Silk Road forums
Discussion => Security => Topic started by: ProudCannabian on August 22, 2012, 11:10 pm
-
http://www.theregister.co.uk/2012/08/22/malware_crisis/
This seems a little too sophisticated for the average virus writer... US Gov maybe?
-
This piece of malware from most accounts was written by a company to be sold to Government agencies and used to remotely access targets computers and related data.
-
That does not look like a very sophisticated virus. It requires user interaction. It is apparently using a CNC, and a single server at that. How elaborate does a virus need to be to spread from host to the virtual machine? Not at all. Spreading from internet to virtual machine? Not at all. Surviving through reboots, wowwie that is pretty impressive. The US gov can do shit that makes this look like childs play, and honestly it is not particularly impressive at all.
-
^ LOL, there's a Mr Ahmadinejad on the phone for you Mr Kmfkewn, something about a mislaid 'airgap' or something?
But seriously, it's interesting that it targets VMs. But can it spread from a virtual machine to a real machine, that's what I want to know. Article wasn't clear on that, but looks like a no upon initial impression
Also, what defense would there be against a LE malware that traversed from a VM to a real machine. What solution, virtual machines running virtual machines? Inception! We must go... deeper! *hans zimmer music*
And I don't see why there isn't a simple cost effective fix for this. If that ip address being reported to is static, because it sounds like it from the article, then I don't see why you shouldn't just bomb it with a legal DOS attack while you're trying to find who's running the server to shut it down?
-
Having key-loggers or any sort of malware on my PC is the only thing that really makes me paranoid. I have all the other bases covered.
Anyone have good methods for weeding out any malware?
I have tried installing Liberte onto a USB stick, as I believe this is the best solution to eliminate this threat, but an error comes up saying that the boot sectors cannot be fully written or something.
-
Having key-loggers or any sort of malware on my PC is the only thing that really makes me paranoid. I have all the other bases covered.
Anyone have good methods for weeding out any malware?
I have tried installing Liberte onto a USB stick, as I believe this is the best solution to eliminate this threat, but an error comes up saying that the boot sectors cannot be fully written or something.
Well, I have to tease kmfkewn because on this very subject he was once advocating the idea earlier of using a physical airgap, this would involve having 2 machines, 1 which connects to the net, and the other on which you do all your work etc. This would involve manually typing in with a keyboard, every single character from one machine to the machine :D
The best practical way, is as you say, to use a live-USB/live-CD operating system which wipes everything. One problem is that you need a way to store information like public keys, so you're not going to be able to do that unless there's some kind of persistent memory e.g. Liberte's ~/persist directory.
On your error, I suggest you take it up with Maxim, the developer of Liberte, but it sounds like your boot loader is protected or something like that. Could be a security feature of some anti-malware software. Maybe you need to turn off some feature in your BIOS or in the anti-malware software?
-
Having key-loggers or any sort of malware on my PC is the only thing that really makes me paranoid. I have all the other bases covered.
Anyone have good methods for weeding out any malware?
I have tried installing Liberte onto a USB stick, as I believe this is the best solution to eliminate this threat, but an error comes up saying that the boot sectors cannot be fully written or something.
Well, I have to tease kmfkewn because on this very subject he was once advocating the idea earlier of using a physical airgap, this would involve having 2 machines, 1 which connects to the net, and the other on which you do all your work etc. This would involve manually typing in with a keyboard, every single character from one machine to the machine :D
The best practical way, is as you say, to use a live-USB/live-CD operating system which wipes everything. One problem is that you need a way to store information like public keys, so you're not going to be able to do that unless there's some kind of persistent memory e.g. Liberte's ~/persist directory.
On your error, I suggest you take it up with Maxim, the developer of Liberte, but it sounds like your boot loader is protected or something like that. Could be a security feature of some anti-malware software. Maybe you need to turn off some feature in your BIOS or in the anti-malware software?
I don't think that the issue of malware is covered enough on this forum. Considering malware would render any FDE attempts useless, I'm quite surprised there isn't a sticky covering this subject. It's scary that LE can sit outside your house and inject such things as worms and alike onto your system as easy as that! RIPA allows them to do this easily too!
