Slashdot Mirror

← Back to Stories (view on slashdot.org)

WikiLeaks Reveals A CIA LAN-Attacking Tool From 'Vault 7' (betanews.com)

Posted by EditorDavid on from the men-in-black-in-the-middle dept.

An anonymous reader quotes BetaNews: WikiLeaks continues to release revealing documents from its Vault 7 cache. This time around the organization introduces us to a CIA tool called Archimedes -- previously known as Fulcrum. As before, there is little to confirm whether or not the tool is still in active use -- or, indeed, if it has actually ever been used -- but the documentation shows how it can be installed on a LAN to perform a man-in-the-middle attack.

The manual itself explains how Archimedes works: "Archimedes is used to redirect LAN traffic from a target's computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target's web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session."
HotHardware notes that WikiLeaks "also provided the full documentation for Fulcrum, which goes into much greater detail about how the man-in-the-middle operation is conducted" -- including this instruction in the guide's "Management" section. "If you are reading this then you have successfully delivered the Fulcrum packages and provided the binaries with code execution. Hoorah! At this stage, there is not much to do other than sit back and wait."

24 of 52 comments (clear)

  1. Ettercap by Anonymous Coward · · Score: 5, Informative

    W00h00, they reinvented ettercap:
    # ettercap -i eth0 -T -M arp /192.168.111.1/ /192.168.111.2/

  2. Re:Now Trump can stop this! by Anonymous Coward · · Score: 1

    What makes you think that Trump would want to stop this?

    That shit about people projecting their own values onto Trump is the real deal, all right.

  3. What About HTTPS? by Anonymous Coward · · Score: 1

    If this tool cannot support forging a response such that it appears to have come from the requested server then it would seem to have limited use. One of the reasons why X.509 certificates, which are the sort commonly used for SSL and HTTPS, are signed is to prevent a MITM from successfully impersonating the response by introducing a third party co-signer of the original certificate, namely the certificate authority. The situation could be complicated still further by the use of an encrypted point-to-point or site-to-site connection through SSH or VPN. This is the sort of tool that might work on a naive or unsophisticated target, but against an well informed and equipped adversary it would probably not suffice, unless it has the capability to punch through the security measures described above too, which would be impressive to say the least.

    1. Re:What About HTTPS? by scdeimos · · Score: 5, Informative

      You put far too much faith in HTTPS.

      The default settings of SSL/TLS libraries on most operating systems make man-in-the-middle attacks trivial. When an SSL/TLS session is negotiated only the following things are validated:

      1. The origin server certificate trust chain is ultimately signed by a Trusted Root certificate - any trusted root certificate.
      2. The valid-from and valid-to dates on the certificate are current.
      3. The desried host name is in the Subject or SubjectAlt fields, which is a useless check with 0% value.

      So, why would I say that the host name check is a useless check with 0% value? Because TLS has been neutered since SNI was introduced (RFC 3546 Transport Layer Security Extensions # Server Name Indication). Before then SSL/TLS was "reasonably secure" but since then it is virtually worthless. Under SNI the connecting client tells the origin server which host name it is connecting to and, thanks to that gaping hole, the origin server (or any man-in-the-middle appliance) has enough information to either generate a fake certificate or pull one out of its cache.

    2. Re:What About HTTPS? by Anonymous Coward · · Score: 1

      SNI is not the problem.

      If you have the ability to generate valid certificates that chain properly to a trusted root certificate, then with or without SNI doesn't matter. Without SNI the every server name would have to have a unique IP, so the MITM would know who you're connecting too. With SNI you have to tell the server which identity you're trying to connect to, so the MITM would know who you're connecting to.

      SNI doesn't change the security of SSL/TLS.

    3. Re:What About HTTPS? by AHuxley · · Score: 1

      Might save a user on a wider global network. A Project Bullrun or Edgehill seemed to show some thinking about the HTTPS issue https://en.wikipedia.org/wiki/....
      Back in the plain text part at the safe end of the LAN network?

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:What About HTTPS? by scdeimos · · Score: 4, Informative

      I think maybe your head is in the sand if you can't see how SNI weakened TLS as a security protocol. SNI was created because Web Hosters and businesses didn't want to keep paying for additional IPv4 address space - prior to that you could only host a single SSL/TLS-enabled web site on any given IPv4's tcp/443. Instead of migrating everybody to IPv6 where every host could have a unique address they pushed for SNI to add HTTP Host-like header capabilities to TLS.

      Your premise that SNI is not a huge problem is only valid if, and only if, you can guarantee that every single trusted root certificate (and every single Server Identity capable intermediate certificate signed by them) has never been compromised by an attacker. Show me any US-based Certificate Authorities issuing NSL canaries and the like. Some CAs don't even specify a maximum chain length on their root/intermediate certificates.

      If you'd like to see a practical HTTPS man-in-the-middle demonstration on your favorite Windows desktop just install Telerik's Fiddler tool and enable the HTTPS Intercept option. This installs its own certificate into your Trusted Root Certificate store and then re-encrypts all of your HTTPS connections so you can inspect the traffic.

    5. Re:What About HTTPS? by scdeimos · · Score: 1

      I never said there were not easier ways to infiltrate computers. If you actually read what I replied to I was pointing out that the parent put far too much faith in the ability of X.509 certificates and SSL and HTTPS, apparently assuming that they are the cure-all for MITM attacks when, in fact, they most definitely are not. (At least not as currently implemented.)

    6. Re:What About HTTPS? by phantomfive · · Score: 1

      Is there a proof-of-concept or anything for this vuln? I can't find anything.....I did find this, which clearly shows that HTTPS is vulnerable to hostile governments, but that's not the exploit you're talking about.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:What About HTTPS? by BronsCon · · Score: 1

      prior to that you could only host a single SSL/TLS-enabled web site on any given IPv4's tcp/443.

