Hacking Team & pfSense



  • Hi,

    I just browsed the Hacking Team emails on WikiLeaks and did a search for pfSense; they were monitoring exploits for everything. Nothing more found yet.

    https://www.wikileaks.org/hackingteam/emails/emailid/82488
    https://www.wikileaks.org/hackingteam/emails/emailid/378569

    One is from 2014:
    E-371 - pfSense Snort File Disclosure

    and one from 2015:
    Vulnerability | CVE-2015-2097 | alert | 4.0.0 | medium | 37662 | ESF pfSense WebGUI Deletefile Directory Traversal



  • I spent half a day last week looking at the "Virginia" keyword docs. What a fascinating insight into a scumbag world.



  • I'd be much happier if these guys would just spend our tax dollars browsing porn all day.  At least that's not destructive in any way.



  • Whom do you mean - Hacking Team or Wikileaks?
    I don't think any of them are getting tax$.


  • Banned

    Hacking Team? Sure they were getting money from taxes. Our (Czech) police, e.g., has spent millions of $ licensing/purchasing this illegal shit.



  • They have branches in Annapolis Maryland…

    I think Annapolis is a brisk walk from NSA...  You could jog it for exercise.


  • Banned

    It's about 26 km…. I'll be a bit sweaty, I must admit...



  • Yeah.  It's a 15 minute drive….

    Coincidence I'm sure.  Probably nothing.


  • Banned

    I agree. Offices at Regus…

    I wonder why they couldn't find an office closer, since they waste 15 mins each way :D



  • The wikipedia page says they sell to governments and police.  Doesn't take a genius to figure out why they would be in Annapolis.



  • Come on, you don't think they had something going on with the Navy, do you? -Shock- You wouldn't set up shop in Annapolis and then move to Dulles for nothing. Call it contract graduation. From the Office of Naval Research (or maybe the NA) to Tysons Corner. Payola.
    Until someone throws a pie in your face!!!…



  • To me the sketchy middleman they used for gov sales is the icing on the cake. Hiring a PI to check out your partner. Classic.





  • To be honest, I have no problem with this HT company's product in a real democracy if the governments obey the law; now the real problem is that the source code is free and it is taken and changed by all the scumbags that will target everybody just to steal data/money.

    RCS (from their emails) monitors only the targeted user and not the whole computer, even if that computer has more users created; you need a license for each user monitored on a computer and not for one monitored computer… This is/was a real issue for governments that don't obey the law or are tight on budget, and also an obstacle for their sales.

    Lots of governments (even in the EU - ex-communist countries) that have complete control over the secret services already have this kind of software, bought, stolen or developed by their experts, and they target the whole computer or infrastructure (LAN, forums...) and not only one target user.

    p.s.
    All IT corporations (Google, MS, Apple...) are doing more or less the same business (track and sell), but the difference is that people are happy to use and install their products.



  • Something interesting to watch:

    https://youtu.be/4BTTiWkdT8Q



  • They need to come out with a version of Windows called Zero Day and spin it in some good way…



  • Windows issues tons of Zero-Day updates…  sooooooo....


  • Rebel Alliance Developer Netgate

    @Phishfry:

    They need to come out with a version of Windows called Zero Day and spin it in some good way…

    They're about to come out with Windows one-zero (day). :-)

    The "day" is silent…



  • I found this Snort rule for detecting the Adobe exploit from Rook Security:
    https://www.rooksecurity.com/hacking-team-malware-detection-utility/

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2015-5122: Adobe Flash Exploit (Memory Corruption)"; flow:from_server,established; content:"|43 57 53|"; content:"|c9 66 3d 21 24 49 68 69 69 39 12 61 04 4a 49 4e|"; offset:127; sid:9931892; rev:2;)
    

    Can anybody post a link (or make a quick one) to a tutorial on how to add this custom rule in Snort / Suricata?

    thank you.


  • Banned

    Update your Snort ET rules and see if it's there before the custom add…



  • It is updated and I can't find it… or I don't know where to find it...
    Here is the update log:

    Starting rules update...  Time: 2015-07-24 14:05:00
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2973.tar.gz.md5...
    	Checking Snort VRT rules md5 file...
    	Snort VRT rules are up to date.
    	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    	Checking Snort OpenAppID detectors md5 file...
    	Snort OpenAppID detectors are up to date.
    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Checking Snort GPLv2 Community Rules md5 file...
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Done downloading rules file.
    	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    	Checking Emerging Threats Open rules md5 file...
    	Emerging Threats Open rules are up to date.
    	Extracting and installing Snort GPLv2 Community Rules...
    	Installation of Snort GPLv2 Community Rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    	Restarting Snort to activate the new set of rules...
    	Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2015-07-24 14:06:03
    

    Anyway, if I try to add this rule to Snort - custom:

    alert tcp $EXTERNAL_NET any -­> $HOME_NET any (msg:"CVE­-2015-­5122: Adobe Flash Exploit (Memory Corruption)"; flow:from_server,established; content:"|43 57 53|"; content:"|c9 66 3d 21 24 49 68 69 69 39 12 61 04 4a 49 4e|"; offset:127; sid:9931892; rev:2;)
    

    I get this error:

    The following input errors were detected:
    
        Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/pbi/snort-amd64/etc/snort/snort_31348_rl0/rules/custom.rules(1) Illegal direction specifier: -­>
    
    

    Can anybody debug and correct it?

    thank you.



  • That one finally worked:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2015-5122 Adobe Flash Exploit Memory Corruption"; flow:from_server,established; content:"|43 57 53|"; content:"|c9 66 3d 21 24 49 68 69 69 39 12 61 04 4a 49 4e|"; offset:127; sid:9931892; rev:2;)
    

    Any idea how to quickly search for a SID number to find/check for duplicates?
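A small pre-flight check for pasted rules, written as an added example for this thread (it is not part of the pfSense Snort package): it flags invisible format characters such as the soft hyphen that produced the "Illegal direction specifier" error above, checks that the rule header has the expected shape, and lists SIDs that occur more than once. The rule strings it works on are constructed for the example.

```python
import re
import unicodedata

# Constructed sample rules for this example (not a real rule set). GOOD is the rule
# shape that finally loaded in the thread; BAD is the same rule as pasted from a web
# page, with a soft hyphen (U+00AD) inside the arrow; DUP is made up and reuses GOOD's SID.
GOOD = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2015-5122 Adobe Flash '
        'Exploit Memory Corruption"; flow:from_server,established; content:"|43 57 53|"; '
        'content:"|c9 66 3d 21 24 49 68 69 69 39 12 61 04 4a 49 4e|"; offset:127; '
        'sid:9931892; rev:2;)')
BAD = GOOD.replace('->', '-\u00ad>').replace('sid:9931892', 'sid:9931893')
DUP = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed duplicate"; sid:9931892; rev:1;)'
SAMPLE_RULES = [GOOD, BAD, DUP]

# Rule header: action proto src_ip src_port direction dst_ip dst_port, then "(".
HEADER_RE = re.compile(
    r'^(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\(')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def invisible_chars(rule):
    """Positions and names of Unicode format characters (soft hyphen, zero-width
    space, ...) that are invisible in a text box but make snort reject the header."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(rule)
            if unicodedata.category(ch) == 'Cf']

def clean_rule(rule):
    """Drop those format characters so the pasted rule parses."""
    return ''.join(ch for ch in rule if unicodedata.category(ch) != 'Cf')

def check_rule(rule):
    """Summarise one rule line: invisible characters, header validity and its SID."""
    m = SID_RE.search(rule)
    return {'invisible': invisible_chars(rule),
            'header_ok': HEADER_RE.match(rule) is not None,
            'sid': int(m.group(1)) if m else None}

def find_duplicate_sids(rules):
    """Map each SID used by more than one rule to the indexes of those rules."""
    by_sid = {}
    for idx, rule in enumerate(rules):
        sid = check_rule(rule)['sid']
        if sid is not None:
            by_sid.setdefault(sid, []).append(idx)
    return {sid: idxs for sid, idxs in by_sid.items() if len(idxs) > 1}

if __name__ == '__main__':
    for r in SAMPLE_RULES:
        print(check_rule(r))
    print('duplicate SIDs:', find_duplicate_sids(SAMPLE_RULES))
```

To check a real installation, read every line of the `.rules` files under the Snort rules directory into the list passed to `find_duplicate_sids` and run `check_rule` on what you intend to paste into the custom-rules box.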


  • Banned

    Maybe it's a UX improvement to the Snort package that Bill could undertake??



  • @n3by:

    That one finally worked:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2015-5122 Adobe Flash Exploit Memory Corruption"; flow:from_server,established; content:"|43 57 53|"; content:"|c9 66 3d 21 24 49 68 69 69 39 12 61 04 4a 49 4e|"; offset:127; sid:9931892; rev:2;)
    

    Any idea how to quickly search for a SID number to find/check for duplicates?

    Thanks. I added it to my WAN interface as a custom rule (that is, I think I did; I simply pasted it into the 'custom rules' screen). Would you know how you actually enable this rule? The 'custom rules' screen is way different from the screens for the other rule sections (just a big text field, not the usual table view with records).



  • What were we talking about again?  I've lost track…



  • @n3by:

    Lots of governments (even in the EU - ex-communist countries) that have complete control over the secret services already have this kind of software, bought, stolen or developed by their experts, and they target the whole computer or infrastructure (LAN, forums…) and not only one target user.

    I noticed that Snort has rules for FinFisher/FinSpy. A bunch of governments' "services" (also in the EU) are reportedly using it.