Regin Malware In EU Attack Linked To US and British Intelligence Agencies
Advocatus Diaboli writes The Regin malware, whose existence was first reported by the security firm Symantec on Sunday, is among the most sophisticated ever discovered by researchers. Symantec compared Regin to Stuxnet, a state-sponsored malware program developed by the U.S. and Israel to sabotage computers at an Iranian nuclear facility. Sources familiar with internal investigations at Belgacom and the European Union have confirmed to The Intercept that the Regin malware was found on their systems after they were compromised, linking the spy tool to the secret GCHQ and NSA operations.
I'd welcome our new overlords, but they seem to have already been here for a while.
About all that's left to comment on is Hot Grits, Natalie Portman and griping about there not being a Cowboy Neal choice any more.
I am Slashdot. Are you Slashdot as well?
That seems to be the way everything is pointing. Kind of makes me wonder what happened to that "land of the free" part of the national character.
On NSA website, NSA states about their values: " We will protect national security interests by adhering to the highest standards of behavior".
So how would the NSA explain to a child that computer viruses and malware represent the highest standard of behavior?
It is probably the same as stealing money on the street from a slightly overweight person and telling him/her that they needed to lose weight anyway and that the robber cares about them. If questioned, the street robber will counter by stating that the victim should be thankful, because in other streets (countries) you could be shot for even questioning.
Is encryption that has been made vulnerable and weakened by the NSA also the "highest standard of behavior", dear beavers from the NSA?
Were the anti-virus and anti-malware companies simply unable to detect this, or were they complicit in its distribution (by not reporting its presence to users)?
The real "Libtards" are the Libertarians!
Will this sophisticated malware work on anything other than Microsoft Windows:
"Symantec Security Response has not obtained the Regin dropper at the time of writing. Symantec believes that once the dropper is executed on the target’s computer, it will install and execute Stage 1. It’s likely that Stage 0 is responsible for setting up various extended attributes and/or registry keys and values that hold encoded versions of stages 2, 3, and potentially stages 4 and onwards". link
Operation Socialist
It's very much true, no one in murica likes socialism...
if for no other reason than "they know what's good for them".
Regin is a stealthy bastard. It doesn't spread itself, it just sits until called upon to deploy a module. The fact that it's state-sponsored and we are only seeing details of it six years after the fact shows how far this state-sponsored Advanced Persistent Threat (APT) went to stay undiscovered.
The question is this: because this system has VERY advanced features, how much could Linux or Windows or any system benefit if the effort to break things were put into fixing them instead? This goes way beyond bug bounties.
Will we ever know how much Regin cost in taxpayer money? How much talent fell into a DOD/NSA black hole?
I think, based on this, that this payload could trivially turn off half of the world's computer-connected services and has probably been exfiltrating massive amounts of operational data.
Don't we all already know that it was the EVIL Chinese Communists who were behind all the evil hacking?
It was those evil Chinese who do all those evil things to us, the gentle, caring and loving Westerners!
Stop blaming the NSA, man. They are the HEROES, the PROTECTORS OF LIBERTY against those evil Chinese Communists!
This thought began as a joke, but this actually does sound how something like Skynet could be born. Malware is infamous for aggressively trying to preserve itself. We all joke about how stupid the idea of programming an AI with a strong sense of self-preservation is because of the obvious dangers, but that is exactly how malware is programmed. Programming it to control industrial systems as well (giving it a "body") seems like a really bad idea, particularly if the aim is not to sabotage the infected industrial system, but to cause as much damage to the target nation as possible (a reasonable wartime goal).
Buy your next Linux PC at eightvirtues.com
... correctly.
It little behooves the best of us to comment on the rest of us.
I skimmed through the linked articles and couldn't find any evidence at all that US or UK agencies were involved.
The only part of any article that even justified the headline (in any way) was this:
Yawn...
The various governments should pass a law forcing IT vendors to install mandatory spyware on your system.
At least we would openly know their intention.
That said, we are electing officials letting/sponsoring this. This should change.
So many people come here and post that Windows is not only safe, but that it is targeted because of numbers. Yet, it is obvious that NSA and GCHQ targeted Windows. Why? I doubt that it was numbers, but ease of cracking.
So, in the meantime, how many companies will start switching to *nix?
I prefer the "u" in honour as it seems to be missing these days.
I see an AC that posted pointing fingers, but this still does not have any fingers on it. All that it has is Snowden making claims, but with zero proof behind them.
Ah, you must be either North Korean or Chinese, working for your government.
Remember to at least clean your face when you are done taking care of your dicktator.
So how many embarrassing secrets were obtained against those in power, and those wanting to be in power, and how was that leverage applied to undermine the democracy of the EU?
Because we're not little girls who believe in good fairies, we know how it works. You spy on people to gain leverage to gain an advantage, and if that advantage was never exercised then it wouldn't be an advantage!
So there were EU politicians who made choices that seem to act in favor of the US, and against the EU's interests. Handing the US sensitive financial data on transactions, company dealings, ownership and so on. Those politicians did it on false and misleading "only the US can spot terrorism" claims, and now I wonder how much leverage was gained against those politicians by this surveillance.
Out of fear, we will accept that Symantec will now be so bloated that most Windows PCs will never finish booting up.
were ready to blast China again. But of course it's the American and Western imperialists at work, the CIA/MI6 up to their nefarious ways as usual. But of course, Western hypocrites and Slashdot/Reddit anti-China hate brigade, your team can never commit a foul while everything the other team does is a foul, right?
You don't need to "crack" when you have the code.
You don't need to "crack" when some companies hold the front door open for you so that you can make sure that their encryption is "safe".
So many people come here and post that Windows is not only safe, but that it is targeted because of numbers. Yet, it is obvious that NSA and GCHQ targeted Windows. Why? I doubt that it was numbers, but ease of cracking.
If your targets use Windows it would be a real stroke of genius to distribute attacks against Linux, don't you think?
Duh.
So, in the meantime, how many companies will start switching to *nix?
What is the *nix equivalent to secure boot? Signed kernel modules? What is the *nix equivalent to Measured Boot and Network Access Protection? How does an organization automatically and immediately detect and isolate potentially infected hosts?
Every operating system out there will experience exploitable vulnerabilities. Applications running on top of the operating systems will experience exploitable vulnerabilities. The most recent severe vulnerabilities that have been mass exploited are *nix vulnerabilities like Heartbleed and Shellshock. No operating system is immune.
That's why defense in depth is important. Windows starts its defenses before boot, by using Secure Boot. This ensures that only approved bootloaders run. It prevents bootkits. Some Linux distros support a weak form of secure boot (it doesn't protect all types of resources; notably, scripts and config files are not digitally signed). Windows loads all kernel components from signed "cabinet" files, protecting all assets used during boot. If a rootkit tampers with any of the files, the system will refuse to boot.
During boot, before loading *any* kernel module, Windows will compute a hash of the module and record it in the TPM hardware module along with name, size, dates and other metadata. Upon successful boot (but before other hosts will accept traffic from the system) the OS asks the TPM for a signed "health" record. The TPM will issue a signed document with all the recorded info that the host can present to a health certificate server. The health cert server can investigate the list of loaded modules and compare against known whitelists and/or blacklists. If everything checks out, the health cert server issues a certificate the booting host must use when communicating with other hosts. Unless it can present such cert, the other hosts will refuse to communicate with the host.
Does 'Nix support such security in depth?
Such targeted attacks will target whatever operating system is being used by the target. Targets must consider the possibility that any host can be breached through an application or OS vulnerability. With that recognition, they must ensure expedient diagnosis and isolation. In that area, a Windows server infrastructure can be set up to become extremely strong.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
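The measured-boot and health-certificate flow the post above describes (hash every module before loading, extend the hash into a TPM register, have the TPM sign a quote, let a health server replay the event log and compare each module against a whitelist) is easier to reason about with a working model. The following is an added example written for this thread, not code from Microsoft, the poster or any TPM stack. It makes two assumptions, both marked in the comments: an HMAC over a key shared with the health server stands in for the TPM's asymmetric attestation key, and the module contents and whitelist are constructed for the demo.

```python
"""Toy model of measured boot plus remote health attestation.

Added example for the thread, not code from the original post or from Windows.
Assumptions (not in the original): a shared-key HMAC stands in for the TPM's
asymmetric attestation key, and the modules/whitelist below are constructed.
"""
import hashlib
import hmac
import json

PCR_SIZE = 32
ATTESTATION_KEY = b"demo-tpm-attestation-key"  # assumption: stands in for the TPM's signing key


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || measurement). Order-sensitive and not resettable."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(modules):
    """Hash each module before 'loading' it, extend the PCR and append an event-log entry.
    `modules` is a list of (name, bytes). Returns (pcr, event_log)."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, data in modules:
        digest = hashlib.sha256(data).hexdigest()
        log.append({"name": name, "size": len(data), "sha256": digest})
        pcr = extend(pcr, bytes.fromhex(digest))
    return pcr, log


def tpm_quote(pcr: bytes, log, nonce: bytes):
    """The TPM signs the PCR value together with the verifier's nonce.
    The event log travels alongside but is not itself signed; the PCR vouches for it."""
    payload = json.dumps({"pcr": pcr.hex(), "nonce": nonce.hex()}, sort_keys=True).encode()
    sig = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig, "log": log}


def verify_health(quote, nonce: bytes, whitelist):
    """Health server: check the quote signature and nonce, replay the event log to the
    quoted PCR, then check every measured module against the whitelist.
    Returns (ok, reason)."""
    expected = hmac.new(ATTESTATION_KEY, quote["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False, "bad quote signature"
    claims = json.loads(quote["payload"])
    if claims["nonce"] != nonce.hex():
        return False, "stale or replayed quote"
    pcr = bytes(PCR_SIZE)
    for ev in quote["log"]:
        pcr = extend(pcr, bytes.fromhex(ev["sha256"]))
    if pcr.hex() != claims["pcr"]:
        return False, "event log does not replay to quoted PCR"
    for ev in quote["log"]:
        if whitelist.get(ev["name"]) != ev["sha256"]:
            return False, f"unapproved module: {ev['name']}"
    return True, "healthy"


# Constructed sample modules and the whitelist a health server would hold for them.
GOOD_MODULES = [("ntoskrnl.exe", b"kernel v1"), ("disk.sys", b"disk driver v1")]
WHITELIST = {name: hashlib.sha256(data).hexdigest() for name, data in GOOD_MODULES}


def attest(modules, nonce: bytes = b"\x01" * 16, tamper_log: bool = False):
    """Boot the given module list, produce a quote and run it through the health server.
    With tamper_log=True the 'rootkit' strips its own entry from the log after the fact;
    the PCR inside the TPM still contains it, so the replay no longer matches."""
    pcr, log = measured_boot(modules)
    quote = tpm_quote(pcr, log, nonce)
    if tamper_log:
        quote["log"] = [ev for ev in log if ev["name"] in WHITELIST]
    return verify_health(quote, nonce, WHITELIST)


if __name__ == "__main__":
    print(attest(GOOD_MODULES))
    print(attest(GOOD_MODULES + [("regin.sys", b"evil")]))
    print(attest(GOOD_MODULES + [("regin.sys", b"evil")], tamper_log=True))
```

The three runs show the three outcomes a health server can reach: a clean log is healthy, an extra unsigned driver is rejected by the whitelist, and a driver that edits the log to hide itself is caught because the hardware-held PCR no longer replays. The model's guarantee rests on the PCR being extend-only and held by the TPM rather than by the OS; a rootkit that can drive the TPM directly, or that loads before measurement starts, is outside what this check covers, which is why Secure Boot has to sit underneath it.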
Does 'Nix support such security in depth?
It's not security in depth if only some levels are secure, since you're only as secure as your weakest link. Windows isn't secure because of how it's developed and because of how it behaves once it's booted. That the boot process is a bit more secure doesn't make Windows more secure overall.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
It's not on its technical merits, it's certainly not due to the purity of its design philosophy, and nobody gives a decihoot how long some pakol-clad *buntard's lappie takes to boot.
And yet they're all so keen for us to use systemd...
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Not loading modules at all. It's just one kernel compile away. That's been done for security reasons by some people since about when this site started or before. Some people even had their stuff boot from read-only optical media to avoid such threats back when the possibility of tainted kernel modules was first discussed.
What the fuck?
No. GCHQ/NSA will choose whatever OS their fucking target is using. Ease of exploitation has nothing to do with it. They're not writing malware for shits and giggles or to steal grandma's pension. They're doing it with a specific intelligence-gathering goal in mind. If it's Windows malware then it's because their fucking targets were running Windows, nothing more, nothing less. It's stupid to try and turn this into a childish OS fanboy battle, as the quality of an OS just isn't a factor in choosing what to target here.
I suppose you think Stuxnet targeted Windows and Siemens control systems because they were just easier to hack too, right? Ignoring the fact it was developed specifically to target Iran's nuclear program, which used Windows PCs and Siemens control systems.
As far as I know, it's a Windows-only malware. There's some technical details in F-Secure's blog. Of course a Linux or FreeBSD version could also be created, as there is plenty of vulnerabilities in those operating systems too.
Assuming that NSA/GCHQ are behind this, then they will be targeting what they can and what people run. More than 1/3 of the servers in the world are Linux alone. Heck, the Russian AND Chinese governments have moved pretty hard to Linux. The fact that NSA/GCHQ have NOT written to that indicates that they are going after the easy thing.
Siemens was using Windows for that. Of course, NSA/Israel targeted it. BUT, that is a SITE-SPECIFIC set-up. When you have a foreign nation that makes heavy use of Linux, then you should be targeting it. Instead, NSA/GCHQ targeted Windows because it is easy.
The main problem about breaking ethics for a "good reason" is it paves the way for Evil.
That said, "imperialism" is a human fact: people love Greatness, no matter whether you are American, British, French, Russian, Spanish or Chinese.
Nations remember only the times when they reached the peak of their glory. The French remember Napoleon (despite the fact he was bitterly defeated), and I bet many Chinese think of themselves as the heirs of Genghis Khan. USA tries to follow the path of other big empires of the past... All look at the ancient Roman Empire with envy, even taking its symbols (I can see many eagles).
Greatness means power, which in turn means freedom to act as you wish. I'm afraid our brain is wired to think this way.
Why do these places get hacked like this?
Secure work done on a non-networked system.
The networked system is routed through a firewall (running on a different OS, so no Windows everywhere) where only traffic to specific locations is permitted.
If you want to visit a "suspect" site then start up a disposable VM running a different OS containing a browser, connect over a VPN to a less tightly controlled exit point, and use it then dispose of the VM when you're done.
Do everything possible to block admin/network shares, and remember - not everything needs to be connected to the internet.
End users want easy everything then complain when their easy systems are compromised.
The main problem about breaking ethics for a "good reason" is it paves the way for Evil.
It doesn't pave the way for evil, it is evil. Hitler didn't wake up in the morning thinking that it would be a good day to do evil, and neither did Stalin or any other real-world villain you can think of.
People usually think of themselves as good people; it's when they start to do things "because it is necessary" that things become scary.
The mindset of someone who "does what is necessary" isn't different from that of the most evil you can find; in a best-case scenario they just have different means to meet their end.
"Assuming that NSA/GCHQ are behind this, then they will be targeting what they can and what ppl run."
Why?
"Instead, NSA/GCHQ targeted windows because it is easy."
Again, why?
Why would you target something because it's easy even though it's of absolutely no intelligence value?
Wouldn't it sound plausible that Stuxnet and Regin are two infestations of the same disease?
Same microbes (really trying to avoid the word virus here), slightly different symptoms.
While they did infect some Windows machines, it's worth noting that a lot of the malware does target Unix-based operating systems running in telecom equipment. Some of it goes after the BIOS or the firmware in various bits of hardware (e.g. hard drives) too, which is pretty much impossible for any OS to defend against.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Also, Microsoft is from USA, just like NSA ...
People love greatness, and measure it in a variety of ways, including artistic and scientific achievements. Military might took on a disproportionate importance simply because it used to be an absolute necessity in the violent chaos of international relations. However, the age of war is ending, simply because wars are too expensive and risky to wage, so we're seeing a shift in thinking. Or do you think the Roman Empire would have advertised itself as "Land of the Free"?
He was a foreign warlord who conquered China, so that seems unlikely.
Right, so when people say Leonardo da Vinci was a great painter, they really mean he could kill you in 60 ways with a paintbrush?
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Boot up from your read-only install media for Windows, using the Recovery Console to do these commands (for the listed rootkit drivers) 1st:
LISTSVC (shows all loadable drivers & services)
DISABLE (to blow out this list of them):
serial.sys
cdaudio.sys
atdisk.sys
parclass.sys
usbclass.sys
DEL (to blow them off your disk)
Then, *IF* they have usermode portions (unlike those kernelmode drivers), & they most likely DO? ProcessExplorer is your buddy!
Using it, you can expose even hidden portions in usermode (say, if it is a .DLL pseudo shell extender lib riding under say, Explorer.exe) by using the LOWER PANE VIEW of ProcessExplorer. This shows you those.
Then, you can send HALT instructions to *ANY* suspect portions, which allows you IN USERMODE no less, to delete them from disk (since the offending usermode portions, even IF "hidden" under another process, which taskmgr.exe won't show you, can be deleted IN USERMODE even, from disk).
* Pretty simple... only 2 tools required.
APK
P.S.=> Recovery Console's on the Windows 2000/XP/Server 2003 install media - Windows 7 and above have analogous commandline tools that can do pretty much the same also iirc (however, iirc - you CAN use a RC from an earlier windows to do this as well if need be, for the specific LISTSVC, ENABLE, & DEL commands noted)... apk
"pciclass.sys" from http://it.slashdot.org/story/1... so you can do the same for that one.
* FAIRLY IMPORTANT NOTE: The other drivers I listed here http://it.slashdot.org/comment... WILL probably need replacement with current OEM versions (from service packs or hotfixes most likely) to replace the bogus "doppelgangers" list I put up in my original post.
* Either way - this is a PRETTY EASY FIX, using the tools I noted.
APK
P.S.=> I'm not impressed by this crap at all personally - it's too easy to get rid of for 1 thing, & secondly? The "quantum insertion" that Bruce Schneier explains is NULLIFIED by not using the "main delivery mechanism" - javascript (most likely) & stupidity (clicking on just *ANY* email & links it has, minus checking them out, first)... apk
605413? Yes, it's a prime.
the age of war is ending, simply because they're too expensive and risky to wage
Profiting from sending other people's children (or, put another way, excess population) to die in other countries which can't meaningfully fight back doesn't sound all that risky to me.
Some of it goes after the BIOS or the firmware in various bits of hardware (e.g. hard drives) too, which is pretty much impossible for any OS to defend against.
Why should that be impossible? On most hardware it may be, but if you're lucky enough to have a system with an IOMMU, the OS should absolutely be able to defend against such attacks simply by not permitting just any jerkoff application to access the disk controller directly. Applications then have to ask the driver to mediate all transactions, and the OS is definitely in a position to then prevent firmware tampering.
There is nothing to see here. Governments have been spying on each other since ancient times. Find something actually important to write about, eh?
Neither Saddam nor the Taliban could really fight back, yet those wars ended up costing the US about a trillion dollars it could ill afford to lose. Furthermore, sending "excess population" to die risks revolution or at least demonstrations, like those during the Vietnam war; and speaking of Vietnam, you also risk misjudging your enemy. Finally, in a capitalist economy everyone is a potential consumer helping drive up demand (and, more cynically, a potential worker helping drive down wages), and thus corporate profits - and this includes the enemy - so while some profit from the reconstruction, most are worse off.
Wars will end because both tree-hugging hippies and Mr. Burns want them to end. Even the Military-Industrial complex is better off fighting imaginary threats, which can be scaled and steered to pocket a maximum amount of money with minimum amount of expenses.
All OSs have major intelligence value. The vast majority of laptops in the west run Windows or Apple.
OTOH, around the world, Windows represents less than 33% of all servers, which makes them a minority. Why would anybody target this 33%, but leave the other 66% which runs on larger sites? Because Windows is EASY to crack. Simple as that.
Safe-cracking is the process of opening a safe without either the combination or key. It may also refer to a computer hacker's attempts to break into a secured computer system, in which case it may be shortened to "cracking".
You write of reading comprehension, yet somehow managed to miss the following in a three sentence post:
"Some people even had their stuff boot from read-only optical media"
I deliberately addressed the issue to avoid it coming up and deliberately used very simple and informal language so that it would be easy to comprehend - yet it's been missed and now there's some bleating about reading comprehension from the person that missed it. I can only assume that things have degenerated to mindless cheering for the team with your "why doesn't everyone else solve problems the same way as MS even though they did it a decade+ earlier" non-issue.
Why is it OK for you to point out that root can do anything on a *nix system yet it's somehow not OK for me to mention malware?
You know you make absolutely no sense right?
Why exactly is grandma's laptop of intelligence value? What possible benefit does having access to grandma's emails about her chess club offer the intelligence services?
I think you need to stop smoking crack and accept that you don't understand anything about intelligence gathering.