I scanned my system with the ESSET Online scanner as well as my system scanner which showed no results for any malware. I downloaded a process explorer to see if I could find any suspicious processes running that are not listed as a Microsoft one and check .dll files and file types associated with keylogger. Googled any that were not. I checked the programs listed in my firewall to see if there are any I didn't recognise, as they have to send data back to the owner, and nothing out of the ordinary was there. Scanned my system in safe mode with spybot as well as my usual antivirus and again nothing came up!
I hear such things can be impossible to detect even with good antivirus. Also that your firewall might not necessarily detect malware sending data back as the packets are small and slip under the radar. All this is 'bro science' I read from the web, so any corrections in what I have said are welcomed :)
As for Liberte not running... I think that maybe the USB drive might have some bad sectors on it that could be stopping it from writing. Just a guess. I tried installing it from the .iso format and it failed also. Tried installing tails to see if that worked, but again that failed. I did disable my antivirus for a short while whilst attempting again, but same error :P
I will buy a new USB drive and try again.
Checking for malware on my system is not really becuase I want to use Windows permanently, rather its to see if my SR activity has been monitored by local authorities -adjusts tinfoil hat- 8) I really can't be bothered will the ballache of having my post monitored and deliveries not showing up.
-
I don't think that the issue of malware is covered enough on this forum. Considering malware would render any FDE attempts useless, I'm quite surprised there isn't a sticky covering this subject. It's scary that LE can sit outside your house and inject such things as worms and alike onto your system as easy as that! RIPA allows them to do this easily too!
I agree it's important, but at the same time it's a last resort defense, your primary defense should be your anonymity, then plausible denibility. After that, you probably should stop thinking 'evasive maneuvers' and lawyer up by putting an awesome attorney on retainer. I'd be interested to hear other opinions on general strategy vs tactics though.
I scanned my system with the ESSET Online scanner as well as my system scanner which showed no results for any malware. I downloaded a process explorer to see if I could find any suspicious processes running that are not listed as a Microsoft one and check .dll files and file types associated with keylogger. Googled any that were not. I checked the programs listed in my firewall to see if there are any I didn't recognise, as they have to send data back to the owner, and nothing out of the ordinary was there. Scanned my system in safe mode with spybot as well as my usual antivirus and again nothing came up!
The problem is that there are certain kinds of keyloggers, that are literally impossible for software to pick them up. Unless you live in China, these should have to be installed as physical components though. That's why I'm a big fan of anonymity first. In order to compromise a machine, they first need to know where it lives.
I hear such things can be impossible to detect even with good antivirus. Also that your firewall might not necessarily detect malware sending data back as the packets are small and slip under the radar. All this is 'bro science' I read from the web, so any corrections in what I have said are welcomed :)
It is possible. I mean a malware could hypothetically encrypt the data e.g. recordings from a microphone, screenshots, keystrokes and send it as (pseudo) SSL packets. I doubt the best hackers would want to work for LE though, kinda doesn't fit with the entire ethos of being a hacker, albeit I'm sure there's a few hypocrites out there.
As for Liberte not running... I think that maybe the USB drive might have some bad sectors on it that could be stopping it from writing. Just a guess. I tried installing it from the .iso format and it failed also. Tried installing tails to see if that worked, but again that failed. I did disable my antivirus for a short while whilst attempting again, but same error :P
I will buy a new USB drive and try again.
Checking for malware on my system is not really becuase I want to use Windows permanently, rather its to see if my SR activity has been monitored by local authorities -adjusts tinfoil hat- 8) I really can't be bothered will the ballache of having my post monitored and deliveries not showing up.
I think you are best off moving to Linux if you're concerned about LE malware. I too think LE malware is going to be an issue in the future, with possible mass surveillance programs (unlike ECHELON, which as far as I can gather passively sifted for threats to western powers, existential attacks on the State as opposed to the normal back and forth of internal dynamics of government and its host environment).
Also, even if Linux was not more secure (which it is), Macintosh and Windows are pieces of software which are made by organizations which are LE attention whores beyond reason. Look at all the cock mongling Skype and Microsoft are doing for the FBI and other LE, it's ridiculous, our tech companies, from Cisco Systems to Vodafone to Websense are doing their level best to aid blatantly despotic regimes while Julian Assange and Jacob Applebaum are being monitored like they were trying to blow up buildings. Good job guys. Real patriotic.
