
A New Threat Actor Targets UAE Dissidents - subliminalpanda
https://citizenlab.org/2016/05/stealth-falcon/
======
deanclatworthy
This is an absolutely superb write-up. It's highly disconcerting to read the
level of detail that malicious (and supposedly state-sponsored) actors go to
target specific individuals.

------
coderdude
This reminds me of a recently declassified document from the CIA that
discusses how to undermine organizations by being poor managers, employees,
etc. It's difficult to search HN for this at this point because A) we always
discuss that agency and B) our best search option gives us the option of the
past month or the past year. Maybe someone has this bookmarked or downloaded.
It came in PDF form.

This is happening to us here. I think they're doing it by using the "No true
Scotsman" informal fallacy and other methods. We'd blame the hundreds of
thousands of new users. I believe they've found a way to unwind this
community. Nothing revolutionary will ever come from here (how could it?). I
think the community has been compromised and that we won't find out until 50
years from now when most of us are dead.

This is how I feel after years of watching the community. I have no stake in
it either way. I'm open to opposing views.

Thanks vermontdevil for finding the link. If in 1944 they had a field manual
for subverting physical organizations, it's foolhardy to believe they don't
have a field manual for subverting "online communities with up and down
arrows."

~~~
feklar
There's also JTRIG [https://theintercept.com/2014/02/24/jtrig-manipulation/](https://theintercept.com/2014/02/24/jtrig-manipulation/)

OEV [https://www.theguardian.com/technology/2011/mar/17/us-spy-operation-social-networks](https://www.theguardian.com/technology/2011/mar/17/us-spy-operation-social-networks)

And my favorite psyOps, which is Military Memetics/Memetic Engineering, only
because there's a guy in the US Army in charge of 'Meme Warfare'. As for this
community: bikeshedding distractions and somebody coming along with bait to
derail a conversation with illogical fallacies (trolling) isn't anything new;
it has happened on newsgroups for as long as I can remember.

~~~
nekopa
That JTRIG was an interesting read.

But it formed an interesting question in my mind:

As much as I feel these disclosures are great and necessary, are they not
inspiring and informing other (unsavory) nation states on great strategies and
tactics to use?

I just wish they would publish this type of info _and_ include how to defeat
them.

Because the only thing they seem to say in response to these awful things is
_we're better than this, and it shouldn't be allowed_ whereas certain
dictatorships would just laugh it off and say "Thanks, GREAT ideas!"

------
pjs_
The timing attacks on AV software are interesting. Didn't know that was
possible. Why doesn't the cross-domain policy reject pings to localhost
immediately?

~~~
TazeTSchnitzel
Indeed, why can you contact local network IPs from web pages at all? Browsers
should, at the very least, prompt for permission first.

Intranet and localhost services often have a lot of implicit trust in whoever
can access them. They rarely have strong passwords, if any, for example.

~~~
tobias3
Popular apps such as Dropbox and Spotify use it:
[https://bugs.chromium.org/p/chromium/issues/detail?id=378566](https://bugs.chromium.org/p/chromium/issues/detail?id=378566)

------
mouzogu
Would it be fair to say that the Tor browser and Tails OS are being
specifically targeted?

It seems to me that using these tools is enough to provide a suspicion, and
thereby has the opposite effect to what they are intended for.

So essentially, using Chrome on Windows, though perhaps less secure, makes you
less likely to be targeted than using Tor on Windows or on Tails.

~~~
pdkl95
> using these tools is enough to provide a suspicion

Philip Zimmermann was talking[1] about encryption in general, but the same
idea also applies to anonymity tools.

> What if everyone believed that law-abiding citizens should use postcards for
> their mail? If a nonconformist tried to assert his privacy by using an envelope
> for his mail, it would draw suspicion. Perhaps the authorities would open his mail
> to see what he's hiding. Fortunately, we don't live in that kind of world, because
> everyone protects most of their mail with envelopes. So no one draws suspicion by
> asserting their privacy with an envelope. There's safety in numbers. Analogously,
> it would be nice if everyone routinely used encryption for all their email, innocent
> or not, so that no one drew suspicion by asserting their email privacy with encryption.
> Think of it as a form of solidarity.

If we use Tor only when we are doing something that _needs_ to be anonymous,
using Tor is suspicious. Instead, if Tor is used regularly, using Tor doesn't
reveal anything. Security and privacy tools and technologies need to be used
by default, if you want them to be available when in the (hopefully) rare
situations where you _do_ need them.

[1]
[https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html](https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html)

~~~
nxzero
This logic is true, yet flawed in the sense that more traffic would make it
more secure against network analysis, but the issue is it would also make it
a more attractive target due to the trust based on popularity and volume of
users.

Tor itself says that it is not secure against advanced attackers with
state-level resources.

Do NOT use Tor if you're a state-level target unless it is on a system that's
not sensitive and used for counter intelligence.

~~~
walrus01
If you're a state-level target, expect physical things like bugging, hardware
keystroke loggers, RATs installed in Windows bootloaders on your laptop, and
other physically intrusive "sneak and peek" measures taken on any electronics
when you're not present.

~~~
syngrog66
also expect rubber hose cryptanalysis

------
feklar
In the conclusion to this article, "The Growing Trend of Impersonating
Journalists" isn't really a new trend; Max Butler (Vision) used that trick to
convince bank employees to click on his malware years ago. It's an old spear
phishing method to pretend to have written a story about somebody or claim
you're writing a book, since it guarantees they click your bait.

UAE prisons are also notorious hell holes devoid of any shred of humanity,
according to escort blogs whose authors have been arrested there and forced to
serve the mandatory 3-month sentence for prostitution. People dying in the
cells from lack of insulin or other medical treatment is common.

~~~
walrus01
The UAE is also a perfect example of why rubber hose cryptanalysis should be
considered just as much as the "evil maid" or keylogger attack vector. Don't
want to give up the password to your dm-crypt volume? Okay, enjoy your
beatings.

~~~
subliminalpanda
Has there been any research in mitigating these types of attacks? I'm
interested in reading about them.

------
nxzero
Anyone able to estimate the monetary value per person targeted to a
state-level actor? Seems like there's no reason to believe a state-level
attacker, if approached, would not buy intel from a criminal network of
attackers, or that a foreign state-level attacker won't leverage its advantage
in attack operations to gain and barter intel with other states.

Case in point, attribution based on the skill of these attacks does not dox
the attacker, but the end result of their attacks. Meaning these may not have
been sponsored attacks, but someone farming intel to capitalize on.

------
facepalm
"When a user clicks on a URL shortened by Stealth Falcon operators, the site
profiles the software on a user’s computer, perhaps for future exploitation,
before redirecting the user to a benign website containing bait content."

But how?

~~~
ianpurton
Browsers leave a certain amount of fingerprint, i.e. the Flash version, the
Java version, and the browser version and type are pretty easy to obtain.

This may be enough information to produce a targeted attack.

They also used timing attacks against various localhost ports using
XMLHttpRequest. This is enough to detect Avast, Avira, ESET, Kaspersky, and
Trend Micro antivirus products.
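The localhost probing discussed here, and the point made earlier in the thread that localhost services place implicit trust in whoever can reach them (with Dropbox and Spotify as examples of apps that expose such endpoints), comes down to one defensive question: what should a service listening on 127.0.0.1 do with a request that a web page generated? The following is an added example, not code from the Citizen Lab report or from anyone in this thread. It is a Node.js request filter for a loopback-only service: it rejects requests whose Host header is not a loopback name (the shape of a DNS-rebinding request) and rejects cross-site browser requests unless their Origin is on an allowlist. The allowlisted origin `https://app.example.test`, the port 8080, and the sample header sets are all assumptions constructed for the example.

```javascript
// Added example (not from the Citizen Lab report or this thread): a request
// filter for a service that listens on localhost, written from the defender's
// side. A web page can point XMLHttpRequest/fetch at http://127.0.0.1:<port>.
// The browser stops the page from *reading* a cross-origin response unless
// CORS permits it, but it does not stop the request from being sent, and the
// page still sees load/error events and their timing. A local service should
// therefore (a) refuse requests whose Host header is not a loopback name,
// which is what a DNS-rebinding page sends, and (b) refuse cross-site browser
// requests unless their Origin is explicitly allowlisted.

// Assumed allowlist of browser origins (scheme://host[:port]) that may talk
// to this service. A real product would ship its own list.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Host header values a loopback-only service should ever see.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Strip the :port suffix from a Host header. Bracketed IPv6 literals
// ("[::1]:8080") are handled separately because they contain colons.
function hostWithoutPort(hostHeader) {
  const h = String(hostHeader).trim().toLowerCase();
  if (h.startsWith("[")) {
    const end = h.indexOf("]");
    return end === -1 ? h : h.slice(0, end + 1);
  }
  const colon = h.indexOf(":");
  return colon === -1 ? h : h.slice(0, colon);
}

// Decide whether a request may reach the service. `headers` is a Node-style
// object with lower-case header names. Returns { allow, reason }.
function checkLocalRequest(headers) {
  const host = hostWithoutPort(headers.host || "");
  if (!LOOPBACK_HOSTS.has(host)) {
    return { allow: false, reason: "Host is not loopback (possible DNS rebinding)" };
  }
  const origin = headers.origin;
  if (origin !== undefined) {
    // Browsers attach Origin to cross-origin XHR/fetch, which is exactly the
    // probe traffic a web page can generate against localhost.
    return ALLOWED_ORIGINS.has(origin)
      ? { allow: true, reason: "allowlisted Origin" }
      : { allow: false, reason: "cross-origin browser request from " + origin };
  }
  // Requests with no Origin (e.g. <img src>, <script src>, top-level
  // navigation) still carry Sec-Fetch-Site in current browsers.
  if (headers["sec-fetch-site"] === "cross-site") {
    return { allow: false, reason: "cross-site fetch without Origin" };
  }
  return { allow: true, reason: "same-origin or non-browser client" };
}

// Run constructed header sets through the filter. These are the cases the
// thread describes, not captured traffic.
function demo() {
  const cases = {
    xhrProbe:    { host: "127.0.0.1:8080", origin: "https://attacker.example", "sec-fetch-site": "cross-site" },
    rebinding:   { host: "rebind.attacker.example:8080" },
    imgProbe:    { host: "localhost:8080", "sec-fetch-site": "cross-site" },
    trustedApp:  { host: "[::1]:8080", origin: "https://app.example.test", "sec-fetch-site": "cross-site" },
    localClient: { host: "localhost:8080" },
  };
  const out = {};
  for (const [name, headers] of Object.entries(cases)) {
    out[name] = checkLocalRequest(headers).allow;
  }
  return out;
}

// `node localfilter.js --serve` wires the filter into a real loopback HTTP
// server (assumed port 8080) so it can be exercised from a browser tab.
if (typeof process !== "undefined" && process.argv.includes("--serve")) {
  const http = require("http");
  http.createServer((req, res) => {
    const v = checkLocalRequest(req.headers);
    res.writeHead(v.allow ? 200 : 403, { "Content-Type": "text/plain" });
    res.end((v.allow ? "ok: " : "forbidden: ") + v.reason + "\n");
  }).listen(8080, "127.0.0.1");
} else {
  console.log(demo());
}
```

One caveat worth keeping in mind: this filter decides whether a page may *use* the service, but the TCP port is still accepting connections, so a page can still tell "port open" from "connection refused" by timing, which is the signal the AV-detection technique in the report relies on. The Host check closes the DNS-rebinding route and the Origin/Sec-Fetch-Site checks stop a page from driving the service; hiding that a port exists at all is not something an application-layer check can do.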

------
brudgers
Powerful interests oft express that power by stifling voices deemed
troublesome. To me, it does not seem a phenomenon uniquely restricted to
particular countries, cultures, or individuals.

------
chinathrow
The table with the arrests is really troublesome.

------
iamsalman
The link is down?

~~~
subliminalpanda
Seems to be working, albeit a bit slow.

