macOS Zero-Day Used Against Hong-Kong Activists(schneier.com)
schneier.com
macOS Zero-Day Used Against Hong-Kong Activists
https://www.schneier.com/blog/archives/2021/11/macos-zero-day-used-against-hong-kong-activists.html
57 comments
Yeah, I remember with DNC hacking stuff as well, the evidence was very uncompelling... like a state actor doesn't have the resources to figure out such basic stuff if they want to cover their tracks. Or the Sony one too.
The more compelling case for me was William Binney's point (former Technical Director of NSA) that the timestamps in the Gucifer leak showed that the data was transferred at about the same rate as a usb stick, which was quite a bit faster than the physical connection the email server had (at that time). Basically concluding it was locally copied rather than hacked due to physically being impossible to transfer over the internet connection the server was physically connected to at that time at that speed shown in the timestamps.
Just to make sure I understand correctly... the most compelling piece of evidence for you is the timestamps on the files? Something that's not only trivial to fake, but also would have been overwritten if the files were copied between systems between being stolen and being leaked.
I would say that attribution is just extremely difficult to do at all, but there's not much money in giving that answer to your clients.
> Just to make sure I understand correctly... the most compelling piece of evidence for you is the timestamps on the files?
If I understood it correctly, the most compelling evidence was the real data transfer rate of those emails, deduced from the file timestamps, which ruled out their provenance from the server.
> Something that's not only trivial to fake (...)
Well, in this case that would go against the original accusation, therefore it would either be pointless or the explanation would require a conspiracy with double agents planting fake compromising evidence.
If I understood it correctly, the most compelling evidence was the real data transfer rate of those emails, deduced from the file timestamps, which ruled out their provenance from the server.
> Something that's not only trivial to fake (...)
Well, in this case that would go against the original accusation, therefore it would either be pointless or the explanation would require a conspiracy with double agents planting fake compromising evidence.
more compelling != most compelling
Context matters. If there are two cases, and one is more compelling than the other, then that one is also most compelling.
Yes, I agree. But the question has become too political for dispassionate consideration, I guess.
Unfortunately looking in, politics blur things and we’re likely never to know.
Political tendencies will allow people to make attributions they agree with and then simultaneously question attributions they disagree with politically.
USB sticks seem to be weird about transfer speeds and they look like they are size dependent. Bunch of small files take longer than one monolithic large file given a total size.
Political tendencies will allow people to make attributions they agree with and then simultaneously question attributions they disagree with politically.
USB sticks seem to be weird about transfer speeds and they look like they are size dependent. Bunch of small files take longer than one monolithic large file given a total size.
> which was quite a bit faster than the physical connection the email server had (at that time)
What was the connection speed? I've never seen it stated anywhere, and in case the server was hosted in a data center the argument would collapse fairly quickly.
What was the connection speed? I've never seen it stated anywhere, and in case the server was hosted in a data center the argument would collapse fairly quickly.
As well as non-state actors.
I thought it was hilarious back in 2016-2017 how people took partisans sides on BOTH wrong answers!
"It was Russia! The President is ignoring intelligence agencies! Disagreeing with me makes you a far right extremist!"
Meanwhile kid in basement in rural Ohio: "top kek"
I thought it was hilarious back in 2016-2017 how people took partisans sides on BOTH wrong answers!
"It was Russia! The President is ignoring intelligence agencies! Disagreeing with me makes you a far right extremist!"
Meanwhile kid in basement in rural Ohio: "top kek"
>> In its release, WikiLeaks described the primary purpose of "Marble" as to insert foreign language text into the malware to mask viruses
This reminds me of Sasser (iirc), which was initially attributed to Russia, as it contained Cyrillic. Turned out it was a German teen and he and his friends put it in there for shits ans giggles and laughed their asses off when "security experts" actually took the bait.
This reminds me of Sasser (iirc), which was initially attributed to Russia, as it contained Cyrillic. Turned out it was a German teen and he and his friends put it in there for shits ans giggles and laughed their asses off when "security experts" actually took the bait.