-
I still advocate for air gaps they are an insanely powerful security technique. If your plaintexts / private keys / passphrases are never exposed to the internet then you don't have very much to worry about malware. You also do not need to type over every character, you can use disposable one time use media such as a CD to copy over from the machine without internet connection to the machine with internet connection, the only copying you need to do is to bring public keys from the internet connected machine to the isolated by air machine, as if you expose it to a CD that has been exposed to the internet it could be bugged and transmit back via the CD you use to transfer ciphertexts from it.
Using a live CD is not particularly helpful against malware, sure it protects from persistent malware but it doesn't do shit to stop an attacker from deanonymizing you or temporarily being able to eavesdrop on your keystrokes. A live USB could even have persistent malware installed to it. The best solution is to layer isolation I believe, I am thinking that SElinux is the way to go about this. Of course making sure that you are taking full advantage of ASLR , and hardening your OS and browser, will also go a long way towards protecting you from malware.
scanned my system with the ESSET Online scanner as well as my system scanner which showed no results for any malware.
The thing to keep in mind about virus scanners is that they are a complete joke and if any half skilled attacker wants to they can circumvent them with a targeted payload that is not released into the wild. Making a virus that is not detected by any anti-virus software is a fairly trivial task, and you can easily confirm when your virus has reached such a state by running anti virus products against it until it becomes undetectable. Ninety nine out of a hundred times an anti virus program is not going to be able to detect a targeted payload that has not been released into the wild for the anti virus people to be able to get a copy of it. Also the first thing a good virus does is disable your anti viruses ability to detect it, so even if the anti virus company does end up protecting from a virus, it isn't likely to do you much good if you have already been infected.
I agree it's important, but at the same time it's a last resort defense, your primary defense should be your anonymity
Anonymity doesn't protect you from malware (generally speaking, although in some cases it can make life harder for an attacker), and malware can deanonymize you. I imagine you have heard of CIPAV?? You can use the best encryption algorithms in the world and the best anonymity network around and it is all going to do jack shit to protect your plaintexts or identity if an attacker roots you. Having strong data and location security without strong defenses from malware is similar to having a fortified door with an open window next to it.
In order to compromise a machine, they first need to know where it lives.
This is 110% wrong. In fact, they can find where a machine lives by compromising it. An attacker who manages to root SR and finds a multi-platform exploit for firefox could theoretically take over the computers of everyone using firefox to surf SR, by for example adding malicious javascript to it that exploits a vulnerability in firefox to take over its permissions, which (in most configurations) includes the ability to stop routing through Tor and deanonymize you, and very likely to spy on your plaintexts prior to encrypting them with GPG (through lack of isolation in X for example). In practice it might be more difficult for them to simultaneously pwn every single person here, because some might be using different browsers, some may have javascript turned off, some may be protected by default OS features like ASLR, etc...but it is entirely possible in theory for such an attack to be carried out. So far such things seem like they are far more common for intelligence agencies to do than police forces though.
-
If you are really worried about LE malware your best bet is to use air gaps where possible, SElinux where not, make sure to use a 64 bit OS with ASLR, configure a firewall and intrusion detection/prevention system (IPS/IDS) and generally harden your OS and browser.
-
I still advocate for air gaps they are an insanely powerful security technique. If your plaintexts / private keys / passphrases are never exposed to the internet then you don't have very much to worry about malware. You also do not need to type over every character, you can use disposable one time use media such as a CD to copy over from the machine without internet connection to the machine with internet connection,
*pine faints from relief* :D
the only copying you need to do is to bring public keys from the internet connected machine to the isolated by air machine, as if you expose it to a CD that has been exposed to the internet it could be bugged and transmit back via the CD you use to transfer ciphertexts from it.
That gave me an idea, probably not an original one.
What if you collect your encrypted messages and public keys et al, and sum up the total number of bytes for each plain text file. Then you burn to CD. If the CD has > the total number of bytes burnt to it, then a sneaky piece of malware is trying to hop along for the ride.
There's probably some caveats, but this seems fairly foolproof to me. You could pop all the plain text files into a compressed folder and then do a SHA hash or checksum of it, but the problem there is that you might be counting/adding the malware along with the plaintext files without being aware of it (this is all on the internet machine, with any checks to be done at the air gapped machine). Do you have any better ideas than mine for detecting malware stowaways on these read only disks?
