WikiLeaks Unveils CIA Implants That Steal SSH Credentials From Windows, Linux PCs (thehackernews.com)
An anonymous reader quotes a report from The Hacker News: WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors. Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network. The implants are dubbed BothanSpy -- an implant for the Microsoft Windows Xshell client -- and Gyrfalcon -- which targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu. Both implants steal user credentials for all active SSH sessions and then send them to a CIA-controlled server.
Illegal (Score:5, Informative)
I thought hacking was illegal under the computer crimes and abuse act?
Re:Illegal (Score:5, Informative)
For you yes it is illegal... For the government? Not so much...
Re:Illegal (Score:5, Insightful)
It's also illegal for the government. But they just look the other way like any good tyrant would. The way law works is to either take specific rights away from citizens by saying "thou shalt not X" (for example you will not break into someone's computer and steal information), or to grant specific rights to governments by saying "The government can X" (you can break into someone's computer and seize information IF YOU HAVE A WARRANT).
Unfortunately governments over time adopt the attitude that they are allowed to do things if it's not prohibited by law. That is completely wrong. It's the citizen who is allowed to do anything that's not prohibited by law. Government requires law to grant them the right to do anything, otherwise they can't do it. But when you just ignore the law anyway because you know no one will prosecute you, or you can just pull out the "National Security" card...
Re: (Score:3)
It also creates loopholes for people, and smart people. Look at the case of the guy who was arrested and charged with CP. He either ended up with a severely reduced sentence, or it being dropped by the court (can't remember which), because while the government broke the law to discover who he was -- they were unwilling to disclose how they found out who he actually was. In western law there's a fundamental right of full disclosure; if the prosecution is unwilling to do that you're likely going to walk awa
Re: (Score:3)
ZDNet article on that case. [zdnet.com]
Re: (Score:2)
Unfortunately governments over time adopt the attitude that they are allowed to do things if it's not prohibited by law.
I'd say that viewpoint is remarkably ignorant of history; the notion that governments are "constrained" is a neologism at best.
In the US, the Bill of Rights is dominated by a list of restrictions on the government's abilities. The government won't restrict free speech, it won't favor a religion, it won't prevent weapon ownership, it won't house soldiers in your home, won't take your property without due process... a large portion of it expresses that there were restrictions on the government, not a list of
Re:Illegal (Score:5, Insightful)
For foreign governments, still very much so and according to the US government, a declaration of war, as they have stated repeatedly. According to the US Government's own big fat fucking mouths, when they hack your country's network, they have committed an act of war and should face the consequences. It would seem according to the US Government's own stance, that the US government should be publicly rebuked by the United Nations for committing acts of war all over the world, as defined by the US government.
Re: (Score:1)
"publicly rebuked by the United Nations "
You have got to be kidding me. Name one country on the planet that actually listens to anything the UN says. Especially if the UN's strident declarations affect their own countries. The US, Russia, and China are all for following UN directives targeted at other countries but routinely tell the UN to fuck off when they are the UN's target. US foreign intelligence and counter intelligence agencies can do anything they want outside of the US. The only rule is don't get c
Re: Illegal (Score:2)
Spontaneous outbreaks of terror attacks appear to have a chilling effect on such expressions of dismay.
Re:Illegal (Score:5, Interesting)
they have committed an act of war and should face the consequences.
What consequences? The previous US gov't admitted to Stuxnet, a clear act of war - major sabotage, not just spying. And the consequences?
None, except setting a precedent for everybody else. It's hard for the US to be taken seriously now if condemning other countries for cyber-attacks.
Re: (Score:1)
"It's hard for the US to be taken seriously"
Yup, the US can go get fucked.
Re: (Score:1)
It's hard for the US to be taken seriously now
We stopped taking your government seriously YEARS ago. I think it started with Bush Jr.
Re: (Score:1)
Did they? There's little doubt, and even some sly statements, but did they actually admit it?
Re: (Score:2)
Did they? There's little doubt, and even some sly statements, but did they actually admit it?
Not officially, but by multiple orchestrated "leaks" of details to the media. They certainly did not follow the usual "neither confirm nor deny" approach. See NY Times, June 1, 2012.
http://www.nytimes.com/2012/06... [nytimes.com]
https://www.theregister.co.uk/... [theregister.co.uk]
https://arstechnica.com/tech-p... [arstechnica.com]
Re: (Score:1)
Kidder you are! Face the consequences ... ? Only the weak face consequences. The strong state does as it will. Always was; since Göbekli Tepe cave-men fought with sticks and stones. Always will be. No feckin-A Princess Leia or holodeck.
Re: (Score:3, Informative)
I thought hacking was illegal under the computer crimes and abuse act?
You thought wrong.
18 U.S. Code 1030 - Fraud and related activity in connection with computers
(a) Whoever—
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information....
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the
Re: (Score:3)
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
And therein lies the problem. No law, Act, nor Executive Order can allow the government to legally violate the US Constitution. They pretend it's not so, but it is and they are in violation of their oaths of office as well as guilty of numerous and blatant violations of civil rights under color of law and should be incarcerated for the rest of their lives with no chance of parole, at minimum.
An unconstitutional law is no law at all. And no, nine guys in black robes are *not* the final arbiters, the people a
Re: Illegal (Score:1)
Thank God the founding fathers had enough foresight to include the clause "don't hax me bro!" in the constitution.
Re: (Score:2)
Thank God the founding fathers had enough foresight to include the clause "don't hax me bro!" in the constitution.
Yes, and it can be found (not necessarily in order of relevance/applicability) in the 1st, 4th, and 5th Amendments (depending on individual context) to the US Constitution.
They had the foresight to lay out a design for government based on universal principles that stand regardless of the advances of civilization, technology, & science.
Strat
Re: (Score:3)
The people want free healthcare, and free housing, and free income. They DON'T want freedom nor the responsibility that comes with it.
There's already a place right here in the US and in every nation on Earth where those people can have all of that free stuff and enjoy a life free from responsibility.
It's called a "prison".
Strat
Re: (Score:3)
In many jurisdictions, it's technically illegal for an emergency service vehicle (e.g. police car, fire engine, ambulance) to speed or break red lights. It's also illegal to prosecute them if they're attending to an emergency.
Re: (Score:2)
In many jurisdictions, it's technically illegal for an emergency service vehicle (e.g. police car, fire engine, ambulance) to speed or break red lights. It's also illegal to prosecute them if they're attending to an emergency.
It is legal under emergency law/necessity. You don't need special laws to make it legal to break the law when saving human life; it is already covered by "necessity".
Re: (Score:2)
I read that particular act as saying it is only illegal if you hack a financial system or government property?
So... (Score:5, Informative)
FTA
BothanSpy is installed as a Shellterm 3.x extension on the target machine and only works if Xshell is running on it with active sessions.
The user manual for Gyrfalcon v2.0 says that the implant consists of "two compiled binaries that should be uploaded to the target platform along with the encrypted configuration file."
You need an attack vector to implant the malware.
Re:So... (Score:5, Informative)
Not only that, the Gyrfalcon User Manual (Page 6) says:
1. Extract the files from the 'upload' directory in the tarball (see section 2.3.1). Both the gyr64-linux (or gyr32-linux) executable and the encrypted config file (in the example, .gfconf) are needed. The executable can be renamed to suit the operation.
2. Upload the files to the target using whatever means available. Place them in the 'Working Directory' (as specified in the configuration).
3. Change to the working directory and execute gyrfalcon as root:
$ su - (if necessary)
# cd /gyrfalcon/working/directory
# ls -a
.  ..  .gfconf  gyr64-linux
# ./gyr64-linux /dev/null
#
So, someone who has root access to a Linux system can get the SSH keys of any user of that system. Well, duh....
Re: (Score:2)
The key is in collecting them from the openssh client/key agent memory between the time you enter the passphrase to decrypt it, and the time it's eventually unloaded from RAM.
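The comment above pins the theft window to the time a decrypted key stays resident in the agent. One defensive check that follows from that, written here as an added example rather than anything from the thread or from the leaked material, is to audit an OpenSSH client config for `AddKeysToAgent` settings that load keys into ssh-agent with no lifetime. The sample config text is constructed for the example; the parser applies the ssh_config(5) rule that the first obtained value for a keyword wins, and the accepted values for `AddKeysToAgent` (`yes`, `no`, `ask`, `confirm`, or a time interval) are taken from that man page. A default lifetime passed to `ssh-agent -t` is not visible in the config and is not checked here.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample ~/.ssh/config (hosts use the reserved .invalid TLD).
SAMPLE_CONFIG = """\
Host build-box
    HostName build.example.invalid
    AddKeysToAgent 30m

Host bastion
    HostName bastion.example.invalid
    AddKeysToAgent confirm

Host legacy
    HostName legacy.example.invalid
    # no AddKeysToAgent here: inherits the 'Host *' default below

Host *
    AddKeysToAgent yes
"""

# ssh time intervals: e.g. 3600, 30m, 1h30m, 2d
_INTERVAL = re.compile(r"^(\d+[smhdw]?)+$", re.IGNORECASE)


def parse_ssh_config(text):
    """Parse ssh_config text into an ordered list of (patterns, options).

    Options before the first 'Host' line go into a leading block that matches
    every host, mirroring how ssh treats top-level directives.
    """
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def _host_matches(patterns, host):
    """ssh-style Host matching: any positive pattern matches, a '!' pattern vetoes."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatchcase(host, pattern):
            matched = True
    return matched


def effective_option(blocks, host, keyword):
    """Return the value ssh would use: the first one obtained, in file order."""
    keyword = keyword.lower()
    for patterns, options in blocks:
        if not _host_matches(patterns, host):
            continue
        for key, value in options:
            if key == keyword:
                return value
    return None


def classify_agent_lifetime(value):
    """How long a key added via AddKeysToAgent stays resident in the agent."""
    if value is None:
        return "unset"          # only ssh-add loads keys; lifetime set there
    v = value.lower()
    if v == "no":
        return "not-cached"     # key never enters the agent via ssh
    if v in ("yes", "ask", "confirm"):
        return "unbounded"      # resident until the agent exits or ssh-add -D
    if _INTERVAL.match(v):
        return "bounded"        # agent drops the key after the interval
    return "unknown"


def audit(text, hosts):
    """Return (host, effective AddKeysToAgent value, lifetime class) per host."""
    blocks = parse_ssh_config(text)
    findings = []
    for host in hosts:
        value = effective_option(blocks, host, "AddKeysToAgent")
        findings.append((host, value or "(unset)", classify_agent_lifetime(value)))
    return findings


if __name__ == "__main__":
    for host, value, status in audit(SAMPLE_CONFIG, ["build-box", "bastion", "legacy", "other"]):
        print(f"{host:<10} AddKeysToAgent={value:<9} -> {status}")
```

Note that `confirm` is reported as unbounded on purpose: it makes the agent prompt before each signing operation, but the decrypted key is still resident in agent memory, which is the exposure the comment describes. Only an interval value or `no` actually shortens or removes that residency.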
Re: (Score:1)
The NSA's SELinux?
https://www.nsa.gov/what-we-do... [nsa.gov]
Re: (Score:1)
You do realize NSA has both a defensive and offensive side of the house right? Guess which one created SELinux....
Re: (Score:2)
You do realize NSA has both a defensive and offensive side of the house right?
You know, you're absolutely right!
Why, just the other day I spotted the NSA defense boys by their van, down by the river!!!
Strat
Re: (Score:2)
Does this mean that SELinux, properly configured to reduce root privileges, would in fact result in the logging and/or defeat of the gyrfalcon payload, without further kernel-level exploits regaining those permissions?
I'm certainly not an SELinux expert; but, given that the root user can change the security context of most files and directories, I don't see how SELinux would make a meaningful difference.
Corrections are welcome, though.
Re: (Score:2)
I'm now interested to see if enforcing SELinux prevents this.
Re: (Score:3)
You need an attack vector to implant the malware.
Did many Bothans die to bring you this information?
Re: So... (Score:3)
Just because the manual is written as if you had a human typing commands into a shell doesn't necessarily mean that's how it was expected to be used. I imagine that when you're writing the manual for a piece of secret software you're supposed to be discreet about describing the exact capabilities other pieces of secret software have. At least I would be.
In any case the precise vector used probably changes over time.
Re: (Score:2)
You need an attack vector to implant the malware.
The user.
Done.
I thought you had a problem that would make this not work?
Again? (Score:3)
I think I remember seeing this very tool in the "NSA catalog" type thing from the big ES leak.
Just more proof: if it's on a computer, it's insecure.
There's no security hole here (Score:5, Informative)
The manual says, "Upload the files to the target using whatever means available."
This is something an agent puts on an already-compromised machine.
Re: (Score:2)
Sometimes the code will be added on a USB device by hand and the data collected in the same way.
Other times down a network and the data collected in the same way.
It just depends on the nation, the ability to get site access and tell a good story about needing computer access.
The security hole is left to what is needed. The collection method works as expected.
At one point (Score:2)
This type of shit should stop! What else is hidden from public by those goons?
Do they have any decency? Probably not, needs a certain character to feel superior and protect the country....
Re:At one point (Score:5, Insightful)
C'mon... I'd be mad if our intelligence agencies didn't have this. This is just post-exploit kit. They'd be incompetent if they didn't have it. Even more incompetent than they were for letting this material escape the barn.
The thing to get mad about is sabotage of products to maintain backdoors, and keeping bugs secret.
Re: (Score:2)
Wait so which is it? They should have this sort of thing or they should make bugs public
They should have post-exploit kit. Once they have found a way in they should have tools to take advantage of an adversary's system. That's all this is. It isn't a way into the system, it's just a way to discreetly use the system once it has already been hopelessly p0wned.
They should also have a rolling inventory of exploits. They should find lots and lots of exploits. In the case that exposure of the exploit would harm the economic interests of the U.S. either due to making our IT industry's products l
Re: (Score:3)
What are you whining about? It's their job to be sneaky and surreptitiously collect data.
You think they should announce to the world all the vulnerabilities they've found so those means can be closed? If those attack vectors are on the machine of a foreign government they provide invaluable ways of collecting data which don't involve putting someone's life at risk.
What do you think a spy agency does? Tell their target, "Hey, we're going to put this software on your machine so we can listen in and record ev
Re: (Score:2)
You think they should announce to the world all the vulnerabilities they've found so those means can be closed?
Yes, because we all become less safe when they are kept secret. Unless you're dumb enough to think only the US can find the vulnerabilities.
Re: (Score:2)
... You think they should announce to the world all the vulnerabilities they've found so those means can be closed? ...
Maybe - so what did those WikiLeak dumps accomplish and who paid the price? Normal folks getting their machines encrypted!
And why? Because those known holes are not plugged to have maybe _some_ advantage there over others.
And - if the code is leaked, what about the data collected? Who owns them, who gets them for good money maybe and for what can they be used?
Trust anyone in that clandestine scene?
Nobody wins in that game, so why play it?
Every other day something comes up what the spooks are doing and b
Re: (Score:2)
You think they should announce to the world all the vulnerabilities they've found so those means can be closed?
But this isn't a vulnerability. It's a post-intrusion toolkit for simplifying collecting data. The vulnerability here is that the operating systems were designed to have a superuser.
Re: (Score:2)
I'm sure he thinks he can broker a deal - the FSB will pinky swear promise that they won't spy and the CIA will do the same and go skipping into the sunset together arm in arm. Now those North Koreans are a little tricky but I'm sure with enough hand wringing he thinks he can get them to stop being meanies and put away their nuclear weapons. We might have to promise to buy them puppies or something but it'll be totally worth it for a safer world! What's that? Russia just invaded the rest of Ukraine?! But t
Windows, Linux... (Score:2)
But NOT macOS.
Tee Hee.
Re: (Score:3, Funny)
Nope. Apple installed their own implants except they have round edges.
Re: (Score:2)
It's just a Python script. It could probably be easily tweaked to run on macOS.
Re: (Score:2)
It's just a Python script. It could probably be easily tweaked to run on macOS.
Spoilsport!
Re: (Score:2)
But NOT macOS.
Tee Hee.
They're still arguing over which shade of black their hats should be.
Re: (Score:2)
Clearly they only have an interest in getting the keys of people who might have enough competence to be dangerous :^) Seriously, your assumption that they don't have a tool for Mac just because this isn't it makes you look pretty fucking stupid.
And your assumption that it doesn't exist only because there is no interest is equally arrogant.
sort of like exposing the bows and arrows (Score:2)
It's Python! (Score:2)
I knew Python would eventually slither in and undermine my security with its whitespace of doom!
The POSIX Shell Script Master Race prevails again! ;)
Um ... (Score:1)
Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network.
[ The restraint exhibited in explaining SSH, on a tech site, but *not* "cryptographic" is amazing. /sarcasm ]
So the CIA has a rootkit (Score:1)
So it seems the CIA has their own rootkit. Backdoored SSH clients are absolutely nothing new at all. I remember seeing crap like that in the early 2000s. What next, are they going to tell me about their SUPER AWESOME tty snooper too?
Stallman would say... (Score:2, Informative)
Re: (Score:2)
Passwords? For an SSH session? Is this the 90s or something?
Sanctions necessary (Score:1)
It's time for the rest of the world to force the United States to disarm. This is clearly an unstable regime and a constant source of military aggression.