PureBasic Forums - English

http://www.purebasic.com
https://www.purebasic.fr/english/

CIA Hacking Notepad++

https://www.purebasic.fr/english/viewtopic.php?t=68063

Page 1 of 2

CIA Hacking Notepad++

Posted: Thu Mar 09, 2017 10:12 am
by purenet
Hello,

This is not good.

https://wikileaks.org/ciav7p1/cms/page_26968090.html
https://notepad-plus-plus.org/news/note ... issue.html

How about ScintillaGadget in PB, same scilexer.dll problem?

Re: CIA Hacking Notepad++

Posted: Thu Mar 09, 2017 10:35 am
by Lunasole
purenet wrote:Hello,

This is not good.

https://wikileaks.org/ciav7p1/cms/page_26968090.html
https://notepad-plus-plus.org/news/note ... issue.html

How about ScintillaGadget in PB, same scilexer.dll problem?
This is no more dangerous than if CIA replace your whole notepad.exe. Ie. if they can do that, then you're already totally pwned :)
Also npp is just one of thousands apps usable for that.

What about PB, it's no so mainstream to be interesting for CIA, but surely it also has enough vulnerabilities in it's libraries, etc.

No need to worry about such things, until your PC is not configured using philosophy like "Internet-Of-Stupid-Things-device". Nice firewall which sits in OS kernel makes such a children-level efforts futile, just don't forget to check if firewall itself is not exploited by something really evil :3

Re: CIA Hacking Notepad++

Posted: Thu Mar 09, 2017 2:25 pm
by Keya
Lunasole wrote:No need to worry about such things, until your PC is not configured using philosophy like "Internet-Of-Stupid-Things-device". Nice firewall which sits in OS kernel makes such a children-level efforts futile, just don't forget to check if firewall itself is not exploited by something really evil :3
its hardware like routers and modems i don't trust! at least with software i can look at it in a debugger, but with this black box with green LED lights in front of me I really hope keeping my fingers crossed is helping

Re: CIA Hacking Notepad++

Posted: Thu Mar 09, 2017 7:06 pm
by Lunasole
Keya wrote:its hardware like routers and modems i don't trust! at least with software i can look at it in a debugger, but with this black box with green LED lights in front of me I really hope keeping my fingers crossed is helping
Yes, it is too doubtful to use those modern routers coming with questionable leaky linux builds and having really excessive hardware abilities, overloaded with plenty unnecessary & complicated functions in the name of pseudo-progress.
That's why I prefer those older routers instead [pff, as well as archaic j2me mobile against androids :3 ], they having very limited abilities [but enough to not get DOSed or to handle 100 mbps on each of several LAN ports], simple optimized firmware stored on some small ROM, requiring MUCH more skills to exploit them remotely and so on.

"Security through minority", or obscurity or whatever ^_^
Generally modern situation with all that looks like one from "Battlestar Galactica" (2003) movie.

Re: CIA Hacking Notepad++

Posted: Thu Mar 09, 2017 8:08 pm
by DarkDragon
Lunasole wrote:"Security through minority", or obscurity or whatever ^_^
Security through obscurity is not secure. Security through minimalism is also not secure, because thats simply obscurity by reducing the system components in my eyes. However, the probability that there is a security hole in a minimalistic system is far less than in a large, bloated system. That said, I would prefer using a modem in front of the router, but nowadays this is impossible with VDSL and so on.

Re: CIA Hacking Notepad++

Posted: Thu Mar 09, 2017 8:37 pm
by Michael Vogel
Keya wrote:its hardware like routers and modems i don't trust! at least with software i can look at it in a debugger, but with this black box with green LED lights in front of me I really hope keeping my fingers crossed is helping
For smaller environments there are fine products (e.g. the european made Mikrotik devices or components from the originally japanese Allied Telesys) available which seems to do their job and nothing else...

But for large networks it is difficult to get rid of the "standard" US-products (except you like chinese copies - okay, not complete copies, they have changed two commands in the CLI) and so I had to deal with more "interesting" things than wanted.

Personally, I don't like network vendors ignoring standards, concealing backdoors for years or using funny protocols like CDP and VTP by default. Maybe all these things have been done by a single vendor as well.

So good luck with your blinking box...

Re: CIA Hacking Notepad++

Posted: Fri Mar 10, 2017 9:15 am
by tj1010
They binary patched the Dll and replaced the original. Not an issue..

I wouldn't have done signature checks as a response and just pointed out end-user fault..

A buffer overflow in a browser or malicious firmware on gateway shouldn't result in a rootkit in 2017 where there are AES, SHA3, and sandboxes..

You can do the same on Linux, BSD, and OSX without sandboxing and signature verify

Re: CIA Hacking Notepad++

Posted: Fri Mar 10, 2017 2:37 pm
by Lunasole
DarkDragon wrote:Security through obscurity is not secure.
Surely It is not secure (in meaning "for 100%"), but MUCH more secure than without it.

