I'm not sure if this is the appropriate forum in which to ask this question, but I would so appreciate it if anyone is able to clarify a few technical points as I am very keen to keep as close to the facts as possible. I'm writing a book about a subversive journalist-cum-activist who is framed and discredited by the intelligence services by way of false evidence being planted on their computer, and I need to know how possible this is and how far I can take the idea without crossing over too far into the realm of fantasy. I have bulleted the main points below: the deed is accomplished remotely, by a hacker hired by the intelligence services the hacker is able to take full control of the computer remotely, without the target knowing, and is able to both add and/or exfiltrate data/files at will the hacker is also able to modify timestamps, registry entries, server logs etc., in order to create a false profile of the target and their online habits/preferences etc once the hack has been completed, the hacker is able to obfuscate their tracks so expertly that computer forensics experts will not be able to find any evidence that the hack has taken place According to the so-called Vault 7 disclosures released last year by WikiLeaks, the above hack is indeed possible, in that the intelligence services do now have the ability to obfuscate their tracks so well that they are able to get in and out of a target's computer undetected by current forensics tools and technologies, to the extent that it will appear the computer hasn't been hacked at all, even when examined by computer forensics experts. However, this is only my unqualified interpretation of the Vault 7 disclosures. If there is anyone here who is able to either confirm my interpretation, or indeed, correct my misinterpretation, and to offer any technical pointers, I would be so grateful. Many thanks in advance
If I told you I'd have to kill you that aside yes its possible with enough computer power any password can be broken, and once signed in as an admin all of the rest is possible... the only total defence is to to disconnect the computer from the net
Haha well it's not quite worth dying for so thanks for not revealing the whole secret but for saying as much as you did, much appreciated The only bit I wasn't certain about really was whether or not the hack could be obfuscated to such an extent that it would effectively remain 'invisible' - i.e. that a computer forensics expert wouldn't be able to find any evidence that the hack had taken place. But your answer seems to cover that so thanks again!
If I logged in to your computer with your password the log would show you logging in, not me, so so long as I did it while you could plausibly be using the computer, such as during the night while you're asleep. There's a lot of crap talked about hacking 99% of it is about either guessing someone's password, tricking them into revealing it, or using a computer to try millions of combinations to guess it randomly. Which of course assumes they haven't left the administrator password set to administrator. That said if mi5 wanted to frame someone there are easier ways.
Unrelated: Back in my days working in intel, one of the easiest and most assured ways of digital security was simple physical disconnection. A SCIF is a self-contained world that doesn't connect to the outer world, and anything that is going to leave there, typically has to make a physical trip at some point. The digital moat must be maintained. At least that's how it was in my day... Fast-forward to Comey testifying in front of congress and at one point in the testimony he mentions using a "secure" laptop inside his car... on the street... not in a SCIF. A little pavlovianly trained part of my brain started panicking, just hearing him say those words.
Can MI5 Plant Evidence on a Computer Remotely and Anonymously... They can but it doesn't work as an excuse in court. If they are in on it then the expert who examines the computer won't find any evidence of tampering... If that makes sense. Or after the arrest/seizure of the computer, during the examination process the evidence could be added so no need for the hacking.
