When's the book coming out? I'd read that.
On 10 Mar 2016, at 16:15, dave aitel wrote:
> So here I am as a Chinese tool developer and operator on one of the
> lesser known, but higher skills teams, sitting at my desk drinking
> Starbucks, uber-ironically, as I like to do. We work for the PLA out
> of an office in Shanghai, but we don't have a catchy name. Just the
> world's most boring cover company that in theory does IT Support for the
> local businesses, but in reality does anything but.
>
> I'm finishing up a heap overflow in Flash, technically an integer
> overflow, that leads to heap corruption, if you must know. The PLA group
> I work for has given me about a few million 32-bit key numbers, which
> are stored on a laptop that has never been connected to any network, and
> is itself stored in a safe in the back room. I open it up, and run a
> quick script to find a 32-bit number from the set that has no bad bytes
> in it, and also is a NOP for the purposes of this exploit.
>
> I use that as the fill-string for my exploit, and then for my Javascript
> obfuscator pick another one of the numbers and use that as my XOR key.
> The third one I use inside the shellcode itself. I mark these three
> numbers as used in a file so I don't reuse them later. All my other
> variable names are unrelated 32-bit numbers, because why not? But this
> is a heap overflow, and not an MFC application, so I don't have room to
> sign giant cryptographically secure blobs of random numbers with a
> private key of any sort.
>
> What I'm hacking today is a concrete company. They compete with the
> Chinese concrete companies in many places of the world, but that's not
> the point. They also supply the US Military's Asian bases. So while I
> will be pulling down their entire Exchange server, once I get into their
> network, which is basically a foregone conclusion, I'm not here for
> industrial espionage purposes.
>
> Likewise, knowing how much they are
> selling goes into our larger economic reports, which are used to make
> decisions by the State in terms of interest rates and that sort of
> thing. Stuff above my level.
>
> I fire my exploit off at my target three times, to three different
> people. One of them succeeds, and I've made my coffee money for the day
> (and a bunch more, let's be honest, this is a good gig). I have been
> told that if I give any email from this target to my friend who works in
> construction, I will of course be fired.
>
> But one of them gets silently caught, and Mandiant includes it in a
> report, along with a long detailed description about my trojan, which I
> stole from a Russian criminal group. Later, because that concrete
> company has been losing a lot of business in Asia a DHS official is
> asked if this intrusion is a potential violation of our agreement. He
> looks at the very detailed internal Mandiant report on the initial
> intrusion, and runs each interesting constant in the report through his
> oracle, forwards and backwards, and he says, "I cannot say whether or
> not it is the Chinese or the Russians, but they are CLAIMING to follow
> our norms process, at least."
>
> -dave
>
> On 3/9/2016 10:29 AM, Konrads Smelkovs wrote:
>> PKI for APT then :)
>> --
>> Konrads Smelkovs
>> Applied IT sorcery.
>>
>>
>> On Wed, Mar 9, 2016 at 3:04 PM, Kevin Noble <[email protected]> wrote:
>>> I don't agree, this is more like finding a rifle and knowing it has smart
>>> components and being able to classify the weapon because it has an orange
>>> stripe sprinkled with a software taggant. It has forensic value, not
>>> masking the threat.
>>>
>>> On Wed, Mar 9, 2016 at 7:19 AM, Konrads Smelkovs
>>> <[email protected]> wrote:
>>>> Was difficult to read your piece, but if I understand the gist, then
>>>> doesn't your proposal suffer from the same problem as toy guns that
>>>> were supposed to have a non-removable one-inch-wide orange stripe
>>>> running down both sides of the barrel and the front end of the barrel?
>>>> If I take my AK-47 and paint it brightly, cops won't shoot.
>>>> --
>>>> Konrads Smelkovs
>>>> Applied IT sorcery.
>>>>
>>>>
>>>> On Tue, Mar 8, 2016 at 7:10 PM, dave aitel <[email protected]> wrote:
>>>>> http://cybersecpolitics.blogspot.com/2016/03/a-technical-scheme-for-watermarking.html
>>>>>
>>>>> It'd be great to hear from some non-US people in the industry as to
>>>>> whether they think this sort of thing is doable on their end. Likewise,
>>>>> it's not clear what parts of a technical proposal are most important?
>>>>> Are we most worried about non-state actors pretending to be State
>>>>> actors, or having a high confidence level in our result?
>>>>>
>>>>> In any case, hopefully y'all enjoyed reading it!
>>>>>
>>>>> -dave
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Dailydave mailing list
>>>>> [email protected]
>>>>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>>
>>>
>>>
>>> --
>>> Thanks,
>>>
>>> Kevin
_______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
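An added example of the select-then-check flow the quoted story walks through: pick a key number from the offline set that has no bad bytes and works as fill, record it as used, and later run a constant lifted from a report through an oracle. This is illustration written for this page, not code from the thread or from the blog post it links (which this page does not reproduce). Everything concrete in it is an assumption: a five-entry constructed set stands in for the "few million" numbers; the bad-byte list (NUL, LF, CR) and the "NOP for the purposes of this exploit" test (every byte decodes to a single-byte 32-bit x86 instruction that is harmless as fill: nop, inc/dec r32) are typical choices rather than the scheme's own; and "forwards and backwards" is read as checking a constant in both byte orders, since a value copied out of a hex dump may appear byte-swapped relative to the set.

```python
import struct

# Constructed stand-in for the offline set of 32-bit key numbers (assumption:
# the real set is a few million values; five are enough to exercise the filters).
KEYSET = {0x00000001, 0x0A414141, 0x11223344, 0x41904190, 0x90909090}

# Assumption: bytes the delivery path would mangle (NUL, LF, CR).
BAD_BYTES = {0x00, 0x0A, 0x0D}

# Assumption: single-byte x86 (32-bit mode) opcodes that are harmless as fill:
# nop (0x90) and inc/dec r32 (0x40-0x4f). The XOR-key and shellcode constants
# mentioned in the thread would come from the same set with their own filters.
NOP_SAFE_BYTES = {0x90} | set(range(0x40, 0x50))


def le_bytes(value):
    """Byte layout of the constant as it would sit in a little-endian payload."""
    return struct.pack("<I", value)


def byteswap(value):
    """The same 32-bit value read in the opposite byte order."""
    return struct.unpack(">I", le_bytes(value))[0]


def usable_as_fill(value):
    """True if the constant contains no bad bytes and every byte is NOP-safe."""
    bs = le_bytes(value)
    return not any(b in BAD_BYTES for b in bs) and all(b in NOP_SAFE_BYTES for b in bs)


def pick_fill(keyset, used):
    """Return the lowest unused key number that passes the filters and mark it used."""
    for value in sorted(keyset):
        if value not in used and usable_as_fill(value):
            used.add(value)
            return value
    raise LookupError("no unused key number survives the filters")


def oracle(constant, keyset):
    """Membership check in both byte orders; None means 'not one of ours'."""
    if constant in keyset:
        return "exact"
    if byteswap(constant) in keyset:
        return "byteswapped"
    return None


def demo():
    """Operator side: two picks, then exhaustion. Analyst side: three lookups."""
    used = set()
    first = pick_fill(KEYSET, used)    # 0x41904190: bytes 90 41 90 41
    second = pick_fill(KEYSET, used)   # 0x90909090
    try:
        pick_fill(KEYSET, used)
        exhausted = False
    except LookupError:
        exhausted = True
    # The constant as it might be written in a report: as-is, byte-swapped, or foreign.
    verdicts = (
        oracle(first, KEYSET),
        oracle(byteswap(first), KEYSET),
        oracle(0xDEADBEEF, KEYSET),
    )
    return first, second, exhausted, verdicts


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing in the output. The filters are strict enough that even a five-entry set runs dry after two picks, which is why the story needs millions of numbers and a used-list. And the oracle answers only "is this constant in the set", which is exactly the objection raised earlier in the thread: a match says the author had access to the set, not who the author was, so the value of the check rests entirely on how well the set is kept off the network.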