Any closed-sources soft requires much more efforts and skills to find vulnerability in it, unlike one with all sources published and you just sitting reading them and founding lot of places to attack. Unless you have huge army of ppl to analyze and fix opensource code, any closed thing is more secure.

Moving it to routers -- if take some 7 or 10-years old firmware coded in C on small ROM, and it didn't has known vulnerabilities, then it is almost zero probability that someone including those CIA can ever hack it in 2017, especially without even knowing HW/SW info (which looks impossible to collect remotely, at least I didn't know any tool able to do it with my 2 routers). Both obscurity and system complexity making a difference.
As well as "minority' -- the less it is mainstream or popular, the more secure it will be, there are enough small soft and hardware vendors having awesome quality.

Re: CIA Hacking Notepad++

Posted: Sat Mar 11, 2017 5:28 am
by tj1010
Lunasole wrote:
DarkDragon wrote:Security through obscurity is not secure.
Surely It is not secure (in meaning "for 100%"), but MUCH more secure than without it.

Any closed-sources soft requires much more efforts and skills to find vulnerability in it, unlike one with all sources published and you just sitting reading them and founding lot of places to attack. Unless you have huge army of ppl to analyze and fix opensource code, any closed thing is more secure.

Moving it to routers -- if take some 7 or 10-years old firmware coded in C on small ROM, and it didn't has known vulnerabilities, then it is almost zero probability that someone including those CIA can ever hack it in 2017, especially without even knowing HW/SW info (which looks impossible to collect remotely, at least I didn't know any tool able to do it with my 2 routers). Both obscurity and system complexity making a difference.
As well as "minority' -- the less it is mainstream or popular, the more secure it will be, there are enough small soft and hardware vendors having awesome quality.
Most firmwares don't even implement classic POSIX policies let alone use chmod, SELinux, AppArmor or thrid-party "containers". Most of the big IoT and gateway stuff in the news isn't even buffer overflows or directory transverse it's simple configured authentication policy stuff. The team who did that firmware for the foundry who made your PCB doesn't care and in most cases don't even know about buffer overflows or basic policy. You'll buy it anyways.

Even on x86 and PPC stuff with big market share things like memory sandboxing are only done on remote vectors and only by big vendors like MS, Adobe, and Google.

Even cheap routers typically have a ARM or x86 chip with things like TEE, DEP, ASLR they just aren't used and nothing is audited. It's purely a software-standards problem.

Also with memory corruption, there are things you can't see but in one form of analysis and only after a lot of deep inspection. There are some buffer overflows you can only see with static analysis, and then some you can only see in simulation or runtime debugging; even some you can only see in actual source code or fuzzing. This is why bounties are so high these days for stuff with a big market-share and not entirely because things like NX, ASLR, Cookies, Canaries, sandboxing etc..

One of the most annoying and obviously-wrong beliefs are that of "secure coding practices". Having to audit binaries wouldn't be profitable and there is no automated fuzzing or analysis or else there would be little of a security industry in the first place since memory corruption and policy stuff are the only two vectors..

Re: CIA Hacking Notepad++

Posted: Sat Mar 11, 2017 10:08 am
by DarkDragon
Lunasole wrote:
DarkDragon wrote:Security through obscurity is not secure.
Surely It is not secure (in meaning "for 100%"), but MUCH more secure than without it.

Any closed-sources soft requires much more efforts and skills to find vulnerability in it, unlike one with all sources published and you just sitting reading them and founding lot of places to attack. Unless you have huge army of ppl to analyze and fix opensource code, any closed thing is more secure.

Moving it to routers -- if take some 7 or 10-years old firmware coded in C on small ROM, and it didn't has known vulnerabilities, then it is almost zero probability that someone including those CIA can ever hack it in 2017, especially without even knowing HW/SW info (which looks impossible to collect remotely, at least I didn't know any tool able to do it with my 2 routers). Both obscurity and system complexity making a difference.
As well as "minority' -- the less it is mainstream or popular, the more secure it will be, there are enough small soft and hardware vendors having awesome quality.
The CIA and NSA have many people working for them day by day on finding security holes. Bricking a device is no problem for them, they just buy a new one. If they want to find a hole in a closed source system they will find it. By using an open source software you can ensure, that people around the world will check the system for security holes and eventually report them. CIA/NSA will never report them. See also: https://arstechnica.com/security/2016/0 ... for-years/

Re: CIA Hacking Notepad++

Posted: Sat Mar 11, 2017 11:18 am
by IdeasVacuum
So, the CIA hacked NP++ to catch Hackers..........
Was probably done some time ago, updating to the latest NP is closing the barn door after the horse has bolted.

