CIA Hacking Notepad++

purenet
User
Posts: 30
Joined: Wed Oct 21, 2009 10:11 am

CIA Hacking Notepad++

Post by purenet »

Hello,

This is not good.

https://wikileaks.org/ciav7p1/cms/page_26968090.html
https://notepad-plus-plus.org/news/note ... issue.html

How about ScintillaGadget in PB, same scilexer.dll problem?
Lunasole
Addict
Posts: 1091
Joined: Mon Oct 26, 2015 2:55 am
Location: UA

Re: CIA Hacking Notepad++

Post by Lunasole »

purenet wrote:Hello,

This is not good.

https://wikileaks.org/ciav7p1/cms/page_26968090.html
https://notepad-plus-plus.org/news/note ... issue.html

How about ScintillaGadget in PB, same scilexer.dll problem?
This is no more dangerous than if the CIA replaced your whole notepad.exe, i.e. if they can do that, then you're already totally pwned :)
Also npp is just one of thousands of apps usable for that.

As for PB, it's not mainstream enough to be interesting to the CIA, but surely it also has enough vulnerabilities in its libraries, etc.

No need to worry about such things, unless your PC is configured using a philosophy like "Internet-Of-Stupid-Things device". A nice firewall which sits in the OS kernel makes such children-level efforts futile; just don't forget to check that the firewall itself is not exploited by something really evil :3
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
Keya
Addict
Posts: 1891
Joined: Thu Jun 04, 2015 7:10 am

Re: CIA Hacking Notepad++

Post by Keya »

Lunasole wrote:No need to worry about such things, unless your PC is configured using a philosophy like "Internet-Of-Stupid-Things device". A nice firewall which sits in the OS kernel makes such children-level efforts futile; just don't forget to check that the firewall itself is not exploited by something really evil :3
It's hardware like routers and modems I don't trust! At least with software I can look at it in a debugger, but with this black box with green LED lights in front of me I really hope keeping my fingers crossed is helping.
Lunasole
Addict
Posts: 1091
Joined: Mon Oct 26, 2015 2:55 am
Location: UA

Re: CIA Hacking Notepad++

Post by Lunasole »

Keya wrote:It's hardware like routers and modems I don't trust! At least with software I can look at it in a debugger, but with this black box with green LED lights in front of me I really hope keeping my fingers crossed is helping.
Yes, it is too doubtful to use those modern routers coming with questionable leaky Linux builds and having really excessive hardware abilities, overloaded with plenty of unnecessary & complicated functions in the name of pseudo-progress.
That's why I prefer those older routers instead [pff, as well as archaic J2ME mobiles against Androids :3]; they have very limited abilities [but enough to not get DoSed, or to handle 100 Mbps on each of several LAN ports], simple optimized firmware stored on some small ROM, requiring MUCH more skill to exploit them remotely, and so on.

"Security through minority", or obscurity or whatever ^_^
Generally the modern situation with all that looks like the one from the "Battlestar Galactica" (2003) movie.
Last edited by Lunasole on Sat Mar 11, 2017 6:45 am, edited 1 time in total.
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
DarkDragon
Addict
Posts: 2218
Joined: Mon Jun 02, 2003 9:16 am
Location: Germany

Re: CIA Hacking Notepad++

Post by DarkDragon »

Lunasole wrote:"Security through minority", or obscurity or whatever ^_^
Security through obscurity is not secure. Security through minimalism is also not secure, because that's simply obscurity by reducing the system components, in my eyes. However, the probability that there is a security hole in a minimalistic system is far less than in a large, bloated system. That said, I would prefer using a modem in front of the router, but nowadays this is impossible with VDSL and so on.
bye,
Daniel
Michael Vogel
Addict
Posts: 2666
Joined: Thu Feb 09, 2006 11:27 pm

Re: CIA Hacking Notepad++

Post by Michael Vogel »

Keya wrote:It's hardware like routers and modems I don't trust! At least with software I can look at it in a debugger, but with this black box with green LED lights in front of me I really hope keeping my fingers crossed is helping.
For smaller environments there are fine products (e.g. the European-made Mikrotik devices or components from the originally Japanese Allied Telesis) available which seem to do their job and nothing else...

But for large networks it is difficult to get rid of the "standard" US products (unless you like Chinese copies - okay, not complete copies, they have changed two commands in the CLI), and so I had to deal with more "interesting" things than wanted.

Personally, I don't like network vendors ignoring standards, concealing backdoors for years or using funny protocols like CDP and VTP by default. Maybe all these things have been done by a single vendor as well.

So good luck with your blinking box...
tj1010
Enthusiast
Posts: 621
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: CIA Hacking Notepad++

Post by tj1010 »

They binary patched the DLL and replaced the original. Not an issue..

I wouldn't have done signature checks as a response and would just have pointed out end-user fault..

A buffer overflow in a browser or malicious firmware on a gateway shouldn't result in a rootkit in 2017, when there are AES, SHA3, and sandboxes..

You can do the same on Linux, BSD, and OSX without sandboxing and signature verification.
The truth hurts.
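A defender-side check for the DLL-replacement scenario the thread is about, added here as an example (it is not code from the thread, from Notepad++ or from PureBasic): it reports whether a Scintilla DLL still carries a valid Authenticode signature from the publisher you expect, and distinguishes a binary-patched file from an unsigned swap-in. The DLL path and the expected signer subject are assumptions; take the real subject and SHA256 from a known-good copy.

```powershell
# Added example (not from the thread, Notepad++ or PureBasic): check that a Scintilla DLL
# still carries a valid Authenticode signature from the publisher you expect.
# ASSUMPTIONS: the DLL path and the expected signer subject below are placeholders; take
# the real subject and SHA256 from a known-good copy (e.g. a fresh install) as a baseline.
function Test-DllSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "DLL not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    $subject = '<unsigned>'
    $thumb   = $null
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        $thumb   = $sig.SignerCertificate.Thumbprint
    }

    # Status is 'Valid' only when the file bytes still match the signed hash and the
    # certificate chain is trusted. A binary-patched DLL keeps its signature blob but
    # reports 'HashMismatch'; a swapped-in unsigned build reports 'NotSigned'.
    $trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSubject*")

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = $thumb
        SHA256     = $hash
        Trusted    = $trusted
    }
}

# Assumed location and placeholder subject; add the Scintilla DLL your PureBasic install loads.
$expectedSubject = 'CN=<publisher-from-known-good-copy>'
$targets = @('C:\Program Files\Notepad++\SciLexer.dll')

foreach ($t in $targets) {
    $r = Test-DllSignature -Path $t -ExpectedSubject $expectedSubject
    $r | Format-List
    if (-not $r.Trusted) {
        Write-Warning "Do not trust ${t}: status $($r.Status), signer $($r.Signer)"
    }
}
```

An unsigned but legitimate build (a DLL you compiled yourself, or one a vendor ships unsigned) reports NotSigned, so for those compare the SHA256 against the baseline recorded at install time instead.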
Lunasole
Addict
Posts: 1091
Joined: Mon Oct 26, 2015 2:55 am
Location: UA

Re: CIA Hacking Notepad++

Post by Lunasole »

DarkDragon wrote:Security through obscurity is not secure.
Surely it is not secure (in the sense of "100%"), but MUCH more secure than without it.

Any closed-source soft requires much more effort and skill to find a vulnerability in it, unlike one with all sources published, where you just sit reading them and find lots of places to attack. Unless you have a huge army of ppl to analyze and fix open-source code, any closed thing is more secure.

Moving it to routers -- if you take some 7- or 10-year-old firmware coded in C on a small ROM, and it doesn't have known vulnerabilities, then there is almost zero probability that someone, including the CIA, can ever hack it in 2017, especially without even knowing HW/SW info (which looks impossible to collect remotely; at least I don't know any tool able to do it with my 2 routers). Both obscurity and system complexity make a difference.
As well as "minority" -- the less mainstream or popular it is, the more secure it will be; there are enough small soft and hardware vendors having awesome quality.
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
tj1010
Enthusiast
Posts: 621
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: CIA Hacking Notepad++

Post by tj1010 »

Lunasole wrote:
DarkDragon wrote:Security through obscurity is not secure.
Surely it is not secure (in the sense of "100%"), but MUCH more secure than without it.

Any closed-source soft requires much more effort and skill to find a vulnerability in it, unlike one with all sources published, where you just sit reading them and find lots of places to attack. Unless you have a huge army of ppl to analyze and fix open-source code, any closed thing is more secure.

Moving it to routers -- if you take some 7- or 10-year-old firmware coded in C on a small ROM, and it doesn't have known vulnerabilities, then there is almost zero probability that someone, including the CIA, can ever hack it in 2017, especially without even knowing HW/SW info (which looks impossible to collect remotely; at least I don't know any tool able to do it with my 2 routers). Both obscurity and system complexity make a difference.
As well as "minority" -- the less mainstream or popular it is, the more secure it will be; there are enough small soft and hardware vendors having awesome quality.
Most firmwares don't even implement classic POSIX policies, let alone use chmod, SELinux, AppArmor or third-party "containers". Most of the big IoT and gateway stuff in the news isn't even buffer overflows or directory traversal; it's simple configured authentication policy stuff. The team who did that firmware for the foundry who made your PCB doesn't care and in most cases doesn't even know about buffer overflows or basic policy. You'll buy it anyway.

Even on x86 and PPC stuff with big market share, things like memory sandboxing are only done on remote vectors and only by big vendors like MS, Adobe, and Google.

Even cheap routers typically have an ARM or x86 chip with things like TEE, DEP, ASLR; they just aren't used and nothing is audited. It's purely a software-standards problem.

Also with memory corruption, there are things you can't see except in one form of analysis and only after a lot of deep inspection. There are some buffer overflows you can only see with static analysis, and then some you can only see in simulation or runtime debugging; even some you can only see in actual source code or fuzzing. This is why bounties are so high these days for stuff with a big market share, and not entirely because of things like NX, ASLR, cookies, canaries, sandboxing etc..

One of the most annoying and obviously-wrong beliefs is that of "secure coding practices". Having to audit binaries wouldn't be profitable and there is no automated fuzzing or analysis, or else there would be little of a security industry in the first place, since memory corruption and policy stuff are the only two vectors..
The truth hurts.
DarkDragon
Addict
Posts: 2218
Joined: Mon Jun 02, 2003 9:16 am
Location: Germany

Re: CIA Hacking Notepad++

Post by DarkDragon »

Lunasole wrote:
DarkDragon wrote:Security through obscurity is not secure.
Surely it is not secure (in the sense of "100%"), but MUCH more secure than without it.

Any closed-source soft requires much more effort and skill to find a vulnerability in it, unlike one with all sources published, where you just sit reading them and find lots of places to attack. Unless you have a huge army of ppl to analyze and fix open-source code, any closed thing is more secure.

Moving it to routers -- if you take some 7- or 10-year-old firmware coded in C on a small ROM, and it doesn't have known vulnerabilities, then there is almost zero probability that someone, including the CIA, can ever hack it in 2017, especially without even knowing HW/SW info (which looks impossible to collect remotely; at least I don't know any tool able to do it with my 2 routers). Both obscurity and system complexity make a difference.
As well as "minority" -- the less mainstream or popular it is, the more secure it will be; there are enough small soft and hardware vendors having awesome quality.
The CIA and NSA have many people working for them day by day on finding security holes. Bricking a device is no problem for them; they just buy a new one. If they want to find a hole in a closed source system, they will find it. By using open source software you can ensure that people around the world will check the system for security holes and eventually report them. The CIA/NSA will never report them. See also: https://arstechnica.com/security/2016/0 ... for-years/
bye,
Daniel
IdeasVacuum
Always Here
Posts: 6425
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: CIA Hacking Notepad++

Post by IdeasVacuum »

So, the CIA hacked NP++ to catch hackers..........
It was probably done some time ago; updating to the latest NP is closing the barn door after the horse has bolted.
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
Lunasole
Addict
Posts: 1091
Joined: Mon Oct 26, 2015 2:55 am
Location: UA

Re: CIA Hacking Notepad++

Post by Lunasole »

DarkDragon wrote:The CIA and NSA have many people working for them day by day on finding security holes. Bricking a device is no problem for them, they just buy a new one. If they want to find a hole in a closed source system they will find it. By using an open source software you can ensure, that people around the world will check the system for security holes and eventually report them. CIA/NSA will never report them.
Stop overestimating them. 2 days ago I spent 4+ hours going through the lot of data leaked from the CIA; I can say the methods and tools they're using are generally primitive and targeted at the stupid average user.
Nothing you can't find on any hacker forum, some tech blog or even here on the forum sometimes, in the tips & tricks section, hah.
That doesn't help to hack someone who cares about security and knows enough, and obviously doesn't allow hacking some HW in the conditions I've described. Unless you are someone like Bin Laden, they just don't have enough resources to spend on something like that old HW [used by 0.00001% of all users], or just on some closed and not-popular-enough systems. Not to mention that in remote cases they can't even know what the system is [if something was done to nicely hide that].

Thus, they are cool against the average user who blindly uses modern popular stuff, which has a lot of holes, and lots of interested ppl are searching for and selling exploits for those holes in that modern fashionable stuff.
But well, even that is much better than the Russian special services, lol, as Russians are "hacking" mostly by sending spam with malware, or coming to the owner of some web service and threatening him with prison if he will not give them all the data (because they don't even have as much funds to make or buy a wide range of their own exploits/tools as the CIA, or just because they are not the ones who use methods from civilized countries).

I had much more irrational paranoia about the special services' abilities, until I examined those leaked docs.

Also, this is another stupid myth about better open-source security. You said it too - holes are always present, and even in those mentioned docs there are enough 0-day exploits the CIA successfully uses to hack popular open-source soft.

I previously spoke about open source; I should add that "it becomes more secure as the army of code maintainers grows, but not more secure against special services, buying 0-day exploits from a lot of hackers and having some army of their own hackers". Generally only huge developer teams like Google, MS, Apple, etc. have enough resources to keep their open-sourced soft more or less secure against anyone.

For lesser projects and developers, higher security through open source looks like a great and painful myth. In both cases, I'm pretty sure the CIA and NSA just love open source. Because it is so simple and cheap... compared to the effort and money needed to disassemble & patch some 40 MB executables of modern software, with a lot of new pain as soon as a new heavily-modified version of it arrives ^_^ For example, even if you just take a typical open-source project and pass it through some powerful C/C++ static code analyzer like PVS-Studio... even this simple step will bring you a list of possibly exploitable holes.
Last edited by Lunasole on Sat Mar 11, 2017 9:32 pm, edited 3 times in total.
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
Keya
Addict
Posts: 1891
Joined: Thu Jun 04, 2015 7:10 am

Re: CIA Hacking Notepad++

Post by Keya »

Lunasole, I was surprised by how primitive some of the things in the leaks are. Obviously they've got the capability to develop seriously hardcore code like Stuxnet, but also lots of entry-level hacker 101 stuff:
https://wikileaks.org/ciav7p1/cms/page_2621828.html

Code:

#include <windows.h>

// Anti-debugging check as quoted from the leaked page. RaiseException with
// DBG_PRINTEXCEPTION_C is the same exception OutputDebugString raises internally:
// an attached debugger consumes it, so the __except block is never entered and the
// function returns TRUE; with no debugger present the exception reaches the handler
// below (filter evaluates to 1 = EXCEPTION_EXECUTE_HANDLER) and it returns FALSE.
BOOL IsThereADebugger()
{
	__try
	{
		RaiseException(DBG_PRINTEXCEPTION_C, 0, 0, 0);
	}
	__except(GetExceptionCode() == DBG_PRINTEXCEPTION_C)
	{
		return FALSE;
	}
	return TRUE;
}
CIA wrote:In the course of analyzing a commercial program for a requirement, Umbrage discovered that this commercial program utilized this technique in their licensing checks to prevent a debugger from starting the program, or attaching to a running instance of the program.
They "discovered" what I thought was one of the oldest tricks in the book by analyzing a commercial program? There is no date associated with that file though.

But it makes me wonder about their income, as I would assume talented, seasoned programmers can easily make a lot more than the CIA can afford (what would be their max coder salary? $200k/yr?), so how long do their coders stick around for, and what's their average age/experience? Please don't tell me if you have to kill me
Lunasole
Addict
Posts: 1091
Joined: Mon Oct 26, 2015 2:55 am
Location: UA

Re: CIA Hacking Notepad++

Post by Lunasole »

Keya wrote: But it makes me wonder about their income, as I would assume talented, seasoned programmers can easily make a lot more than the CIA can afford (what would be their max coder salary? $200k/yr?), so how long do their coders stick around for, and what's their average age/experience? Please don't tell me if you have to kill me
I don't know, so no need to kill :) I don't remember anything like that being leaked (just this one, but it says nothing https://en.wikipedia.org/wiki/Office_of ... ata_breach ).
But I'm guessing it should be as high as good market offers or higher (surely higher than average). Probably you won't regret it if you find a job in their state ^^
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
Jan2004
Enthusiast
Posts: 154
Joined: Fri Jan 07, 2005 7:17 pm

Re: CIA Hacking Notepad++

Post by Jan2004 »

On stackoverflow.com Notepad++ is treated as normal: questions, answers - as always. Nothing has changed.
http://stackoverflow.com/search?tab=new ... epad%2b%2b