Stranger is that they feel like they need to open a "hidden" browser instance to connect to the internet. A browser isn't really a necessary part of establishing a connection -- unless there's some missing context here. Is my grandmother running the CIA data ops division?
Edit: it's been made clear to me that of course this is one of few viable vectors when approaching outbound network with a really restrictive firewall (like Little Snitch). If a browser is already approved on making a given connection, then using a headless instance to do network talking is a smart way to do it. If you roll your own net code, a tool like LS will notify user and/or block. Dumb me!
Exactly. Firewalls like Little Snitch primarily filter traffic primarily based on the binary initiating the connection, and only secondarily based on the target port or address. When little snitch pops up the 10th time in 30 seconds, you will just approve all traffic from your browser, so using the browser to send all traffic is great way to avoid being caught.
As for what "injecting into little snitch" means, it could either mean injecting code into little snitch, because little snitch probably doesn't filter itself OR injecting a rule into little snitch.
Little Snitch does filter itself, but the Allow rules are there by default. I remember on a previous version, one of the steps to pirate LS was adding a rule to block it from connecting to it's servers.
Casually browsing the archive, I saw something related to injecting payloads into OSX applications. The application that did this required the latest version of XCode to compile, according to the installation and build docs.
I mean they could just write some net code that sends packets to whatever port, but launching IE and doing everything over HTTPS or whatever is much more stealthy when it comes to network monitoring and system logs.
But why not spend ten minutes and make their net code use SSL and then avoid it altogether?
I guess one could argue that the footprint of adding SSL client behavior to a sneaky hidden tracker might be shitty to do and make it more identifiable. But also SSL libraries are typically linkable on the host system anyway, no compilation past the headers needed.
It's just a weird "workaround" on their part if that's the intention.
Correct. It is likely users allow their primary browser full access to all hosts on ports 80 and 443, if not all ports.
Additionally, launching the browser gives you easy access to all the tastey session cookies and access to their keychain (I assume a lot of people give their default browser on OSX keychain access).
I would guess that the hidden browser could have access to data (login cookies, browser history, combined with another vulnerability maybe even anything the user enters in other browser windows) that a separate program would not have accesss to.
Little Snitch will warn you (ask permission) if a new process wants to connect to the internet. If the beacon can pass information through an browser process though, I expect most people have Little Snitch rules to allow their browser to send any traffic without warnings.
fun Microsoft fact - windows firewall is preconfigured with a build-in outbound traffic backdoor. You cant filter localhost, DNSCache listens on localhost and will happily relay everything. You have to manually disable dnscache service and give up caching to plug this hole. You want to be able to ping? cant do that, ICMP traffic originates in System process, so you either let everything send ICMP packets, or filter it all out, there is no middle ground.
1. Only a tiny minority of macOS users use Little Snitch, and they're not necessarily the most sensitive/interesting targets.
2. If you're competent and you have enough privileges to inject a DLL into anything, the odds are overwhelming that you also own the kernel. Why would you waste time with a goofy firewall add-on package?
I joked on Twitter but I'm "ha ha only serious" about this: if you had this entire portfolio of tools and exploits 2 years ago, I'm not sure you could have gotten a job at Immunity. The leak is fascinating. The technical details: not so much.
I thought the Shadow Brokers/Equation Group dump demonstrated a not-especially-skillful group of inexperienced-seeming pentesters who happened to have acquired some interesting bugs on the black market. Today's dump shows a team that's way less impressive even than that.
Little Snitch users are the kind of people who can and would expose CIA beacon signals. It's not so much that LS users are juicy targets, but rather that they are substantial exposure risks.
You might say, well, just piggy-back the signal on something else. Indeed, that is better. But that solution is far more complicated because you have to control (cooperatively, or coercively) a legitimate end-point.
Ergo, I don't think it's clownish at all for the CIA to target LS, it addresses a real threat (to them).
That's not what he was saying. Yes, it would of course be a good idea to try to hide the malware implants from tools like Little Snitch. It's just that the method they propose of going about it is really dumb.
