WikiLeaks Reveals A CIA LAN-Attacking Tool From 'Vault 7'

An anonymous reader quotes BetaNews: WikiLeaks continues to release revealing documents from its Vault 7 cache. This time around the organization introduces us to a CIA tool called Archimedes -- previously known as Fulcrum. As before, there is little to confirm whether or not the tool is still in active use -- or, indeed, if it has actually ever been used -- but the documentation shows how it can be installed on a LAN to perform a man-in-the-middle attack.

The manual itself explains how Archimedes works: "Archimedes is used to redirect LAN traffic from a target's computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target's web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session."
HotHardware notes that WikiLeaks "also provided the full documentation for Fulcrum, which goes into much greater detail about how the man-in-the-middle operation is conducted" -- including this instruction in the guide's "Management" section. "If you are reading this then you have successfully delivered the Fulcrum packages and provided the binaries with code execution. Hoorah! At this stage, there is not much to do other than sit back and wait."

Re:

[Anonymous Coward]

What makes you think that Trump would want to stop this?

That shit about people projecting their own values onto Trump is the real deal, all right.

Re: Now Trump can stop this!

[PopeRatzo]

Trump said he was going to stop this.

He also said Trumpcare was going to cover everyone.

Re:

[mab]

Sure did

https://www.washingtonpost.com/politics/trump-vows-insurance-for-everybody-in-obamacare-replacement-plan/2017/01/15/5f2b1e18-db5d-11e6-ad42-f3375f271c9c_story.html?hpid=hp_hp-top-table-main_trump-interview-822pm%3Ahomepage%2Fstory&utm_term=.947feeb07e26

Re:

[coofercat]

I'm not an American, but I'm not really sure 'Trumpcare' is what I'd like covering me under any circumstances.

Ettercap

[Anonymous Coward]

W00h00, they reinvented ettercap:
# ettercap -i eth0 -T -M arp /192.168.111.1/ /192.168.111.2/

What About HTTPS?

[Anonymous Coward]

If this tool cannot support forging a response such that it appears to have come from the requested server then it would seem to have limited use. One of the reasons why X.509 certificates, which are the sort commonly used for SSL and HTTPS, are signed is to prevent a MITM from successfully impersonating the response by introducing a third party co-signer of the original certificate, namely the certificate authority. The situation could be complicated still further by the use of an encrypted point-to-point

Re:What About HTTPS?

[scdeimos]

You put far too much faith in HTTPS.

The default settings of SSL/TLS libraries on most operating systems make man-in-the-middle attacks trivial. When an SSL/TLS session is negotiated only the following things are validated:

1. The origin server certificate trust chain is ultimately signed by a Trusted Root certificate - any trusted root certificate.
2. The valid-from and valid-to dates on the certificate are current.
3. The desried host name is in the Subject or SubjectAlt fields, which is a useless check with 0% value.

So, why would I say that the host name check is a useless check with 0% value? Because TLS has been neutered since SNI was introduced (RFC 3546 Transport Layer Security Extensions # Server Name Indication). Before then SSL/TLS was "reasonably secure" but since then it is virtually worthless. Under SNI the connecting client tells the origin server which host name it is connecting to and, thanks to that gaping hole, the origin server (or any man-in-the-middle appliance) has enough information to either generate a fake certificate or pull one out of its cache.

Re:

[Anonymous Coward]

SNI is not the problem.

If you have the ability to generate valid certificates that chain properly to a trusted root certificate, then with or without SNI doesn't matter. Without SNI the every server name would have to have a unique IP, so the MITM would know who you're connecting too. With SNI you have to tell the server which identity you're trying to connect to, so the MITM would know who you're connecting to.

SNI doesn't change the security of SSL/TLS.

Re:What About HTTPS?

[scdeimos]

I think maybe your head is in the sand if you can't see how SNI weakened TLS as a security protocol. SNI was created because Web Hosters and businesses didn't want to keep paying for additional IPv4 address space - prior to that you could only host a single SSL/TLS-enabled web site on any given IPv4's tcp/443. Instead of migrating everybody to IPv6 where every host could have a unique address they pushed for SNI to add HTTP Host-like header capabilities to TLS.

Your premise that SNI is not a huge problem is only valid if, and only if, you can guarantee that every single trusted root certificate (and every single Server Identity capable intermediate certificate signed by them) has never been compromised by an attacker. Show me any US-based Certificate Authorities issuing NSL canaries and the like. Some CAs don't even specify a maximum chain length on their root/intermediate certificates.

If you'd like to see a practical HTTPS man-in-the-middle demonstration on your favorite Windows desktop just install Telerik's Fiddler tool and enable the HTTPS Intercept option. This installs its own certificate into your Trusted Root Certificate store and then re-encrypts all of your HTTPS connections so you can inspect the traffic.

Re:

[scdeimos]

I never said there were not easier ways to infiltrate computers. If you actually read what I replied to I was pointing out that the parent put far too much faith in the ability of X.509 certificates and SSL and HTTPS, apparently assuming that they are the cure-all for MITM attacks when, in fact, they most definitely are not. (At least not as currently implemented.)

