Slashdot Mirror


E-Detective Spy Tool Used By Police and Governments Has Major Security Holes

DavidGilbert99 writes: A controversial intercept tool called E-Detective from Taiwan-based company Decision Group has a major security hole which could allow a hacker to remotely execute code and read all the data captured by the software. Considering over 100 law enforcement agencies and governments around the world use E-Detective, this could be a big problem. According to the International Business Times story: "E-Detective works by 'sniffing the network' it is monitoring and captures data packets before sending them to be reassembled and decoded. Unlike other products E-Detective promises to 'reconstruct the data to its original format' for the end users so that it will be seen the same way that it was seen on the network. E-Detective also advertises itself as a network forensic tool for private enterprises to 'protect sensitive data from data leakage'."

64 comments

  1. E-Detective can reconstruct net traffic .. by nickweller · · Score: 1

    "E-Detective is capable of decoding, reassembling, and reconstructing various Internet applications and services such as 'Email (POP3, IMAP and SMTP), Webmail (Yahoo Mail, Windows Live Hotmail, Gmail etc.), Instant Messaging (Yahoo, MSN, ICQ, QQ, Google Talk, IRC, UT Chat Room, Skype), File Transfer (FTP, P2P), Online Games, Telnet, HTTP (Link, Content, Reconstruct, Upload and Download, Video Streaming), VOIP (optional module) etc.'" (ref)

    I don't understand, I thought all https traffic was encrypted and secure from eavesdropping?

    1. Re:E-Detective can reconstruct net traffic .. by gweihir · · Score: 3, Insightful

      Compromised certificates and man-in-the-middle attacks based on them. Any second-rate "spy" agency (like the FBI or CIA) has them. (If they were actually good at their jobs, they would not need to break the systems they are targeting. This way, they are basically attacking critical infrastructure, and people that do this are commonly called "terrorists".)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Thank you Republicans by Anonymous Coward · · Score: 0, Insightful

    Their kind wants to turn the entire world into a police state.

    1. Re:Thank you Republicans by Anonymous Coward · · Score: 0

      Well, them and the Democrats.

      And almost every other political party (in power) out there. It's good to be the king, er, government.

  3. All products of this type of shit by Karmashock · · Score: 2

    You secure a network by locking down its capabilities to what you need to do and NOTHING else. Hacking then becomes basically impossible... right there.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:All products of this type of shit by Anonymous Coward · · Score: 2, Insightful

      Not even remotely impossible, but a lot harder. False sense of security is dangerous, you should also remember that.

    2. Re:All products of this type of shit by Karmashock · · Score: 1, Insightful

      You don't know what I mean.

      You let only the machines that need to talk to each other talk to each other. You have only the protocols you need enabled. You have an internal DNS server and you only permit access to domains ... to or from those domains.

      I could go on. You get the idea. Tell me how you'd hack that?

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    3. Re:All products of this type of shit by Anonymous Coward · · Score: 1

      I'd probably shit down your throat.

    4. Re:All products of this type of shit by RY · · Score: 1

      You secure a network by locking down its capabilities to what you need to do and NOTHING else. Hacking then becomes basically impossible... right there.

      Not when this is your gateway out. It is a classic MITM device and sniffer.

    5. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      Mimicking and spoofing are trivial.

    6. Re:All products of this type of shit by Anonymous Coward · · Score: 1

      Ok, so let's say my only objective was to have a server read data from a third party service over TLS. I only need to fetch this data and do it securely, nothing more.

      Oh fuck, a wild heartbleed bug has appeared!

      It's super effective!

      False sense of security has fainted.

    7. Re:All products of this type of shit by Karmashock · · Score: 1

      And what would that get you? You're saying you could do some sort of man in the middle attack?

      That's easily defeated by connecting remote offices via VPN.

      Look, the security setup that would-be hackers always assume is a low one. One where any dipshit user can do pretty much whatever they want with their workstation. Install Angry Birds? Sure. Connect to Facebook? Sure.

      A high security environment doesn't let you do these things. You try to run unauthorized code or executable... execution denied. You try to connect to something I don't need you to connect to? Access denied.

      Your man in the middle attack would have to be between the system and a third party we couldn't run a VPN to...

      And let's say you man in the middle attacked that. What does that get you? Access to our systems? Nope. Access to someone else's systems using some user's password? MAYBE. It depends on if people are being stupid and not using multifactor authentication. A damn RSA keychain would make any scalped passwords of dubious value.

      These things can be locked down so they don't get hacked. Systems like the ones I'm describing are not hacked. Ever. Not by the NSA. Not the Russians. Not by the Chinese.

      If they want into these systems they have to send someone to the front door and either ask or demand to be let in... physically.

      The hacks we see at Sony, OPM, etc... they have garbage security. You know that.

      Can you think of any system that had the level of security I am talking about that ever got busted?

      Ever?

      Is it impossible? Depends. Computer security CAN be perfect. It just takes humility, discipline, purpose, a clear idea of what you want to do, and no compromising of the system for any reason after it's been put in place.

      You have issues in security because the systems are too adaptable. A hacker works by exploiting flexibility. If there is none, then there is nothing to exploit.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    8. Re:All products of this type of shit by Karmashock · · Score: 1, Funny

      Hey bingo. So after threatening to come to my parents' house and... what, hurt my parents? You're now just continuing with your empty violent threats?

      You want me to take you seriously so badly.

      I feel for you bingo... I really do... but you're as likely to intimidate me as your dog is to impregnate that couch he's humping behind you. ;p

      It ain't gonna happen. I'll never take you seriously. :)

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    9. Re:All products of this type of shit by Karmashock · · Score: 0

      The gateway doesn't need to allow EVERYTHING in and EVERYTHING out.

      You set it up so that it just can't do anything besides what the company does. How are you going to trick internal systems into talking to you? Those systems could be entirely proprietary. Have fun even figuring out how to handshake with them.

      And there are about a million places where your fooling around COULD trigger a security alarm if they've implemented those.

      The best way to secure a system is to make it so rigid in the way that it operates that nothing can happen on it like that. No flexibility.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    10. Re:All products of this type of shit by Anonymous Coward · · Score: 1

      Spoofing an IP address won't get any return packets.

    11. Re:All products of this type of shit by gweihir · · Score: 1

      That would require a somewhat sane application and network services design to be effective. If you have several hundred services that must be able to reach every computer in your organization, you will never get security. And yes, that is "what you need and nothing else" if your IT infrastructure was built by people that do not understand security.

      So, no, that does not help in practice.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re:All products of this type of shit by xeno · · Score: 1

      Bullshit. Arrogance is always the undoing. Even in the most hardcore, wired-only, mac-whitelist, tightass-vlan, zone-enforced user minimum-privilege network, people have to get work done. That means if you have internet access, people will exchange data or even documents with uncontrolled sources. If you don’t, they will find some way to move or bring data in. If you have commodity operating systems or compatible office software, you have compromisable endpoints that need continuous maintenance. If you have shared resources like file servers, printers, and email, then you have nodes to emulate which facilitate lateral movement. If you have user accounts in the same directory as administrators, you have a venue for elevation of privilege. If humans administer the network, there exists a method for changing its configuration.

      While you are positive that your environment is “basically impossible” to hack, someone will send your staff a slow trickle of emails every week or leave a few 32GB thumbdrives in the lobby that have a file “Confidential-Proposed2015Q4Layoffs.PPTX” and one of your std-priv staff will invariably open it. You might miss powerpoint.exe spawning flash.exe and a call to NativeProcess(); or something more subtle. You might not catch a call to twitter.com or ello.co from their machine that’s missing an http referrer, and a plaintext C2 reply. Soon a regular user makes a few novel but authorized connections, then some hash files get read, then a few more users do the same. Someone with more than usual user privs makes an authorized filesystem write to a host in IT. Soon one of the service admins’ laptops ends up with a virtual USB HID device, and Windows helpfully mirrors all keyboard input to it. One or two more hops, and some patience, and the credentials for your core switch are lifted. Your own infrastructure is then mildly tweaked without disturbing anything you care about – an fspan modified here, some data staged on a low-priv endpoint there, with a path that appears for less than a minute each week to do something else before disappearing from affected tables. An adversary takes residence on one of the cards in your core cisco gear, resistant to even a chassis IOS wipe and reload. And when that’s stable, all the previous steps will be eradicated if not already done, though a diligent adversary might adopt a ‘rule-of-three’ method to ensure each re-entry stage has two fallbacks in case you get wise. But you’ll probably never see it, and you’ll likely insist that it’s not happening even when your adversary makes a mistake and drops a hint. And that’s just what bad guys can do without the advantage of walking in with a warrant and a 1U box.

      Now, do the junior-birdman purveyors of “E-Detective” make the claim their sniffer owns up your network simply by being plugged in? They do? That doesn’t even pass the giggle test. But don’t be too smug about what could happen with an adversary that isn’t a fool, or about the efficacy of bone-simple tooling accurately matched to vulnerabilities. And don’t use words like “impossible.”

      --
      I think not...(*poof*)
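The indicator xeno sketches above (a workstation calling a public web service with no Referer header, getting a tiny plaintext reply, on a schedule) is the kind of thing a proxy-log hunt can surface. The following is an added example written for this discussion, not code from the thread, from E-Detective or from any product; the watchlist, the field layout and the log lines are constructed for illustration.

```python
"""Hunting heuristic for referrer-less beaconing to public web services.

Added example, constructed for this discussion; it is not code from the
thread or from any product. The watchlist and the log lines are assumptions
made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Assumed watchlist: public services a browser normally reaches via a
# referring page (the two named in the comment above).
WATCHED_DOMAINS = {"twitter.com", "ello.co"}

# Constructed proxy log, tab-separated:
# timestamp  src_ip  method  url  referer  status  bytes_out  bytes_in
SAMPLE_LOG = """\
2015-10-01T09:00:01Z\t10.1.2.15\tGET\thttps://twitter.com/someaccount\thttps://www.google.com/\t200\t412\t58231
2015-10-01T09:05:00Z\t10.1.2.15\tGET\thttps://twitter.com/someaccount\t-\t200\t402\t197
2015-10-01T09:10:00Z\t10.1.2.15\tGET\thttps://twitter.com/someaccount\t-\t200\t402\t189
2015-10-01T09:15:00Z\t10.1.2.15\tGET\thttps://twitter.com/someaccount\t-\t200\t402\t203
2015-10-01T09:12:44Z\t10.1.2.22\tGET\thttps://ello.co/\thttps://duckduckgo.com/\t200\t520\t77120
2015-10-01T09:13:10Z\t10.1.2.22\tGET\thttps://intranet.example/home\t-\t200\t310\t12000
"""


@dataclass(frozen=True)
class Request:
    ts: datetime
    src_ip: str
    host: str
    referer: str
    bytes_in: int


def parse_log(text):
    """Turn the tab-separated proxy lines into Request records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, _method, url, referer, _status, _out, bytes_in = line.split("\t")
        out.append(Request(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            src_ip=src_ip,
            host=urlsplit(url).hostname or "",
            referer=referer,
            bytes_in=int(bytes_in),
        ))
    return out


def suspicious_requests(records, small_reply=1024):
    """Requests to a watched domain with no Referer and a tiny reply body.

    A bookmark or typed URL also has no Referer, so one hit means little;
    the cadence check in beacon_candidates() is what raises the signal.
    """
    return [r for r in records
            if r.host in WATCHED_DOMAINS
            and r.referer in ("-", "")
            and r.bytes_in <= small_reply]


def beacon_candidates(records, min_hits=3, jitter=0.2):
    """Group suspicious requests per source host and look for a steady cadence.

    Returns {src_ip: {"hits": n, "interval_s": mean gap}} for hosts whose
    referrer-less hits repeat at a near-constant interval.
    """
    by_host = defaultdict(list)
    for r in suspicious_requests(records):
        by_host[r.src_ip].append(r.ts)
    found = {}
    for src_ip, stamps in by_host.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean:
            found[src_ip] = {"hits": len(stamps), "interval_s": mean}
    return found


if __name__ == "__main__":
    for host, info in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {info['hits']} referrer-less hits every ~{info['interval_s']:.0f}s")
```

On the constructed log, only 10.1.2.15 is reported: its three Referer-less, small-reply requests to twitter.com are five minutes apart, while the first request (arrived at from a search page, large reply) and the other host's browsing are left alone. The point of the cadence test is to separate a user's occasional direct visit from a beacon; tune `small_reply`, `min_hits` and `jitter` against your own baseline before alerting on it.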
    13. Re:All products of this type of shit by Anonymous Coward · · Score: 1

      The gateway doesn't need to allow in anything more than the network traffic of a service that is used. But you totally ignore the fact that even if you only let the traffic of one service through, that particular service might have bugs that let an attacker gain access to the backend. Or that your router, firewall etc. might have bugs that let malformed packets go through. Just a few examples.

      Even fully internal networks without any connection to the Internet can be breached by sophisticated methods, similar to what we've seen with Duqu and Stuxnet. You totally fail to acknowledge these real world issues. Currently your argument relies fully on the assumption that "If we use software without any vulnerabilities, there will be no exposed attack vectors". Good luck selling that argument to anyone with half a brain.

    14. Re:All products of this type of shit by Karmashock · · Score: 0

      That doesn't give you access to my systems. That gives you access to someone else's systems... possibly using my authentication... which with an RSA keychain... you won't be able to use. So maybe you'll be able to see what I see on SOMEONE ELSE'S system.

      Even so, you're assuming you were able to infect either system with the heartbleed bug. How would you do that?

      I think you're misunderstanding what I mean when I say LOCKED DOWN.

      For example, 99 percent of the workstations I administer draw from a general template that is effectively write locked. Even if you could install or put something on one of those workstations, it would be back to the default template on next logon. And how are you introducing this to our systems if our systems are INCAPABLE of going to anything besides our target systems.

      How are you perpetrating this man in the middle attack?

      Nearly all casual breaches come from people going to places they don't need to go or installing things that don't need to be installed. And then badda bing badda boom they get a virus or a worm. Then the network is often left entirely unsecured from within, which means worms etc. run rampant infecting everything, and eventually the whole situation becomes so toxic that the malware/virus/worm authors/operators take a peek into the network... their software holding the door open for them... also most people don't set up firewalls so this whole thing becomes possible. Etc. etc.

      What I see again and again is people using the example of SHIT security being used as an example for why security is imperfect.

      That's a bullshit argument. Security CAN be perfect. It requires specificity. Rigidity.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    15. Re:All products of this type of shit by Karmashock · · Score: 1

      As to your users needing to exchange information with unknown third parties... depends on the security environment. High security environment? No. You cannot do that.

      The corporate headquarters for Denny's? Probably.

      You can establish protocols for file transfers. Host a file server and grant access to whomever to upload or download a specific file at time X.

      As to compromised endpoints, I sort that by denying unauthorized code to run and the systems are refreshed from a template on login. You can't infect the workstations. And even if you could, they'd purge the infection simply by logging off and on again. Beyond that, the workstations can't communicate with each other. At the appliance level they can communicate with whatever servers they're supposed to be able to talk to and the firewall. Communication between the workstations or to unauthorized servers on the network is not allowed... again, at the appliance level. You'd have to hack the router and firewall to do more.

      As to emails, you make a good point that this is a serious vulnerability. However, do you need to accept emails from any server on earth? What is more, who needs to receive outside email and who does not? And what about attachments? Do we need to permit them or not? These are questions you're not asking here.

      I prefer to route files through a special file server. People can give other people the ability to upload files to it or give other people the ability to download specific files from it. I generally don't like the concept of attachments on emails in a secure environment.

      That said, even if you downloaded BestTrojanEVER.exe and tried to run it on one of those machines. It literally would not run. I make this impossible through about four different changes to the way the computers work. But the result is that only specific Exes in specific places can even run. And those Exes cannot be modified or deleted or renamed. So BestTrojanEver.exe won't even run.

      I do other things to stop unknown scripts from running. Mostly by controlling the programs that ultimately process the scripts so that they can't be accessed arbitrarily or in some cases at all.

      I could go on. The system I've set up is the firmest security I've heard of short of building a secret air gapped network run by mole people under the earth with no door in or out.

      Is there a way into my system? I can't think of one and nor have I even heard of one that didn't involve getting a bit of hardware into my server rooms. At which point that isn't the system's fault... that is whomever let that person or bit of gear into the server room.

      An attack with no physical component though? Correct me... I just don't see how you could do it.

      And I'll point out again, the sort of system I'm talking about... Doesn't get hacked. It's never happened. Ever.

      Am I daring fate? I'm not superstitious.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    16. Re:All products of this type of shit by Anonymous Coward · · Score: 3, Insightful

      Are you really that clueless about security? You were talking about how it's "impossible to get hacked" if you implement "perfect security".

      In that heartbleed example, if your server connects to a third party server to fetch some data over TLS and that third party server initiates a heartbleed based attack to read your server's RAM, security has been breached. It's totally irrelevant whether that RAM holds any meaningful data (which it usually absolutely does: disk encryption keys, VPN keys etc.), what matters is that an attacker breached your "perfect security".

      Security CAN be perfect

      I sincerely hope you don't work in that area. I would never do business with someone who possesses that arrogant attitude towards computer security.

    17. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      At which point that isn't the system's fault... that is whomever let that person or bit of gear into the server room.

      Security also covers physical aspects. What you're assuming is that you implement some absurd security measures on a server that's located in the middle of an open market square, and when that server and its data get stolen, it's not your fault because physical security doesn't fit your idea of security. I'd *really* like to see you explain that to your boss, haha.

      I bet you don't even keep your server room doors locked. And that you audit the manufacturing of your SoCs, processors, GPUs and also audit all software code you run before you build it to your systems.

      Stop being so naive.

    18. Re:All products of this type of shit by Karmashock · · Score: 1

      Hierarchical organization helps with that kind of stuff.

      Also... I can't think of any organization that actually needs several hundred services piped to each workstation... I'm trying really hard to think of what those would all even be...

      Okay... let's say the company has 10 databases because they're too lazy to integrate them.

      That's ten databases.

      Then let's say they need email? In my experience they tend to actually need a way of passing information around the organization rather than accepting and sending information out of it. Email is like 99 percent memos and reports and stuff from inside the organization. To conflate that with the 1 percent of stuff going in and out... Ideally I wouldn't do that.

      Then what else... a web browser with access to a finite and specific number of domains. Is this where you're getting hundreds of services? I don't know. Anyway, I don't know why you'd need users to be able to access that many sites. At least not in a high security environment.

      In a low security environment... I don't know. I'm a little lost in that situation. It's out of my wheelhouse. I'm pathological about controlling EVERYTHING. And I do. Some of the security is bought but a lot of it is proprietary. The likelihood of something people don't have any experience with falling to hackers is "less"... Known bugs of other systems are not applicable to mine. Does mine have bugs? Possibly. More likely something else has a bug in it that will betray my system. But there are so many fucking fail safes.

      It seems like most of your premise is that low security is the only way to go in unskilled environments where even the IT department doesn't understand their jobs. I suppose, but if your security department doesn't understand security then you don't have a security department. :D

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    19. Re:All products of this type of shit by Karmashock · · Score: 0

      Yeah but you'd have to intercept the service in question. Can you detail how you would do that specifically? Because I know of several ways that is done and I believe I have accounted for all of them.

      Why is the firewall or router even letting your communication through? And even if you were able to send data and it were allowed through... you'd never hear anything back from my system unless you're residing at an approved IP address... which is unlikely. I don't just open port 222222 or whatever and route it all to some internal IP address. The IP address on both ends is specified. So best case I'd be replying to your communication... to a completely different IP address. You wouldn't see it.

      I'm not seeing how you would establish two way communications with my systems.

      As to the Iranian stuxnet thing, from what I understand some dope took a USB key from a low security area that was infected and plugged it into the airgapped systems.

      That was just an exploit of sloppy USB drive policy.

      Please correct me if I'm wrong. Honestly. If I've made an error, then enlighten me.

      As to software with no vulnerabilities... I find this argument to be a bit mystical. We could go over every vulnerability you think my network has and I think you'll find that it doesn't exist in my case.

      My security is brutal, simplistic, rigid, and I don't see how you're going to get anything through it that I don't let through it.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
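Karmashock's rule above pins both ends of every permitted connection ("the IP address on both ends is specified"), and the spoofing exchange earlier in the thread (comments 5 and 10) turns on what happens to the reply. The small model below is an added example written for this discussion, not code from the thread or from any product; the addresses, hostnames and routing table are constructed. It shows what an address allowlist does stop, and that it is not authentication.

```python
"""Address-allowlisted, flow-tracking gateway: what it stops and what it does not.

Added example written for this discussion; it is not code from the thread or
from any product. Addresses, hostnames and the routing table are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    """Both endpoints are pinned: this peer, this internal host, this port."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True for the first packet of a new TCP flow


class AllowlistGateway:
    """Default-deny gateway: only listed peer -> host -> port flows may start."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.flows = set()   # 4-tuples of flows already admitted

    def _rule_for(self, pkt: Packet) -> Optional[Rule]:
        for rule in self.rules:
            if (rule.src, rule.dst, rule.dport, rule.proto) == (pkt.src, pkt.dst, pkt.dport, pkt.proto):
                return rule
        return None

    def admit(self, pkt: Packet) -> bool:
        """Accept packets of an established flow, or a SYN that matches a rule."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.flows:
            return True
        if pkt.syn and self._rule_for(pkt) is not None:
            self.flows.add(key)
            return True
        return False

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """The host's answer is addressed to whatever source the request claimed."""
        if not self.admit(pkt):
            return None
        return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport, proto=pkt.proto)


# Constructed routing table: which machine actually holds each address.
ROUTES = {
    "203.0.113.10": "partner-db",   # the one approved peer
    "198.51.100.7": "stranger",
    "10.0.0.5": "internal-db",
}


def deliver(pkt: Optional[Packet]) -> Optional[str]:
    """Routing looks only at the destination address."""
    return None if pkt is None else ROUTES.get(pkt.dst, "unrouted")


def simulate() -> dict:
    """Run three senders against one both-ends-pinned rule and report outcomes."""
    gw = AllowlistGateway([Rule(src="203.0.113.10", dst="10.0.0.5", dport=5432)])
    partner = Packet("203.0.113.10", "10.0.0.5", 40000, 5432, syn=True)
    stranger = Packet("198.51.100.7", "10.0.0.5", 40001, 5432, syn=True)
    # A third party writes the approved address into its own packets. The
    # gateway cannot tell; only the routing of the reply exposes the difference.
    forged = Packet("203.0.113.10", "10.0.0.5", 40002, 5432, syn=True)
    stray = Packet("203.0.113.10", "10.0.0.5", 40003, 5432, syn=False)  # no handshake
    return {
        "partner_admitted": gw.admit(partner),
        "partner_reply_to": deliver(gw.reply(partner)),
        "stranger_admitted": gw.admit(stranger),
        "forged_admitted": gw.admit(forged),
        "forged_reply_to": deliver(gw.reply(forged)),
        "stray_admitted": gw.admit(stray),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The run shows the two halves of the argument at once. The unlisted host and the packet with no handshake are dropped, which is the locked-down behaviour Karmashock describes. The packet carrying a forged approved address is admitted, because an address list is all the gateway has to go on, and the reply is routed to the real holder of that address; a sender that cannot see that reply never completes the TCP handshake, which is the "you're not getting a return" point made in the thread. Anyone who can observe or divert traffic for the approved address (the ISP-level scenario raised later in the thread) does see it, which is why the thread's own VPN suggestion, or mutual TLS, is the control that actually authenticates the peer; the address rule only narrows who can try.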
    20. Re:All products of this type of shit by xeno · · Score: 1

      Whooosh.

      "users needing to exchange information.. [no]" and "protocols for file transfers...upload or download a specific file at time X."
      No ad-hoc messaging in business? The environment you describe does not exist.

      "Communication between the work stations or to unauthorized servers on the network is not allowed... again, at the appliance level"
      Soooo.... you replaced the hub with a switch?

      "refreshed from a template on login. You can't infect the workstations."
      Check out Angler malware. Oh, and for two scoops of irony, use the browser in your liveCD Kali distro to read up on in-mem exploits for debian.

      "unauthorized code" or "BestTrojanEVER.exe"?
      Not required, nor is code persistence. The default OS contains more than enough helpful code you had to whitelist. But it *is* terribly helpful of you to eradicate the host OS after user creds are compromised, so there's no pesky log data.

      "about four different changes to the way the computers work"
      You don't know much about Windows or *nix, do ya? Or computers?

      "The system I've set up is the firmest security I've heard of short of building a secret air gapped network run by mole people under the earth with no door in or out."
      Mole people? Who... who told you about the mole people?

      "the sort of system I'm talking about... Doesn't get hacked. Its never happened. Ever."
      Oh sure it does. Go read up on Buckshot Yankee and SIPRNet. Took three years for the US feds to clean up that shit, all because some lonely intel guy stationed in the sandbox wanted to look at boobies on a goddamn thumbdrive.

      "attack with no physical component...just don't see how you could do it"
      If you use anyone else's code.... Oh shit... are you forking TempleOS?

      *blink*

      --
      I think not...(*poof*)
    21. Re:All products of this type of shit by Karmashock · · Score: 0

      I'm interested as to how you're using the heartbleed bug in this scenario to get anything. I'm well aware of how the bug works and I was passively immune to the issue in like five different ways. I'm just not getting how you're doing this...

      You're not talking to my server unless you're contacting me from an approved IP address. And if you spoof the IP... you're not getting a return.

      There are many other reasons why this wouldn't work in my case but I think I'll just stop there. That seems pretty solid. How are you talking to the server at all when the server won't talk to you?

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    22. Re:All products of this type of shit by Anonymous Coward · · Score: 1

      Yeah but you'd have to intercept the service in question. Can you detail how you would do that specifically? Because I know of several ways that is done and I believe I have accounted for all of them.

      By compromising the transmitting end, for example. I could do that using various means, maybe even by physically entering their premises.

      Why is the firewall or router even letting your communication through? And even if you were able to send data and it were allowed through... you'd never hear anything back from my system unless you're residing at an approved IP address... which is unlikely. I don't just open port 222222 or whatever and route it all to some internal IP address. The IP address on both ends is specified. So best case I'd be replying to your communication... to a completely different IP address. You wouldn't see it.

      I'm not seeing how you would establish two way communications with my systems.

      The same as what I said above.

      As to the Iranian stuxnet thing, from what I understand some dope took a USB key from a low security area that was infected and plugged it into the airgapped systems.

      That was just an exploit of sloppy USB drive policy.

      If your security measures assume everyone plays by the rules *you* lay out, your security is imperfect. If you have not accounted for this, your security is even more imperfect.

      Please correct me if I'm wrong. Honestly. If I've made an error, then enlighten me.

      Read above.

      As to software with no vulnerabilities... I find this argument to be a bit mystical. We could go over every vulnerability you think my network has and I think you'll find that it doesn't exist in my case.

      So you've audited the microcode running on your computers' processors? You've audited all the firmware in every single component in use in your systems and compiled the binaries yourself on a trusted machine that has also been audited in and out?

      If not, you cannot be certain that there are no bugs or backdoors in the hardware (hardwired) or software. This alone counters your assumption of perfect security.

      For anyone interested, here's a few clues why there is no such thing as perfect computer security.

      My security is brutal, simplistic, rigid, and I don't see how you're going to get anything through it that I don't let through it.

      Just because you personally think your security is perfect does not make it so. Let alone make the idea of perfect security a universal fact. The moment you trust something to someone else, be it hardware or software or even people, you lose security to a certain degree.

    23. Re:All products of this type of shit by Karmashock · · Score: 1

      My server doors have fancy locks on them, thanks.

      As to physical security... they're not getting into the server room without compromising someone with access or coming in with a commando squad... maybe Tom Cruise could come in on wires from the ceiling?... I don't know.

      One thing I'm noticing from around here is that people don't have a lot of experience with high security. Buildings where you can't get into the lobby without being buzzed in... where you can't go to the right floor without a key card.

      That is the sort of security you'd go through to get into the headquarters of Denny's... that isn't even high security. That's just standard corporate security theater.

      And you think my server doors aren't locked? They have locks.

      As to issues of physical security, this is actually my biggest worry at this point. I've set up a lot of things to make that harder. Everything is really in the server rooms. The workstations are thin clients. If you unplugged one and went digging for its storage... you'd find a little SD card with some config information. Nothing sensitive.

      As to people plugging stuff into our network. There are a lot of ways to make it so people can't do that. Again, mostly from the server room. Most cisco routers can stop it if you configure them properly.

      But is the security vulnerable to someone physically inside the network? Here I'm a little more iffy. I'm not 100 percent. From outside attack? They're not getting in. Internally... I've done everything I can think of to make it quickly detected and very difficult. That's all I think that is possible without... owning a network company and designing some enterprise switches that are more sophisticated.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    24. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      And if you compromised the approved IP at ISP level and redirected it to a computer used with malicious intent? Improbable? Yes. Impossible? No. What does it take? One disgruntled ISP worker with the required privileges or someone high-skilled with physical access to their facilities.

      Another attack vector would be compromising the third party server outside your network that your server is talking to. Or cosmic rays flipping the bits in your equipments' RAM in a way that makes your network vulnerable.

      This means there are attack vectors you can't do or haven't done anything about and this voids the idea of your perfect security. No matter how improbable, they are still possible.

    25. Re:All products of this type of shit by Karmashock · · Score: 0

      Okay so you're saying you're going to hack my system by first hacking someone I talk to...

      Okay, but the information sent back and forth is highly specific... and contains no executable code. You can't send commands over those channels. There's nothing "listening".

      A few databases are accessed... I'm not sure how you're compromising my system yet?

      I mean if you get their codes and access from their systems... then you can access me using their codes and get access to what they have access to. But that's about it. You can't upload anything that doesn't squeeze into a database variable at our systems.

      That said, I do grant you that if you totally compromised a trusted system... you might be able to introduce something. There is a high probability it wouldn't work for a lot of reasons and the mere attempt would be very likely to set off alarms. But assuming you were really lucky... Maybe.

      Ideally the security I'm talking about would be uniformly employed at any trusted system which would make doing this harder.

      There is no defense against a full breach of physical security. I can't stop you from doing whatever if you get that deep into my systems. I'm not seeing how your hack of the rival would give you much. You couldn't just access whatever you wanted.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    26. Re:All products of this type of shit by Karmashock · · Score: 1

      No ad hoc file transfer is standard in high security environments.

      Otherwise you get someone that says "I'm mad so I'm going to send organization files to location X".

      You know those wikileaks cable leaks? They were leaked by a fellow that went to an isolated room with a rewritable CD. They let him bring the rewritable CD into the room because they thought it could only be music. He then proceeded to put the disc into one of these secure systems and copy the data off of the secure system onto the rewritable disc. He'd then put the disc back into his music player and walk out the front door. Did you notice the total lack of email inside that room?

      And that was still shitty security. Why did the computers have CD burners in them? Why could the user access the file system when clearly he was just going to use some internal database? A cheap ass kiosk system would have stopped that guy.

      As to switches and hubs... I'm saying workstations can't talk to each other. So worms etc can only go between the servers and the workstations. Not workstation to workstation. For a given workstation to infect another machine it would first have to infect a server. Which isn't going to happen.

      As to log data, why would I store that on the workstations? That's silly. Log information is piped to a specific server that runs a lot of scripts to flag patterns or suspicious behavior.

      I'm still not seeing how you ran your malicious code though. Your example is an attachment in an email. So we're talking about a file. How are you executing it? None of the scripting programs are arbitrarily executable by the user and most of them are simply disabled entirely.

      So there is this attachment... what type of file would it be? exes won't run... script files won't run... Suppose you're thinking about a script embedded in a pdf or something?

      In any case, I don't permit email attachments in that way. They go through a different process. They are subjected to a virus scan at that point... yes... vulnerable to zero days. But all the programs that allow embedded scripts all have limited permissions themselves.

      Your Buckshot Yankee example was another case of bad thumb drive policy. In a high security environment, why would you be able to stick a thumb drive into anything short of a server or a machine specifically for that purpose and physically under observation? We're talking about defense secrets in this case. You don't let any jack ass download whatever on to a thumb drive and then walk off. Or insert a thumb drive into the system from god knows where.

      The NSA for example don't allow you to bring any such thing into their high security rooms. You can't bring your phone, a thumb drive... nada.

      As to your mystical notion that it's possible because you believe that. I'd like to hear how they could do it? Because your Buckshot Yankee example wasn't very good. They got a thumb drive into an area where apparently people could plug thumb drives in. Same thing the Iranians fell for. You can't use thumb drives in my network. The drivers are tweaked. :)

      USB is wonderful for consumers but is a fucking nightmare for security because it is so adaptable. You can do anything through USB. I'd much prefer the old PS/2 and parallel ports. But getting hardware for them is too painful.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    27. Re:All products of this type of shit by Anonymous Coward · · Score: 1

      What I don't understand is why you get 2 mod points for every comment you make the very second you post them. Are you multi accounting?

      Okay so you're saying you're going to hack my system by first hacking someone I talk to...

      Okay, but the information sent back and forth is highly specific... and contains no executable code. You can't send commands over those channels. There's nothing "listening".

      A few databases are accessed... I'm not sure how you're compromising my system yet?

      I mean if you get their codes and access from their systems... then you can access me using their codes and get access to what they have access to. But that's about it. You can't upload anything that doesn't squeeze into a database variable at our systems.

      That said, I do grant you that if you totally compromised a trusted system... you might be able to introduce something. There is a high probability it wouldn't work for a lot of reasons and the mere attempt would be very likely to set off alarms. But assuming you were really lucky... Maybe.

      Ideally the security I'm talking about would be uniformly employed at any trusted system which would make doing this harder.

      There is no defense against a full breach of physical security. I can't stop you from doing whatever if you get that deep into my systems. I'm not seeing how your hack of the rival would give you much. You couldn't just access whatever you wanted.

      Here you acknowledge that there is no such thing as perfect security and that hacking just about any system is not "basically impossible". It can be easy or it can be difficult, but not impossible. That was your original argument and that argument has now been shown to be false.

    28. Re:All products of this type of shit by Karmashock · · Score: 0

      Why would my server be connecting that way to anything? And you say "read"... but where are you sending it and how? The fire wall won't let you send it anywhere else.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    29. Re: All products of this type of shit by Anonymous Coward · · Score: 0

      Everything you mention is defeated on a daily basis. If it was that easy we would have had perfect security since the 80's.
      You like that word, "perfect," don't you? It's a nice idea but surely you realise computers themselves are not perfect. So any security can only be as perfect as the machines it's made on.

    30. Re:All products of this type of shit by Anonymous Coward · · Score: 1

      My server doors have fancy locks on them, thanks.

      I take it these locks are not impenetrable. Nor are the walls. Someone might penetrate these and hack from the inside, similar to the way Tom Cruise did in your example. Security: not perfect.

      One thing I'm noticing from around here is that people don't have a lot of experience with high security. Buildings that you can't get into the lobby without being buzzed in... where you can't go to the right floor without a key card.

      That is the sort of security you'd go through to get into the headquarters of Denny's... that isn't even high security. That's just standard corporate security theater.

      I've walked in to many corporate buildings without any credentials whatsoever. I've even accessed a regional police HQ switch room without anybody asking anything the moment I entered the building. I had reason to access that room, but I had never visited the premises nor did I have any work credentials on me.

      This is the way the world actually works outside absurd theoretical security models. Just because you may have your security tightened up, if you are doing any kind of business you are still dependent on third parties, who are dependent on other parties etc. Unless the whole chain is flawless, your security is as good as the weakest link in that chain. And even if it is "flawless", it really isn't because nobody knows all the possible bugs and exploits that may exist.

      As to people plugging stuff into our network. There are a lot of ways to make it so people can't do that. Again, mostly from the server room. Most Cisco routers can stop it if you configure them properly.

      Cisco? Lol.

      From outside attack? They're not getting in.

      Yeah. Sure.

      You just don't seem to get it.

    31. Re:All products of this type of shit by BVis · · Score: 1

      You're also assuming the attack comes from outside the organization. Any infosec worker worth their copy of Wireshark knows that the biggest threat comes from inside, not from outside.

      --
      Never underestimate the power of stupid people in large groups.
    32. Re:All products of this type of shit by BVis · · Score: 1

      Also... I can't think of any organization that actually needs several hundred services piped to each workstation... I'm trying really hard to think of what those would all even be...

      Your lack of imagination does not negate the possibility.

      Okay... let's say the company has 10 databases because they're too lazy to integrate them.

      Why would they integrate them? What's the business advantage of doing so? Do you really think the suits are going to allow you to spend the time doing this when there's virtually no benefit, and it's much more important to fix the shade of red on the landing page?

      Then let's say they need email? In my experience they tend to actually need a way of passing information around the organization rather than accepting and sending information out of it.

      This is pure bullshit. Companies need to communicate just as much with the outside world as they need to with each other. Have you ever actually worked in a corporate network environment? Your 99% number is invented from whole cloth.

      Then what else... a web browser with access to a finite and specific number of domains.

      Who's going to manage that? What's keeping the end users from using another browser?

      Anyway, I don't know why you'd need users to be able to access that many sites. At least not in a high security environment.

      You're delusional. The suits are never going to stand for having to ask permission every time they need to go to a site not on the whitelist. You're better off using one of the filtering services that's out there (blacklist).

      I'm pathological about controlling EVERYTHING. And I do.

      And when someone with "Chief" at the start of their job title tells you that they control something, not you, what are you going to do? You can quit or be fired. No, you make the exception. I've worked at multiple Fortune 500 companies that allowed the C levels to do pretty much whatever the fuck they wanted.. and one of them let the users do whatever the fuck they wanted, including porn. You can try to control everything, and you might succeed, but sooner or later someone with hire/fire over you will make you make an exception.

      The likelihood of something people don't have any experience with falling to hackers is "less"...

      Have you ever heard of a zero-day vulnerability?

      it seems like most of your premise is that low security is the only way to go in unskilled environments where even the IT department doesn't understand their jobs. I suppose but if your security department doesn't understand security then you don't have a security department. :D

      IT incompetence is a thing to be sure. But, it's more likely that IT is only about 50% staffed for the workload they have, and also that they will not be allowed to implement security measures if the suits don't like it. Very often their hands are tied. Without executive buy-in, they're bullied into doing whatever the fuck the users want, security be damned.

      I'd like to live in your world where you never run into idiots that have power over your policies and basically make it impossible to do your job sanely. "Do it or you're fired" is a thing.

      --
      Never underestimate the power of stupid people in large groups.
    33. Re:All products of this type of shit by gweihir · · Score: 1

      Hierarchical organization helps with that kind of stuff.

      Also... I can't think of any organization that actually needs several hundred services piped to each workstation... I'm trying really hard to think of what those would all even be...

      I cannot tell you where I have seen that because I am under NDA. But believe me, these organizations exist, they are large, and you more likely than not would recognize the names. I have to admit that I do know about these several hundred services only for servers. It may or may not be less for laptops and workstations. As some of the servers can push software to each laptop and workstation, this is a moot point though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    34. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      What I don't understand is why you get 2 mod points for every comment you make the very second you post them.

      He gets a karma bonus. Usually crapflooding isn't rewarded this way on slashdot, but he posts lots of comments that nobody reads, to counter his downmodded comments. Then add in the occasional karma-whoring comments he posts to get upmodded and you get sufficiently positive karma that he can post at +2 instead of +1.

      Are you multi accounting?

      That would certainly help him to keep the karma up on this account.

      Here you acknowledge that there is no such thing as perfect security and that hacking just about any system is not "basically impossible". It can be easy or it can be difficult, but not impossible. That was your original argument and that argument has now been shown to be false.

      Careful, he does not understand that term to mean what the rest of the world understands it to mean.

    35. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      Well, sure. And if you air gap the system you markedly decrease the opportunity of anyone hacking it. The problem is in the real world systems just don't work the way you propose. If people are doing real work on the system they are connecting to external systems. Sometimes they need to connect to external systems that you don't know about beforehand. Buyers connect to vendors to buy new products, that's a new unlisted IP address. Vendors talk to buyers, what are you going to do? Whitelist every new client your company gets? What happens when they change ISPs? Your system no longer connects to them? The CEO wants to use his desk PC to check on his vacation reservations. You're going to tell him he can't?
      You might be able to have such a system if all you do is accounting, for example, for a large corporation, and have draconian rules about users only connecting to other company servers, and use some kind of old school UNIX accounting program. Except modern businesses don't work like that. All companies I've dealt with, even government agencies use commercial operating systems, with commercial applications. They have Internet connections because that's how you communicate with your customers. You send email to other geographic locations.

    36. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      In the case of Stuxnet the USB contained patches from the vendor. The vendor's supposed high security system was compromised and the attack software placed in the patches so that they were introduced when the system was patched. The attacks used zero day exploits to get onto the "secured" vendor site.

    37. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      Depends what you mean by hack. Exfiltrating (and possibly injecting) data from those systems is certainly possible -- since I didn't see you mention anything about Tempest shielding, physically blocking USB ports (remember Stuxnet?), etc, etc.

      Security isn't just about the software, it's about physical access (just has to be "close enough", not hands-on), social engineering, and so on. You can nail down your protocols all you want but it doesn't help if your upstream hardware supplier has been hacked to include a circuit that exfiltrates data by, say, power line modulation.

    38. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      A hacker works by exploiting flexibility. If there is none, then there is nothing to exploit.

      If humans interact with the system in any way, then there is always something to exploit. If they don't, the system will fall over and die on its own as things start to wear out.

    39. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      High security environment? No. You cannot do that.

      Right, because Edward Snowden totally didn't get any data from NSA's environment.

      And in the 1970s the US Navy totally didn't tap into the Soviet Union's undersea military communications cables.

      Oh, wait, he did and they did.

    40. Re:All products of this type of shit by bobstreo · · Score: 1

      I have to go into the server room to "change the air filters" "do the electrical inspection" "To check the pipes"

      Check your logs/permissions for "visiting maintenance" people. There may be hundreds, depending on how big it is.

    41. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      I still have customers who claim to NEED telnet and FTP. The term NEED is subjective.

    42. Re:All products of this type of shit by xeno · · Score: 1

      Not sure why I keep taking the bait on this, but... two things:

      1. Just to pick an example: I proposed that one of your users receives *content* (not an exe) that first subverts the function of existing whitelisted exes, then inserts a logical payload; a mildly good version of this will never hit disk or appear as anything more than a new thread of an existing process. Impossible? You are /sure/ that configuring "about four different changes to the way the computers work" contains all risk of misuse or abuse of a particular function type, and all potential vulnerabilities that would unintentionally allow such, in an open system comprising 40 million lines of code in its default configuration? You are the very definition of an optimist.

      2. Where the rubber meets the road: The systemic error you've made is assuming you are the smartest guy in the room. You might well be smarter than me, but you are assuredly not smarter than all of your adversaries... where "smarter" may be measured by totality of information about a complex and dynamic system (in which case, there is no condition in which it is possible to have total knowledge or control), or the ability to logically use and creatively combine the resources local to you (not humanly possible to disposition all possible permutations of a mesh graph with a nontrivial number of nodes). If you think you have accounted for all possibilities and logically made errors impossible, then you lack sufficiently deep understanding of the game.

      It should be very easy to find you, either from the Hindenburg-size ego, or by following the immense target you painted on your own network. Wrong? Would you post your gateway's public IP ? (I say this to make a point. Please don't be so stupid as to actually connect your personal arrogant bluster with any professional responsibility to protect assets.) In a way I am grateful for opinions like yours, because I'll be fully employed at top dollar well into my old age, doing rescue jobs when your unsinkable ship does the impossible.

      'Nother day, 'nother dolla, Dolla dolla dolla bill y'all...

      --
      I think not...(*poof*)
    43. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      Systems like the ones I'm describing are not hacked. Ever. Not by the NSA. Not the Russians. Not by the Chinese.

      Very funny! You really believe VPN is secure? LOL! You poor dear!

    44. Re:All products of this type of shit by Anonymous Coward · · Score: 0

      I can't be sure that the GP AC really meant this, but...

      You're thinking about it wrong. If YOU are the one who has secured this network, then the attack vector becomes YOU, not your network. The AC is saying (I think) that when he shits down your throat and tortures you in various ways, you will comply. If a reasonably strong network of criminals gives you more money than you know what to do with, you would comply. If a three letter asshat agency comes along and threatens you and breaks you down financially, you will comply. It takes someone with a hell of a lot of balls (I'm thinking a Ladar Levison type of person) to stand up to that. You may be that type of person, but many of us aren't. Good luck to you.

  4. Piggyback by randalware · · Score: 1

    So who is piggybacking on whom ?

    Cops on crooks ?
    Crooks on Cops ?

    Will there be a difference ?
    Both will leave us broke with a bad reputation on file.

    --
    This is my opinion based on what little I know and understand of the rumors and lies Thanks, Randal
  5. Who will watch the watchers? by ghee22 · · Score: 1

    Hackers.

    --
    "Persistence is annoying success." - ghee22 11:28:1999 - 10:53:PM
  6. buy it or be labeled a racist by frovingslosh · · Score: 1

    Of course, I couldn't want to be labeled a racist, so I would never prohibit an organization from buying a security tool built by the Chinese. Let's all run our secure data through E-Defective!

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:buy it or be labeled a racist by Anonymous Coward · · Score: 0

      If you don't buy it simply because it was made in China, then you're a racist. Only a Republican would believe otherwise.

    2. Re:buy it or be labeled a racist by Anonymous Coward · · Score: 0

      If you're a Chinese-American republican and you don't buy it because it's made in the People's Republic of China are you still a racist?

    3. Re:buy it or be labeled a racist by Anonymous Coward · · Score: 0

      Yes, because you're a Republican. They're all ignorant racists that believe in weapons to be used to subjugate women and minorities. That is the way of their kind.

  7. free ethical hacking and linux course online by Anonymous Coward · · Score: 0
  8. No surprise by gweihir · · Score: 5, Insightful

    This just demonstrates that states attacking computers and placing backdoors does massively more damage than could ever be compensated by any possible benefits. Hence it is one of the most stupid things to do and only desired and done by people that really have no clue or do not care how much damage they do. Usually the latter type of person is called "evil", and with good justification.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. dem haxx0rz r in de law enforcement softs nao by Anonymous Coward · · Score: 0

    But only them, because for anybody else exploiting holes is just too hard. Obviously.

  10. plz visit by nishanbd · · Score: 0

    Hello, Thanks for your valuable post. Hope you will give us the same valuable post in the future. I have found another good website. You can visit this website to know more. I have got a lot of knowledge from this website. Click Here to go website. Thank you.

  11. Brilliant! by doas777 · · Score: 1
    Whoever considered outsourcing your espionage work to the very people you are spying on? Genius!

    The Chinese have this outsourcing thing down from multiple angles.

  12. I just checked the program by behrooz0az · · Score: 1

    It's UTTER SHIT. No features, no details, no statistics, no advanced filtering.
    You can't even filter a specific port/protocol, the only thing it does is reading yahoo chat.
    SSL decryption is non-existent.
    Anything you think should be there is not.
    I have no idea why anyone would use/hack it, tcpdump is like 20 times stronger. It's not even comparable with wireshark.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  13. Hmmm ... by gstoddart · · Score: 1

    So, basically a badly written tool, used by clueless police who don't understand the technology, so they can spy on us, but which can be accessed by people who figure out it's easier to spy on the clueless idiots who use a badly written tool because they've already captured everything.

    Go police, first you insist we have weak security so you incompetent morons can spy on us, and then you buy crap software with huge security holes so everybody else can spy on us.

    This is why we can't have nice things.

    And this is exactly why back doors in crypto and security to allow the fucking police to spy on us will never work.

    Because the spying tools are additional security risks.

    --
    Lost at C:>. Found at C.
  14. Shodan? by Shoten · · Score: 1

    Does anyone have any banner or other information for this product that could be searched in Shodan? :)

    By the way, if you haven't looked at the exploit on GitHub, it's ridiculously simple. The script on the server is there for file retrieval; pass it the path and filename to the file you want, encoded in base64, and it sends you the file.

    Makes me want to ask the vendor, "Hi...I'm the idea of using service accounts with minimized rights for listening network services, Have we met?"

    --
    For your security, this post has been encrypted with ROT-13, twice.
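The retrieval script Shoten describes is an arbitrary file read: the server base64-decodes a path and returns whatever it names. As an added example (not the vendor's code, and not the GitHub exploit), this Python handler keeps the same interface but confines the decoded path to a fixed export directory, rejecting absolute paths, `..` traversal and symlinks that resolve outside it; the export directory, file names and contents are constructed for the demo.

```python
import base64
import binascii
import os
import tempfile
from pathlib import Path


class FileAccessDenied(Exception):
    """Raised when a requested path is malformed or escapes the export directory."""


def decode_requested_path(encoded: str) -> str:
    """Decode the base64 path parameter; anything that is not valid base64 UTF-8 is rejected."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise FileAccessDenied(f"malformed path parameter: {exc}") from exc


def resolve_safe_path(base_dir: Path, requested: str) -> Path:
    """Confine a client-supplied relative path to base_dir.

    The check runs on the resolved filesystem location, so '..' components and
    symlinks pointing outside base_dir are caught, not just their textual form.
    """
    if not requested or "\x00" in requested:
        raise FileAccessDenied("empty path or embedded NUL")
    if os.path.isabs(requested):
        raise FileAccessDenied("absolute paths are not permitted")
    base = base_dir.resolve(strict=True)
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError as exc:
        raise FileAccessDenied(f"path escapes export directory: {requested}") from exc
    if not candidate.is_file():
        raise FileAccessDenied(f"not a regular file: {requested}")
    return candidate


def fetch_file(base_dir: Path, encoded_path: str) -> bytes:
    """Hardened form of 'pass it a base64 path and it sends you the file'."""
    requested = decode_requested_path(encoded_path)
    return resolve_safe_path(base_dir, requested).read_bytes()


def demo() -> dict:
    """Build a throwaway export directory (constructed sample data) and exercise the handler."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "exports"
        base.mkdir()
        (base / "session1.txt").write_bytes(b"constructed sample capture\n")
        # A file outside the export directory stands in for anything the server must not serve.
        secret = Path(tmp) / "secret.conf"
        secret.write_text("do-not-serve\n")
        (base / "link").symlink_to(secret)  # symlink escape, assumes a POSIX filesystem
        requests = {
            "legit": "session1.txt",
            "traversal": "../secret.conf",
            "absolute": str(secret),
            "symlink": "link",
        }
        for name, path in requests.items():
            encoded = base64.b64encode(path.encode()).decode()
            try:
                results[name] = fetch_file(base, encoded)
            except FileAccessDenied as exc:
                results[name] = f"denied: {exc}"
        try:
            fetch_file(base, "not base64!!")
        except FileAccessDenied as exc:
            results["garbage"] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome!r}")
```

Running the handler under a dedicated low-privilege account, as the last paragraph of the comment suggests, limits what even a successful bypass of this check could read.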