A New Threat Actor Targets UAE Dissidents (citizenlab.org)
204 points by subliminalpanda on May 30, 2016 | 36 comments

This is an absolutely superb write-up. It's highly disconcerting to read the level of detail that malicious (and supposedly state-sponsored) actors go to target specific individuals.

This reminds me of a recently declassified document from the CIA that discusses how to undermine organizations by being poor managers, employees, etc. It's difficult to search HN for this at this point because A) we always discuss that agency and B) our best search option gives us the option of the past month or the past year. Maybe someone has this bookmarked or downloaded. It came in PDF form.

This is happening to us here. I think they're doing it by using the "No true Scotsman" informal fallacy and other methods. We'd blame the hundreds of thousands of new users. I believe they've found a way to unwind this community. Nothing revolutionary will ever come from here (how could it?). I think the community has been compromised and that we won't find out until 50 years from now when most of us are dead.

This is how I feel after years of watching the community. I have no stake in it either way. I'm open to opposing views.

Thanks vermontdevil for finding the link. If in 1944 they had a field manual for subverting physical organizations, it's foolhardy to believe they don't have a field manual for subverting "online communities with up and down arrows."

Sock puppet armies aren't science fiction:


And chat bots are now being powered by NLP.



Subverting an online community would not be difficult for anyone with some programming knowledge and a desire to learn.

The study in the link[1] notes that detection is exceedingly difficult, and even then, in the case of Reddit, the Mods and Admins have negligible power to mitigate such attacks even if they do detect them.

There's also JTRIG https://theintercept.com/2014/02/24/jtrig-manipulation/

OEV https://www.theguardian.com/technology/2011/mar/17/us-spy-op...

And my favorite psyOps which is Military Memetics/Memetic Engineering, only because there's a guy in the US Army in charge of 'Meme Warfare'. As for this community, bikeshedding distractions and somebody coming along with bait to derail a conversation with illogical fallacies (trolling) isn't anything new; it has happened on newsgroups for as long as I can remember.

That JTRIG was an interesting read.

But it formed an interesting question in my mind:

As much as I feel these disclosures are great and necessary, are they not inspiring and informing other (unsavory) nation states on great strategies and tactics to use?

I just wish they would publish this type of info and include how to defeat them.

Because the only thing they seem to say in response to these awful things is we're better than this, and it shouldn't be allowed whereas certain dictatorships would just laugh it off and say "Thanks, GREAT ideas!"

Thanks. I had a hard time finding that before my post.

Yeah - I've seen a few times where TV channels show bullshit news while corruption happens.

See also: https://www.reddit.com/r/videos/comments/4lmfmj/ceo_of_reddi...

Just to continue the conversation a bit... I'm wondering what we expect from HN? It sounds like you're saying something revolutionary happened here, or should have happened here, but hasn't and won't ever because of mismanagement and poor quality discussion (I think I'm gathering that part correctly from your post).

Also, perhaps more importantly, why? What motive could "they" (the CIA, I guess?) have for diluting the conversations here? Your post reads as though there's some existing knowledge other readers are assumed to have about the context.

> It sounds like you're saying something revolutionary happened here, or should have happened here, but hasn't and won't ever

I think it won't happen because HN (like many or most communities) seems to be vulnerable to, for lack of a better term, "groupthink." Like when an article about a specific topic pops up and seemingly the entire community has already formed a specific opinion about it. It's nearly impossible to make a dent in it and most of us learn pretty quickly that the opposing view will be attacked, sometimes viciously.

> because of mismanagement and poor quality discussion

Not at all. My reference to the CIA paper (I'm guessing that's where the management aspect comes in) was an illustration of the types of things the intelligence community spends time fleshing out. I don't think HN particularly suffers from poor quality discussion or mismanagement.

> Also, perhaps more importantly, why? What motive could "they" (the CIA, I guess?) have for diluting the conversations here?

There are few large places where the influential tech community gathers to discuss topics of importance. In the same way that control over public opinion (propaganda) is beneficial to motivated parties, it seems reasonable to me that control over our opinions can be used.

The timing attacks on AV software are interesting. Didn't know that was possible. Why doesn't the cross-domain policy reject pings to localhost immediately?

Indeed, why can you contact local network IPs from web pages at all? Browsers should, at the very least, prompt for permission first.

Intranet and localhost services often have a lot of implicit trust in whoever can access them. They rarely have strong passwords, if any, for example.

Popular apps such as Dropbox and Spotify use it: https://bugs.chromium.org/p/chromium/issues/detail?id=378566

This jumped out at me too, very clever. I imagine that localhost isn't treated any differently to any other domain which might have CORS enabled. Unclear what the correct solution is, though.

EDIT: Gaming this out a little bit, another interesting application of this technique could be to create a fairly accurate map of a Windows-centric private network. Example: Start with a bunch of known private network IP spaces, scan through as many IPs as possible, report back addresses that have open/closed/filtered ports.

Would it be fair to say that the Tor browser and Tails OS are being specifically targeted?

It seems to me using these tools is enough in to provide a suspicion and thereby having the opposite effect than what they are intended for.

So essentially, using Chrome on Windows, though perhaps less secure, makes you less likely to be targeted than using Tor on Windows or on Tails.

> using these tools is enough in to provide a suspicion

Philip Zimmermann was talking[1] about encryption in general, but the same idea also applies to anonymity tools.

    What if everyone believed that law-abiding citizens should use postcards for
    their mail? If a nonconformist tried to assert his privacy by using an envelope
    for his mail, it would draw suspicion. Perhaps the authorities would open his mail
    to see what he's hiding. Fortunately, we don't live in that kind of world, because
    everyone protects most of their mail with envelopes. So no one draws suspicion by
    asserting their privacy with an envelope. There's safety in numbers. Analogously,
    it would be nice if everyone routinely used encryption for all their email, innocent
    or not, so that no one drew suspicion by asserting their email privacy with encryption.
    Think of it as a form of solidarity.

If we use Tor only when we are doing something that needs to be anonymous, using Tor is suspicious. Instead, if Tor is used regularly, using Tor doesn't reveal anything. Security and privacy tools and technologies need to be used by default, if you want them to be available in the (hopefully) rare situations where you do need them.

[1] https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html

Thanks. I hope encryption can be better integrated into mass market tools. For example the https://adnauseam.io/ browser extension which can be added to Chrome and used to dilute all the data collected by making it contradictory and meaningless.

I considered using Tor as my default browser but it felt like I was putting a big red target mark on myself even though I am not doing anything illegal. I would like encryption and obfuscation to be the status quo as mentioned in your quote - so it would be more of a passive protection and therefore less suspicious.

This logic is true, yet flawed in the sense that more traffic would make it more secure against network analysis, but the issue is it would also make it a more attractive target due to the trust based on popularity and volume of users.

Tor itself says that it is not secure against advanced attackers with state-level resources.

Do NOT use Tor if you're a state-level target unless it is on a system that's not sensitive and used for counter intelligence.

If you're a state level target, expect physical things like bugging, hardware keystroke loggers, RATs installed in windows bootloaders on your laptop, and other physically intrusive "sneak and peek" measures taken on any electronics when you're not present.

Also expect rubber hose cryptanalysis.

Tor is just too slow to be the default, and asking thousands of people to treat it as the default will only make it worse.

Absolutely. For starters, LEA are aware that if you're using tails/TBB there is an increased chance you're doing something they'd like to be aware of, over say a standard windows/chrome combination.

Secondly, the tails/TBB setup has a very unfortunate side-effect: it gives LEA a specific target they can aim for in terms of hunting for vulnerabilities and writing exploits. The situation is made significantly worse by the fact that firefox hasn't yet fully implemented a sandbox - hence why FF is rarely seen in pwn2own style hacking challenges; it's just not a difficult target.

That's why Tor should be integrated into "private modes" of browsers, and why end-to-end encryption should be de facto in all messengers. We need to make it common.

In the conclusion to this article, "The Growing Trend of Impersonating Journalists" isn't really a new trend; Max Butler (Vision) used that trick to convince bank employees to click on his malware years ago. It's an old spear phishing method to pretend to have written a story about somebody or claim you're writing a book, since it guarantees they click your bait.

UAE prisons are also notorious hell holes devoid of any shred of humanity, according to escort blogs who've been arrested there and forced to serve the mandatory 3 month sentence for prostitution. People dying in the cells from lack of insulin or other medical treatment is common.

The UAE is also a perfect example of why rubber hose cryptanalysis should be considered just as much as the "evil maid" or keyloggers attack vector. Don't want to give up the password to your dm-crypt volume? Okay, enjoy your beatings.

Has there been any research in mitigating these types of attacks? I'm interested in reading about them.

Anyone able to estimate the monetary value per person targeted to a state-level actor? Seems like there's no reason to believe a state-level attacker if approached would not buy intel from a criminal network of attackers or that a foreign state-level attacker won't leverage it advantage attack operations to again and barter intel to other states.

Case in point, attribution based on the skill of these attacks does not dox the attacker, but the end result of their attacks. Meaning these may not have been sponsored attacks, but someone farming intel to capitalize on.

"When a user clicks on a URL shortened by Stealth Falcon operators, the site profiles the software on a user’s computer, perhaps for future exploitation, before redirecting the user to a benign website containing bait content."

But how?

Section 3.4:

    For Internet Explorer, it attempts to create several
    instances of ActiveXObject to get the versions of
    Flash, Shockwave, Java, RealPlayer, Windows Media
    Player, and Microsoft Office (classified as either
    2003, 2007, or 2010).

    For non-Internet Explorer browsers, it attempts to get
    a list of enabled plugins from navigator.mimeTypes.

    For all browsers, it captures the user agent, whether
    cookies are enabled, the OS, the size of the browser
    window, and the timezone.  It classifies browsers into
    different versions, denoted by letters, based on the
    existence and behavior of certain JavaScript methods.

    The script attempts to exploit an information leak in
    older versions of Tor Browser.  We explore the
    technique used in Section 3.5.

    For Windows browsers (except Opera, and versions of
    Internet Explorer before IE9), it sends a series of
    XMLHttpRequests to, which we believe are
    designed to deduce if the computer is running any one
    of several specific antivirus programs.  The code for
    this appears to be borrowed from the JS-Recon port
    scanning tool.21  The creator of JS-Recon presented the
    tool at BlackHat Abu Dhabi in 2010.22  We explore such  
    techniques in more detail in Section 3.6.

Browsers leave a certain amount of fingerprint, i.e. Flash version, Java and the browser version and type are pretty easy to obtain.

This may be enough information to produce a targeted attack.

They also used timing attacks against various localhost ports using XMLHttpRequest. This is enough to detect Avast, Avira, ESET, Kaspersky, and Trend Micro antivirus products.
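
Added example (not part of the thread or of the Citizen Lab report): the check several commenters above ask for, flagging requests that a page on a public origin makes to loopback or private addresses, as the localhost XMLHttpRequest probes described in Section 3.4 do. The function names, sample URLs and ports are constructed, and hostnames that are not IP literals are assumed public because no DNS lookup is done.

```javascript
// Address space of a URL hostname, as already normalized by the WHATWG URL parser.
function addressSpace(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost') || h === '[::1]') return 'loopback';
  const m = h.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  // Assumption: other names are public; a real check would resolve them first.
  if (!m) return 'public';
  const a = Number(m[1]);
  const b = Number(m[2]);
  if (a === 127) return 'loopback';
  const rfc1918 = a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  const linkLocal = a === 169 && b === 254;
  return rfc1918 || linkLocal ? 'private' : 'public';
}

// A request is "inward" when it targets a more private space than the page itself.
const RANK = { public: 0, private: 1, loopback: 2 };

function flagInwardRequests(pageUrl, requestUrls) {
  const pageRank = RANK[addressSpace(new URL(pageUrl).hostname)];
  return requestUrls.filter((u) => {
    let host;
    try {
      host = new URL(u, pageUrl).hostname; // resolves relative URLs against the page
    } catch {
      return false; // unparsable URL: nothing is sent
    }
    return RANK[addressSpace(host)] > pageRank;
  });
}

// Constructed sample: requests observed from a page on a public origin.
const sampleRequests = [
  'https://cdn.example.net/lib.js',
  '/bait/article.html',
  'http://127.0.0.1:12345/',
  'http://localhost:8080/status',
  'http://127.1:9000/', // the parser normalizes this host to 127.0.0.1
  'http://192.168.1.1/',
];

const flagged = flagInwardRequests('https://short.example/abc', sampleRequests);
console.log(flagged);
```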

This was posted here a few (weeks)? ago:


Powerful interests oft express that power by stifling voices deemed troublesome. To me, it does not seem a phenomenon uniquely restricted to particular countries, cultures, or individuals.

The table with the arrests is really troublesome.

The link is down?

Seems to be working, albeit a bit slow.
