69 comments

[ 3.1 ms ] story [ 69.1 ms ] thread
Is your computer waking up in the middle of the night a sign that it's being accessed? I've seen this with my laptop often, I have Windows 7, and I didn't think twice about it. Now I'm thinking twice...
Windows Update is, I believe, scheduled for 3am by default. If connected to AC, it can wake up your computer to install updates. You can look into this more with the powercfg command (from an Admin console).

    powercfg -lastwake
"Computer waking up" is meaningless without controlling for updates and other factors, including dog/cat/mouse bumping into a mouse cable.
If your desk isn't level or if you have a fan on, the mice could move enough to wake the computer. :)
It depends. Usually, on any Windows box, random sleep wakeups and unverified internet use is usually a sign of malware or a trojan horse. Running AVG twice can be enough to fix it, but sometimes, they've already penetrated the boot process to execute malicious code without you even knowing it. It's hit me 4 times so far, and this is WITHOUT accessing black hat websites, and WITH protection and startup utilities disabled. It could be TDSS.
The dumbest script-bound teenagers will appear "sophisticated" to the Washington Post. How you know this attacker wasn't sophisticated: the Washington Post "detected" them.

Note: as was pointed out downthread, I'm being sloppy; CBS "detected" them.

"forensic analysis revealed an intruder had executed commands that appeared to involve search and [removal] of data. This party also used sophisticated methods to remove all possible indications of unauthorized activity, and alter system times to cause further confusion."

Doesn't sound so dumb to me. Specifically removing data and then covering up traces of being there - sounds a little more than a 'script-bound teenager'.

And now, in light of NSA/PRISM - we have a good suspect is in a case like this. At the very least, there is grounds here to issue a suponea to the NSA since they should have plenty of data about her internet connection that could help in determining the responsible party.

You think the forensics capabilities of the Washington Post have a chance of detecting NSA? You think if NSA breaks into a laptop, it would be apparent to a forensics person that they'd "covered up traces of being there"?

Teenagers had rootkits that swapped out system libraries to hide processes and binaries back in 1996. The very, very lame teenagers had utmp and wtmp editors to "cover up their traces".

It's worth taking a moment to examine your thought processes here. "Now, in light of NSA/PRISM, we have a good suspect"? We clearly do not.

Ummm, this is as reported by CBS as reported by whomever they hired to do the forensic analysis.

And yes, if "the NSA" were to break in it's possible they might not be able to do it tracelessly. E.g. no one as of yet is suspecting a black bag job.

We are thus far discussing technical details of an attack that would be easy for a teenager to have carried out in 1999, let alone 2013, and are attributing them to the world's most experienced computer security organization. I think that's happening because it's much more fun to think about NSA breaking into media laptops than it is to think about random Eastern European hackers doing the same, and HN has a profound bias towards whichever narrative is more fun to talk about.
Maybe its 'fun' to talk about or maybe it's just the first logical assumption given the circumstances.

Have you read the news man? Everybody should have a bias to blaming the NSA for breaking into journalist laptops! Geez, they have motives and the means.

Yep. It seems logical that an high profile reporter might be a target for other potential attackers who are not the NSA. Even if it's just some smart teenager somewhere, doing it "for the lulz" to say they got someone of that level.

I can also imagine that an investigative journalist, whose livelihood is made in part based upon tips received from people external to the newsroom, might easily become a target for a spear phishing attack from any of those potential actors.

But to immediately attribute this to the NSA strictly based on the facts laid down in this article, that seems like making a heavy use of a Jump to Conclusions Mat.

You maybe positing that this could be the NSA; me, I hope they're not quite that corrupt as of yet.

I'm assuming other state actors (the DoJ currently is saying "Not to our knowledge"), or someone attacking for political motives but not a formal state actor.

I'm the opposite of believing someone working for the USG hacked into a reporter's laptop.

I believe "someone attacking for political motives but not a formal state actor" is the second most likely scenario, after "laptop was randomly popped by a drive-by Java or Flash vulnerability and WaPo wants it to be more newsworthy than it is".

I sound cynical about news organizations here, but I'm not. I just think they suck at reporting on computer security stories.

Why do you keep harping on the WaPo?

