E-Detective Spy Tool Used By Police and Governments Has Major Security Holes
DavidGilbert99 writes: A controversial intercept tool called E-Detective from Taiwan-based company Decision Group has a major security hole which could allow a hacker to remotely execute code and read all the data captured by the software. Considering over 100 law enforcement agencies and governments around the world use E-Detective, this could be a big problem. According to the International Business Times story: "E-Detective works by 'sniffing the network' it is monitoring and captures data packets before sending them to be reassembled and decoded. Unlike other products, E-Detective promises to 'reconstruct the data to its original format' for the end users so that it will be seen the same way that it was seen on the network. E-Detective also advertises as a network forensic tool for private enterprises to 'protect sensitive data from data leakage'."
E-Detective can reconstruct net traffic .. (Score:2)
I don't understand, I thought all https traffic was encrypted and se
Re:E-Detective can reconstruct net traffic .. (Score:4, Insightful)
Compromised certificates and man-in-the-middle attacks based on them. Any second-rate "spy" agency (like the FBI or CIA) has them. (If they were actually good at their jobs, they would not need to break the systems they are targeting. This way, they are basically attacking critical infrastructure, and people that do this are commonly called "terrorists".)
All products of this type of shit (Score:3)
You secure a network by locking down its capabilities to what you need to do and NOTHING else. Hacking then becomes basically impossible... right there.
Re: (Score:2, Insightful)
Not even remotely impossible, but a lot harder. False sense of security is dangerous, you should also remember that.
Re: (Score:2, Insightful)
You don't know what I mean.
You have only machines that need to talk to each be able to talk to each other. You have only protocols you need enabled. You have an internal DNS server and you only permit access to domains ... to or from those domains.
I could go on. You get the idea. Tell me how you'd hack that?
Re: (Score:1)
I'd probably shit down your throat.
Re: (Score:2, Funny)
Hey bingo. So after threatening to come to my parents house and... what hurt my parents? You're now just continuing with your empty violent threats?
You want me to take you seriously so badly.
I feel for you bingo... I really do... but you're as likely to intimidate me as your dog is to impregnate that couch he's humping behind you. ;p
It ain't gonna happen. I'll never take you seriously. :)
Re: (Score:2)
And what would that get you? You're saying you could do some sort of man-in-the-middle attack?
That's easily defeated by connecting remote offices via VPN.
Look, the security setup that would-be hackers always assume is a low one. One where any dipshit user can do pretty much whatever they want with their workstation. Install Angry Birds? Sure. Connect to Facebook? Sure.
A high security environment doesn't let you do these things. You try to run unauthorized code or executable... execution denied. You try to co
Re: (Score:1)
Spoofing an IP address won't get any return packets.
Re: (Score:1)
Ok, so let's say my only objective was to have a server read data from a third party service over TLS. I only need to fetch this data and do it securely, nothing more.
Oh fuck, a wild heartbleed bug has appeared!
It's super effective!
False sense of security has fainted.
Re: (Score:1)
That doesn't give you access to my systems. That gives you access to someone else's systems... possibly using my authentication... which with an RSA keychain... you won't be able to use. So maybe you'll be able to see what I see on SOMEONE ELSE'S system.
Even so, you're assuming you were able to infect either system with the heartbleed bug. How would you do that?
I think you're misunderstanding what I mean when I say LOCKED DOWN.
For example, 99 percent of the workstations I administer draw from a general templ
Re: (Score:3, Insightful)
Are you really that clueless about security? You were talking about how it's "impossible to get hacked" if you implement "perfect security".
In that Heartbleed example, if your server connects to a third party server to fetch some data over TLS and that third party server initiates a Heartbleed-based attack to read your server's RAM, security has been breached. It's totally irrelevant whether that RAM holds any meaningful data (which it usually absolutely does: disk encryption keys, VPN keys etc.), what matter
Re: (Score:1)
Why would my server be connecting that way to anything? And you say "read"... but where are you sending it and how? The firewall won't let you send it anywhere else.
Re: (Score:1)
I'm interested as to how you're using the Heartbleed bug in this scenario to get anything. I'm well aware of how the bug works and I was passively immune to the issue in like five different ways. I'm just not getting how you're doing this...
You're not talking to my server unless you're contacting me from an approved IP address. And if you spoof the IP... you're not getting a return.
There are many other reasons why this wouldn't work in my case but I think I'll just stop there. That seems pretty solid. Ho
Re: (Score:2)
You're also assuming the attack comes from outside the organization. Any infosec worker worth their copy of Wireshark knows that the biggest threat comes from inside, not from outside.
Re: (Score:1)
You secure a network by locking down its capabilities to what you need to do and NOTHING else. Hacking then becomes basically impossible... right there.
Not when this is your gateway out. It is a classic MIM device and sniffer.
Re: (Score:1)
The gateway doesn't need to allow EVERYTHING in and EVERYTHING out.
You set it up so that it just can't do anything besides what the company does. How are you going to trick internal systems into talking to you? Those systems could be entirely proprietary. Have fun even figuring out how to handshake with them.
And there are about a million places where your fooling around COULD trigger a security alarm if they've implemented those.
The best way to secure a system is to make it so rigid in the way that it oper
Re: (Score:1)
The gateway doesn't need to allow in anything more than the network traffic of a service that is used. But you totally ignore the fact that even if you only let the traffic of one service through, that particular service might have bugs that let an attacker gain access to the backend. Or that your router, firewall etc. might have bugs that let malformed packets go through. Just a few examples.
Even fully internal networks without any connection to the Internet can be breached by sophisticated methods, simila
Re: (Score:1)
Yeah but you'd have to intercept the service in question. Can you detail how you would do that specifically? Because I know of several ways that is done and I believe I have accounted for all of them.
Why is the firewall or router even letting your communication through? And even if you were able to send data and it were allowed through... you'd never hear anything back from my system unless you're residing at an approved IP address... which is unlikely. I don't just open port 222222 or whatever and route it
Re: (Score:1)
Yeah but you'd have to intercept the service in question. Can you detail how you would do that specifically? Because I know of several ways that is done and I believe I have accounted for all of them.
By compromising the transmitting end, for example. I could do that using various means, maybe even by physically entering their premises.
Why is the firewall or router even letting your communication through? And even if you were able to send data and it were allowed through... you'd never hear anything back from my system unless you're residing at an approved IP address... which is unlikely. I don't just open port 222222 or whatever and route it all to some internal IP address. The IP address on both ends is specified. So best case I'd be replying to your communication... to a completely different IP address. You wouldn't see it.
I'm not seeing how you would establish two way communications with my systems.
The same as what I said above.
As to the Iranian stuxnet thing, from what I understand some dope took a USB key from a low security area that was infected and plugged it into the airgapped systems.
That was just an exploit of sloppy USB drive policy.
If your security measures assume everyone plays by the rules *you* lay out, your security is imperfect. If you have not accounted for this, your security is even more imperfect.
Please correct me if I'm wrong. Honestly. If I've made an error, then enlighten me.
Read above.
As to software with no vulnerabilities... I find this argument to be a bit mystical. We could go over every vulnerability you think my network has and I think you'll find that it doesn't exist in my case.
So you've audited the microcode running on your computers' processors? You've audited all the firmware in every single component in use in your systems and comp
Re: (Score:1)
Okay so you're saying you're going to hack my system by first hacking someone I talk to...
Okay, but the information sent back and forth is highly specific... and contains no executable code. You can't send commands over those channels. There's nothing "listening".
A few databases are accessed... I'm not sure how you're compromising my system yet?
I mean if you get their codes and access from their systems... then you can access me using their codes and get access to what they have access to. But that's about
Re: (Score:1)
What I don't understand is why you get 2 mod points for every comment you make the very second you post them. Are you multi-accounting?
Okay so you're saying you're going to hack my system by first hacking someone I talk to...
Okay, but the information sent back and forth is highly specific... and contains no executable code. You can't send commands over those channels. There's nothing "listening".
A few databases are accessed... I'm not sure how you're compromising my system yet?
I mean if you get their codes and access from their systems... then you can access me using their codes and get access to what they have access to. But that's about it. You can't upload anything that doesn't squeeze into a database variable at our systems.
That said, I do grant you that if you totally compromised a trusted system... you might be able to introduce something. There is a high probability it wouldn't work for a lot of reasons and the mere attempt would be very likely to set off alarms. But assuming you were really lucky... Maybe.
Ideally the security I'm talking about would be uniformly employed at any trusted system which would make doing this harder.
There is no defense against a full breach of physical security. I can't stop you from doing whatever if you get that deep into my systems. I'm not seeing how your hack of the rival would give you much. You couldn't just access whatever you wanted.
Here you acknowledge that there is no such thing as perfect security and that hacking just about any system is not "basically impossible". It can be easy or it can be difficult, but not impossible. That was your original argument and that argument has now been shown to be false.
Re: (Score:2)
That would require a somewhat sane application and network services design to be effective. If you have several hundred services that must be able to reach every computer in your organization, you will never get security. And yes, that is "what you need and nothing else" if your IT infrastructure was built by people that do not understand security.
So, no, that does not help in practice.
Re: (Score:2)
Hierarchical organization helps with that kind of stuff.
Also... I can't think of any organization that actually needs several hundred services piped to each workstation... I'm trying really hard to think of what those would all even be...
Okay... let's say the company has 10 databases because they're too lazy to integrate them.
That's ten databases.
Then let's say they need email? In my experience they tend to actually need a way of passing information around the organization rather than accepting and sending in
Re: (Score:2)
Your lack of imagination does not negate the possibility.
Why would they integrate them? What's the business advantage of doing so? Do you really think the suits are going to allow you to spend the time doing this when there's virtually no
Re: (Score:2)
Hierarchical organization helps with that kind of stuff.
Also... I can't think of any organization that actually needs several hundred services piped to each workstation... I'm trying really hard to think of what those would all even be...
I cannot tell you where I have seen that because I am under NDA. But believe me, these organizations exist, they are large, and you more likely than not would recognize the names. I have to admit that I do know about these several hundred services only for servers. It may or may not be less for laptops and workstations. As some of the servers can push software to each laptop and workstation, this is a moot point though.
Re: (Score:2)
Bullshit. Arrogance is always the undoing. Even in the most hardcore, wired-only, mac-whitelist, tightass-vlan, zone-enforced user minimum-privilege network, people have to get work done. That means if you have internet access, people will exchange data or even documents with uncontrolled sources. If you don’t, they will find some way to move or bring data in. If you have commodity operating systems or compatible office software, you have compromisable endpoints that need continuous maintenance. If
Re: (Score:2)
As to your users needing to exchange information with unknown third parties... depends on the security environment. High security environment? No. You cannot do that.
The corporate headquarters for Denny's? Probably.
You can establish protocols for file transfers. Host a file server and grant access to whomever to upload or download a specific file at time X.
As to compromised endpoints, I sort that by denying unauthorized code to run and the systems are refreshed from a template on login. You can't infect the
Re: (Score:2)
My server doors have fancy locks on them, thanks.
As to physical security... they're not getting into the server room without compromising someone with access or coming in with a commando squad... maybe Tom Cruise could come in on wires from the ceiling?... I don't know.
One thing I'm noticing from around here is that people don't have a lot of experience with high security. Buildings that you can't get into the lobby of without being buzzed in... where you can't go to the right floor without a key card.
That is the
Re: (Score:1)
My server doors have fancy locks on them, thanks.
I take it these locks are not impenetrable. Nor are the walls. Someone might penetrate these and hack from the inside, similar to the way Tom Cruise did in your example. Security: not perfect.
One thing I'm noticing from around here is that people don't have a lot of experience with high security. Buildings that you can't get into the lobby of without being buzzed in... where you can't go to the right floor without a key card.
That is the sort of security you'd go through to get into the headquarters of Denny's... that isn't even high security. That's just standard corporate security theater.
I've walked into many corporate buildings without any credentials whatsoever. I've even accessed a regional police HQ switch room without anybody asking anything the moment I entered the building. I had reason to access that room, but I had never visited the premises nor did I have any work credentials on me.
This is the
Re: (Score:2)
I have to go into the server room to "change the air filters" "do the electrical inspection" "To check the pipes"
Check your logs/permissions for "visiting maintenance" people. There may be hundreds, depending on how big it is.
Re: (Score:2)
Whooosh.
"users needing to exchange information.. [no]" and "protocols for file transfers...upload or download a specific file at time X."
No ad-hoc messaging in business? The environment you describe does not exist.
"Communication between the work stations or to unauthorized servers on the network is not allowed... again, at the appliance level"
Soooo.... you replaced the hub with a switch?
"refreshed from a template on login. You can't infect the workstations."
Check out Angler malware. Oh, and for two scoop
Re: (Score:2)
No ad-hoc file transfer is standard in high security environments.
Otherwise you get someone that says "I'm mad so I'm going to send organization files to location X".
You know those wikileaks cable leaks? They were leaked by a fellow that went to an isolated room with a rewritable CD. They let him bring the rewritable CD into the room because they thought it could only be music. He then proceeded to put the disc into one of these secure systems and copy the data off of the secure system onto the rewritable di
Re: (Score:2)
Not sure why I keep taking the bait on this, but... two things:
1. Just to pick an example: I proposed that one of your users receives *content* (not an exe) that first subverts the function of existing whitelisted exes, then inserts a logical payload; a mildly good version of this will never hit disk or appear as anything more than a new thread of an existing process. Impossible? You are /sure/ that configuring "about four different changes to the way the computers work" contains all risk of misuse or ab
Piggyback (Score:2)
So who is piggybacking on whom ?
Cops on crooks ?
Crooks on Cops ?
Will there be a difference ?
Both will leave us broke with a bad reputation on file.
Who will watch the watchers? (Score:1)
buy it or be labeled a racist (Score:2)
No surprise (Score:5, Insightful)
This just demonstrates that states attacking computers and placing backdoors does massively more damage than could ever be compensated by any possible benefits. Hence it is one of the most stupid things to do and only desired and done by people that really have no clue or do not care how much damage they do. Usually the latter type of person is called "evil", and with good justification.
Brilliant! (Score:2)
The Chinese have this outsourcing thing down from multiple angles.
I just checked the program (Score:1)
You can't even filter a specific port/protocol; the only thing it does is read Yahoo chat.
SSL decryption is non-existent
Anything you think should be there is not
I have no idea why anyone would use/hack it. tcpdump is like 20 times stronger. It's not even comparable with Wireshark.
Hmmm ... (Score:2)
So, basically a badly written tool, used by clueless police who don't understand the technology, so they can spy on us, but which can be accessed by people who figure out it's easier to spy on the clueless idiots who use a badly written tool because they've already captured everything.
Go police, first you insist we have weak security so you incompetent morons can spy on us, and then you buy crap software with huge security holes so everybody else can spy on us.
This is why we can't have nice things.
And this is
Shodan? (Score:2)
Does anyone have any banner or other information for this product that could be searched in Shodan? :)
By the way, if you haven't looked at the exploit on GitHub, it's ridiculously simple. The script on the server is there for file retrieval; pass it the path and filename to the file you want, encoded in base64, and it sends you the file.
Makes me want to ask the vendor, "Hi...I'm the idea of using service accounts with minimized rights for listening network services, Have we met?"
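The two comments above describe the shape of the bug (a file-retrieval script that opens whatever base64-encoded path it is handed) and the mitigation the last poster hints at (least-privilege service accounts). The following is an added example, not the E-Detective code and not the GitHub script the poster refers to: it places a naive handler of the kind described next to a hardened one that confines every request to a single export directory. The directory layout, file names and contents are constructed for the demo; the function names are this example's own.

```python
import base64
import binascii
import os
import tempfile
from pathlib import Path


class Rejected(Exception):
    """Raised when the hardened handler refuses a request."""


def encode_request(path: str) -> str:
    """Encode a path parameter the way the comment describes (base64)."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii")


def decode_request(encoded: str) -> str:
    """Strictly decode the base64 parameter; malformed input is refused, not guessed."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise Rejected(f"malformed path parameter: {exc}") from exc


def unsafe_fetch(export_dir: str, encoded: str) -> bytes:
    """The pattern the comment describes: decode, join, open. Kept only as the
    'before' picture; '..' segments and absolute paths escape export_dir."""
    return Path(export_dir, decode_request(encoded)).read_bytes()


def safe_fetch(export_dir: str, encoded: str) -> bytes:
    """Hardened retrieval: canonicalise the export root and the requested path,
    then require the result to still sit inside the root."""
    root = Path(export_dir).resolve(strict=True)
    requested = decode_request(encoded)
    if "\x00" in requested:
        raise Rejected("NUL byte in path")
    # Path joining with an absolute component discards root; resolve() also
    # collapses '..' and follows symlinks, so the containment check below sees
    # the real target, not the spelling of the request.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise Rejected(f"path escapes export directory: {requested!r}") from None
    if not candidate.is_file():
        raise Rejected(f"not a regular file: {requested!r}")
    return candidate.read_bytes()


def fetch_or_reason(export_dir: str, encoded: str) -> tuple:
    """Convenience wrapper: (True, bytes) on success, (False, reason) on refusal."""
    try:
        return True, safe_fetch(export_dir, encoded)
    except Rejected as exc:
        return False, str(exc)


def build_demo_dir() -> tuple:
    """Constructed layout: <parent>/exports/report.txt is servable,
    <parent>/secret.txt sits one level above and must never be served."""
    parent = Path(tempfile.mkdtemp(prefix="edetective-demo-"))
    exports = parent / "exports"
    exports.mkdir()
    (exports / "report.txt").write_bytes(b"captured session 1")
    (parent / "secret.txt").write_bytes(b"outside the export root")
    return str(exports), str(parent)


if __name__ == "__main__":
    exports, parent = build_demo_dir()
    print("naive handler, '../secret.txt':", unsafe_fetch(exports, encode_request("../secret.txt")))
    for req in ("report.txt", "../secret.txt", "/etc/hostname"):
        print(f"hardened handler, {req!r}:", fetch_or_reason(exports, encode_request(req)))
```

Containment via `resolve()` plus `relative_to()` is the check that matters; rejecting `..` as a substring is not enough because symlinks and absolute components reach outside without it. Running the listener as a service account that can only read the export directory is the second layer the last comment asks for: even a handler bug then yields only files that account can open.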