the SMB bug could be pushed out before the exploits publicly leaked.

So, yes, Microsoft issued security fixes to address the vulnerabilities attacked by those cyber-weapons, but as is the way with users and IT departments big and small, not everyone has patched, or can patch, and are now paying the price. The initial infection point appears to be spear-phishing emails, thrown at people within organizations, with the malware hidden in attachments that, when opened, trigger a cyber-contagion on the internal network. The malware is a hybrid design that has a worm element, allowing it to spread through internal structures for maximum effect.


The comments are many. They give advice on how to protect yourself. I will be going through them the next coupla days and doing that.

Basically, the only way this did not get much worse was because an independent security researcher found a 'kill-switch' in the code when he reversed it. It was a call to a certain IP address that did not exist. So he took the initiative and registered the address for 10 bucks, and then the kill-switch was activated.

When this code was stolen and put up for auction by the Shadow Brokers, the NSA would have known. But they did not activate the switch? Why not? Because they were still targeting people with it. That's the theory.

Any current operation that relied on this malware attack will now be compromised. Now that the kill-switch is activated.

When this malware was contained and not out in the wild, the idea was that the NSA would activate the kill-switch so it would not spread further. The kill switch was just a call to an IP address that had not been registered: something like 'adksf;lfksafkjalkjaksa.com' - no one in this world was ever going to register that address.

The security researcher found this address by reverse engineering. He did not even know what would happen himself when he registered it. I think he was playing with fire, personally, but it worked. He stopped the spread of the infection.

It seems like those that found this code (not hard) were not that competent. Sure, they tacked ransomware onto a worm, which is kind of (but not) a first, and which is frightening enough in itself. But in their excitement they did not fully reverse the code themselves and the kill switch IP addy seems to have gone over their head. Just as well.

Next time, we now have the same code, but without a kill switch, still targeting the same vulnerable systems. Hospitals, railway networks, etc. etc.

This is why it is beyond criminal for governments to build in back doors to encryption and fuck about like this. The NSA, GCHQ, the whole lot are responsible now for people dying. The politicians will not listen.

This will only get worse. More people will die. No one will be accountable.

It's fucking happening. Or rather, it just fucking happened.

But as always, people will hand wave this away as their loved ones die from cancelled operations and cancelled trains to those operations (ever lived in the middle of nowhere and had no family and had to rely on the rail network?).

But the best comes. Dams that break their banks. Nuclear power stations that go in to meltdown. But they aren't on the net are they? Aren't they? Air traffic control. But they aren't on the net are they? Mmm..

Why did the NSA pay money to GCHQ? For what? Why do NSA and GCHQ develop tools in tandem?

The NSA spies on the UK. GCHQ spies on the Americans. They exchange information. Job done. Plausible deniability.

The people that did this were fucking amateurs. I've got these tools on my hard drive. I could wreak absolute fucking havoc in this world. One day, someone that knows what they are doing, with enough malice will bring it all down. Talk to any security expert worth his salt, and he'll tell you the same. I'm not an expert. I don't plan on deploying these tools. I'm a fuckwit. But someone somewhere, with no interest in money that just wants to see the world burn, will work it out soon.

That is why our governments need to be stopped. We are going to die! And they will be responsible, not the terrorists.

But don't listen to me. No one else did over six months back. I predict even better things for the next six months.

What scares me is that I'm not that bright. Not that well connected. But these tools are fucking frightening in their ability. How long before someone comes along and really uses them? A bit of de-compilation? A bit of disassembly? A tweak here a tweak there. Combine a ransomware with a worm?

Read that register thread. Here it is again:
https://www.theregister.co.uk/2017/05/13...ware_worm/

And don't go opening any attachments from strange people.

One day, someone somewhere will crack the Thames flood barrier and open it when there is a storm and cause thousands of deaths. But the Thames barrier is not connected to the internet I hear you say. Really. Is it not?

Don't go opening any attachments from strange people.

Go over that article and patch your system up. It's not just businesses and corporations vulnerable to this. The Register has gone to shit these days with their SJW posturing, but fair play to them - that is an excellent article. A must read. And the 300 comments too. I read them all, I suggest you do too.


What is to be done?

This is just the first wave: there is nothing stopping someone from making a new worm that attacks the MS17-010 bug to silently compromise vulnerable systems, or adapting the WannaCrypt binaries to cause more damage.

So, what's the solution? If you're already infected then there's not a lot you can do other than wipe the system and reinstall from offline unaffected backups – if you have them.


It's possible that the malware writers will have screwed up and put the decryption key in the code itself – such slip-ups have happened in the past. Researchers are picking the code apart byte by byte trying to find such clues, but this looks like a reasonably sophisticated piece of software so that's a long shot.

If you haven't been infected, make sure your security patches are up to date. Kill off SMBv1 at the very least, and block access to it from outside your network. The exploits the malware uses have already been patched, and there's no excuse for getting caught out as a private user. It's understandable that IT managers with annoying corporate policies and heavy workloads have been forced to hold back patches, or are unable to apply them. If you can update your installations, drop everything and get patching.

And we'd sure appreciate it if you could stop clicking on attachments from unknown parties, too.
Reply

Wikileaks Vault7 release

^^^A small correction on that kill switch.

It wasn't actually a kill switch, but a randomly generated website used to let the malware know when it is in a sandbox. Any sort of sandbox used by a security researcher to analyze the malware allows all outbound traffic to be reported as available and successfully sent.

When the malware would detect it could actually reach the site it would shut down.

They recently released a new variant of the ransomware without that feature, so the risks are still present.
Reply
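The research post and the correction above describe the same observable from the network's side: a host that has run the worm makes a DNS lookup for the sinkhole domain (whether one reads that as a kill switch or as a sandbox check), and then fans out over SMB on TCP/445 to every reachable internal host. The Register's advice covers the hardening side (patch MS17-010, kill SMBv1, block 445 from outside); the script below covers the detection side. It is an added example, not code from the thread, the Register article or any tool named there. The sinkhole domain is a placeholder because the real one is not given on the page, and the DNS and flow log lines are constructed.

```python
"""Detection logic for the two behaviours the thread describes:
(1) a host looking up the sinkhole domain, which means the worm executed there, and
(2) a host opening TCP/445 (SMB) connections to many distinct internal peers in a
    short window, the fan-out pattern of the SMBv1-based spread.
Log formats and sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder for the sinkhole domain; the real one is not given on the page.
SINKHOLE_DOMAINS = {"example-killswitch-domain.invalid"}

# Constructed DNS query log: "<ISO timestamp> <client ip> <queried name>"
DNS_LOG = """\
2017-05-12T10:01:03 10.0.4.17 www.example.com
2017-05-12T10:01:09 10.0.4.22 example-killswitch-domain.invalid
2017-05-12T10:01:11 10.0.4.22 update.example.org
2017-05-12T10:04:40 10.0.4.31 example-killswitch-domain.invalid
"""

# Constructed firewall/flow log: "<ISO timestamp> <src ip> <dst ip> <dst port>"
FLOW_LOG = """\
2017-05-12T10:01:12 10.0.4.22 10.0.4.1 445
2017-05-12T10:01:12 10.0.4.22 10.0.4.2 445
2017-05-12T10:01:13 10.0.4.22 10.0.4.3 445
2017-05-12T10:01:13 10.0.4.22 10.0.4.4 445
2017-05-12T10:01:14 10.0.4.22 10.0.4.5 445
2017-05-12T10:01:14 10.0.4.22 10.0.4.6 445
2017-05-12T10:01:15 10.0.4.22 10.0.4.7 445
2017-05-12T10:01:15 10.0.4.22 10.0.4.8 445
2017-05-12T10:01:16 10.0.4.22 10.0.4.9 445
2017-05-12T10:01:16 10.0.4.22 10.0.4.10 445
2017-05-12T10:02:00 10.0.4.17 10.0.4.50 445
2017-05-12T10:09:00 10.0.4.17 10.0.4.51 445
2017-05-12T10:10:00 10.0.4.31 10.0.4.52 80
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def sinkhole_lookups(dns_log, sinkholes=SINKHOLE_DOMAINS):
    """Return {client_ip: first_seen} for clients that queried a sinkhole domain."""
    hits = {}
    for line in dns_log.splitlines():
        ts, client, qname = line.split()
        if qname.lower().rstrip(".") in sinkholes and client not in hits:
            hits[client] = parse_ts(ts)
    return hits


def smb_fanout(flow_log, window=timedelta(seconds=60), threshold=8):
    """Return {src_ip: distinct_dst_count} for sources that contacted at least
    `threshold` distinct hosts on TCP/445 within any span of length `window`."""
    per_src = defaultdict(list)
    for line in flow_log.splitlines():
        ts, src, dst, port = line.split()
        if port == "445":
            per_src[src].append((parse_ts(ts), dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


def triage(dns_log, flow_log):
    """Combine both signals; hosts in `both` executed the payload and are spreading."""
    dns_hits = sinkhole_lookups(dns_log)
    fanout = smb_fanout(flow_log)
    return {
        "sinkhole_only": sorted(set(dns_hits) - set(fanout)),
        "fanout_only": sorted(set(fanout) - set(dns_hits)),
        "both": sorted(set(dns_hits) & set(fanout)),
    }


if __name__ == "__main__":
    print(triage(DNS_LOG, FLOW_LOG))
```

A host in `both` has run the payload and is actively spreading, so it is the first one to pull off the network. The fan-out check also covers the case the correction post raises, a variant with no domain check at all, because the propagation over 445 is unchanged; the threshold and window are assumptions to be tuned against what normal SMB traffic looks like on the network being watched.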

Wikileaks Vault7 release

Quote: (05-13-2017 02:26 PM)sterling_archer Wrote:  

Typewriters and documents on paper, as opposed to digital documents, are really the way to go in this age of online surveillance. Russians know their shit. The only way for others to see those documents is to have an inside man, and I think Russians are pretty thorough with background checks on persons who work with this sensitive information.

We need to strike an appropriate balance between accessibility and security.

Typewritten paper locked in a high-security and hard to access vault is secure, but it's effectively useless if you need to access it easily.

Likes denote appreciation, not necessarily agreement |Stay Anonymous Online Datasheet| Unmissable video on Free Speech
Reply

Wikileaks Vault7 release

Quote: (05-13-2017 09:32 PM)Rigsby Wrote:  

Quote: (05-13-2017 02:26 PM)sterling_archer Wrote:  

Typewriters and documents on paper, as opposed to digital documents, are really the way to go in this age of online surveillance. Russians know their shit. The only way for others to see those documents is to have an inside man, and I think Russians are pretty thorough with background checks on persons who work with this sensitive information.

Are you seriously proposing that we abandon all our current infrastructure and start again? Just rip it up? Think man. Think. It's not possible.

Billions of electronic records that you want to write down with pen and paper?

Think!

No, I meant it could be useful for governments and its agencies to have hard copies of their sensitive information, not that we should abandon everything digital.
Reply

Wikileaks Vault7 release

Quote: (05-13-2017 09:32 PM)Rigsby Wrote:  

Quote: (05-13-2017 02:26 PM)sterling_archer Wrote:  

Typewriters and documents on paper, as opposed to digital documents, are really the way to go in this age of online surveillance. Russians know their shit. The only way for others to see those documents is to have an inside man, and I think Russians are pretty thorough with background checks on persons who work with this sensitive information.

Are you seriously proposing that we abandon all our current infrastructure and start again? Just rip it up? Think man. Think. It's not possible.

Billions of electronic records that you want to write down with pen and paper?

Think!

Not quite sure if you read the comment on the previous page; it wasn't so much a suggestion as an observation on what the Russian gov't has in fact ALREADY done with their most sensitive stuff (for the obvious reasons listed in the above graph). If your opponent has the best navy, you don't fight them at sea; if they have the best head-to-head army, you don't fight them head to head; and if they have the best cyberwarfare guys, you don't try and play cybersecurity games with them, because you've already lost. The only question is how bad and how often.

I don't think anyone suggests never using computers, but if you have something you need secure, it's not going to be secure long against a cyber-superpower.
Reply

Wikileaks Vault7 release

Quote: (05-13-2017 11:12 PM)Transsimian Wrote:  

Quote: (05-13-2017 02:26 PM)sterling_archer Wrote:  

Typewriters and documents on paper, as opposed to digital documents, are really the way to go in this age of online surveillance. Russians know their shit. The only way for others to see those documents is to have an inside man, and I think Russians are pretty thorough with background checks on persons who work with this sensitive information.

We need to strike an appropriate balance between accessibility and security.

Typewritten paper locked in a high-security and hard to access vault is secure, but it's effectively useless if you need to access it easily.


Another tool in the toolbox IMHO.
Reply

Wikileaks Vault7 release

Quote: (05-13-2017 09:48 PM)Rigsby Wrote:  

Quote: (05-13-2017 09:34 PM)Easy_C Wrote:  

Quote:

This is nothing to do with sensitive work. Your PC that you are posting on right now is vulnerable to this attack. Do you have sufficient backup plans in place? Do you browse from a sandbox/VM? I bet you don't. If you are using Linux, then OK, you are safe, and my bad.

I keep Windows installed on this computer for other purposes, but I also don't have any documents that are nefarious stored on this computer. Important records have a paper copy and/or thumb drive backup. The documents I'm most worried about getting stolen are government issued so they already know about them and I suspect I've already been hit by the OPM breach.

Quote:

This has nothing to do with Microsoft really. This is the NSA. They are terrorists.

That may be, but it's still Microsoft products that are all more or less "infected". If you're doing ANYTHING that is extremely sensitive I would highly recommend an air-gapped Windows 95/98 system and using external storage to transfer info.

Quote:

And what is "an off-brand CPU", "a home-built OS", "a reputable Linux build"?

Nothing yet for CPUs, unfortunately. However Chinese-made chips are going to be hitting the market soon. A competing server CPU already exists: https://www.nextplatform.com/2017/02/02/...challenge/

Everything else has already been covered extensively by other forum users.

Again there isn't really that much you can do to completely stop an attack or monitoring in this era other than by using an air-gapped system or by only using internet cafes, without bringing your cellphone, paying using cash, and not logging into any accounts you use elsewhere.


From an organizational perspective you're more or less fucked due to the NSA.

This isn't about you man.

You recommend air-gapping systems? Who exactly are you? Does the 90 percent of infrastructure we are talking about fall under your recommendation? I don't think it does.

You have overshot the mark by a wide margin.

This is not about you or your opinions. For the last time: There is infrastructure in place that will be in place for the next 10 years at least that will be vulnerable to these attacks. This was just a shot over the bows. Next attack, well it will be much much worse and less able to be defended against.

You aren't helping with your 'install Linux' crap. Give it up. No offense. We can talk about this in other threads. Major infrastructure is run on Windows, and will be for the next 10 years. That will not change. What is so hard for you to understand about that?



Stop being a condescending ass.

This isn't about me, it's about other folks on here who are lawyers, doctors, financial advisors, or own other businesses with sensitive data that they need to protect in order to stay in business. Those people are also liable for loss of that data so they need to protect it.

Second, if you're going to insult me and call me an idiot, you at least might want to use facts that are accurate. https://www.quora.com/What-is-the-Server...rket-share
Reply

Wikileaks Vault7 release

I feel sorry for techs.

"Yeah, I suppose we could spend billions of dollars hack-proofing our networks, or maybe you dumb fucks could just stop clicking on shit sent to you from people you don't know."

It's like trying to teach a pack of fucking monkeys not to play with medical waste.

The public will judge a man by what he lifts, but those close to him will judge him by what he carries.
Reply

Wikileaks Vault7 release

1. Security

2. Convenience

Pick one

Team visible roots
"The Carousel Stops For No Man" - Tuthmosis
Quote: (02-11-2019 05:10 PM)Atlanta Man Wrote:  
I take pussy how it comes -but I do now prefer it shaved low at least-you cannot eat what you cannot see.
Reply

Wikileaks Vault7 release

The days of anonymity are long past. If you were a fugitive or drug trafficker in the 70's, it must have been a helluva great time to do business.

Now there are so many entities tracking everything you do. Every investigator has people he can call to make things happen. There's always some well-meaning citizen working for Mastercard or Experian that will phone into an agent when a guy uses his credit card or ATM.

That being the case, I can only imagine that there are people inside MS or Facebook that will hand over whatever the government wants without a subpoena. It doesn't have to be a corporate policy to collaborate with the government, some workers will just do it on the downlow.
Reply

Wikileaks Vault7 release

WikiLeaks' Vault 7 released documents from the CherryBlossom project.
Quote:

Cherry Blossom
15 June, 2017

Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International).

CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals. Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium-sized companies as well as enterprise offices. Therefore these devices are the ideal spot for "Man-In-The-Middle" attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.

The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap. A FlyTrap will beacon over the Internet to a Command & Control server referred to as the CherryTree. The beaconed information contains device status and security information that the CherryTree logs to a database. In response to this information, the CherryTree sends a Mission with operator-defined tasking. An operator can use CherryWeb, a browser-based user interface to view Flytrap status and security info, plan Mission tasking, view Mission-related data, and perform system administration tasks.

Missions may include tasking on Targets to monitor, actions/exploits to perform on a Target, and instructions on when and how to send the next beacon. Tasks for a Flytrap include (among others) the scan for email addresses, chat usernames, MAC addresses and VoIP numbers in passing network traffic to trigger additional actions, the copying of the full network traffic of a Target, the redirection of a Target’s browser (e.g., to Windex for browser exploitation) or the proxying of a Target’s network connections. FlyTrap can also set up VPN tunnels to a CherryBlossom-owned VPN server to give an operator access to clients on the Flytrap’s WLAN/LAN for further exploitation. When the Flytrap detects a Target, it will send an Alert to the CherryTree and commence any actions/exploits against the Target. The CherryTree logs Alerts to a database, and, potentially distributes Alert information to interested parties (via Catapult).

There's a lengthy technical article about it.
Quote:

Advanced CIA firmware has been infecting Wi-Fi routers for years
Latest Vault7 release exposes network-spying operation CIA kept secret since 2007.

Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.

CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it's likely modifications would allow the implant to run on at least 100 more.

[Image: cherryblossom-architecture.png]

The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a "FlyTrap" that beacons a CIA-controlled server known as a "CherryTree." The beacon includes device status and security information that the CherryTree logs to a database. In response, the CherryTree sends the infected device a "Mission" consisting of specific tasks tailored to the target. CIA operators can use a "CherryWeb" browser-based user interface to view Flytrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

Missions can target connected users based on IPs, e-mail addresses, MAC addresses, chat user names, and VoIP numbers. Mission tasks can include copying all or only some of the traffic; copying e-mail addresses, chat user names, and VoIP numbers; invoking a feature known as "Windex," which redirects a user's browser that attempts to perform a drive-by malware attack; establishing a virtual private network connection that gives access to the local area network; and the proxying of all network connections.

[Image: cherryblossom-test-infrastructure.png]

All the communications between the FlyTrap and the CIA-controlled CherryTree, with the exception of copied network data, is encrypted and cryptographically authenticated. For extra stealth, the encrypted data masquerades as a browser cookie in an HTTP GET request for an image file. The CherryTree server then responds to the request with a corresponding binary image file.

A decade of hacking routers

In many respects, CherryBlossom isn't much different from DNSChanger and other types of router malware that have infected hundreds of thousands of devices over the past few years. What sets the CIA implant apart the most is its full suite of features, including its user interface, command-server support, and a long list of mission tasks. Also significant: the documents date back to 2007, when router hacking was less developed than it is now.

CherryBlossom is the latest release in WikiLeaks Vault7 series, which the site purports was made possible when the "CIA lost control of the majority of its hacking arsenal." CIA officials have declined to confirm or deny the authenticity of the documents, but based on the number of pages and unique details exposed in the series, there is broad consensus among researchers that the documents are actual CIA materials.

What's more, researchers from security firm Symantec have definitively linked at least one Vault7 release to an advanced hacking operation that has been penetrating governments and private industries around the world for years. While WikiLeaks said Vault7 was intended to "initiate a public debate about the security, creation, use, proliferation, and democratic control of cyberweapons," little or nothing published to date has shown the CIA running afoul of its legal mandate.

Like the other Vault7 releases, Thursday's installment doesn't include the source code or binaries that would allow other hacker groups to appropriate the CIA's router-hijacking capabilities. That makes the leaks significantly less damaging than those by the Shadow Brokers, the name used by a still-unknown group that has published advanced hacking tools developed by and later stolen from the National Security Agency. April's release of an NSA-developed tool codenamed EternalBlue resulted in the WCry outbreak that infected an estimated 727,000 computers in 90 countries.

Thursday's Vault7 release does, however, provide so-called indicators of compromise that targets can use to determine if they were hacked. As pointed out by a researcher who tweets under the handle Xorz, it may allow people to identify CIA-controlled CherryTree servers, since they all seem to use the word "CherryWeb" in their default URLs.

A general defense more technically inclined users can take against router-based malware that monitors and tampers with Internet traffic is to put the router in question into passive mode and connect it to a network hub and a trusted router. This allows the person to see all traffic going into and out of the network.
Reply
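As an added example (not part of the thread or the quoted article), here is a small Python sweep over outbound proxy logs that applies the two defensive signals the article describes: the "CherryWeb" string in server URLs, and image GET requests carrying a long, opaque cookie in the shape of the disguised beacon. The log format, the sample lines and the length/entropy thresholds are constructed assumptions, not anything documented on the page.

```python
import math
import re
from base64 import b64encode
from collections import Counter

# Constructed sample proxy log (not from the original page); hypothetical
# format: "<client> <method> <url> <cookie-or-dash>".
_OPAQUE = b64encode(bytes(range(64))).decode()   # 88-char opaque blob
SAMPLE_LOG = f"""\
10.0.0.5 GET http://cdn.example.net/img/logo.png -
10.0.0.6 GET http://shop.example.net/cart lang=en
10.0.0.7 GET http://203.0.113.9/assets/pixel.gif {_OPAQUE}
10.0.0.8 GET http://203.0.113.9/assets/pixel.gif {'a' * 80}
10.0.0.9 GET http://198.51.100.4/CherryWeb/status.png -
10.0.0.10 GET http://api.example.net/v1/data {_OPAQUE}
"""

IMAGE_RE = re.compile(r"\.(?:png|gif|jpe?g|bmp|ico)(?:\?|$)", re.I)
MIN_COOKIE_LEN = 64   # assumed threshold: shorter cookies are ignored
MIN_ENTROPY = 4.0     # assumed threshold, bits per character

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def classify(line: str) -> list[str]:
    """Return indicator labels for one log line (empty list = nothing seen)."""
    client, method, url, cookie = line.split(maxsplit=3)
    hits = []
    # Signal 1: the "CherryWeb" string the article says appears in C2 URLs.
    if "cherryweb" in url.lower():
        hits.append("cherryweb-url")
    # Signal 2: an image GET with a long, high-entropy cookie, i.e. the
    # described beacon shape (encrypted blob disguised as a browser cookie).
    # Long but repetitive cookies (low entropy) and non-image URLs pass.
    if (method == "GET" and IMAGE_RE.search(url) and cookie != "-"
            and len(cookie) >= MIN_COOKIE_LEN
            and shannon_entropy(cookie) >= MIN_ENTROPY):
        hits.append("opaque-cookie-image-get")
    return hits

def scan(log: str) -> dict[str, list[str]]:
    """Map each client that produced an indicator to the indicators seen."""
    findings: dict[str, list[str]] = {}
    for line in log.splitlines():
        hits = classify(line)
        if hits:
            findings.setdefault(line.split()[0], []).extend(hits)
    return findings
```

Either hit is a lead for inspection, not proof of infection; the entropy rule in particular will also fire on legitimate opaque session tokens sent to image hosts, so tune the thresholds against your own baseline.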

Wikileaks Vault7 release

Yeah I'm sure that will only be used on terrorists.

"A stripper last night brought up "Rich Dad Poor Dad" when I mentioned, "Think and Grow Rich""
Reply

Wikileaks Vault7 release

Quote: (06-16-2017 03:08 AM)spokepoker Wrote:  

Yeah I'm sure that will only be used on terrorists.

At some point some enterprising lawyer is going to figure out a way to sue the alphabet agencies for negligence in securing their tools and claim damages on behalf of someone who's hacked by one of them. I've no idea how this would come about, or what it would take to prove it, but the moment one of these claims is made out, the US government will either start getting serious about security or it'll flush all of its hacking tools entirely.

Patriotism and the sense of a free society will not move these clowns, and as we've seen even D. Trump is not interested in removing the surveillance state, so it's going to have to come back down to removing money from someone's pocket or raising someone's insurance premium.

Remissas, discite, vivet.
God save us from people who mean well. -storm
Reply

