All times are UTC + 1 hour
 Post subject: FBI spyware
PostPosted: Sat Apr 18, 2009 21:11 
http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html
https://www.jondos.de/en/node/1579

At least they seem to be obtaining warrants and not relying on the Patriot Act, although there is some concern that the spyware may be misused for trivial cases.

However, if the FBI can do it, so could a knowledgeable hacker whose intentions are purely malicious.

So what do we think they were using? JavaScript is too weak, most of the time. JavaScript alone should not allow such an infection, but unfortunately JavaScript's insecure design means that it is possible to deploy viruses with it.

Java and Flash seem more likely, since they are much more vulnerable. Also, the article suggests that the spyware can be deployed on a variety of operating systems and browsers, so it is probably not JavaScript, in which the bugs tend to be browser-specific.

I guess the concerning thing is that many of the criminals infected by the spyware look like they were much more knowledgeable about computers than I am, and yet still they were infected. There are certainly browser bugs outside of JavaScript and plugins, just read Secunia, but they are generally more difficult to exploit.

But then there are reports of hackers not getting infected, so maybe those were the ones who thought to disable plugins.

I wish a group of people with the paranoia level of the OpenBSD people would design a new browser. It would be nice to have plugins all running in chrooted jails.


PostPosted: Sat Apr 18, 2009 21:19 
I would not be surprised if the trojan is simply installed with Windows Update (with Microsoft's cooperation).


PostPosted: Sat Apr 18, 2009 21:27 
[quote]I would not be surprised if the trojan is simply installed with Windows Update (with Microsoft's cooperation).[/quote]

I think it is easier to use Windows bugs instead of Windows Update ;)


PostPosted: Sat Apr 18, 2009 21:31 
Hmm, that post is not very clear. I mean if they fail to do it with a browser vulnerability. (There was some talk about a failed attempt in the article.)

Browser vulnerabilities are found all the time and it is possible that the US government knows about some vulnerabilities which are not (yet) public knowledge.

What I am trying to say is that it is very unlikely you can hide from the government. They will get you one way or another.


PostPosted: Sat Apr 18, 2009 23:24 
[quote]So what do we think they were using? JavaScript is too weak, most of the time. JavaScript alone should not allow such an infection, but unfortunately JavaScripts insecure design mean that it is possible to deploy viruses with it. Also, the article suggests that the spyware can be deployed on a variety of operating systems and browsers, so it is probably not JavaScript, in which the bugs tend to be browser-specific.[/quote]

JavaScript alone IS strong enough. And I'm quite sure they used pure JavaScript for these attacks. The reason for this is buffer overflows in the JavaScript engine, for which every few weeks a new exploit is found for every browser. JavaScript bugs are browser-dependent, and therefore independent of the operating system.

Maybe it would be a good idea for the future to support Java browsers? They are by design not affected by this, as a JavaScript engine implemented in Java would not allow direct memory manipulation? Other JavaScript attacks still work against them, like XSS etc., but these will not let the attacker get direct control of your computer (he may just steal some cookies and passwords).


PostPosted: Sun Apr 19, 2009 5:06 
https://www.jondos.de/en/node/1579


PostPosted: Sun Apr 19, 2009 5:46 
[quote=jondos][quote]So what do we think they were using? JavaScript is too weak, most of the time. JavaScript alone should not allow such an infection, but unfortunately JavaScripts insecure design mean that it is possible to deploy viruses with it. Also, the article suggests that the spyware can be deployed on a variety of operating systems and browsers, so it is probably not JavaScript, in which the bugs tend to be browser-specific.[/quote]

JavaScript alone IS strong enough. And I'm quite sure they used pure JavaScript for these attacks. The reason for this is buffer overflows in the JavaScript engine, for which every few weeks a new exploit is found for every browser. JavaScript bugs are browser-dependent, and therefore independent of the operating system.
[/quote]

So you believe they went through the trouble of writing code to exploit different buffer overflow attacks for the JavaScript of each different browser they wanted to be able to attack? That is quite a feat.

[quote]
Maybe it would be a good idea for the future to support Java browsers? They are by design not be affected by this, as a JavaScript engine implemented in Java would not allow direct memory manipulation? Other JavaScript attacks still work for them, like XSS etc., but these will not let the attacker get direct control of your computer (he may just steal some cookies and passwords).[/quote]

What do you think of OpenBSD's PROT_* purity, W^X, .rodata, and propolice?

http://kerneltrap.org/node/573

But even then Mr. de Raadt says we could still be screwed by hardware vulnerabilities which the operating system cannot work around.

http://www.darknet.org.uk/2007/07/intel-core-2-duo-vulnerabilities-serious-say-theo-de-raadt/
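As an added illustration of the W^X policy mentioned in the post above (this is not code from the thread, from JonDonym or from OpenBSD): a small Python audit that parses memory-map lines in the Linux /proc/<pid>/maps format and reports every mapping that is both writable and executable. The sample lines are constructed; the `[jit-heap]` region stands in for the kind of read-write-execute area a JavaScript JIT engine would want, which is exactly what a strict W^X policy refuses to grant, so engines on such systems must flip page permissions between write and execute instead. The `audit_self` helper assumes a Linux host with /proc mounted; the rest runs offline.

```python
"""Audit memory-map permission strings for W^X violations.

Added example, not from the forum thread. Parses lines in the Linux
/proc/<pid>/maps format and flags any mapping that is simultaneously
writable and executable, which is what OpenBSD's W^X policy forbids.
"""
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "r-xp", "rw-p", "rwxp"
    path: str    # backing file or pseudo-name such as [stack]; may be empty

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    def violates_wx(self) -> bool:
        # W^X means a page may be writable or executable, never both.
        return self.writable and self.executable


def parse_maps(text: str) -> list:
    """Parse maps-format text into Mapping objects; reject malformed lines."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(
            Mapping(int(m["start"], 16), int(m["end"], 16),
                    m["perms"], m["path"].strip())
        )
    return mappings


def find_wx_violations(text: str) -> list:
    """Return every mapping in the given maps text that is both W and X."""
    return [m for m in parse_maps(text) if m.violates_wx()]


# Constructed sample: a normal binary layout plus one RWX region of the
# kind a JIT compiler would request. Only the [jit-heap] line violates W^X.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example
00651000-00652000 r--p 00051000 08:01 1234 /usr/bin/example
00652000-00655000 rw-p 00052000 08:01 1234 /usr/bin/example
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0 [jit-heap]
7ffd5e2f0000-7ffd5e311000 rw-p 00000000 00:00 0 [stack]
"""


def audit_self() -> list:
    """Audit this process's own address space (assumes Linux with /proc)."""
    with open("/proc/self/maps") as f:
        return find_wx_violations(f.read())


if __name__ == "__main__":
    for v in find_wx_violations(SAMPLE_MAPS):
        print(f"W^X violation: {v.start:#x}-{v.end:#x} {v.perms} {v.path}")
```

Run against a live process, `audit_self()` gives a quick answer to the practical question behind the post: whether a browser (or anything else) is holding pages that are writable and executable at the same time, the precondition the memory-corruption exploits discussed in this thread rely on.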


PostPosted: Sun Apr 19, 2009 6:25 
[quote=jondos][quote]

Maybe it would be a good idea for the future to support Java browsers? They are by design not be affected by this, as a JavaScript engine implemented in Java would not allow direct memory manipulation? Other JavaScript attacks still work for them, like XSS etc., but these will not let the attacker get direct control of your computer (he may just steal some cookies and passwords).[/quote]

Funny, 'cause the Java "sandbox" often failed. :)
So it's no good idea to tell people that they can activate scripting in their browser.

And what the FBI did was plain, simple old-school cracking, nothing mystic.


PostPosted: Sun Apr 19, 2009 7:09 
[quote]So you believe they went through the trouble writing code to exploit different buffer overflow attacks for the JavaScript of each different browser they wanted to be able to attack? That is quite a feat.[/quote]

This is not as difficult as you might think.


PostPosted: Sun Apr 19, 2009 11:16 
Maybe we should have a JonDoLynx.

There have been few Secunia vulnerabilities for Lynx, and all are patched now.

http://secunia.com/advisories/product/5883/?task=advisories

