Faceplams Faceplams:  0
Page 1 of 2 1 2 LastLast
Results 1 to 30 of 31

Thread: wikileaks year zero vault 7 - CIA hacking files

  1. #1
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)

    wikileaks year zero vault 7 - CIA hacking files

    So "Year Zero" per Wikileaks is the CIA using cyber weapons.

    "Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.
    Origin of the term = HERE.

  2. #2
    Join Date
    Dec 2011
    Location
    Laughingstock of the World (America)
    Posts
    4,579
    Mentioned
    104 Post(s)
    Does it make me sound like a crazy conspiracy theorist to wonder if WL didn't time this to help turn public opinion against the intelligence committee and thus make people think that anything damning they say about 45 and Russia is either false, politically motivated, or both?

  3. #3
    Join Date
    May 2012
    Location
    W/A
    Posts
    8,168
    Mentioned
    233 Post(s)
    Quote Originally Posted by theimage13 View Post
    Does it make me sound like a crazy conspiracy theorist to wonder if WL didn't time this to help turn public opinion against the intelligence committee and thus make people think that anything damning they say about 45 and Russia is either false, politically motivated, or both?
    This whole year is doing that to everyone.

  4. #4
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by theimage13 View Post
    Does it make me sound like a crazy conspiracy theorist to wonder if WL didn't time this to help turn public opinion against the intelligence committee and thus make people think that anything damning they say about 45 and Russia is either false, politically motivated, or both?
    Or, that Obama didn't need to order any "wiretaps" as the CIA has been spying on American citizens since shortly after 9/11.

  5. #5
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    Quote Originally Posted by allegate View Post
    This whole year is doing that to everyone.
    new term just learning about the deep state http://www.alternet.org/trump-vs-deep-state

  6. #6
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)

  7. #7
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    ^^^ speaking of Deep State....


    it's worth pointing out the decryption passphrase on the wikileaks dump (SplinterItIntoAThousandPiecesAndScatterItIntoTheW inds) is a reference to a quote by JFK about the CIA a month before his assassination.



    Whoa! Wtf.

  8. #8
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Maybe they're trying to tell 45 that they're all hacking his Android phone

  9. #9
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    It goes way beyond that. Read the "How the CIA dramatically increased proliferation risks" portion of the wikileaks release.

    They lay out an interesting legal dilemma, which I don't know if its true or not. But basically the way the CIA created & used the tools on the internet would have violated classification rules... IF the tools were classified. So they didn't classify the tools. So that means anyone can use those tools and even the US Gov can't claim ownership/copyright.
    you would be surprised at the amount of NDA's and legal document's security research teams and pen-testers have to sign to even look at a system or face prosecution there are also disclosure agreements, that also state all findings must be disclosed to affected parties or face prosecution
    -louie

  10. #10
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    Very aware. Pentest scoping and legal engagement rules are a pain. But that has little to do with the CIA.

    CIA has tools that don't fit classification models easily. More importantly, they are categorizing all these tools as "weapons" which makes little sense when shoved into existing arms rules.
    i would agree i would like to know more about importantly, they are categorizing all these tools as "weapons"i can still download free versions of Kali, burp suite, wire shark and python IDE, are these "weapons"?
    just curious
    -Louie

  11. #11
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    you should read up on the church committee if you really want to go down the rabbit holeand that was in the '70's
    -louie

  12. #12
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    So, on that car control system infection capability... Remember when Michael Hastings died in a high speed car crash just before he was about to break a big story on the CIA?

    https://en.wikipedia.org/wiki/Michae...ay_controversy
    what i was trying to say a lot of the "weapons" stated in the wiki-leaks, were pre-existing tools for security researchers. pen-testers, and no more a weapon then a pipe wrench, but then again i would not want to be smacked up-side my noggin with a pipe wrench
    -Louie

  13. #13
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    Very aware. Pentest scoping and legal engagement rules are a pain. But that has little to do with the CIA.