She's a CBS reporter, CBS is reporting this analysis, and they're the ones who hired whomever did the forensic analysis. Here it is from the horse's mouth:

http://www.cbsnews.com/8301-201_162-57589367/cbs-news-confir...

We're commenting on a WaPo story, is why. But sure; in case it matters, s/WaPo/CBS/g and I stand by the same set of arguments.
Just because it doesn't look like the job of the most likely agency of the USG to do doesn't mean that it wasn't some other part of the USG that did it. The oversight and internal motivations of the USG (indeed, any government) aren't uniform. Not by a long shot.

Case in point: JSOC developed their own intelligence capability that was a rival to that of the CIA and used it for their own purposes. That was one of the things that the DoD did that seems to replicate a capability available elsewhere in the USG and almost entirely for the purpose of escaping oversight.

BTW, Jeremy Scahill (author of Blackwater and Dirty Wars) reported that HIS laptop was hacked. When you combine this with the surveillance of AP reporters and it does seem that certain parts of the USG seem to feel that journalists are worthy and legitimate intelligence targets.

Jeremy Scahill says his laptop was hacked. Therefore, the USG is hacking reporter laptops?

If these were claims about the relative performance of programming language runtimes, we'd be 1000 comments deep into a massive debate thread.

What I'm saying is that we have two reported cases of reporters getting hacked.

We have the AP having their phone records pulled.

You don't think there is a little there to be worried about? Do you think the Chinese have anything to gain from hacking a reporter's laptop?

Occam's razor man. Learn it.

Yes, among the people who have something to gain from hacking a reporter's laptops I would include the Chinese.
Exactly! And to compliment your second point; in light of the biggest intelligence leak in history just last week - at the hands of just one frustrated sysadmin; it illustrates just how inept these agencies can be.
NSA's attack/penetration teams are not inept.
Who profits from this breach?

I have a hard time believing any sort of script kiddy would risk major jail time and a high profile arrest for hacking into a journalists laptop for no profit.

The NSA/Gubberment however, does have quite a bit to gain from this information/deletion

I have a hard time believing any sort of script kiddy would risk major jail time and a high profile arrest for hacking into a journalists laptop for no profit.

Then you don't pay attention to script kiddies.

The thing with script kiddies is that they are not necessarily mature enough to realize and properly weigh the risks associated with their illicit hacking. It's fun and it gets them "cyber cred". Gangsters are often the same way. They risk jail time for flashy stunts that earn them respect from their peers.
A script kiddie would do as much damage / steal and leak as much information in as dramatic and public fashion as possible. That indeed doesn't seem to be the case here.
No, also not true of "script kids". They do that when it suits them. You're naive if you think the only systems they break into are the ones that land on Pastebin.
Might not be a script kiddie. I know that the Washington Post calling something like this "sophisticated" is kind of ridiculous, and the reporter's reaction is only more absurd, but there could be some real motives here. Business, government, whatever-- I do think that the government wouldn't risk something like this, but there could always be rogues, and you can never distrust government too much as we saw with PRISM.
This is innuendo, not analysis.
Sounds about par for the course for a government ran operation.
Not par for the course for NSA attack/pen.
Depends. Maybe if they did it themselves, but not if they subbed it out.
Exactly what makes you think NSA "subcontracts" attacks?
How can you detect what commands were run on a laptop by someone months ago?

If you assume the OS is Windows, is it normal to even log those?

Well, if you're on any arbitrary Unix system with bash installed, just open up a terminal emulator and keep hitting the up arrow key. It should give you a full history of all commands entered. Unfortunately, there's no date tagging to my knowledge, so you'll just have to remember when you entered a command and if you see any anomalies.
>It should give you a full history of all commands entered.

Commands entered by that user, in a shell, assuming the shell's history file wasn't cleared. So maybe you'd get a history of what someone did if they sat down at your computer and typed things while you were away refilling your coffee.

Your shell history isn't going to show a trace if someone actually remotely roots your computer and starts executing commands.

If it was done through a root account, then

  sudo su
and accessing a shell history should do the trick, right? Please correct me if I'm wrong.
It would IF they obtained a root shell and started typing commands into it like they were at the console, and that they didn't just go ahead and delete the history file right afterwards.

But if someone's used a privilege escalation method on some vulnerable software and injects code that makes system() calls as the root user, that's not going to show up in root's shell history.