Glad you reminded me that allegations of "state-actor" are not reliable, or I might think you're implying that the CIA is responsible. Also, framing someone else is an ancient part of espionage, not something the CIA recently invented. They're far from the only people who use that tactic.
I'm not going to hold my breath about any party coming clean about who's actually responsible. Until then we can just make guesses about it based on the evidence we have, the targets, the code itself, and the location of the server. It certainly points to a state-actor.
I'm not going to hold my breath about any party coming clean about who's actually responsible. Until then we can just make guesses about it based on the evidence we have, the targets, the code itself, and the location of the server. It certainly points to a state-actor.
Still, would the CIA burn such valuable exploits for HK activists?
HK activists don't appear to be of much strategic interest to the USA. And where they are I imagine they would just reach out to them directly.
HK activists don't appear to be of much strategic interest to the USA. And where they are I imagine they would just reach out to them directly.
What makes you think the CIA is the only one developing such tools? I would see it as any group's goal to avoid attribution.
In fact, it’s the opposite. Their success is strategic interest.
Then why covertly hack them? Why not supply anti-hacking tools and expertise?
> HK activists don't appear to be of much strategic interest to the USA. And where they are I imagine they would just reach out to them directly.
What? The USG has put a ton of resources into backing HK protestors, through the NED, BRL, and satellite orgs like Amnesty (look at the saga of Kong Tsung-gan/Brian Kern).
As for why the CIA might burn a 0day only to generate articles like this: NatSec threat inflation is a trillion-dollar industry in Washington.
But it just as well might have been a local crime syndicate trying to scrape personal information for financial fraud.
Point is, the article provides virtually zero evidence to determine who is at fault.
What? The USG has put a ton of resources into backing HK protestors, through the NED, BRL, and satellite orgs like Amnesty (look at the saga of Kong Tsung-gan/Brian Kern).
As for why the CIA might burn a 0day only to generate articles like this: NatSec threat inflation is a trillion-dollar industry in Washington.
But it just as well might have been a local crime syndicate trying to scrape personal information for financial fraud.
Point is, the article provides virtually zero evidence to determine who is at fault.
[deleted]
> In addition, the zero-day exploit used in this hacking campaign is “identical” to an exploit previously found by cybersecurity research group Pangu Lab, Huntley said. Pangu Lab’s researchers presented the exploit at a security conference in China in April of this year, a few months before hackers used it against Hong Kong users.
So it was "identical" to an exploit previously disclosed? So it wasn't new? How was it that this exploit was made public in April, re-discovered in August, and patched in September?
So it was "identical" to an exploit previously disclosed? So it wasn't new? How was it that this exploit was made public in April, re-discovered in August, and patched in September?
Yeah doesn't sound much like a zero-day then.
[deleted]
A great way to spread and enforce those ideals of American democracy and freedoms would be to harden the security of our hardware and software around the world rather than exploit, ignore or weaken it.
Information security is more and more becoming an essential part of human economy.
I wonder when will a giant rival today's google msft apple appears whose main business is information security.
I wonder when will a giant rival today's google msft apple appears whose main business is information security.
Just in time after Tianfu cup. But I don't remember macOS was part of the competition this year.
Poor Hong Kong :-(
smoldesu(10)
From the article:
> Wardle found that the software contained code strings in Chinese, such as 安装成功 (Successful installation), and that the command and control server it connected to was located in Hong Kong.
From the CIA:
> In its release, WikiLeaks described the primary purpose of "Marble" as to insert foreign language text into the malware to mask viruses, trojans and hacking attacks, making it more difficult for them to be tracked to the CIA and to cause forensic investigators to falsely attribute code to the wrong nation. The source code revealed that Marble had examples in Chinese, Russian, Korean, Arabic and Persian. These were the languages of the US's main cyber-adversaries – China, Russia, North Korea, and Iran.
https://en.wikipedia.org/wiki/Vault_7#Marble_framework