Edit: it's been made clear to me that of course this is one of few viable vectors when approaching outbound network with a really restrictive firewall (like Little Snitch). If a browser is already approved on making a given connection, then using a headless instance to do network talking is a smart way to do it. If you roll your own net code, a tool like LS will notify user and/or block. Dumb me!
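Defensive counterpart to the point made above, as an added example that is not part of the thread: an application firewall such as Little Snitch keys its rules on the process, so a browser that is already allowed to talk to the network is equally allowed when something else spawns it headless. A cheap host-side check is to look at the process table for browser instances that were not started the way a user starts them. The script below parses a constructed `ps -eo pid,ppid,user,args` style listing (the `acme-updater` path and the URL are invented placeholders) and flags browsers that carry a headless flag or have an unusual parent process.

```python
"""Flag browser processes that look like they were spawned by another program
(e.g. a headless instance driven by a non-interactive parent).
Input layout mirrors `ps -eo pid,ppid,user,args`; the sample is constructed."""
import os

# Executable names (basename of the binary) we treat as browsers.
BROWSERS = {"Google Chrome", "Safari", "firefox", "chromium"}
# Parents a user-launched browser normally has on macOS: launchd (via
# LaunchServices/Dock/Finder) or an interactive shell. Anything else gets flagged.
BENIGN_PARENTS = {"launchd", "bash", "zsh", "sh", "Finder"}

# Constructed sample process table. pid 455 is a normal browser launch;
# pid 4712 is a headless copy spawned by a hypothetical "updater" binary.
SAMPLE_PS = """\
  PID  PPID USER     ARGS
    1     0 root     /sbin/launchd
  312     1 alice    /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  455     1 alice    /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
 4711     1 alice    /Users/alice/Library/Application Support/acme-updater/updater
 4712  4711 alice    /Applications/Google Chrome.app/Contents/MacOS/Google Chrome --headless --disable-gpu https://example.invalid/sync
"""


def exe_name(args):
    """Basename of the executable: everything before the first ' -' option
    (a simple heuristic that tolerates spaces inside .app bundle paths)."""
    return os.path.basename(args.split(" -")[0])


def parse_ps(text):
    """Return {pid: {ppid, user, args, exe}} from a ps-style listing."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        pid, ppid, user, args = line.split(None, 3)
        procs[int(pid)] = {"ppid": int(ppid), "user": user,
                           "args": args, "exe": exe_name(args)}
    return procs


def ancestry(procs, pid):
    """Executable names from the process up to the root (self first)."""
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        names.append(procs[pid]["exe"])
        pid = procs[pid]["ppid"]
    return names


def suspicious_browsers(procs):
    """List browser processes with a headless flag or a non-benign parent."""
    findings = []
    for pid, p in procs.items():
        if p["exe"] not in BROWSERS:
            continue
        reasons = []
        # "-headless" matches Chrome's --headless and Firefox's -headless.
        if "-headless" in p["args"]:
            reasons.append("headless flag")
        parent = procs.get(p["ppid"])
        parent_name = parent["exe"] if parent else "?"
        if parent_name not in BENIGN_PARENTS:
            reasons.append(f"spawned by {parent_name}")
        if reasons:
            findings.append({"pid": pid, "exe": p["exe"], "parent": parent_name,
                             "chain": ancestry(procs, pid), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_browsers(parse_ps(SAMPLE_PS)):
        print(f"pid {f['pid']} {f['exe']} <- {' <- '.join(f['chain'][1:])}: "
              + ", ".join(f["reasons"]))
```

The parent-process check is the more useful of the two signals: a headless flag is easy to drop, but a browser that is a child of a background binary rather than launchd or a shell stands out regardless of its arguments. On a real host, feed `ps -eo pid,ppid,user,args` into `parse_ps` and review the flagged chains.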
As for what "injecting into little snitch" means, it could either mean injecting code into little snitch, because little snitch probably doesn't filter itself OR injecting a rule into little snitch.
I guess one could argue that the footprint of adding SSL client behavior to a sneaky hidden tracker might be shitty to do and make it more identifiable. But also SSL libraries are typically linkable on the host system anyway, no compilation past the headers needed.
It's just a weird "workaround" on their part if that's the intention.
Restrictive companies will only allow pre-approved applications, for specific ports, i.e. doing HTTP/S over ports 80 and 443, and only on approved/trusted networks.
Correct. It is likely users allow their primary browser full access to all hosts on ports 80 and 443, if not all ports.
Additionally, launching the browser gives you easy access to all the tasty session cookies and access to their keychain (I assume a lot of people give their default browser on OSX keychain access).
deletes browsing history
If there is a page stating the CIA can create an unsavory browsing history, let me know, just for future reference.
1. Only a tiny minority of macOS users use Little Snitch, and they're not necessarily the most sensitive/interesting targets.
2. If you're competent and you have enough privileges to inject a DLL into anything, the odds are overwhelming that you also own the kernel. Why would you waste time with a goofy firewall add-on package?
I joked on Twitter but I'm "ha ha only serious" about this: if you had this entire portfolio of tools and exploits 2 years ago, I'm not sure you could have gotten a job at Immunity. The leak is fascinating. The technical details: not so much.
I thought the Shadow Brokers/Equation Group dump demonstrated a not-especially-skillful group of inexperienced-seeming pentesters who happened to have acquired some interesting bugs on the black market. Today's dump shows a team that's way less impressive even than that.
You might say, well, just piggy-back the signal on something else. Indeed, that is better. But that solution is far more complicated because you have to control (cooperatively, or coercively) a legitimate end-point.
Ergo, I don't think it's clownish at all for the CIA to target LS; it addresses a real threat (to them).
What tptacek is saying is that instead of writing some hand-tailored userspace code to specifically fool Little Snitch, they should just be using a kernel module that will hide the network and process activity from all analysis tools. That's what most nation-state malware does (or tries to do).
Clever to just recover all your data using a browser process which has (likely) already been fully authorized to exfiltrate data.
Clearly that's a neater and more complete approach, but there still might be reasons to target a specific app instead of the kernel. It might just be easier and less error prone. (Monkey-patching a running kernel's networking innards has got to pose serious risk to the underlying system's stability, increasing the likelihood that the target will simply reinstall the OS. That's fine for a DoS attack, but not for something like this).
I would consider it negligent if no-one in the CIA was asking these questions.
We detached this subthread from https://news.ycombinator.com/item?id=13814135 and marked it off-topic.
97-99: Secure Networks, Ballista scanner lead, vulnerability research lab
99-01: Doomed multicast startup
01-05: Lead dev, Arbor Networks
05-15: Cofounder, Matasano
15-16: Doomed recruiting startup
17-: Startup dooming startup
Hope that helps.
I like the idea that we squeezed 10 years out of that firewall rule thingy at Matasano. Sick burn!
EDIT: 128 days old, no prior comments or submissions.