Researchers Catch Microsoft Zero-Day Used To Install Government Spyware (vice.com)
An anonymous reader quotes a report from Motherboard: Government hackers were using a previously-unknown vulnerability in Microsoft's .NET Framework, a development platform for building apps, to hack targets and infect them with spyware, according to security firm FireEye. The firm revealed the espionage campaign on Tuesday, on the same day Microsoft patched the vulnerability. According to FireEye, the bug, which until today was a zero-day, was being used by a customer of FinFisher, a company that sells surveillance and hacking technologies to governments around the world. The hackers sent a malicious Word RTF document to a "Russian speaker," according to Ben Read, FireEye's manager of cyber espionage research. The document was programmed to take advantage of the recently-patched vulnerability to install FinSpy, spyware designed by FinFisher. The spyware masqueraded as an image file called "left.jpg," according to FireEye.
yep. yours, too, and to all the places you'll go.
Who has caused the most damage for American citizens?
NORTH KOREA or THE NSA?
The guy still had to download and open the Word doc.
And I hope FireEye isn't trying to claim to be some kind of hero in this. The timing of their "revelation" is highly suspicious.
“He’s not deformed, he’s just drunk!”
Questions: Are you surprised by this?
a) No
b) Yes
c) I'm a clueless asshat, can I read a story now?
FUCK YOU REDMOND
This is pretty much why I can't help but snicker every time someone says "But the Russians...". The harm "the Russians" can do to you are minimal compared to what your very own government can.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Who has caused the most damage for American citizens?
NORTH KOREA or THE NSA?
Or state-sponsored hackers, fighting an undeclared cyber-war? 99% of the American citizenry were enjoying their usual lives, un-molested, prior to said hackers, oh, and of course, "patriotic" leakers, sharing our state secrets and many of our own cyber-war weapons with our "friends" at Wiki-Leaks. Dear Julian, having absolutely no compunctions, if it increases his importance and fluffs his, umm, ego has done quite a bit of damage. Did we really need him to out the basis for the recent ransom-ware attacks or could he have published enough to let everyone know it was legit without releasing the actual code to the NSA malware?
Interesting, is it a zero-day or a backdoor?
Everything I write is lies, read between the lines.
Also, if MS put out a patch today then it wasn't a zero day until today.
Zero day = the manufacturer doesn't know about it at all. Not how many days has a patch been available.
If it's a backdoor then it was never a zero day as the manufacturer always knew it was there.
Those guys are playing with evil forces.
FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.
RTF -> VBScript -> PowerShell -> Cthulhu awakens
lucm, indeed.
The NSA doesn't care about elections. They will get funded no matter who is elected.
There was, however, a concerted effort by the media to skew election polling results so they could keep saying the other guys are losing. They were wrong BTW. The media is always full of shit. Especially how badly they're covering EquiFUCKED, trying to do everything they can to not blame Equifuckers...
This is pretty much why I can't help but snicker every time someone says "But the Russians...". The harm "the Russians" can do to you are minimal compared to what your very own government can.
I wonder if we might be able to concentrate on more than one issue at a time.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Brian Malacchia was one of the authors of .NET. I had the pleasant experience of hearing him speak at MIT about the upcoming "Trusted Computing" software. What made it fun was that Richard Stallman was in the room, which Brian was *not* expecting, and proceeded to call into question the entire "Microsoft holds the private keys, and revocation keys for all your hardware and software" security model. Brian pointed out that if Microsoft ever did the pernicious tricks Richard Stallman was worried about, that he and ethical engineers like him would resign.
I managed to rivet the room by pointing out "just like you resigned from the .NET project for their violations of basic security"? The fact that he hopped from security from .NET to Trusted Computing, and .NET *had government backdoors built in*, is precisely why we should trust neither project. He *knew* it was flawed, and instead of resigning he just went to the next security project that has nothing to do with actual user security. It's about digital rights management, at every single level, and about giving Microsoft access to user's private keys in their own private and uncontrolled escrow storage.