Also, this air gapped machine. It can't be just any machine. If you're to take this seriously, then you need a machine that physically does not have networking capability, whether wi-fi, Ethernet, or Bluetooth, absolutely anything.
Using a live CD is not particularly helpful against malware, sure it protects from persistent malware but it doesn't do shit to stop an attacker from deanonymizing you or temporarily being able to eavesdrop on your keystrokes.
How is that possible if it's impossible (in some cases live CD setups) to save any files? How can this be possible without making some manner of change to the client end? Or perhaps I misunderstand you, and you mean many situations in which an live-CD or live-USB may have access to the hard disk. e.g. installing a malware to Liberte's ~persist directory?
Still, I would have thought that this isn't really possible when you have an entire Operating System as being read only with a severely controlled list of possible changes (e.g. like switches on a dashboard, but no alterations to permissions, Liberte if I remember correctly does not allow any permissions changes, unless you quickly enter a certain command/series of steps the second the OS loads, and after a couple of minutes it is impossible to even do this).
Please explain more explicitly how an exploit can occur in the typical environment of a live-USB or live-CD, because we're all interested in preventing just that.
A live USB could even have persistent malware installed to it. The best solution is to layer isolation I believe, I am thinking that SElinux is the way to go about this. Of course making sure that you are taking full advantage of ASLR , and hardening your OS and browser, will also go a long way towards protecting you from malware.
Most live-USB OS that people will be running is Linux, open source. So if a live USB could have a persistent malware, then so could the Tor software. At some point you have to trust that something works or you'd never get anything done. I would agree though, that specific distributions tailored to the security conscious ought to be closely watched for any red flags. e.g. Liberte, hardened Gentoo, Tails.
I tried using SELinux stuff once. I have to say, it was not exactly accessible and it was a struggle to get anything useful done, even to a geek. Maybe you could point to a tutorial or something that would be the most relevant for what we do here in our situation. Ima practical animal, or at least I try to be.
I must admit, I've never even heard of ASLR until now (it randomly pushes your data stuff/programs about in memory folks, so a hacker has trouble pinpointing where to exploit). How do you optimize this ASLR stuff best? Does it just mean having the latest OS? By hardening your OS/Browser, I'm assuming you're talking about using SELinux, and that by Browser you mean the Tor browser. If you modify the TBB or however you've setup the Tor software on your computer, isn't it possible you'll separate yourself from the crowd on the Tor network. e.g. could change your browser settings to ones that are relatively unique, potentially deanonymizing you. Maybe I misunderstand this, but I like to be sure.
tldr to lurkers; just use linux, safe against 99.9% of the general malware floating around out there.
I agree it's important, but at the same time it's a last resort defense, your primary defense should be your anonymity
Anonymity doesn't protect you from malware (generally speaking, although in some cases it can make life harder for an attacker), and malware can deanonymize you. I imagine you have heard of CIPAV?? You can use the best encryption algorithms in the world and the best anonymity network around and it is all going to do jack shit to protect your plaintexts or identity if an attacker roots you. Having strong data and location security without strong defenses from malware is similar to having a fortified door with an open window next to it.
I have heard of CIPAV, it is the FBI software used to obtain ip addresses and I think, to keylog information. I think it was most famously used in a project called Magic Lantern, to compromise some Mafia dudes. And some kid threatening to bomb a school or something equally stupid (although every kid wants this really :D), as per one of your intel reports.
I agree hardening security against malware is important, but I think you're overstating the case to illustrate the point. I'm pretty sure anonymity does protect me from malware to some extent, otherwise I doubt I would be typing this. In order for an attacker to place a rootkit on my machine, they must first put it on my machine. They cannot do that, unless A: they find my machine or B: they rootkit everybody (I think we call this the Chinese approach, lol).
In order to compromise a machine, they first need to know where it lives.
This is 110% wrong. In fact, they can find where a machine lives by compromising it. An attacker who manages to root SR and finds a multi-platform exploit for firefox could theoretically take over the computers of everyone using firefox to surf SR, by for example adding malicious javascript to it that exploits a vulnerability in firefox to take over its permissions, which (in most configurations) includes the ability to stop routing through Tor and deanonymize you, and very likely to spy on your plaintexts prior to encrypting them with GPG (through lack of isolation in X for example). In practice it might be more difficult for them to simultaneously pwn every single person here, because some might be using different browsers, some may have javascript turned off, some may be protected by default OS features like ASLR, etc...but it is entirely possible in theory for such an attack to be carried out. So far such things seem like they are far more common for intelligence agencies to do than police forces though.