Shell history is just a convenience for the user typing things in the shell; it doesn't log everything that goes on in the box as that given user, and isn't an audit trail.

For this to work, your adversary would have to be the worst hacker possible, but maybe.

Other possibilities:

1) A script file containing a list of commands was recovered during forensics, which did something obvious like search for something and delete. This is common for automated attacks, and seems unlikely for a targeted attack.

2) "Commands" is being interpreted too literally. They could have observed that files were deleted, and consider the act of deletion to be a "command". You can't really take technical reporting from mainstream media to be that accurate.

Yes, sometimes. Google, "user assist key"
A couple months ago I turned VNC on quickly, without a password, just to test out an app that turns my iPad into a trackpad for my computer. Of course, forgot to turn off VNC after learning the iPad trackpad wasn't a great solution for me.

A couple days later as I was working, my cursor kept getting pulled away from me and I figured there must be some tracking issue with the mouse, not giving it a second thought.

I started reading something at my desk and looked up - a tab had been opened in Chrome to some .ru domain name and someone was clicking a 'Pay with PayPal' link on the page.

With my PayPal password auto-filled, they would have had easy work of getting into my account to pay a large, arbitrary amount to themselves.

Luckily, I caught it just in time. They were so good at keeping control of the mouse that I had to run to unplug my router.

Point is, VNC is a really easy vector to gain access to a computer and there are apparently people or bot constantly port scanning everything to find what's unsecured.

Was definitely a wake up call for me and I wouldn't be surprised if this is a similar case.

If someone was able to initiate a connection to your desktop behind a router, and you did not manually set up port forwarding, it sounds like you have UPnP enabled. I strongly suggest turning that off.

This would not happen behind any home router I know of with UPnP disabled, unless you have malware on the machine.

I am curious why this information appears now. Is this in reference to Microsoft given exploits to the government?

If that is the case, could this problem be solve by installing linux? I am not a linux fan, but the point of the source code being open and review by millions of people starts making me feeling more secure.

Microsoft doesn't give "exploits" to the government. Microsoft doesn't have the in-house expertise to write many of those exploits. It provides information about verified security vulnerabilities (different from exploits) before they're patched, because their patch schedules are elaborate and necessarily create a window of unpatched vulnerability. Microsoft also gives the same information to many commercial vendors, so they can write antivirus and IPS signatures.

NSA does not need Microsoft's help to break into computers.

It seems disingenuous to compare it to the disclosure to commercial vendors when the government is not listed as a MAPP partner. I have no clue what they actually disclose, but I disagree that the issue is so cut and dried.
Which specific statement did I make that you disagree with? I'm happy to go into more depth.
Do you know more than I do about Microsoft's disclosures to the US Government (effectively nothing) or is it an educated guess that what they receive is comparable with MAPP?
Did I say something above that you disagree with?
This is going to sound dickish, but technically it's "the NSA," not just "NSA".

"National Security Administration doesn't need Microsoft to break into computers." vs "The National Security Administration doesn't need Microsoft to break into computers."

Too much of a tangent, perhaps?

Doesn't sound dickish. You're probably right. Force of habit.
National Security Agency, not Administration ;)
Tangent or not I'm interested. I think its less settled than you think. In fact I was always on the opposite team; its "NSA/DoD/DoE did x" just like it is "IBM did x" and not "the IBM did x."

I did enough research to conclude that it was not a settled issue. Its clear that if the initials were lower case and referred to a generic agency that deals with national security it would be "the national security agency" similar to the "the fishing tackle section of a sporting goods store." On the other hand a gander at DoD's style guide[1] makes it clear that they do not like the "the."

I'd love to see why you think its opposite. That's not dickish, that's a desire to answer a question that's been nagging me for a long time.

[1] http://www.dtic.mil/whs/directives/corres/writing/Writing_St...

From the english.SX:

"Is it proper to use “the” before the name of a government organization?" http://english.stackexchange.com/questions/76976/is-it-prope...

"Using the definite article with acronyms and initialisms" http://english.stackexchange.com/questions/30596/using-the-d...

"Definite article with proper nouns, titles followed by a common noun" http://english.stackexchange.com/questions/2327/definite-art...

"The definite article usage with objects that have names" http://english.stackexchange.com/questions/16988/the-definit...