Microsoft knew about it for far further back than today. To patch an exploit, it first has to be reported. Then it has to be reported by a reputable source, with information on how to recreate it, in order to prove there is a flaw that can be exploited. Then the developers have to come up with a solution to the exploit, and then spend man hours coding the remedy into a patch. The patch must then be tested to make sure it doesn't break existing functionality. If it breaks anything then a judgement call regarding the patchability of the flaw, or a rewrite of the patch will be required. Once the patch passes internal QA testing, it must then be rolled into the patch distribution system, and vendors notified of the patch's release and availability. The time it takes depends on the severity of the exploit, the complexity of the code affected, and the experience and creativity of the programmers resolving the issue. I'd expect the time Microsoft knew about this flaw to be "days" at minimum, especially given a standard release schedule of once a month.
without us army you would be writing how fresh and pink vladimir putin's nipples are
Software proprietors, regardless of nationality, current employment, or current residence. Brad Kuhn said it well in his blog post, "Software Freedom Doesn't Kill People, Your Security Through Obscurity Kills People".
Digital Citizen
The harm "the Russians" can do to you are minimal compared to what your very own government can
Direct harm, yes. But if the Russians can skew the results of an election by a couple percentage points in a few key states, then they can help to install a government that can do direct harm.
The concept of transparency and accountability must be new to you.
The NSA was checking everyone's front door, so they could gain access "if" they ever needed to, but claiming they have your interest at heart.
Area51 - We are watching...
Keep on snickering while your democracy is eroded by Russian active measures. You're so very clever.
It's not a backdoor nor a vulnerability. It's a government feature that was discovered and MS locked the feature. Now the 3 letters agencies will have to revert to their other features to get into people's computers.
One crime doesn't cancel out another.
I think that's a bit disingenuous. Both things are threats to our liberty, in different ways and to different degrees. Just because I am concerned about Russia interfering in our elections doesn't mean that I am not concerned about the rise of the surveillance state.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
If you are so blind that you cannot grasp the simple fact that the US IS under attack every day. Russia, China, NK, and any other countries have state sponsored cyber security agencies dedicated to finding and exploiting US weaknesses. And do you know why people compare the US against "the Russians"? Because it is a valid argument. I suggest you make a trip to Russia or NK for some perspective.
Behind every blade of grass, there is a gun. - it's been attributed to Tojo, though the true originator is unknown.
The United States cannot be invaded. If the entire US army vanished tomorrow, that would still be true. American civilians probably own more AK-47s than the Russian government does, and they own more AR-15s by far than they do AKs. There are more ARs in the US than Russia has citizens.
I wonder if we might be able to concentrate on more than one issue at a time.
Given that the whole point of the "Russia hacked the elections" thing is to distract people from more important things, it seems that the answer is "No."
How do we begin to fix it? Vote in the Democratic primary (The Rethuglicans are lost) and vote for the candidate most likely to actually work toward cutting down the surveillance state. And NEVER vote for a Rethuglican. Vote a straight Democratic ticket in EVERY general election, not just the Presidential ones.
A better way to fix it is to break the chains binding you to a particular party. The "us versus them" mentality is a distraction. It has been carefully cultivated by both parties in varying degrees, blinding people to the fact that neither the Democrat nor Republican parties represent the average person, regardless whether you believe they did at some point in the past.
We are mice voting for white versus black cats.
Who has caused the most damage for American citizens?
NORTH KOREA or THE NSA?
NSA... and not just american citizens.. citizens around the world too...
It's one thing that they keep exploits secret
Another thing that they force manufacturers to make backdoors most likely
A third thing that they inject hardware and software backdoors in to existing products
But the worst part isn't even that they have unrestricted access to everyone and everything around the planet...
the worst part is that they can't even keep their cyberweapons secret, so they leak and have leaked to everyone now... including terrorists, hackers, dictators, foreign countries, criminals, script kiddies, etc...
it's even become so bad that ransomware (RAAS) as a service has become mainstream and every fucker no matter HOW retarded or HOW ignorant about IT, can use that god damn service to screw everyone over
On top of all this bullshit... the NSA STILL haven't learned a god damn thing..
You can all BYTE my SHINE digital ASS!
Show us where anything the Russians purportedly did had any effect whatsoever.
Y'all ran a sociopathic, self-shitting side of beef. There existed zero possibility of winning against anyone with a pulse.