Ok. But SR does not need JavaScript and many of us don't have it enabled by default. Unless your rootkit is somehow able to manipulate a scriptless browser.
On that subject, I wanted to ask you from before. Can you physically remove the ability of the Tor browser to use scripts? I mean, removing the actual code that would allow an extension, allow a script to be run etc. Seems to me, if you remove that kind of stuff, the odds of exploitation are zilch. My concern would be that such modification might alter the browser signature though. So I was hoping for some input on that idea, whether it's realistically possible and what the ramifications might be.
--
Question. If the malicious JavaScript stops you routing through Tor, then how exactly does this help the enemy? I mean, once you stop routing through Tor, you're on clearnet right, so it's not as if you're going to reach a url like http://dkn255hz262ypmii.onion with this newly clearnetted browser, right? I don't get how stopping Tor routing will deanonymize me. Seems like it just kicks me off the Tor network.
And how the hell is a JavaScript, any JavaScript, going to influence the X window system? JavaScript cannot modify the Operating System. JavaScript can't go about editing configuration files since it can't access the local directories and write to the hard disk. So how in the name of fuck it is possible to spy on GPG software via the X Window system? I am seriously dubious in case you couldn't tell. :D You have surely got to be missing a few steps there. :p
Anyway, I'm not trying to be the Grand Inquisition here, just trying to distill your noggin into a potential series of helpful pint sized tutorials that make sense to anybody, that would be good. Share the wealth! :)
Hardening your machine stuff might be good, but hardening some people out of everybody is better, increases the Anon-Set.
Lastly; isn't there a special piece of hardware, a particular kind of CPU that makes it really tough to compromise encryption? It might have been while it's being done. Your reference to ALSR reminded me of it but I can't remember the name now.
P.S. Who is the author of PolyFront, was that yourself or some other fellow? Curious mammal is curious. Reply by PM if necessary. Actually PM me anyway, I have some interesting shiny new factoids that came my way I'm pretty sure you'll be salivating over or something. :D
-
That gave me an idea, probably not an original one.
Actually I made a mistake, you would need to type over ciphertexts from the internet facing machine to the isolated machine as well. You could use CD to copy over ciphertexts and public keys from the internet facing machine to the isolated machine, or ciphertexts from the isolated machine to the internet facing machine, but not in both directions.
What if you collect your encrypted messages and public keys et al, and sum up the total number of bytes for each plain text file. Then you burn to CD. If the CD has > the total number of bytes burnt to it, then a sneaky piece of malware is trying to hop along for the ride.
There's probably some caveats, but this seems fairly foolproof to me. You could pop all the plain text files into a compressed folder and then do a SHA hash or checksum of it, but the problem there is that you might be counting/adding the malware along with the plaintext files without being aware of it (this is all on the internet machine, with any checks to be done at the air gapped machine). Do you have any better ideas than mine for detecting malware stowaways on these read only disks?
What if the malware is encrypted in the GPG message along with an exploit for a vulnerability in the GPG decryption engine , and you are rooted as soon as you decrypt the message? If it sounds far fetched it isn't, there have been a few remote code execution vulnerabilities in GPG that worked in similar ways to this. That would qualify for a sophisticated piece of malware :D. Also if the internet machine is infected with malware you will need to end up hand counting the bytes instead of just typing them over, and I think it would still be rather risky. Good hackers can do amazing things and they are good at hiding that attacks have taken place.
Also, this air gapped machine. It can't be just any machine. If you're to take this seriously, then you need a machine that physically does not have networking capability, whether wi-fi, Ethernet, or Bluetooth, absolutely anything.
Yup. Iran learned that the hard way with stuxnet. They had a network with no internet and considered it to be air gapped but it had external USB devices plugged into it that had been exposed to the internet.
How is that possible if it's impossible (in some cases live CD setups) to save any files? How can this be possible without making some manner of change to the client end? Or perhaps I misunderstand you, and you mean many situations in which an live-CD or live-USB may have access to the hard disk. e.g. installing a malware to Liberte's ~persist directory?