      Which, of course, meant that knowing which IP address someone was communicating with using SSL also meant knowing which site they were visiting. Now, with SNI, you need more than the packet headers to determine which site someone is talking to.

      It's no more or less secure, the same number of attack vectors exist, and with the same difficulty of attack; the attack surface just looks different now. That you can see the new attack vector but completely missed the old one does not change that.

      So I see you're talking to an IP address that is known to only host somesitethensacaresabout.net, I then know you're talking to somesitethensacaresabout.net and can go ahead and forge a certificate for that site, poison your DNS, and inject myself in the middle. That's before SNI, and still today for sites not utilizing SNI.

      Today? I see you're talking to an IP address that is known to host somesitethensacaresabout.net, anothersitethensadoesntcareabout.com, yetanothersitethensadoesntcareabout.com, onemoresitethensadoesntcareabout.com, additionalsitethensadoesntcareabout.com, someothersitethensadoesntcareabout.com, and stillanothersitethensadoesntcareabout.com, along with dozens of others. I can't guess which site you're trying to reach, so I either have to obtain certificates for all of them and *severely* poison your DNS (with dozens of falsified entries) and hope you're talking to the site I actually care about, or skip the certificates initially and just severely poison your DNS to see which site you're talking to (at which point you'll know something is up because your connections will fail due to lack of a proper certificate) before bothering to get a certificate.

      One of those is a fair bit more work and much easier to detect.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    8. Re:What About HTTPS? by BronsCon · · Score: 1

      You connect to the IP address on port 443 and, well, wouldn't ya know it, you're presented with the site's public certificate which, in turn, identifies the site. Aside from that, do you really thing the NSA (as in my example) doesn't know the IP address of every public-facing server hosting somesitethensacaresabout.net?

      I see why you posted anonymously.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  4. ARP poisoning? by schweini · · Score: 2

    This sounds like a simple ARP poisoning attack? No big deal?

    1. Re:ARP poisoning? by BlueStrat · · Score: 1

      I disagree. Windows compromises are about as newsworthy as, "man flushes toilet. News at 11."

      It's not the Windows compromises themselves that are the "interesting" part, it's all the information and clues that can be gleaned from them about things like precisely what data is being collected, by whom, where it's sent, how often, where/what servers are sending it instructions, etc etc. There's a possible treasure-trove of useful data that can be gleaned, or at least hints and clues to further investigations and possible paths towards mitigation strategies.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  5. Um... this is common? by Anonymous Coward · · Score: 1

    Almost every corporation in America uses the exact same technique to snoop and log employees' browsing habits. SSL MITM injection is nothing new at all.

  6. Re: Now Trump can stop this! by PopeRatzo · · Score: 3, Insightful

    Trump said he was going to stop this.

    He also said Trumpcare was going to cover everyone.

    --
    You are welcome on my lawn.
  7. So what's it used for really? by Anonymous Coward · · Score: 1

    Is this the sort of thing that allows them to turn anyone into a terrorist or pedophile, by sending whatever they want no matter what the actual request had been?

  8. New or not, important to know and document by jbn-o · · Score: 1, Insightful

    Perhaps not new to IT admins but quite new to the vast majority of computer users who were likely unaware such things were possible, being done by the US government, and possibly affecting their non-work Internet access. Documentation like this and the Snowden revelations also help put a quick stop to anyone trying to minimize the importance of the news, particularly by making fun of the critique along the 'tin-foil hat' line. It's critically important that people know what's being done in their name. As other WikiLeaks documents show governments do pernicious things (including mass surveillance and extrajudicial murder).

    --
    Digital Citizen
  9. Archimedes... by trabby · · Score: 1

    So if the tool is called Archimedes, does it use a bath-overflow exploit?

  10. For those claiming this isn't much... by zedaroca · · Score: 1

    Yes, ettercap, ARP poisoning, etc... technically this is something that has been done before with other tools.
    The importance of the publication is for detection/protection and for attribution. A lot of people will know who is/was after them, messing with their systems, etc.
    Since we are talking about murderers, it is very good to know.

  11. Why leak this? by sabbede · · Score: 2
    I thought Wikileaks was for blowing the whistle on wrongdoing. Is the CIA using these tools to spy on innocent civilians? Are they using them in domestically in the US in violation of Federal law? Was there some pressing public need to have the tools spies use to spy on each other revealed?

    Where is the public benefit to this leak? If these tools were not being misused, isn't this just harming public security?

    1. Re:Why leak this? by Anonymous Coward · · Score: 1

      Wikileaks has proven they are not some benevoland organization dedicated to transparency. They cherry pick what they have to target who and what they want, e.g. Hilary Clinton's campaign while leaving Trump's campaign unscathed.

    2. Re: Why leak this? by Rujiel · · Score: 1

      You're claiming WL had something on trump that wasn't released. What's your proof? You realize WL didn't acquire the clinton emails to begin with? So "y u no hack trump wikileaks!! " is pretty silly.

  12. Re: Now Trump can stop this! by coofercat · · Score: 1

    I'm not an American, but I'm not really sure 'Trumpcare' is what I'd like covering me under any circumstances.

  13. Re: Now Trump can stop this! by mab · · Score: 1

    Sure did

    https://www.washingtonpost.com/politics/trump-vows-insurance-for-everybody-in-obamacare-replacement-plan/2017/01/15/5f2b1e18-db5d-11e6-ad42-f3375f271c9c_story.html?hpid=hp_hp-top-table-main_trump-interview-822pm%3Ahomepage%2Fstory&utm_term=.947feeb07e26