What tptacek is saying is that instead of writing some hand-tailored userspace code to specifically fool Little Snitch, they should just be using a kernel module that will hide the network and process activity from all analysis tools. That's what most nation-state malware does (or tries to do).
Using kernel implants to hide signals from these kinds of network security tools is literally 1990s-grade hacker opsec. It's the actual, precise use case for which "amodload" was written, in 1996, by a 20-year-old, for a closed-source OS. I stand by my assessment.
I don't swim in these circles so forgive my ignorance -- What is significant about Immunity? Are you saying these exploits are trivial and/or old news?
The whole wiki that this leak released is full of the most basic configuration options for vim/VS etc. They have version control tutorials. They can't be hiring pros.
I'm just a little weirded out how this list is, in style, identical to many of the lists I've created and have open right now. I need this to be a bit more "henchmanny" and a bit less "average Joe/Jane sitting at their desk under the florescent lights drinking coffee and idly thinking about the workweek ahead."
This actually made me burst out laughing and conveyed my thoughts exactly. It's like when you become old enough to realize your parents are fallible and have been winging it the whole time.
It's possible I've misunderstood, but I don't think they're trying to inject Little Snitch. I think they're trying to inject into Little Snitch, in order to evade its restrictions.
Little Snitch is a host-based application firewall for Mac OS X. It can be used to monitor applications, preventing or permitting them to connect to attached networks through advanced rules.
If you only need to send data once per week, and that data is less than 2K, simply encrypt it, make it part of a URL that you control, then tell the default browser to open that URL. Nearly everybody has configured Little Snitch so that the browser can connect to anything (because the popups quickly annoy). Then do a redirect on your server to something innocuous, and the user will quickly forget.
Or even better use window.close() then the user will only see the browser window open briefly. Of course if the user has JavaScript disabled, use HTTP 302 Found or HTML meta refresh to redirect, blah blah.
So, apart from not demonstrating very high skill level (already discussed in other comments written by people that seem knowledgeable), how is this even remotely morally shady? They clearly discuss penetrating particular target systems — isn't that exactly what you would expect your intelligence/counter-intelligence service to do?
I'd wager LS users are more tech-savvy and less likely to be using more mainstream tools like Norton or McAfee - they want one tool that gives them control over what programs have network access, not a bloated adware platform.
Their goal is to suborn and evade it. In context, "inject into" should be understood to mean "to inject code or configuration of choice into a software package".
You are giving Thomas Ptacek too much credit by asking these questions. His only? engineering product was a gimmick that did "firewall rule management" and I doubt he had much to do with the engineering part. Yet he feels obligated to comment on the quality of CIA/NSA cyberespionage toolkits.
This is a pretty interesting fly-by attack. Insinuation, not evidence based. Asking questions and having a conversation is why the rest of us are here. What is your goal by attacking the credibility of other people in the conversation?
EDIT: 128 days old, no prior comments or submissions.
Stranger is that they feel like they need to open a "hidden" browser instance to connect to the internet. A browser isn't really a necessary part of establishing a connection -- unless there's some missing context here. Is my grandmother running the CIA data ops division?
Edit: it's been made clear to me that of course this is one of few viable vectors when approaching outbound network with a really restrictive firewall (like Little Snitch). If a browser is already approved on making a given connection, then using a headless instance to do network talking is a smart way to do it. If you roll your own net code, a tool like LS will notify user and/or block. Dumb me!
Exactly. Firewalls like Little Snitch primarily filter traffic primarily based on the binary initiating the connection, and only secondarily based on the target port or address. When little snitch pops up the 10th time in 30 seconds, you will just approve all traffic from your browser, so using the browser to send all traffic is great way to avoid being caught.
As for what "injecting into little snitch" means, it could either mean injecting code into little snitch, because little snitch probably doesn't filter itself OR injecting a rule into little snitch.
Little Snitch does filter itself, but the Allow rules are there by default. I remember on a previous version, one of the steps to pirate LS was adding a rule to block it from connecting to it's servers.
1 reply →
Casually browsing the archive, I saw something related to injecting payloads into OSX applications. The application that did this required the latest version of XCode to compile, according to the installation and build docs.