    CIA has tools that don't fit classification models easily. More importantly, they are categorizing all these tools as "weapons" which makes little sense when shoved into existing arms rules.
    But, cyber is a (potential) weapon. It's the modern way to destroy. Look what we (shhhhh) did to Iran's nuclear power plants, repeatedly. Look what China did with our OPM database. Look what could happen if our grid was hit, or if bank networks were hit (taking out all our access to our money in a cashless society). This is espionage (it IS the CIA, not the FBI) but cyber weapons have the intent not only to obtain intel but also the desire to neutralize a threat. I'm not sure everybody follows rules. All of this, of course, is dependent on vulnerability (computer or human).



    Can they really remotely hack an iPhone? Or only if they get us to install an app that allows them access?
    Last edited by allegro; 03-08-2017 at 06:24 AM.

  14. #14
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    So, on that car control system infection capability... Remember when Michael Hastings died in a high speed car crash just before he was about to break a big story on the CIA?

    https://en.wikipedia.org/wiki/Michae...ay_controversy
    Whoa!!!! Holy shit.

    Like, this makes hacking into Cheney's pacemaker lightweight.

  15. #15
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    Here is a short, easy to understand, but most importantly a SKEPTICAL counterbalance to the press coverage.

    It's focused on the tech and doesn't touch much on anything else, but if you only read one article right now, this is the one to read.


    http://blog.erratasec.com/2017/03/so...ault7.html?m=1
    very good non-parania enduing balance, non-bs and non-cyber kabuki
    -louie
    thanks for posting this DC!

  16. #16
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    Here is a short, easy to understand, but most importantly a SKEPTICAL counterbalance to the press coverage.

    It's focused on the tech and doesn't touch much on anything else, but if you only read one article right now, this is the one to read.


    http://blog.erratasec.com/2017/03/so...ault7.html?m=1
    Good shit, thanks

  17. #17
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    thanks again dc. bookmarked, big help phone has been blowing up all day, no sir the CIA can't suddenly tap your phone, i don't think they really care, and please don't call me with every piece of crap you happen to read on the internet.
    -louie

  18. #18
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    I like this part:

    There's no overlap or turf war with the NSA. The NSA does "signals intelligence", so they hack radios and remotely across the Internet. The CIA does "humans intelligence", so they hack locally, with a human. The sort of thing they do is bribe, blackmail, or bedazzle some human "asset" (like a technician in a nuclear plant) to stick a USB drive into a slot. All the various military, law enforcement, and intelligence agencies have hacking groups to help them do their own missions.

  19. #19
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    Quote Originally Posted by allegro View Post
    I like this part:
    about two years ago there was something that was in fashion called "social" engineering", which was (touted, as human hacking, so instead of using a computer and an Algorithm, to crack a password, you would talk to a person a find out there dogs name and use that, there were competitions were you would get points, for types of info you got, from talking to a receptionist on the phone for 5 minutes, i found it all very compelling if you find it interesting like me look here http://www.social-engineer.org/
    -louie v.

  20. #20
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    cool stuff if you go to 25 this year let me know i would be happy to buy you a beer
    -louie

  21. #21
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    Rob (the author) has been hammering on the fact that the bulk of the attacks specifically require someone to plug a USB drive into your device.

    He also loves to troll (he does it obviously, and isnt trolling in this case) and generally play the skeptic. It's great. But the reason I am saying all of this is to preface this magically little thing that unfolded yesterday:

    That is in his article, speaks to subjective "worry." Like, just because you aren't paranoid doesn't mean people aren't to get you ... har har har. The conspiracy theorists think the NSA is living in our Amazon Echo all day, so now they will think that a CIA agent is in the baby monitor, Nest thermostat and the remote-read RF water meter and is watching you on your home security system.

    (But I still won't get an Echo. I also have electrical tape on the cams on my laptop and iMac. I'm not a drug dealer or a terrorist but I don't want people seeing me walk around naked. If the CIA or NSA has it, so do bad guys - that's my motto.)

    You can't plug a USB into an iPhone.
    Last edited by allegro; 03-08-2017 at 05:19 PM.

