So somebody please explain to me how the initial infection actually happens (from TFA):
"victims are infected when visiting legitimate Websites containing a Trojan"
How does this even run, never mind take over the whole system??
> The big papers detailing botnets never provide enough details to know
> if *I* screwed up the internet.
You did and we'll never forgive you! :-)
> I wonder if the AVG product they were using was the freeware version
> or one of the commercial products...
Actually several of the displayed AV tools seemed somewhat out-of-date. It'd be nice to have them make the actual trojan available for download and real-life testing of your personal AV 'solution'.
> In the case of a trojan payload, properly patched machines
> along with restricted user accounts help quite a bit.
So why does the XP installer first create an Administrator account and then prompt you to create a "user" account, which ALSO has (to have) administrative access??
There's a few million infections right there...
Out of interest: did any anti-virus/anti-spyware programs detect this stuff?
> So E-Mail encryption and signing (incl. attachments)
> should be very high on the list of things to do
In fact, since the Tibetan community is fairly small and people tend to know each other, the web-of-trust could likely be implemented in a far better fashion than usual. They could even run their own internal key-server and have a crypto-admin (or team) that actually verifies keys first via independent channels (phone etc.) before making them available to everybody else. Mail-clients should be changed so that an unsigned attachment cannot be executed directly from the e-mail program. Policy should be to always sign and have opportunistic encryption enabled. This may require some small changes to the mail client, however. But this is something not just the Tibetans should have an interest in, as is true of most other points made in this discussion. That's why I think this project is a great chance to improve security overall for everybody.
> The chinese aren't getting most of their information from their 1337 haxxor skilz,
> they're getting it from loaded e-mails, moles, "free" thumb drives, interesting
> Word documents and pdfs. The user, say, the Dalai Lama's Advisor on Climate Change,
> gets a message from a likely-sounding source titled "Climate Change in Tibet: 2012",
> he's going to open it. Now he's owned.
Very good point. The original article talked about actual mail-server access by the GhostRat-Snoops and changing real e-mails and/or attachments to suit their purposes before sending them on to the target. So E-Mail encryption and signing (incl. attachments) should be very high on the list of things to do. Not only will it generally protect the contents from the various sniffer-agencies but in this case would also help a great deal in thwarting such 'personalized' attacks.
> But we're not talking about western freedom and democracy loving individuals.
> We're talking about the Dalai Lama - the absolutist leader of an obscurantist
> anti-intellectual sect.
Dude, take your chill pills! You're foaming... :-)
A move to Linux would make sense, given that the attacks have predominantly used Windows attack vectors. Linux is also sufficiently mainstream to support the various hardware used by various Tibetan exiles. After all, they don't need the custom ultra-secure NSA-style box, but a functioning as-normal-as-possible desktop.
But since we all agree that there is no 100% security, the laudable efforts need to be conducted in layers.
First I would put stringent security-policies that need to be followed as well as physical access protections. A guest account with low privileges would go far in the usual more-than-one-person-using-one-computer scenario.
Second, since the attacks mostly used e-mail and perhaps browser vulnerabilities, those applications need to be sandbox'ed somehow. Perhaps SELinux can help there if properly implemented (meaning protection out-of-the-box without getting too much in the way...don't expect monks to re-write any rules) or virtualization.
All systems should have cron-jobs updating/running stuff like RKHunter, chkrootkit (is this still developed, btw.?), Anti-Virus programs (yes, even on Linux!) etc. and the output sent to a technically capable person in the event of them finding something unusual. Ditto for Integrity checking. This alone shows the need for educated SysAdmins that can handle this stuff, interpret it properly and take action where needed. Hence training willing Tibetans should be a major point. Perhaps various companies and individuals can chip in and sponsor such efforts. Without such people administering various machines, any attempt to make them secure will necessarily fail.
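The integrity checking the post above asks for, as an added example that is not part of the thread or of any of the tools it names (RKHunter, chkrootkit): a baseline of file digests is taken once, a later run is compared against it, and a report is produced only when something was added, removed or modified, which is exactly the "send output to a capable person only when unusual" pattern for a cron job. The directory layout and file contents in `demo()` are constructed for the example, not real system files.

```python
"""Added example, not from the thread: a minimal file-integrity check of the kind a
nightly cron job could run, producing output only when something changed."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink targets are hashed where they really live
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(baseline, current):
    """Classify differences between two snapshots as added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            path for path in baseline if path in current and baseline[path] != current[path]
        ),
    }


def report(diff):
    """Text for the admin's mailbox; an empty string means 'nothing unusual, send nothing'."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in diff[kind]:
            lines.append(f"{kind.upper():9} {path}")
    return "\n".join(lines)


def demo():
    """Constructed scenario (not real system files): take a baseline, then tamper."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "sbin/ls": b"original ls",
            "sbin/ps": b"original ps",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)
        baseline = build_baseline(root)
        clean = report(compare(baseline, build_baseline(root)))  # nothing changed yet

        # Simulated tampering: one binary replaced, one file dropped in, one removed.
        with open(os.path.join(root, "sbin/ps"), "wb") as handle:
            handle.write(b"replaced ps")
        with open(os.path.join(root, "sbin/.hidden"), "wb") as handle:
            handle.write(b"new file")
        os.remove(os.path.join(root, "etc/hosts"))

        diff = compare(baseline, build_baseline(root))
        return {"clean": clean, "diff": diff, "report": report(diff)}


if __name__ == "__main__":
    print(demo()["report"] or "no changes")
```

Two things matter when this runs unattended: the baseline (and the checker itself) must live somewhere the monitored box cannot silently rewrite, such as read-only media or the admin's own machine, and a kernel-level rootkit can lie to any userland hashing, so a clean report from a running system is weaker evidence than the same check run from a boot CD.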
> You're looking for a jabber server and client.
Aside from the main question...on just a local home network with a couple people on it, do you really need a server to connect them via LAN or is there a way to do it directly client to client?
> Use the encryption capabilities in Pidgin.
Well, technically Pidgin does not have built-in encryption capabilities (unfortunately!!). You need a plugin like OTR:
http://www.cypherpunks.ca/otr
> I always buy faster modules than I'm actually using.
So have I for an Asus P2B board I had lying around. Stock bus was 100MHz, overclocked it to 133MHz to get a faster CPU to run (P3/933). Unfortunately, I never got the RAM stable at that speed. When running, it sometimes ran for days, then it would spontaneously reboot 6 times in 3 hours, sometimes even with a "memory mismatch" beep-code (all sticks are the same). Memtest86 showed weird behavior too...while it came off clean when using stock speed (I am confident the chips themselves are OK), it would sometimes show errors when overclocked and sometimes not. Memory timings seemed to make some difference, at least on where the errors happened.
Anyone know why PC133 memory would have an issue on a bus overclocked from 100MHz to 133? It should be able to handle it just fine, so I'd like to think :-/
The write-up is here:
http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
Apparently only 11 out of 34 Anti-Virus programs on virustotal detected the initial dropper from the e-mail attachments.
Another thing I am wondering about: will the discovered malware and rootkits now be included in popular anti-virus/-spyware programs?
> The Mac OS and Linux/BSD are much harder malware targets, for many reasons.
> Lack of an easy way to insert and run an executable file being one.
Actually running something on a Linux system is easy, just perhaps not as root. But if you browse the poisoned site from your account and have your 'secret' stuff in ~/documents, I'd imagine that it can be gotten to from just the normal user context.
So the question the researchers bring up on how to defend against such attacks is a very valid one, and while Mac and Linux may make it a bit harder for now, it doesn't make the attacks impossible. I can only imagine that a severely SELinux'ed environment and/or actual sandboxing of Internet-exposed apps (browser, e-mail etc.) in virtual machines will be part of any solution (even though a virtual machine with just your e-mail is probably still vulnerable to having *all* your mail exposed therein). Suggestions anyone?
> I'd love it if Pidgin, for example, came with the Off The Record plugin by default.
> Then my IMs could be encrypted with all Pidgin users, and not just the ones
> who bothered to install OTR.
I agree. Unfortunately the Pidgin developers do not:
http://blog.caseyho.com/2009/01/encryption-and-otr-in-pidgin.html
Not sure what exact "usability issues" they have in mind that preclude them from including it (I never had a problem with OTR). Perhaps a more code-willing and -minded person can help Ian Goldberg in improving OTR, if needed: http://www.cypherpunks.ca/otr
> I'd also love it if Ubuntu offered TrueCrypt's functionality in its installation partitioner.
Well, not TrueCrypt but dm-crypt/LUKS is already offered in the "alternative" installer. AFAIK it's supposed to move into the mainstream installer as well (with the next Ubuntu version already)?
Yes, it works transparently. You can, however, manually choose to always force encryption via a per-user setting. I guess if the other person then does not currently have OTR installed (due to recent OS reinstall or whatever) then it might fail. Easily rectified though and also not OTR's default setting.
Default is: If other side has OTR installed too, then go secure. If not, step aside and go plain-text.
> Out of the box OTR is pointless,
> because I personally know of no one who actually uses it.
Your argument is severely flawed. Precisely *because* currently no big installed user-base exists, it would make a lot of sense to activate it by default. Once done, there's your large(r) user-base.
Besides, the nice thing about OTR is that it doesn't matter if the other side has it or not. If not available, then the IM goes out plain-text, which it would have done without the plugin anyway. So no loss at all.
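The two policies described in the last few posts ("if the other side has OTR, go secure, else plain-text" versus the per-user "always force encryption" setting), as an added example that is not from the thread and is not OTR's real protocol: this is only a model of the negotiation policy, with no key exchange or ciphertext, written to show what each policy combination actually puts on the wire. The `TAG` string is a hypothetical, visible stand-in for OTR's invisible whitespace tag, and the client names and messages are constructed.

```python
"""Added example (not from the thread, not OTR's real protocol): a model of the
encryption policies discussed above, showing what each puts on the wire."""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    NEVER = "never"                  # peer has no OTR plugin at all
    OPPORTUNISTIC = "opportunistic"  # OTR's default as described in the thread
    ALWAYS = "always"                # the per-user "always force encryption" setting


# Hypothetical capability marker. Real OTR appends an invisible whitespace tag to
# plaintext; a visible string stands in for it here.
TAG = "[otr-capable]"


@dataclass
class Client:
    name: str
    policy: Policy
    secure_peers: set = field(default_factory=set)
    held: list = field(default_factory=list)  # messages waiting for a secure session


def send(sender, peer, text):
    """Return the frame put on the wire: ('enc', ..), ('plain', ..) or ('query', None)."""
    if peer.name in sender.secure_peers:
        return ("enc", text)
    if sender.policy is Policy.ALWAYS:
        sender.held.append(text)      # never leak plaintext: ask for a session instead
        return ("query", None)
    if sender.policy is Policy.OPPORTUNISTIC:
        return ("plain", text + TAG)  # readable by anyone, advertises OTR to those who have it
    return ("plain", text)


def receive(peer, sender, frame):
    """Peer-side handling of one frame; returns 'session-started' when a session is set up."""
    kind, body = frame
    if peer.policy is Policy.NEVER:
        return None  # plugin-less client: plaintext is read, tags and queries look like noise
    if (kind == "plain" and body.endswith(TAG)) or kind == "query":
        peer.secure_peers.add(sender.name)    # stands in for the AKE completing
        sender.secure_peers.add(peer.name)
        return "session-started"
    return None


def converse(a, b, texts):
    """Drive a one-way chat from a to b; return the kinds of frames that hit the wire."""
    wire = []
    for text in texts:
        frame = send(a, b, text)
        wire.append(frame[0])
        if receive(b, a, frame) == "session-started":
            for held in a.held:               # flush anything withheld under ALWAYS
                wire.append(send(a, b, held)[0])
            a.held.clear()
    return wire


def run_scenarios():
    """Constructed scenario matrix keyed by (sender policy, receiver policy)."""
    texts = ["hi", "the secret"]
    pairs = [
        (Policy.OPPORTUNISTIC, Policy.OPPORTUNISTIC),
        (Policy.OPPORTUNISTIC, Policy.NEVER),
        (Policy.ALWAYS, Policy.NEVER),
        (Policy.ALWAYS, Policy.OPPORTUNISTIC),
    ]
    out = {}
    for a_pol, b_pol in pairs:
        a, b = Client("alice", a_pol), Client("bob", b_pol)
        out[(a_pol.value, b_pol.value)] = converse(a, b, texts)
    return out


if __name__ == "__main__":
    for key, wire in run_scenarios().items():
        print(key, wire)
```

The model makes the thread's point concrete: against a peer without the plugin, the opportunistic sender is no worse off than having no plugin at all. It also shows the one cost of that default, which is that the first message of every conversation goes out readable, and a path that strips the tag keeps the whole conversation that way; the "always" setting closes that gap at the price of never delivering to a plugin-less peer.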
> I'm running: XP Pro, Raw without any Service Packs, No firewall, No antivirus
> for 3 years now and haven't had any problems at all . . .
Neither have I. Thanx... :-)
> Wouldn't that NSA Linux distro have this kinda stuff enabled out of the box?
No, it doesn't (nor do I think they'd be interested :-)):
"Security-enhanced Linux (SELinux) is a reference implementation of the Flask security architecture for flexible mandatory access control. It was created to demonstrate the value of flexible mandatory access controls and how such controls could be added to an operating system."
[...]
"The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated."
In other words, while certainly a good thing overall, it does nothing to address any communication-related security or even physical medium security (like disk encryption). It's basically traditional UNIX/Linux permissions on steroids. It is of some benefit in a running system/server, but won't even guard against your Knoppix CD :-)
> This would be a great marketing scheme -
> the "Paranoid PC" with all kinds of anti-snooping and security software good to go.
I agree. But there doesn't have to be a dedicated "Paranoid PC" if, as I mentioned, simply the distros would enable this stuff and thus every PC they get installed on becomes automatically a pretty secure box.
I commend the EFF's good efforts and their attempts to protect 'We the people' from, well, other men in the middle. However, as valuable as the information is, it will have little to no tangible benefit. The users reading those pages in the first place are already the ones interested in such technologies, probably already use some of them and are generally not the target group. The big mass of people will never read these pages, never mind implement the solutions laid out there. Thus they force even the privacy-conscious to remain unsecured in their communications with them, as both sides need certain setups (encryption etc.).
So the real question is this: How do we not just get a nice write-up about what we *could* do, but how do we get these features activated by default?
For example, AFAIK none of the popular Linux distributions enables IM (OTR) encryption out-of-the-box. Why not?
Why have we still not come up with a way to enable opportunistic encryption for e-mail (think GPG in the background without user intervention), as well enabled by default?
etc.pp..
It is the experience of every geek that most 'normal' people leave things fairly alone and just try to use them as they come. Since most OS and program defaults are insecure, it is, IMHO, one of the primary reasons that everything is so easily monitored, stored and...eventually used against you.
Here the Linux distributions could make a dramatic impact overall and I would welcome something like an official "privacy-year", where the distros focus less on cramming the latest 0.0.0.1beta version on the disks, but make a true effort to secure their shipped communication-related programs. If usability-issues exist, they should also be addressed. That, and only that, would make any kind of real-life difference: Make security and privacy the default!
> Netscape NEEDED to be put in the slaughterhouse, because their browser sucked.
OK, maybe. But:
> NEITHER of the competing browsers were standards compliant at that time,
> and MS simply had the better product, whether offered free or not
Opinions differ(ed). I've seen it first hand how MS went into a large company and bundled everything they had for a special price (freebies thrown in), as long as the company would dedicate themselves to their products. That finished the contract with Novell, that finished off the roll-out of Netscape etc. In the end it was a MS-only shop for several thousand workstations and servers. Only the legal department fought tooth and nail to keep their beloved WordPerfect.
> were you even BORN in the 90's or do you just repeat verbatim everything you read on Slashdot ?
Was born even before so I don't need to repeat after anyone.
> What is the point of this? What is there to gain by this?
Agreed. If it was the 90's where Netscape was indeed put in the slaughterhouse by Microsoft's bundling of IE with Windows, I could have said, OK. But it isn't anymore...times have changed. Options are there and most people are aware of them (at least among geeks who tend to install programs for their less-technically inclined brethren).
If a difference was to be made, it should be to force Microsoft to include a complete and truly standards-compliant OpenDocument "Save As" option in MS-Office, perhaps even where possible as add-on for older MSO versions. The bundled IE browser, if also truly standards-compliant, is irrelevant...the *.doc format isn't and has forced more people into MS' fangs than one would like to imagine.
Likewise for per-processor contracts with OEMs, if that's still done.
> most if not all non-profit agencies would be more then happy to accept them as donations
> and be more then happy to also pay for the shipping of the items. You get a tax write off
At the risk of stating the obvious....you only get a write-off if you are in a position to itemize your taxes/claim deductions other than yourself. If you are a single geek with no kids, no mortgage etc. you will not be able to claim such a write-off, even if the non-profit sends you a receipt for that purpose. Found that out the hard way after donating my car (was still alright though).