1 reply →
I mean they could just write some net code that sends packets to whatever port, but launching IE and doing everything over HTTPS or whatever is much more stealthy when it comes to network monitoring and system logs.
But why not spend ten minutes and make their net code use SSL and then avoid it altogether?
I guess one could argue that the footprint of adding SSL client behavior to a sneaky hidden tracker might be shitty to do and make it more identifiable. But also SSL libraries are typically linkable on the host system anyway, no compilation past the headers needed.
It's just a weird "workaround" on their part if that's the intention.
5 replies →
Intent is to evade firewalls that allow per-application rules, such as Little Snitch (I think?) and Windows firewall.
> such as Little Snitch (I think?)
Correct. It is likely users allow their primary browser full access to all hosts on ports 80 and 443, if not all ports.
Additionally, launching the browser gives you easy access to all the tastey session cookies and access to their keychain (I assume a lot of people give their default browser on OSX keychain access).
Oh, duh. Wow, dumb me. One of those "can't see the forest for the trees" mistakes on my part. Thanks for the reality check!
I would guess that the hidden browser could have access to data (login cookies, browser history, combined with another vulnerability maybe even anything the user enters in other browser windows) that a separate program would not have accesss to.
What if they use it to establish an unsavory browsing history on a target's computer without their knowledge?
Could you imagine.
deletes browsing history
If there is a page stating the CIA can create an unsavory browsing history, let me know, just for future reference.
2 replies →
Also it helps get you through proxies.
Hackers are going to hack (a solution).
Little Snitch will warn you (ask permission) if a new process wants to connect to the internet. If the beacon can pass information through an browser process though, I expect most people have Little Snitch rules to allow their browser to send any traffic without warnings.
fun Microsoft fact - windows firewall is preconfigured with a build-in outbound traffic backdoor. You cant filter localhost, DNSCache listens on localhost and will happily relay everything. You have to manually disable dnscache service and give up caching to plug this hole. You want to be able to ping? cant do that, ICMP traffic originates in System process, so you either let everything send ICMP packets, or filter it all out, there is no middle ground.
This is clownish:
1. Only a tiny minority of macOS users use Little Snitch, and they're not necessarily the most sensitive/interesting targets.
2. If you're competent and you have enough privileges to inject a DLL into anything, the odds are overwhelming that you also own the kernel. Why would you waste time with a goofy firewall add-on package?
I joked on Twitter but I'm "ha ha only serious" about this: if you had this entire portfolio of tools and exploits 2 years ago, I'm not sure you could have gotten a job at Immunity. The leak is fascinating. The technical details: not so much.
I thought the Shadow Brokers/Equation Group dump demonstrated a not-especially-skillful group of inexperienced-seeming pentesters who happened to have acquired some interesting bugs on the black market. Today's dump shows a team that's way less impressive even than that.
Little Snitch users are the kind of people who can and would expose CIA beacon signals. It's not so much that LS users are juicy targets, but rather that they are substantial exposure risks.
You might say, well, just piggy-back the signal on something else. Indeed, that is better. But that solution is far more complicated because you have to control (cooperatively, or coercively) a legitimate end-point.
Ergo, I don't think it's clownish at all for the CIA to target LS, it addresses a real threat (to them).
That's not what he was saying. Yes, it would of course be a good idea to try to hide the malware implants from tools like Little Snitch. It's just that the method they propose of going about it is really dumb.
What tptacek is saying is that instead of writing some hand-tailored userspace code to specifically fool Little Snitch, they should just be using a kernel module that will hide the network and process activity from all analysis tools. That's what most nation-state malware does (or tries to do).
Using kernel implants to hide signals from these kinds of network security tools is literally 1990s-grade hacker opsec. It's the actual, precise use case for which "amodload" was written, in 1996, by a 20-year-old, for a closed-source OS. I stand by my assessment.
4 replies →
I don't swim in these circles so forgive my ignorance -- What is significant about Immunity? Are you saying these exploits are trivial and/or old news?
He is saying the latter. They indeed are. They are cool infection vectors but nothing new.
I think you're over-reacting. It's just a discussion (powerpoint?)