  22. #22
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    two years ago? Man, social engineering has been a thing for decades. I feel like Mitnick going to jail in the mid 90's is what pushed it into the mainstream. It's still one of the more common ways people get access to your stuff, if you are targeted.


    Fun fact about the SE competitions: Women tend to absolutely dominate them, even complete novices. Also, women tend to be the most resistant to social engineering attacks.
    I love throwing this factoid out when doing talks. It encourages people to experiment who may be novices, and it messes with poor that have poor understandings of gender equality :P


    Anyway, I have taken to showing people this as an intro video to what Social Engineering is. It was shot at the 2015 SE competition area at DEFCON.
    And I have absolutely used my own kids even worse shit, especially in person... (im an asshole, i know)
    HOLY SHIT. Why don't they use this in training videos for customer service??

  23. #23
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    Quote Originally Posted by allegro View Post
    That is in his article, speaks to subjective "worry." Like, just because you aren't paranoid doesn't mean people aren't to get you ... har har har. The conspiracy theorists think the NSA is living in our Amazon Echo all day, so now they will think that a CIA agent in in the baby monitor, Nest thermostat and the remote-read RF water meter and S watching you on your home security system.

    (But I still won't get an Echo. I also have electrical tape on the cams on my laptop and iMac. I'm not a drug dealer or a terrorist but I don't want people seeing me walk around naked. If the CIA or NSA has it, so do bad guys - that's my motto.)

    You can't plug a USB into an iPhone.
    most "smart" are communicating to the internet in some way the question becomes becomes what does that info look like, when siri first launched it was found that the communication to the severs was in plain text what does that mean? if some one had a packet "sniffer" you could watch the traffic you could read there queries, but there is some common sense involved, no I'm not going to say alexes, were can I score some heroin,I also would not use a phone to unlock my house or start my car car. as with most thing your "smart" fill in the blank is usually smarter than you.
    my .02
    -Louie

  24. #24
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by Louie_Cypher View Post
    as with most thing your "smart" fill in the blank is usually smarter than you.
    my .02
    At first, I wondered what somebody would do with the data from a programmable smart thermostat, but then I remembered that it could tell a burglar when you're asleep or not home.

    I know that the Government has already tried to subpoena data from Echo/Alexis but Amazon won't give it up; if the Government figures out how to HACK the data without needing a subpoena, that doesn't mean the evidence is admissible.

    I'm more afraid of nefarious people getting my smart data than the Government.

  25. #25
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    To counter Rob, he may be downplaying it TOO much. It was made clear that more than just the CIA have these tools now. It's also not impossible to take these attacks that require physical access and adapt them for network delivery. In fact, most attacks evolve this way.


    Internet attached bullshit like the Echo and thermostats are security nightmares for multiple reasons. Even the ToS for some of the smart TV's explicitly tell you to be careful of what you say around them. The average person should still be worried about that stuff. It's not the CIA, but all the other miscreants. Those devices are poorly secured and not maintained anywhere near as much as the laptops and mobile phones that have cams/mics on them as well. I'm never going to buy those things for everyday use. There will come a day when I have no option, and I will open the TV and physically remove the microphone, blind the camera, and pull the wifi antenna.



    It's starting to get there... but there needs to be more attention. The attention rarely happens until a big story like this blows up. If all you have is a proof of concept attack, you have to really hype it up to get press coverage. You end up feeling like a tool doing it though :/

    Even Amazon's "2 factor auth" can be circumvented with a call like you saw in the video. It's so frustrating having all these backdoors thanks to poorly trained customer service reps that are given too much admin power.



    Well, a smart thermostat is literally "attaching fire to the internet" if you think about it. Sure, losing heat when you want it is going to be a massive annoyance. If you are old and live in a very cold area, it could kill you though. There was a recent issue with the Nest thermostats that caused a ton of them to fail for a few days. It was just a bug. People were pissed. Maxing out your heat while you are on vacation can bring some really big surprise gas bills, great for revenge. And the heat exchangers are surprisingly delicate, not too hard to crack them if you run them like an idiot. A cracked exchanger pumps carbon monoxide into your house.