Well a USB is not a read only device. Also it could be possible for the attacker to write to the hard drive. But primarily what I mean is that the attacker is concerned with your RAM to exploit and root you, everything else is just for persistence. In fact there are some viruses that can hide in persistent memory in locations that you would never expect, such as your keyboards firmware. It is not impossible for you to be pwnt using a live CD, the attacker becomes persistent in your keyboard and then infects your hard drive when you boot into your non-live OS.
Still, I would have thought that this isn't really possible when you have an entire Operating System as being read only with a severely controlled list of possible changes (e.g. like switches on a dashboard, but no alterations to permissions, Liberte if I remember correctly does not allow any permissions changes, unless you quickly enter a certain command/series of steps the second the OS loads, and after a couple of minutes it is impossible to even do this).
Please explain more explicitly how an exploit can occur in the typical environment of a live-USB or live-CD, because we're all interested in preventing just that.
Live CD and USB do absolutely nothing to prevent you from being pwnt, that all happens in RAM. They just make it harder to become persistent. But not impossible, especially for a USB.
Most live-USB OS that people will be running is Linux, open source. So if a live USB could have a persistent malware, then so could the Tor software. At some point you have to trust that something works or you'd never get anything done. I would agree though, that specific distributions tailored to the security conscious ought to be closely watched for any red flags. e.g. Liberte, hardened Gentoo, Tails.
I think you confuse malware and exploits and backdoors. You seem to be worried about a backdoor. In general there are two types of backdoor, code that has vulnerabilities intentionally left in it to be exploited by the creator at a later point in time, and then things like subseven or back orifice where there is actually malicious code included in the software instead of the harder to detect exploitable code intentionally left in the software. I think you may not realize that an attacker can exploit vulnerabilities in code to remotely install software onto your machine. That is the sort of exploit / malware I am discussing, not so much malicious code included in the program from the start. And 99.9999999% of software has vulnerabilities that can be exploited for remote code execution.
I tried using SELinux stuff once. I have to say, it was not exactly accessible and it was a struggle to get anything useful done, even to a geek. Maybe you could point to a tutorial or something that would be the most relevant for what we do here in our situation. Ima practical animal, or at least I try to be.
It is on my list of things to do :).
I must admit, I've never even heard of ASLR until now (it randomly pushes your data stuff/programs about in memory folks, so a hacker has trouble pinpointing where to exploit). How do you optimize this ASLR stuff best? Does it just mean having the latest OS? By hardening your OS/Browser, I'm assuming you're talking about using SELinux, and that by Browser you mean the Tor browser. If you modify the TBB or however you've setup the Tor software on your computer, isn't it possible you'll separate yourself from the crowd on the Tor network. e.g. could change your browser settings to ones that are relatively unique, potentially deanonymizing you. Maybe I misunderstand this, but I like to be sure.
Operating systems implement ASLR differently. I think OpenBSD may be the only OS that has full ASLR by default. You need to be using a 64 bit OS to take full advantage of ASLR because with a 32 bit OS it can be brute forced. Some operating systems don't even have ASLR, FreeBSD actually does not although it uses some other technique instead. Some operating systems support ASLR but you need to specifically compile your software with the special PIE (position independent executable) flag for it to be able to take advantage of it.
tldr to lurkers; just use linux, safe against 99.9% of the general malware floating around out there.
Are you worried about general malware or a targeted attack against you? Because just using Linux, although a good step in the right direction, is not enough to protect you from a skilled targeted attack.
I agree hardening security against malware is important, but I think you're overstating the case to illustrate the point. I'm pretty sure anonymity does protect me from malware to some extent, otherwise I doubt I would be typing this. In order for an attacker to place a rootkit and backdoor on my machine, they must first put it on my machine. They cannot do that, unless A: they find my machine or B: they rootkit everybody (I think we call this the Chinese approach, lol).