I would consider it negligent if no-one in the CIA was asking these questions.
[edit:grammar/clarification]
Plot twist: the dump is a list of summer intern projects
Hypothetical or real? If real, link to source please.
1 reply →
The whole wiki that this leak released is full of the most basic configuration options for vim/VS etc. They have version control tutorials. They can't be hiring pros.
You can't make a conclusion from that. Any large software org is going to have similar type things.
We already knew they probably don't care about hiring "the best" since they cut out a large part of the pool that they'd be able to hire from: https://mobile.nytimes.com/2015/06/30/us/state-marijuana-law...
I'm just a little weirded out how this list is, in style, identical to many of the lists I've created and have open right now. I need this to be a bit more "henchmanny" and a bit less "average Joe/Jane sitting at their desk under the florescent lights drinking coffee and idly thinking about the workweek ahead."
This actually made me burst out laughing and conveyed my thoughts exactly. It's like when you become old enough to realize your parents are fallible and have been winging it the whole time.
It's possible I've misunderstood, but I don't think they're trying to inject Little Snitch. I think they're trying to inject into Little Snitch, in order to evade its restrictions.
You haven't misunderstood. That's what they're talking about. This is a bad headline.
Ok, we injected an 'into' into 'inject Little Snitch'.
That's what I figured. It probably makes sense if you don't know what "inject" means in a context like this.
Little Snitch is a host-based application firewall for Mac OS X. It can be used to monitor applications, preventing or permitting them to connect to attached networks through advanced rules.
https://en.wikipedia.org/wiki/Little_Snitch
If you only need to send data once per week, and that data is less than 2K, simply encrypt it, make it part of a URL that you control, then tell the default browser to open that URL. Nearly everybody has configured Little Snitch so that the browser can connect to anything (because the popups quickly annoy). Then do a redirect on your server to something innocuous, and the user will quickly forget.
Or even better use window.close() then the user will only see the browser window open briefly. Of course if the user has JavaScript disabled, use HTTP 302 Found or HTML meta refresh to redirect, blah blah.
So, apart from not demonstrating very high skill level (already discussed in other comments written by people that seem knowledgeable), how is this even remotely morally shady? They clearly discuss penetrating particular target systems — isn't that exactly what you would expect your intelligence/counter-intelligence service to do?
visions of https://www.youtube.com/watch?v=sRcHt-sxcPI (Defcon 24: various bypasses of Little Snitch)
Why LS and not one of many other programs? Is it for the humour value of its name to specifically alter it?
I'd wager LS users are more tech-savvy and less likely to be using more mainstream tools like Norton or McAfee - they want one tool that gives them control over what programs have network access, not a bloated adware platform.
"Inject into" is their wording. The meaning is unclear. Is the goal to disable a working installation of Little Snitch?
Their goal is to suborn and evade it. In context, "inject into" should be understood to mean "to inject code or configuration of choice into a software package".
Adding their proxy/reverse shell/network tool to the firewall whitelist, most likely.
You are giving Thomas Ptacek too much credit by asking these questions. His only? engineering product was a gimmick that did "firewall rule management" and I doubt he had much to do with the engineering part. Yet he feels obligated to comment on the quality of CIA/NSA cyberespionage toolkits.
Personal attacks are not allowed on Hacker News. We ban accounts that do that. Please post civilly and substantively, or not at all.
https://news.ycombinator.com/item?id=13814135 and marked it off-topic.
95-96: EnterAct, OpenBSD
97-99: Secure Networks, Ballista scanner lead, vulnerability research lab
99-01: Doomed multicast startup
01-05: Lead dev, Arbor Networks
05-15: Cofounder, Matasano
15-16: Doomed recruiting startup
17-: Startup dooming startup
Hope that helps.
I like the idea that we squeezed 10 years out of that firewall rule thingy at Matasano. Sick burn!
This is a pretty interesting fly-by attack. Insinuation, not evidence based. Asking questions and having a conversation is why the rest of us are here. What is your goal by attacking the credibility of other people in the conversation?
EDIT: 128 days old, no prior comments or submissions.
Hmm... lame