Good PR schtick but the reality is the whole world is concerned about the US hacking their elections, from extortion, to colour revolutions, coups against democracies to turn them into autocracies who will ruthlessly exploit their citizens at the behest of US corporations, to out and out invasion and mass murder of the population. Now all of these are proven facts and histories and not some bullshit about Russia spending $100,000 buying advertisements or foreign citizens reporting the crimes of the US government against foreign countries somehow being a crime against the US government or email detailing corruption being Russia's fault even when they were locally exposed and a whole host of crimes were exposed and nothing done about it, nothing what so ever except the global exposure of the US as a blatantly corrupt state.
Reality is the US government lies nearly all of the time at every level about nearly everything, the only people with a worse reputation for lying than the US government is US main stream media, not only repeating the lies of the US government but spreading even more on behalf of US corporations. If you think screaming Russia will improve the reputation of the US government, then you are nucking futs, seriously, the US has become a joke. I know people just like the US government, inveterate liars, can't help themselves, they lie so much you stop bothering to correct them, the idiots then believe you believe them, rather than the reality of you have simply stopped listening. Each US government press announcement has become a joke, so what lies will they spread today and who bothers to listen any more. Yeah, yeah, WMDs wolf boy, sure we believe you.
Chaos - everything, everywhere, everywhen
Like it would be any different for the average person if the other branch of The Party ruled.
Unlikely. He doesn't like faggy fawning of people over him.
So? Nothing a few nukes can't fix.
And the fun part about the US' nukes is that the average person has no control over them. That's what you still need your army for.
Again, you live in the delusion that the other side of The Party does anything different. Care to show me the difference between 2000-2008 and 2008-2016 in US politics?
Holy shit, someone gets it.
Who has caused the most damage for American citizens?
NORTH KOREA or THE NSA?
Microsoft.
Anons need not reply. Questions end with a question mark.
"Oh, them? It never changes," she said. "It's always: location, location, location."
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
The question was, “Who has caused the most damage for American citizens?” The NSA’s activities are certainly objectionable but how much real damage have they done to American citizens?
Neither of them. The American citizens themselves, by electing Donald Trump as a president - and previously Bush Jr. and his regime, who probably caused the biggest damage to the US so far that any government has ever caused.
So far Kim has done Jack all, but thrown a few insults and made threats. The NSA in its irresponsible handling of sensitive data and munitions has cost the Americans much more indirectly.
Come on Courteau! Yourself and I know that In Canada, they are called; 4 letter agencies. Thanks for adapting to the American way still...
....the same way you do with Java. It's only fair.
And probably about 5% of those people would actually resist an invasion. The rest would simply fall into line and do what they were told. Just as they do now. Having lots of guns is no guarantee that they would actually get used. The Rothschilds et al took over America, the UK, Europe etc. without firing so much as a shot. You all work for the banking cartel because you believe in their idea of money.
Are companies such as Microsoft and Google "western only companies" . I presume they only open up their stack to five eyes. So where does this leave Russia, Brazil, India, and China? Not to mention France, Germany - second world powers?
Thank you for pointing out the obvious that so many people have been missing for the past (shoot, I lost count) years. Divide and conquer has always been a tried and true method in ANY type of conflict.
Yes and no: Republicans promise welfare to rich people and work their arses off, to deliver. Democrats promise more egalitarian service then offer the same back-room deals and exemptions to the rich that Republicans do: They're slowing the shrinking of the middle-class and growth in welfare-bashing, not undoing it. There is a difference in Democrat versus Republican government but as Shooter (2007) explains, there is no "us versus them".
Alas, one cannot put 50 governors in a room and get agreement: The co-operative portion of US federalism is broken so the federal government is making the rules and kicking state butts. This creates a nice point of failure for a political system that wasn't designed to be attacked by the rich: Lobbyists offering bribes and lawyers writing bills that are almost incomprehensible. There are many symptoms in a corrupt government but these need to be fixed first: These faults can only be fixed by US politicians taking responsibility for the political system and changing it. Until then, corruption remains.
PR schtick? Fuck you.
The patch must then be tested to make sure it doesn't break existing functionality. If it breaks anything then a judgement call regarding the patchability of the flaw, or a rewrite of the patch will be required.
I'm not sure about this step... MS tends to skip it though... You know, often times, their patch usually breaks something if you follow news...