    But really, its a computer inside your network that can see everything happening inside your network and can relay it all outside of your network. That opens up tons of possibilities. Some of them hurt you. Some of them hurt everyone (Mirai botnet that we have only just started seeing the beginnings of).



    edit: as for burglars... most aren't smart. But there are so many ways to check for occupancy and/or targets with $$$ thanks to technology. $200 thermal cams to see if the house is warm. Bluetooth scanners to see which houses are filled with valuable electronics. etc.
    same case subpoenaing amazon also had a "smart" water meter, which data they trying to use for time and usage to prove he hosed off his patio of blood tech savvy lawyer's, now we're truly fucked which why I give money to these guy's https://www.eff.org/
    =louie

  26. #26
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    oh, @allegro ... i forgot to mention something. You said that iphones cant have a USB device plugged in. Actually, they totally can with an adapter like this. I use it all the time to connect random shit to my iphone. You also have all those public charging stations in hotels, airports, etc. Never ever use that shit! If you absolutely have to, use a "USB Condom" to cut the data lines and only allow power charging. Better to bring your own charger that plugs into AC. Or use a USB battery pack as the middleman between your phone and the dirty dirty public charge cables/ports.
    Who the fuck doesn't bring their own charger? Morons? It isn't like they WEIGH anything. Wtf.

    I meant USB without an adapter, a straight USB connection. I have Bluetooth headphones, the only thing I connect to my iPhone is my own charger.

  27. #27
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    Quote Originally Posted by Louie_Cypher View Post
    same case subpoenaing amazon also had a "smart" water meter, which data they trying to use for time and usage to prove he hosed off his patio of blood tech savvy lawyer's, now we're truly fucked which why I give money to these guy's https://www.eff.org/
    =louie
    I'm going to type this in a soft soothing font take a nice deep breath exhale and relax, this same CIA,has killed people, toppled governments, conducted phycological, biological, and chemical experiments, on an unknowing US population, are they putting chemical's in the water to turn me and the frogs gay? (probably not, although Daniel at the gym has been looking pretty sharp lately), case in point it most likely has zero effect on you!It does however shed light on technology privacy, information and these guy's: these guy's https://www.eff.org/, but if you knew how often you were under surveillance, during a day you would not leave your house. could also be a plant by trump to demonize the CIA before they release all the info they have on him. and last time I checked I could still say the president idiot, oompaloompa that somehow escaped the evil clutches of Willie wonka had a rich dad who died left him a fortune, and became president, without being sent, to a re-education camp in Provo UT, my eyes are pinned open and force to watch celebrity apprentice on loop, with my nuts attached to a car battery, at least today
    so again I say relax educate yourself and be kind to others
    -Louie

  28. #28
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by louie_cypher View Post
    could also be a plant by trump to demonize the cia before they release all the info they have on him.

    bingo.

  29. #29
    Join Date
    Dec 2011
    Location
    san fransisco
    Posts
    1,378
    Mentioned
    41 Post(s)
    Quote Originally Posted by DigitalChaos View Post
    oh, @allegro ... i forgot to mention something. You said that iphones cant have a USB device plugged in. Actually, they totally can with an adapter like this. I use it all the time to connect random shit to my iphone. You also have all those public charging stations in hotels, airports, etc. Never ever use that shit! If you absolutely have to, use a "USB Condom" to cut the data lines and only allow power charging. Better to bring your own charger that plugs into AC. Or use a USB battery pack as the middleman between your phone and the dirty dirty public charge cables/ports.
    the also this little guy https://www.wifipineapple.com/pages/nano
    -louie

  30. #30
    Join Date
    Nov 2011
    Location
    Highland Park, IL
    Posts
    14,384
    Mentioned
    994 Post(s)
    Quote Originally Posted by Louie_Cypher View Post
    the also this little guy https://www.wifipineapple.com/pages/nano
    -louie
    Whoa, that thing is COOL!!

Posting Permissions