Re:

[BronsCon]

prior to that you could only host a single SSL/TLS-enabled web site on any given IPv4's tcp/443.

Which, of course, meant that knowing which IP address someone was communicating with using SSL also meant knowing which site they were visiting. Now, with SNI, you need more than the packet headers to determine which site someone is talking to.

It's no more or less secure, the same number of attack vectors exist, and with the same difficulty of attack; the attack surface just looks different now. That you can see the new attack vector but completely missed the old one does not change that.

So I see you're

Re:

[BronsCon]

You connect to the IP address on port 443 and, well, wouldn't ya know it, you're presented with the site's public certificate which, in turn, identifies the site. Aside from that, do you really thing the NSA (as in my example) doesn't know the IP address of every public-facing server hosting somesitethensacaresabout.net?

I see why you posted anonymously.

Re:

[phantomfive]

Is there a proof-of-concept or anything for this vuln? I can't find anything.....I did find this, which clearly shows that HTTPS is vulnerable to hostile governments [schneier.com], but that's not the exploit you're talking about.

Re:

[AHuxley]

Might save a user on a wider global network. A Project Bullrun or Edgehill seemed to show some thinking about the HTTPS issue https://en.wikipedia.org/wiki/... [wikipedia.org].
Back in the plain text part at the safe end of the LAN network?

ARP poisoning?

[schweini]

This sounds like a simple ARP poisoning attack? No big deal?

Re:

[BlueStrat]

This sounds like a simple ARP poisoning attack? No big deal?

Pretty much what it appears. LAN attacks are pretty standard stuff, the nasty (and interesting) stuff would be the binaries and other bits they drop into the machine(s) after a successful penetration. There might actually be more relevant/usable/informative bits in the documentation than in the tools themselves.

Good to see Assange isn't backing down from the US-led "Five-Eyes" international surveillance state that turned their resources inwards on their own domestic populations after the Cold War's end.

Stra

Re:

[StormReaver]

...the nasty (and interesting) stuff would be the binaries and other bits they drop into the machine(s) after a successful penetration.

I disagree. Windows compromises are about as newsworthy as, "man flushes toilet. News at 11." If you're running Windows on a network, you're probably compromised. End of story.

The only interesting part of all of this is: how are the systems being compromised? If it's Windows-only, then big frigging deal. If you're running Windows, you MUST always behave as if you have been comprised. Because you probably have been. Mac OS to a lesser extent, but Apple likes to disable or bypass the effective parts

Re:

[BlueStrat]

I disagree. Windows compromises are about as newsworthy as, "man flushes toilet. News at 11."

It's not the Windows compromises themselves that are the "interesting" part, it's all the information and clues that can be gleaned from them about things like precisely what data is being collected, by whom, where it's sent, how often, where/what servers are sending it instructions, etc etc. There's a possible treasure-trove of useful data that can be gleaned, or at least hints and clues to further investigations and possible paths towards mitigation strategies.

Strat

Um... this is common?

[Anonymous Coward]

Almost every corporation in America uses the exact same technique to snoop and log employees' browsing habits. SSL MITM injection is nothing new at all.

New or not, important to know and document

[jbn-o]

Perhaps not new to IT admins but quite new to the vast majority of computer users who were likely unaware such things were possible, being done by the US government, and possibly affecting their non-work Internet access. Documentation like this and the Snowden revelations also help put a quick stop to anyone trying to minimize the importance of the news, particularly by making fun of the critique along the 'tin-foil hat' line. It's critically important that people know what's being done in their name. As ot

So what's it used for really?

[Anonymous Coward]

Is this the sort of thing that allows them to turn anyone into a terrorist or pedophile, by sending whatever they want no matter what the actual request had been?

Archimedes...

[trabby]

So if the tool is called Archimedes, does it use a bath-overflow exploit?

For those claiming this isn't much...

[zedaroca]

Yes, ettercap, ARP poisoning, etc... technically this is something that has been done before with other tools.
The importance of the publication is for detection/protection and for attribution. A lot of people will know who is/was after them, messing with their systems, etc.
Since we are talking about murderers, it is very good to know.

Why leak this?

[sabbede]

I thought Wikileaks was for blowing the whistle on wrongdoing. Is the CIA using these tools to spy on innocent civilians? Are they using them in domestically in the US in violation of Federal law? Was there some pressing public need to have the tools spies use to spy on each other revealed?

Where is the public benefit to this leak? If these tools were not being misused, isn't this just harming public security?

Re:

[Anonymous Coward]

Wikileaks has proven they are not some benevoland organization dedicated to transparency. They cherry pick what they have to target who and what they want, e.g. Hilary Clinton's campaign while leaving Trump's campaign unscathed.

Re: Why leak this?

[Rujiel]

You're claiming WL had something on trump that wasn't released. What's your proof? You realize WL didn't acquire the clinton emails to begin with? So "y u no hack trump wikileaks!! " is pretty silly.