You’re certainly correct that Kim hasn’t done anything overt as yet. But I guarantee you North Korea has had indirect impact on Americans, increased defense expenditures in the region come to mind. It is certainly true the NSA‘s activities have impacted Americans, and others worldwide, with the release of their hacking tools leading directly to ransomware attacks.
The point in my original post was that those ransomware attacks were less the fault of the NSA, and more the fault of the hackers and leakers that gave the NSA’s hacking tools to WikiLeaks, who promptly published them, without regard to the potential for damage to all of us, American or not. Scratch that, I think that Julian Assange published the NSA hacking tools and exploits specifically because of the damage they would do to us.
What the fuck are you talking about? What does that word soup you posted have to do with anything? You really should seek out help with basic reading and comprehension as you seem to be lacking.
You don't understand the difference between true exes and runtime driven code? That's his point that's beyond you!
Donald Trump
That is just APK spamming pretending to be a security expert
He feels the need to spam his hosts file any chance he gets
Afterwards he will go rub one out to his overly complex bloated hosts file engine
Then he will come back and complain if someone modded him down and will state that he dusted you
It is just how APK rolls
Hobbyist Russian defender Opportunist can't even let this one slide.
fucking rusophobia)
google
It used to be that when a Linux developer found a security hole its presence, proof of concept script and patch would be announced and posted the same day the hole was discovered. I.E., "Zero Days" between discovery, announcement and patch. The Linux user could confirm their installation weakness, or not, by running the proof of concept script.
Microsoft destroyed that meaning in its ecosystem by threatening whitehats with lawsuits if they revealed the holes they discovered in Microsoft software to anyone but Microsoft, which sat on the revelations until such time as it suited their political and economic fortunes, if ever. Whitehats routinely "time" their announcements with Microsoft, thus colluding in the coverup. Microsoft does NOT, however, hide such holes from Fortune 500 companies and other organizations with armies of lawyers who could make Microsoft pay for damage done to their systems by Microsoft deliberately concealing security vulnerabilities from them. Joe and Sally Sixpack can't afford such armies so they just hang, twisting in the winds of blackhat adversity till such time as MS throws them a bone.
Running with Linux for over 20 years!
Actually, the origin of the term "zero day" was just that - how many days a particular piece of software had been available. It came from the days when "warez" could be found for download. Obviously, the zero days were most prized since they were new releases. How the term has been appropriated, misused and confused since is another thing. It would be far more accurate and informative to refer to something as an "unpatched vulnerability" rather than jargon that is either poorly understood or spawns debate. Similarly, it is not an "unknown vulnerability" (maybe it was an unpatched one, but obviously someone knew about it for there to be both an exploit written for it and a patch). Then, we have the leap that because the malware was found in a document with a Russian name (translated to English as "Project.doc") that it must be "Government hackers" (What government? And can we please start calling spies, thieves, vandals, perverts by their rightful nouns and not "hackers?") targeting the Russians.
I wonder if we might be able to concentrate on more than one issue at a time.
Given that the whole point of the "Russia hacked the elections" thing is to distract people from more important things, it seems that the answer is "No."
Well, I can't be certain of course, but I'd wait a few months here for further news before the conspiracies are closed.
See subject: I write TRUE "stand-alone" .exes statically compiled code vs. runtime driven for APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Twofold - BETTER PERFORMANCE & LESS SECURITY ISSUES (as well as less complexity & dependence on others' possibly shoddy/defective work)!
* Depending on others' code = bad idea (libs OR runtimes).
APK
P.S.=> E.g. - This http://www.majorgeeks.com/file... is .NET interpreted SLOWER code (& has the potential for problems like this article shows) - test its initial loadtime ALONE w/ a large hosts file vs. mine & see (& like hostsman which uses SQLite (C buffer overflow issues + a 17++ yr. long exploit in it recently), it too doesn't do hardcoded favorites @ TOP of hosts for more speed, security, reliability & anonymity vs. DNS security issues)... apk
Trump is obamas true legacy. Now have a nice day.
If you are going to build such munitions and store them, it's your responsibility to secure them.
Attributing blame on Assange isn't logical. Unknown hackers breached US security and had these tools. The responsible thing was to make the world know they're in the wild.
Hey, if you put a ball on the penalty point, don't be surprised if someone kicks it.
Thanks, but no thanks. Freedom-wise they're even worse than the US, and that's already a place I try to avoid.