"Capitalising the definite article in names" http://english.stackexchange.com/questions/84288/capitalisin...

Maybe it is clearer if we note this as proper usage: "the IBM corporation."

Similarly, "the Department of Defense", "the National Security Agency".

Frankly that does not make it any clearer to me. Which could be because I am bad at the nitty gritty of english syntax. But most importantly, with all due respect you are not Strunk and White. I am looking to a clear definitive reference and in the future I cant say "I know it is written this way because hga said so."
Well, you can start here for a well referenced treatment of these nouns: http://en.wikipedia.org/wiki/Proper_noun
The reason your comment did little to clear things up is because it relied on spelling the agencies/organizations names out. It is clear that the rules change for acronyms and abbreviations.
DoD vs. DOD is a big enough debate :)
I believe NSA refers to themselves without the article when the organization's name is abbreviated.
Not true. It's a proper noun, like "McDonald's". It just happens to also sound like a descriptive phrase. You'll find that, inside the agency, it is just "NSA" and not "the NSA". This is true for most "three letter agencies".

Don't believe it? See what the agency calls itself on its website: http://www.nsa.gov/

MAPP customers do get proof-of-concept code to trigger the vulnerability, sometimes months in advance. That is a huge head start towards a functional exploit, and has been converted to a fully functional remote code-exec exploit prior to disclosure in at least one case that was fairly public.

Though I do not think this story has anything to do with MAPP.

Depending on the vulnerability, a crash POC might be a day's work away from an exploit, or it might be months of work.

MAPP or no MAPP, Microsoft does not have the technical capability to produce reliable exploits for all of the vulnerabilities it's made aware of.

Also, we both know NSA has a (less-well-known) charter for coordinating vulnerability response and computer security across the agencies; NSA has a public huge defensive interest in this stuff as well.

NSA doesn't need Microsoft to enable it to break into arbitrary Windows machines. But it might need their help to keep up with every attack vector on Microsoft code, which is what you need to do if you're doing defensive work.

Only the official confirmation is new, word that she thought her computer(s) were compromised has been out for a while.

I'm not at all sure Linux is the solution; the only plausible culprit for whom that would be a barrier is a non-state actor doing a modern variety of "Will no one rid me of this turbulent priest" (http://en.wikipedia.org/wiki/Thomas_Becket). But the reported sophistication of the attack makes that less likely that previously speculated, and I assume that "Linux" is not a high enough barrier to a state actor.

Assuming that the NSA doesn't possess quantum computers, perhaps 4096-bit PGP email hosted on a local mail server, along with SELinux, full disk encryption and a strong firewall that blocks all incoming connections, should do the trick. Am I correct?

It's the setup I'm using now.

Do you have 24/7 control over the access to your computer? Or at least something that cannot be bypassed that would make tampering evident?

If not, you're subject to a "black bag" job that could easily bypass all your protections, e.g. a physical key logger that would pick up your password/pass phrase that unlocks your disk encryption so you can use it.

Otherwise, do you surf the net from it? I don't take all your precautions, but I do run my browsers in a dedicated VM that has limited access to the rest of my infrastructure.

> Do you have 24/7 control

Pretty much. It's a single user MacBook Air, and I carry it with me at all times, never leaving it out or in the open, or even at home. For suspicious individuals, the CIA can obtain a warrant without notifying the individual, and search his/her apartment/home at convenient times when away, so I never leave it at home, either.

It's pretty much the only computing device I have that has highly sensitive data on it. I don't really care if they take my Kindle Fire; the only stuff on that is books and personal email.

I think 99.8% of us have seen this, but perhaps you haven't.

http://xkcd.com/538/

I've seen it.

It doesn't really matter, because I've also set up a randomizing encryption passcode generator that only works with a synthetic amino acid solution that corresponds to my genome that I carry in a vial around my neck. If under duress, all I have to do is break the vial, and the system will be impenetrable. I also have another sample of the synthesis in my home, but government people can only access it with a warrant -- which they probably won't have.

This was right around the time when there were numerous other attacks on press and US industry networks by Chinese IP addresses. There's not enough info here to draw any conclusions, but I certainly wouldn't jump on the NSA bandwagon just because they're up in our netz (they probably wouldn't need to compromise her specific computer anyway).