The malware known as PowerPoint has infected millions of systems worldwide and has cost businesses, NGOs and governments untold billions in lost productivity. PowerPoint files seem to be self-spawning and capable of infinite replication in the wild. Small variations in the PowerPoint files force administrators to keep endless permutations of these highly virulent files.
PowerPoint is often introduced into an organization by highly sophisticated threat actors using deeply customized versions of the software. McKinsey, BCG, and Bain deploy the PowerPoint malware to a multiplicity of customers whose human capital and infrastructure become mired in endless recursive loops known as PowerPoint cycles.
The actual introduction of PowerPoint is typically merely incidental to these threat actors' ambitions. Most often they derive substantial portions of their income by reselling organizations' intellectual property which they already own.
Once the organizations' systems become bogged in ever more bloated PowerPoint files, productivity plummets. Morale drops among employees and management often re-engages the threat actors to attempt to right the ship.
The PowerPoint Malware is seemingly unstoppable at this point. Any computers that contain it should be air gapped and protected by highly restricted physical access.
I like the word "foreign" in the title, which I assume is to imply the US government is not doing this. It's also neat how they point out examples of all the "bad" countries doing this, but of course none of the "good" ones.
Given I'm not American, the US government is "foreign" to me.
I'll tell you what the USGOV isn't doing. They're not jailing twitter dissidents. They're not sniping protestors from rooftops. They aren't destroying the credit ratings of political dissenters. They aren't even doing a very good job of using Twitter or other technologies to communicate all the good humanitarian work the USGOV does in the world. There are times I wish the US would disengage from the world so humanity can be reminded of what it's like to live without a generally benevolent hegemonic power.
I feel this is a straw man. I'm Swedish, but have always loved the US for some strange reason. I still do, but that doesn't mean that the US is perfect in any way, shape or form. It is a fantastic country with many flaws. You are obviously right in much of what you write, but that does not excuse a lot of the things that NSA et al. do in the name of freedom. My point is just that we should not hold ourselves to the lowest of standards ("We're better than <non-democratic country>" is not a good excuse).
Au contraire, it is actually you who is creating a Straw Man. rrggrr doesn't write that the US is perfect, but rather, s/he writes that the US is a "generally benevolent hegemonic power".
It's not benevolent, that's pure propaganda at work. It's a nation that acts in its own interests like any other. It just disguises them extremely well.
They are forcing countries to extradite accused citizens while refusing to do the same. They have gitmo. They're asking companies like MSFT to collect data that even MSFT is not legally allowed to do. So, yeah, they're more 'covert' than others, but not necessarily more benevolent.
As I said, I'd like you to live in a world without US humanitarian and foreign aid for a while. A world where the USGOV doesn't project its power in all the places that offend you. I give it four to six weeks before the world devolves into a nasty, brutish chaos.
> A world where the USGOV doesn't project its power in all the places that offend you. I give it four to six weeks before the world devolves into a nasty, brutish chaos.
Once upon a time, the British Empire took it upon itself to civilize the uncivilized world, bringing heavy-handed order in many faraway 'nasty, brutish' places for queen and country. The sun has since set on the British Empire, and yet the world is doing just fine. Empires rise and they fall all the time.
>Dude, without the USA, the world will do just fine. Sure, there will still be wars, but when are men not fighting over one thing or the other?
Bullshit defense. There has never been a period in history with fewer wars and proportionally lower fatality rates due to violence. The existence of war at all does not somehow invalidate the value of American hegemony.
> There has never been a period in history with fewer wars and proportionally lower fatality rates due to violence.
How long is your time frame? Many more people have died after Sep. 2001 than in the decades prior.
> The existence of war at all does not somehow invalidate the value of American hegemony.
What you seem to forget or don't realize is that the wars of the last decade are a direct result of what we're doing to maintain that American hegemony. So while it's been good for you because you're watching the wars on TV and reading it on the Internet, it's been very bad for those on whose land the wars are being fought.
As an American, I fantasize about the day when our 325 million no longer try to manage the other 7 billion. But, yet I worry that when that day comes, the ideas of American liberalism will be long gone.
The US has big issues and internal ideological conflicts and many inconsistencies, for sure. But, if you randomly sample the population you'll find that most of us want peace, freedom, success and happiness for everyone.
The American government gets its powers from its citizens, so yes, actually, American citizens == American government. Americans are responsible for the acts of their government: Period. Whether you like it or not.
Only killing people on the other side of the world with drones. And if the wrong people are killed, well, 'shit happens', let's just call those dead innocents 'collateral damage'.
> There are times I wish the US would disengage from the world so humanity can be reminded of what its like to live without a generally benevolent hegemonic power.
You should be made aware that the US isn't being a 'generally benevolent hegemonic power' out of the goodness of its heart. It's doing so to protect its political and economic interests.
By all means, elect Trump, and secede back into isolationism. It's going to suck for you as well, as all that economic power you get from sweetheart deals from your military projection? It's going to fade away. As for foreign aid, US foreign aid is, per capita, well below that of other western democracies.
It's always amusing when USians pretend like they're doing the world an altruistic favour by being 'world cop', when in reality they get plenty of kickbacks. Ask yourself this: if the US was really the 'altruistic world cop', then why does it ignore so many trouble spots?
Sure, we're not jailing Twitter dissidents, but do you know what we do to whistleblowers? One of our whistleblowers has been forced to take up residence in Russia.
Of course we're not sniping protesters from rooftops, but our friends do it when we egg them on to further our interests in foreign lands.
"Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience."
Awesome, the USGOV is doing a better job than governments in undeveloped (3rd world) and developing (2nd world) countries. That's great. Do you want a medal for that?
C'mon, aim higher. You're supposed to be in the big leagues now, compare yourself to developed countries if you want to see how well the USGOV is doing.
Thanks for the link. It's not necessarily true that Wolin's views are entirely justified, the article admits as much with "Wolin holds that" and "according to Wolin". Also I don't believe his views go contrary to what I wrote.
> Among the malware was a malicious spyware, including a remote access tool called “Droidjack,” that allows attackers to silently control a mobile device. When Droidjack is installed, a remote user can turn on the microphone and camera, remove files, read encrypted messages, and send spoofed instant messages and emails.
How is this even possible? I have always considered phones to be more secure than PCs due to additional security measures (such as sandboxing for every app as well as more fine-grained permission systems).
I'm aware that malware can be installed on a phone but I always thought I was required to explicitly allow that (at least on Android) and I thought it was impossible on iOS without jailbreaking.
Or does this app use some zero days that were discovered years ago but have not been patched because of Android's broken update policy?
More information on how this works would be highly appreciated.
> How is this even possible? I have always considered phones to be more secure than PCs due to additional security measures (such as sandboxing for every app as well as more fine-grained permission systems).
Zero Day Exploits are frequently unpatched unless you have a Nexus phone for Android or an iOS device. :/
> We have demonstrated that memory corruptions in baseband firmwares exist and can be practically exploited. These security problems are to be taken seriously: practical exploitation of these completely compromises the integrity of the attacked handset. Merely coming into the proximity of a malicious base station is sufficient to take over any vulnerable handset – no user interaction is required by the bugs we have outlined above. The cost of exploitation is low enough to make these attacks a reality even for attackers with a limited budget: for the price of a mid-range laptop – USD 1500 – an attacker can buy the hardware to operate a malicious GSM cell with OpenBTS.
User interaction isn't even really required, just a rogue base station + a vulnerable baseband (and those are updated even less frequently, iirc, Apple and the Nexus line are the only ones that update those)
Most likely they are exploiting a security hole to quickly gain root access. Over the years a number of "one-click" root exploits have appeared for Android, so it's not unthinkable that they are rooting on the fly. Besides, most Android phones aren't particularly up-to-date, so in a lot of cases it's not like they would even need an undisclosed zero day exploit.
Droidjack can do the following according to Symantec:
* No root access required
* Bind the DroidJack server APK with any other game or app
Sounds like it's delivered using an 'innocent' game or app in the Play store. Convincing someone to install a random Play app isn't that tough. Send them a powerpoint and leave a link to an 'innocent' Powerpoint Viewer. Voila! You have Droidjack.
If social engineering doesn't work you can bribe or compel someone close to the person you're monitoring to borrow his/her phone and have them install the infected Play store item. Or get pulled over by a cop or intelligence agent, who takes your phone for one moment and installs it behind your back. Non-technical people may not even think this suspicious.
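The comments above note that DroidJack needs no root and is bound to an otherwise ordinary app, so the rebundled "viewer" still has to declare the permissions a remote-access tool needs (microphone, camera, SMS, boot persistence, network). The following triage script is an added example, not code from the thread or from Symantec's write-up: it parses an AndroidManifest.xml (the constructed sample below stands in for one pulled from an APK) and flags the permission profile a RAT typically requests. The capability groups and the threshold of four are assumptions chosen for this example, not a published standard.

```python
"""Flag Android manifests whose requested permissions match a RAT-style
profile, as a pre-install triage aid for side-loaded or rebundled apps.
Added example; the sample manifests are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Capability groups a remote-access tool needs to do what the article
# describes (microphone/camera, messages, persistence, exfiltration).
# Grouping is an assumption for this example, not an official taxonomy.
CAPABILITIES = {
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "video_capture": {"android.permission.CAMERA"},
    "messaging": {"android.permission.READ_SMS",
                  "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "data_exfil": {"android.permission.INTERNET"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def capability_profile(perms: set) -> set:
    """Map raw permissions onto the coarse capability groups above."""
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Suspicious = can talk to the network AND holds >= threshold capability
    groups.  A viewer app has no business recording audio or reading SMS."""
    perms = requested_permissions(manifest_xml)
    caps = capability_profile(perms)
    suspicious = "data_exfil" in caps and len(caps) >= threshold
    return {"permissions": sorted(perms),
            "capabilities": sorted(caps),
            "suspicious": suspicious}


# Constructed sample: a "document viewer" asking for RAT-like permissions.
SAMPLE_VIEWER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed sample: a viewer that only needs network access.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


if __name__ == "__main__":
    for label, m in (("fake viewer", SAMPLE_VIEWER_MANIFEST),
                     ("plain viewer", SAMPLE_BENIGN_MANIFEST)):
        print(label, triage(m))
```

On a real device the manifest is obtained from the APK (for example with `aapt dump badging` or by unzipping it and decoding the binary XML); this script only covers the parsing and scoring step, and a low score is not proof of safety since a RAT can also request permissions at runtime.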
As far as I can tell, you can package this software with any legitimate game or application. Mix in some social engineering and spear phishing, and it wouldn't take much effort to get this installed either on a targeted victim, or a large number of random victims.
It is explicitly required, so either DroidJack has a way around that, or (more likely) there's an obfuscated version of it in the Play Store which can then be told to install the app via code that remotely controls the browser (or steals cookies).
I don't know about droidjack specifically, but your phone is not at all secure, particularly for android. All it takes is a little bit of bad C code to cause an overflow of some sort. Combine that with widely available unencrypted firmware and you have a real vulnerability.
Are you implying that you could create an Android exploit with "little bit of bad C code"? If so, I'm not sure you understand how exploits work and the work required to get around all of the mitigations in place.
I've been volunteering teaching Latin American journalists how to research, communicate, and store data privately to protect themselves and their sources against attackers. The threat against freedom of expression there is just as real as it is with oppressive regimes in other parts of the world although they don't get nearly as much attention as the Middle East. This article doesn't highlight enough the need for volunteers and professionals to lend a hand. Most recently I've been working with journalists in Venezuela. If you know anything about Venezuela you should know that they have an incredibly oppressive government and they also have had massive inflation further eliminating their buying power. Things like a $3 (USD) a month VPN are hard for a middle class citizen to afford.
I'm trying to remember where I saw it, but there was a journalist who showed over the past year how much food 1000 bolivars bought. At the beginning of the photo essay, she could have fed a family for a week. By the end, it was barely enough for 1 person for a meal.
Anyone can really help out and make a difference too. Not just in LATAM, but around the world. The amount of knowledge about cybersecurity, threat models, and risks associated with electronic communications spans a wide range. Of course you have civil society groups who know how to use PGP, but there are others who still rely on Facebook Messenger to communicate with sources and keep passwords sticky noted to their computer screen.
Edit: Also wanted to note that it's pretty great what Citizen Labs is doing. Other great resources for learning/teaching/staying updated ( in both English and Spanish and several others) can be found on the EFF's website - https://ssd.eff.org/en/playlist/journalist-move
Took a look at DroidJack[0], and it's impressively nefarious. Seems like Android is Windows all over again when it comes to security. I already see people running virus scanners on their phones.
> I already see people running virus scanners on their phones.
From what I've read and seen, those virus scanners are of little help, mainly because they are subject to the same sandbox restrictions as all the other apps (and aren't going to break the sandbox like the viruses). Most of them appear to be as good as those "Android cleanup" apps that do nothing but constantly clear caches (meaning they will be rebuilt unnecessarily) and bother the user with notifications and adverts.
OK, it's a RAT, but how do we get from receiving a supposed .ppt by email to having the DroidJack .apk installed on the system? Assuming the user isn't tricked into confirming the install (not to mention disabling the manual apk install protection).
Good old fake Flash update. But still relies on user to be installed, so nothing sophisticated or "Android is bad" here.
If anything the Powerpoint malware looks interesting. The .ppsx extension kinda gives it away, since it's unusual for casual presentations, but that's hard to spot for Joe User.
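The comment above points out that a .ppsx attachment is an unusual extension for casual use and that Joe User won't notice it. A mail gateway can notice for him. The following is an added example, not code from the thread or from the article: it checks the attachment name for slideshow extensions and then opens the OOXML container (a .ppsx is a zip archive) to look for embedded OLE parts and oleObject relationships, which is where an executable payload or a dropper would normally sit. The sample archives are constructed in memory; the relationship type string is the standard OOXML one, everything else (function names, the suspicious-part prefixes) is this example's own choice.

```python
"""Triage a PowerPoint-style OOXML attachment: flag slideshow extensions
and embedded OLE objects.  Added example with constructed sample files."""
import io
import zipfile

# Extensions that auto-run as a slideshow; unusual for ordinary decks.
SLIDESHOW_EXTENSIONS = (".pps", ".ppsx", ".ppsm")

# Parts under these prefixes hold embedded objects / ActiveX controls.
EMBEDDED_PREFIXES = ("ppt/embeddings/", "ppt/activeX/")

# Standard OOXML relationship type for an embedded OLE object.
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def is_slideshow_name(filename: str) -> bool:
    """True if the attachment name ends in an auto-running show extension."""
    return filename.lower().endswith(SLIDESHOW_EXTENSIONS)


def inspect_office_zip(data: bytes) -> dict:
    """Walk the zip container and report embedded parts and OLE/external
    relationships.  Returns a dict with the findings; never executes content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith(EMBEDDED_PREFIXES):
                findings.append(f"embedded part: {name}")
        for name in names:
            if name.endswith(".rels"):
                rels = zf.read(name).decode("utf-8", "replace")
                if OLE_REL_TYPE in rels:
                    findings.append(f"oleObject relationship in {name}")
                if 'TargetMode="External"' in rels:
                    findings.append(f"external target in {name}")
    return {"parts": len(names), "findings": findings,
            "suspicious": bool(findings)}


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the name check and the container inspection into one verdict."""
    result = inspect_office_zip(data)
    result["slideshow_extension"] = is_slideshow_name(filename)
    return result


def build_sample(with_embedding: bool) -> bytes:
    """Construct a minimal OOXML-like zip for demonstration (not a real deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if with_embedding:
            # Placeholder bytes standing in for an embedded OLE payload.
            zf.writestr("ppt/embeddings/oleObject1.bin", b"PLACEHOLDER-OLE")
            zf.writestr(
                "ppt/slides/_rels/slide1.xml.rels",
                '<Relationships><Relationship Id="rId2" Type="' + OLE_REL_TYPE
                + '" Target="../embeddings/oleObject1.bin"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("agenda.ppsx", build_sample(True)))
    print(triage_attachment("agenda.pptx", build_sample(False)))
```

The two checks are deliberately independent: a plain .pptx with an embedded object is still worth a look, and a .ppsx with nothing embedded may be legitimate but is rare enough to quarantine for a human glance. A real gateway would also cap archive size and entry count before reading parts, since the inspection itself must not be a decompression-bomb target.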
The fact that installing an app can give people arbitrary access to your phone without understanding WHAT you installed definitely implies Android app installation is broken in some way.
Well, it's exactly what the warning popup when enabling side-loading states ;] But it's still possible, so that's pretty fine in my book compared to the fruit company.
> Who is the right person to decide who "needs" to side-load?
The person who decides to explicitly opt in to allowing side-loading. Just don't allow apps, web pages, etc etc to opt-in for you to ensure the technically non-adept have a difficult time getting themselves into trouble.
I can practically guarantee that iphone, windows phone, blackberry, etc also have similar exploits out there being used by nation state level attackers and the people who sell to them.
But yes, android is a bit more "wild west"/less curated so that plus the fragmentation/lack of good update channels leads to lots of attack vectors.
And yet the exploitation of Android phones is extremely low according to Google and their live analytics. Meanwhile, iOS devices not running OS 9.3.3 are susceptible to a TIFF image attack that requires no user interaction whatsoever and allows an attacker to steal all of the passwords on the device.
From an endpoint security perspective, 'activists' really need to be trained not to just click on everything blindly and to open everything suspicious in a sandbox.
Yes it's possible to escape from a VM, but it's significantly harder to code executable malware that will escape from, for example, a Windows 10 VM running inside Virtualbox on an XUbuntu/XFCE4 host laptop.
> I wonder what kind of programmer works for companies that produce this spyware...
I think you have a mix of ideas:
"I'm the best at what I do and I deserve to be rewarded for that, particularly when vulnerabilities are so valuable today."
(and for some) "If other people aren't smart enough, they deserve to be exploited."
(and for some) "The governments I work for* are the good guys and their targets are the bad guys."
I've said before that people reading these threads on HN have a chance to influence culture to make these ideas less appealing to people.
* particularly for people who work full time for a single government agency or military service, or for companies that have a list of which governments they will and won't sell to
I have a feeling tech companies would oppose that, because there is little difference between "governments spying on people" like this, and companies tracking people everywhere, and building shadow profiles of them (like what Facebook Like and Google Analytics are doing).
This is why Schneier is calling it "surveillance as a business model":
I don't agree, the intent has to be taken into account: hackers working at Vupen for example don't work to make a better Google analytics, they work exclusively to circumvent existing protections to expose private data to random third parties whatever the human consequences are as long as they profit from it.
I'm not sure if you're being ironic? The Wassenaar Arrangement already applies to both conventional arms and computer exploit technologies. That's what you're referring to, correct?
With very few exceptions, even "peace-loving" post colonial soft power countries like France, Sweden, Brazil sell arms to just about anyone. Only top secret weapons are reserved for friends... So basically you're saying it should be an open market with few exceptions.
How is France peace-loving exactly? It has numerous campaigns around the world (recently Syria, Mali just to name a few) and is the 2nd largest weapons manufacturer/exporter in the world.
That's their image. Left leaning progressive government. In any event, the main point is that I don't believe there are any meaningful arms export controls in any country, except for very advanced weapons systems. The scare quotes also imply some aren't exactly as peace loving as their image implies.
>I wonder what kind of programmer works for companies that produce this spyware...
One that likes a high salary and hefty bonuses. Being mixed with the security services gives you great access to otherwise unobtainable information and connections. You may be a lowly code monkey, but you talk with government agency heads. And they will listen. And emitting a cloak-and-dagger vibe definitely helps in the dating scene.
> I wonder what kind of programmer works for companies that produce this spyware...
Googling around, there are several similar tools available on GitHub... so I guess the answer to your question is lots of people would do it mostly for fun. Definitely sounds more interesting than the stuff I work on most days. And you're not even really involved in the exploitation, just the post-exploitation control.
Puff piece. Despite "twitter" being in the title, the article doesn't discuss twitter. The title's use of the word "how" also suggested I might read something about the technology involved, something like a backdoor in the twitter api. Nope. No discussion whatsoever about the hows. In short: Governments use spyware. Thank you Washington Post for that important public service announcement.
> Despite "twitter" being in the title, the article doesn't discuss twitter.
From the article:
> In May 2016, we uncovered a Twitter-based digital malware campaign seemingly orchestrated by the United Arab Emirates, which resulted in the arrest and torture of numerous activists and journalists there.
How do the Twitter attacks work? Just malware links on the Twitter service that are working via the spear phish? The article didn't seem to go into any detail there.