Anonymity does not protect you from malware unless you are running a bunch of listening network applications like Apache and because they are hidden services an attacker can not port scan the entire server looking for alternative paths to attack instead of only what is directly presented to them. In your case as a non-server client anonymity doesn't do a damn thing to protect you from malware, you are still exposing the exact same amount of attack surface when you browse a website with Tor as when you do without Tor. You have a very fundamental misunderstanding of how hacking works. Let's say that firefox has a vulnerability in it's code, an attacker who pwns SR could then for example craft malicious javascript that runs client side on your computer in memory (RAM) and then buffer overflows into attack code that they then get firefox to run on your system, and which itself installs a virus onto your computer from one of their servers. Hacking is all about remotely installing viruses on computers, you do not need to know their IP address you only need to have some vulnerable path to them, that can be in the form of Firefox, a PDF reader, an instant message program, GPG decryption engine, ANYTHING that you put potentially malicious input into.
Ok. But SR does not need JavaScript and many of us don't have it enabled by default. Unless your rootkit is somehow able to manipulate a scriptless browser.
Rootkits are installed by exploits in order for the hacker to cover their tracks. There are a lot of Firefox vulnerabilities that can be exploited without any scripting being enabled, although by not having scripting enabled you can remove the ability of a hacker to exploit some vulnerabilities and also you can make others harder to exploit.
On that subject, I wanted to ask you from before. Can you physically remove the ability of the Tor browser to use scripts? I mean, removing the actual code that would allow an extension, allow a script to be run etc. Seems to me, if you remove that kind of stuff, the odds of exploitation are zilch. My concern would be that such modification might alter the browser signature though. So I was hoping for some input on that idea, whether it's realistically possible and what the ramifications might be.
Yes that would be possible to do but it does not remove the chance of being exploited. A lot of Firefox vulnerabilities are through font rendering even, there are a lot more areas to cover than just scripts.
Question. If the malicious JavaScript stops you routing through Tor, then how exactly does this help the enemy? I mean, once you stop routing through Tor, you're on clearnet right, so it's not as if you're going to reach a url like http://dkn255hz262ypmii.onion with this newly clearnetted browser, right? I don't get how stopping Tor routing will deanonymize me. Seems like it just kicks me off the Tor network.
You will not reach a website like dkn255hz262ypmil.onion but you will have no trouble reaching fbi-ip-address-gathering-server.gov
And how the hell is a JavaScript, any JavaScript, going to influence the X window system? JavaScript cannot modify the Operating System. JavaScript can't go about editing configuration files since it can't access the local directories and write to the hard disk. So how in the name of fuck it is possible to spy on GPG software via the X Window system? I am seriously dubious in case you couldn't tell. :D You have surely got to be missing a few steps there. :p
Attacker finds vulnerability in Firefox code. Attacker crafts code that exploits it with javascript. You go to attacker controlled website with this javascript and it runs on your machine client side, exploits the firefox vulnerability. Attack code overflows a buffer and the attacker gets it to execute with the abilities of firefox. Firefox is in a x window. There is no isolation between x windows, every x window gets keystrokes to all other x windows, so the attacker can already entirely keylog you at this point, including getting your root password when you su. Attacker can also have firefox install whatever they want onto your system that it is privileged to do, so they take over root on your computer with the password they just sniffed and install a rootkit and backdoor for persistence.
Lastly; isn't there a special piece of hardware, a particular kind of CPU that makes it really tough to compromise encryption? It might have been while it's being done. Your reference to ALSR reminded me of it but I can't remember the name now.
You do not need a special CPU to make it very hard to compromise properly implemented encryption...but skilled attackers spend less time trying to crack encryption than they do on trying to bypass it by hacking around it.
P.S. Who is the author of PolyFront, was that yourself or some other fellow? Curious mammal is curious. Reply by PM if necessary. Actually PM me anyway, I have some interesting shiny new factoids that came my way I'm pretty sure you'll be salivating over or something. :D
I made polyfront, although it is out dated and I would not try to keep it alive personally. Someday when I get more time I will write a new one that will be much better, it has been a running thing for several years now actually where I periodically compile my security knowledge and make tutorials and such. I can do way better than Polyfront now. But I am currently busy developing software and learning new things. Maybe in half a year you will start to see a lot of new cool things from me :). I hear the feds quite enjoyed polyfront at one of their conferences , glad to know that they were so impressed and circumstances allowed me to hear about it !!
-
Well a USB is not a read only device.
IN BEFORE NEITHER ARE USB MEMORY STICKS
-
kmfkewm Kudo's on polyfront! While yes it may be outdated some it has great _base_ for people to start from.