Re: CIA Hacking Notepad++

Posted: Sat Mar 11, 2017 9:10 pm
by Lunasole
DarkDragon wrote:The CIA and NSA have many people working for them day by day on finding security holes. Bricking a device is no problem for them, they just buy a new one. If they want to find a hole in a closed source system they will find it. By using an open source software you can ensure, that people around the world will check the system for security holes and eventually report them. CIA/NSA will never report them.
Stop overestimating them. 2 days ago I've spend 4+ hours learning that lot of data leaked from CIA, I can say the methods and tools they're using are generally primitive and targeted on stupid averaged user.
Nothing you can't find on any hacker forum, some tech blog or even here on forum sometimes, in tips & tricks section, hah.
That doesn't help to hack someone who cares about security and knows enough, and obviously doesn't allows to hack some HW in conditions I've described. Unless you are someone like Ben Laden, they just have no enough resources to spend them on something like that old HW [used by 0.00001% of all users], or just on some closed and not-enough-popular systems. Not saying than in remote cases, they can't know what the system it is [if something was done to nicely hide that].

Thus, they are cool against averaged user which blindly uses modern popular stuff, which has a lot of holes and lot of interested ppl are searching and selling exploits for those holes in that modern fashioned stuff.
But well, even that is much better that russian special services, lol, as russians are "hacking" mostly in a way of sending spam with malware, or coming to an owner of some web-service and threatening him with prison if he will not give them all the data (because they even have not so much funds to make or buy wide range of own exploits/tools as CIA, or just because they are not ones who uses methods from civilized countries).

I had much more irrational paranoia about special services abilities, until examined those leaked docs.

Also, this is another stupid myth about better open source security. You said too - holes are present always, and even in those mentioned docs there is enough of 0-day exploits CIA successfully uses to hack popular open-source soft.

I previously said about opensource, should add that "it becomes more secure as army of code maintainters grows, but not more secure against special services, buying 0-day exploits from a lot of hackers and having some army of own hackers". Generally only huge developers teams like Google, MS, Apple, etc have enough resources to keep their open-sourced soft less or more secure against anyone.

For lesser projects and developers higher security through opensource looks like a great and painful myth. In both cases, I'm pretty sure CIA and NSA just love open-source. Because it is so simple and cheap... comparing to efforts and moneys needed to disassemble & patch some 40mb executables of modern software, with a lot of new pain as soon as new heavy-modified version of it arrives ^_^ For example, even just if you take typical open-source project and pass in through some powerful C/C++ static code analyzer like PVS Studio... event this simple step will bring you a list of possibly exploitable holes.

Re: CIA Hacking Notepad++

Posted: Sat Mar 11, 2017 9:24 pm
by Keya
Lunasole i was surprised by how primitive some of the things in the leaks are. Obviously theyve got the capability to develop seriously hardcore code like Stuxnet, but also lots of entry-level hacker 101 stuff:
https://wikileaks.org/ciav7p1/cms/page_2621828.html

Code: Select all

BOOL IsThereADebugger()
{
	__try
	{
	RaiseException(DBG_PRINTEXCEPTION_C, 0, 0, 0);
	}
	__except(GetExceptionCode() == DBG_PRINTEXCEPTION_C)
	{
	return FALSE;
	}
	return TRUE;
}
CIA wrote:In the course of analyzing a commercial program for a requirement, Umbrage discovered that this commercial program utilized this technique in their licensing checks to prevent a debugger from starting the program, or attaching to a running instance of the program.
they "discovered" what i thought was one of the oldest tricks in the book by analyzing a commercial program? there is no date associated with that file though.

But it makes me wonder about their income, as I would assume talented seasoned programmers can easily make a lot more than CIA can afford (what would be their max coder salary? $200k/yr?), so how long do their coders stick around for, and whats their average age/experience? Please don't tell me if you have to kill me

Re: CIA Hacking Notepad++

Posted: Sun Mar 12, 2017 2:26 am
by Lunasole
Keya wrote: But it makes me wonder about their income, as I would assume talented seasoned programmers can easily make a lot more than CIA can afford (what would be their max coder salary? $200k/yr?), so how long do their coders stick around for, and whats their average age/experience? Please don't tell me if you have to kill me
I don't know, so have not to kill :) Don't remember something like that leaked (just this one, but it says nothing https://en.wikipedia.org/wiki/Office_of ... ata_breach ).
But guessing it should be so high as market good offers or higher (surely higher than average). Probably you won't regret if find job in their state ^^

Re: CIA Hacking Notepad++

Posted: Mon Mar 13, 2017 5:19 pm
by Jan2004
On stackoverflow.com Notepad ++ is considered normally: questions, answers - as always. Nothing has changed.
http://stackoverflow.com/search?tab=new ... epad%2b%2b
All times are UTC+01:00
Page 1 of 2

Powered by phpBB® Forum Software © phpBB Limited