• brudgers 2 days ago |
    If your threat model includes nation states, you are outgunned.

    A nation state can probably buy the building across the street if that's the value of hacking your system.

    Of course there are almost certainly cheaper options, but that's the level of time and budget you are up against...teams of motivated and well resourced experienced professionals working against you full time.

    • hulitu 2 days ago |
      > If your threat model includes nation states, you are outgunned.

      If basic security is not implemented, you have bigger problems. (backdoors in Cisco, Fortinet, Palo Alto Networks, skipping tests - CrowdStrike)

      • brudgers 2 days ago |
        Like I said, there are almost certainly cheaper options. It would be unprofessional for intelligence professionals to do things the hard way.

        You are outgunned.

    • rangestransform 2 days ago |
      We should still try our best to secure everything against nation state actors, so that people who really need it (journalists, dissidents, security researchers, etc.) can blend into the crowd with regular consumer grade devices
    • rapjr9 2 days ago |
      But then the source code of the nation states is hacked and anyone can pull off nation state style attacks:

      https://en.wikipedia.org/wiki/Vault_7

      The nation states still have a money/people/breaking+entering advantage, but the cyberattack code is now something everyone has to protect against. Also some companies are important enough that they have to protect against nation state attacks, like pipeline operators, chemical plant operators, utilities, and telecom companies:

      https://www.nytimes.com/2024/11/22/us/politics/chinese-hack-...

      And criminals won't hesitate to use your family to blackmail you, so all the families of people with critical jobs need to be protected also, and their friends' families, and...basically everybody.

      • mu53 2 days ago |
        You say criminals, but I think you meant intelligence agencies
        • westmeal 2 days ago |
          Pretty much the same thing.
        • ElevenLathe 2 days ago |
          A distinction without a difference.
          • ajb a day ago |
            In this context, the difference is that intelligence agencies have a bigger budget: the cited hack does not show that an ordinary criminal budget would be sufficient.
            • ElevenLathe 26 minutes ago |
              Right, and the point is that organized crime and intelligence are so intertwined that state-level resources are also open to what some would term criminals and others would term the state. Both groups would be strictly correct while still missing the point.
          • hcfman 21 hours ago |
            Truer words were never said.
    • Toutouxc 2 days ago |
      If your threat model includes states. The states being nation states or not is irrelevant.
    • fulafel 2 days ago |
      The nation state as a threat model adversary is kind of a weird abstraction. Does it include intrusive questions eg about social media asked by a border agent on your next trip abroad? Does it include getting your web browsing traffic collected up by the nine eyes spooks? Or does it mean a rich country is marshaling all its resources in a manhattan project grade effort to target you personally?

      In any case as in all things defense, you assume your adversary is to some extent rational and making attacks harder (more expensive, risky, opportunity cost, etc) improves the equation for you.

    • impossiblefork 2 days ago |
      If you can't secure computers against state attackers, then you have to stop using computers and to simply talk in places where there are not phones, computers etc.

      If you're afraid about directional microphones out in the woods there are countermeasures for that too, but security is very possible even against the very most well-funded attackers.

      Furthermore, I don't think even internet-connected secure computers are so hard that they can't be built. Limit what you do, so that you can write the program short enough that you can afford to have theoretical guarantees-- maybe write it to run on a computer with Harvard architecture to avoid buffer overflows, and you can probably build one on an FPGA, even as a hobbyist.

      State attackers aren't magic.

      • chgs 2 days ago |
        Until state attackers pick up your developer's kids and bring them home from school, and then nicely ask him to put in a back door.
        • impossiblefork 2 days ago |
          But how would they know who the developer is? This is the neat part of not putting things where people can find them out.

          Also, if you really keep it short, you can always check that he hasn't by reading it. You could also just never update it, and let it become ancient and well-tested.

          • Spooky23 2 days ago |
            Lots of espionage and surveillance within government and contractors.

            Lots of body shop contractors are fake people anyway. Pretty easy to imagine placing a compromised person in a low sensitivity area, then moving laterally.

            • impossiblefork 2 days ago |
              But why would you hire consultants to solve core security problems?

              Furthermore, surely it would just be one guy who knows OS and FPGA stuff and another guy to check it?

              What I'm arguing for is that a sensible solution to security problems is to avoid complexity, so that things can be obviously secure.

              Carefully defined interfaces designed to be clear, impossible to misinterpret and which are designed to be parsed and implemented without doing anything requiring some kind of fiddly parsing that can lead to difficulties, and small enough that someone can implement them in an afternoon; and then you combine that with a machine inherently robust to things like buffer overflows such as Harvard architecture type things, and it's easy even for a single engineer to program something like that up on an FPGA.

              • Spooky23 a day ago |
                You don’t.

                You hire them for other lower priority roles, but they are inside the firewall. Most large organizations have an immature zero trust environment.

                Look at the Microsoft PKI breach. The adversary was able to compromise certificate services in a corporate dev environment and parlay that in accessing US government mailboxes in a supposedly isolated cloud tenant. Microsoft has a world class security practice. The average Fortune 1000 is toast.

                • stackskipton a day ago |
                  Microsoft PKI was because they were not doing world class security practice. For some reason, consumer environment could sign corporate environment logins. Also, they acquired some company and instead of issuing them new hardware to ensure it wasn't compromised, they just let them onto their network.

                  When you read the report, it was very clear that Microsoft wasn't doing "World Class Security Practice", they were taking shortcuts like everyone else does.

                  • Spooky23 a day ago |
                    Yup. They fucked up pretty bad. How many places do you think are worse than them?
                    • stackskipton a day ago |
                      Probably all of them because no one loses money for bad InfoSec practices.
                • impossiblefork 10 hours ago |
                  But Microsoft doesn't take this approach at all.

                  Their software is huge, with all sorts of things integrated into it and no focus at all on keeping the software small enough that one person can read it through with such care that it can be assured to be secure.

                  They probably run their cloud stuff on processors that can reorder instructions and all sorts of things, whereas what I'm arguing for is simple computers, things that can run a text-only search engine and where the text editor is substantially simpler than nano.

                  Where you decide exactly what your requirements are and make a system which solves that problem and nothing else.

      • Yeul 2 days ago |
        I read once that when America refurbishes an embassy somewhere in the world they bring in their own construction company. Otherwise you end up with mics in the walls.

        Used to think the Chinese were paranoid with their bans on iPhones and Teslas...

        • impossiblefork 2 days ago |
          Yeah, that seems completely unavoidable otherwise.

          I've always seen it as pretty strange to carry around other people's computers or using external services-- so I've always seen things like phones, Google Maps, etc. as things that it is strange that any country that isn't the US allows people to use.

          I don't think one absolutely needs to make everything oneself, but I can't imagine that it's sensible that everybody use external services, so that so much information ends up in one place.

        • Nab443 2 days ago |
          iPhones and Teslas would be overkill anyway: https://www.cryptomuseum.com/covert/bugs/thing/
        • sgarland 2 days ago |
          Kind of. They’re required (or agree to?) to use local labor at least in part, but there are American companies that manage the construction. My grandfather (a U.S. citizen) does security inspections for embassy construction, verifying that it’s built to plan, that all materials are traceable to point of origin, etc.
          • hammock a day ago |
            Why not pay a local labor team to sit idle while you do the work yourself? Would be worth it
    • ris a day ago |
      > A nation state can probably buy the building across the street if that's the value of hacking your system.

      So make them spend that money.

      Or, more likely, convince them to refocus on a cheaper target.

  • transpute 2 days ago |
    WiFi security can be improved by per-device passwords, https://github.com/spr-networks/super
    • telgareith 2 days ago |
      Or just enable "WPA-enterprise" and have it rotate keys. Then you not only have device certificates, you also have per user authentication. And if somebody missed it- rotating keys. They can change faster than they can be cracked. Then you can also layer VPNs on top of that...

      All of which are standard, well known, and proven solutions.

      What does that repo offer? With 400 stars, I doubt anybody has given it serious attention.

      • sigmoid10 2 days ago |
        You make it sound like you just have to flip a switch in your router's settings to enable it, but that is very far from the truth. For that to work you need a RADIUS server to handle credentials, a certificate authority if you want any useful kind of authenticity checks, a process for distributing said certificates and finally you need to configure all your access points. This is something that companies can (and should) have, but for home users it is overkill. Since this repo specifically targets home users, I suspect there is a place for this among enthusiasts who can't or don't want to go all the way on their home network.
        • rurban 2 days ago |
          No radius server needed, the builtin kernel module for wifi access points can do that easily.
          • BenjiWiebe 2 days ago |
            Do you mean hostapd? I'm not aware of any builtin kernel/modules doing AP stuff.
            • rurban 2 days ago |
              Right, hostapd. It has the radius functionality builtin you'd need for proper wifi enterprise functionality
              • ewuhic 2 days ago |
                Getting hostapd to work is ass in itself.
                • rurban a day ago |
                  Yes, but much easier than with a full radius server
                  • LinuxBender a day ago |
                    FWIW one can front-end OpenLDAP or AD with Radius. Once the translation layer is in place then it's more about teaching IT how to manage particular fields in LDAP/AD.
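
The setup discussed in this sub-thread (WPA-Enterprise served by hostapd's integrated EAP server instead of a separate RADIUS daemon), as an added configuration sketch that is not part of any comment above. The interface name, SSID, file paths and rekey intervals are assumptions.

```conf
# /etc/hostapd/hostapd.conf  (added example; interface, SSID, paths and
# intervals below are assumptions, not values from the thread)
interface=wlan0
driver=nl80211
ssid=home-eap
hw_mode=g
channel=6

# WPA2-Enterprise: 802.1X key management instead of a shared passphrase
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# Use hostapd's integrated EAP server; no external RADIUS server
eap_server=1
eap_user_file=/etc/hostapd/hostapd.eap_user

# Server identity, and the CA used to validate client certificates (EAP-TLS)
ca_cert=/etc/hostapd/ca.pem
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key

# Key rotation, in seconds
wpa_group_rekey=3600
wpa_ptk_rekey=3600
eap_reauth_period=3600

# /etc/hostapd/hostapd.eap_user (separate file), one line per identity rule:
#   *   TLS
# accepts any identity that completes EAP-TLS with a certificate issued by ca_cert.
```

The CA and the per-device certificates still have to be issued and distributed out of band, which is the overhead sigmoid10's comment points to.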
  • LorenDB 2 days ago |
  • sharpshadow 2 days ago |
    “Microsoft warned of a vulnerability in Windows' print spooler”

    How much I hated just seeing this process. Print related tasks should never run when not needed.