Ooo, a network security topic. You’ve peaked my interest. I’m no expert but I do study in my spare time. Short answer: absolutely yes. However, the difficulty increases as you go down each bullet point. For the sake of this post I’m going to assume that MI5 have hacking tools (aka cyber warfare tools) comparable to the NSA and other U.S. agencies. Under this assumption, MI5 has enormous resources, advanced hacking tools, and likely software backdoors and 0-day exploits available. Based on your title Vault 7, I assume you’ve https://wikileaks.org/ciav7p1/]done your research[/url] on the NSA hacking tools that were released into the wild? They literally have thousands of tools of this nature. And they could, and presumably still can, access anything. They can hack nearly any computer, smart phone, or toaster. That smart TV? Not too smart when it’s a listening device running your footsteps and conversations through an AI machine learning algorithm. Those modern cars? Assassination machines. As our technology becomes more connected, the attack surface increase. Each new system, device, program, app, or website we visit contains a multitude of potential attack vectors. And anti-virus and old conventional wisdom is nothing to stop it. https://techcrunch.com/2017/03/09/names-and-definitions-of-leaked-cia-hacking-tools/]After a quick review of the tools[/url] there are a few that are immediately relevant, confirming what’s possible. Note that there are multiple related tools, this is just an example. That’s one tool. Their hacking division has a branch or at least branch of tools dedicated to remote access and implanting (I.e. dropping a virus/malware, planting evidence, stealing data). It’s called the Automated Implant Branch and has a whole suite of tools. I’m going to stop there before I continue telling you what you probably already know, of before I go on a tirade on security literacy and personal responsibility. I think the jury is still out on the last one, whether than can completely cover those tracks and truly be anonymous. In most cases yes. They certainly have the tools to help cover those tracks. However, with the increased system complexity we are observing in network systems, I don’t think it’s unreasonable to say that while there are an increased number of attack vectors/surfaces, there is also a potentially larger trail you have to cover up. Every system used to access your device - along with any monitoring systems - increases their footprint / hacking signature. They might have to carefully exploit and cover thier tracking in your network router, operating system, browser, kernel system, Gmail account, and ISP. Potentially for one exploit. I think the answer is that it depends on the resources and skill of the computer forensic analyst. They can probably hide from one skilled person - but could they hide from a competing spy agency? Maybe not. I’d love to talk more on the subject, I’m currently fascinated in recognizing attack vectors and the scope of an attack surface. I don’t know what your story is like, but you may want to familiarize yourself with these and develop an actual hacking plan of attack they (and anyone who investigate them) use. Again, depends on your story. Please let me know if you post it in then workshop for critique.
If you have any specific scenario-related questions I’d love to have a crack at it. P.S. password hacking is 101, and while they certainly have these tools, many systems can be accessed without breaking a login. Most computers are constantly making both incoming and outgoing connections (100s, potentially 1000s a day). The biggest road block to this, aside from an air-gapped device, would probably be full disk encryption - but this can be bypassed through kernals, trojans, physical access, or completely side-stepped through a zero-day exploit or backdoor.
Not to be overly simple about things, but... It's similar to cheats on computer games, they put in backdoors in the process of making them so they can access any part of it at will
Hey Daniel, thank you so much for this reply. It's way more than I was expecting or hoping to get, but just what I need. I will need to go through the points systematically but apologies as I just don't have time tonight (it's around 10pm here in the UK). I have so many questions. I will give it my full attention tomorrow. Until then, many thanks once again. Will be in touch
My pleasure. Before I forget, I want to recommend you watch a few episodes of Mr. Robot. It does a superb job of getting into the minds of hackers and glimpsing network systems.
Hi Daniel. Okay so, as promised, here's my response to your post, inclusive of my barrage of questions for you! Yes. According to the Vault 7 disclosures, MI5 and the CIA have collaborated in the development of weaponized malware (the smart TV bug, Weeping Angel, developed by the CIA's EBD in conjunction with MI5, is a case in point). There is no reason to presume their collaborations stopped there. Note: MI5 work hand-in-glove with Britain's GCHQ (Government Communications Headquarters - the UK's equivalent to America's NSA). GCHQ and NSA are notorious bed partners. GCHQ pretty much has the power to hack anyone and anything … and they do! https://www.theguardian.com/uk-news/2017/oct/05/court-to-hear-challenge-to-gchq-bulk-hacking-of-phones-and-computers Yes, undoubtedly. I have certainly researched, yes, and I’m aware of (though don’t fully understand) the Vault 7 leaks. I understand the ‘theory’ of CIA/NSA/MI5/MI6/GCHQ hacking technologies and capabilities well enough. It’s the ‘technical terminology’ I struggle with, and this is one of the main things I need to get right for my book. I don’t want to get found out for my lack of technical correctness, and this is something you seem to have a good handle on. Speaking of the book, just briefly (as you ask what the story is about), the basic scenario is this. An investigative journalist (let’s call him David) has discovered that vast amounts of government foreign aid money is being funnelled, illegally, into offshore accounts. David has also discovered that a corrupt high-level government official is a major beneficiary of the embezzled funds, and he is in process of making his discovery public when MI5 hit him with their very own deterrent. They instruct one of their ultra-secret ‘hacker cells’ to plant illegal material on David's computer so that they can then blackmail him into keeping the story quiet. That’s the basic low-down. What I need to know is just how realistic this scenario is in terms of the hack – i.e. the hacker cell taking control of David’s computer remotely, without him knowing, and planting the files – the ‘false evidence’ – to incriminate and frame him. And moreover, that they are able to do it without leaving any detectable tracks. The thing is, if a digital forensics expert were able to find evidence of the hack then it would undermine the plot before it gets off the ground, because if David were able to prove that he was in fact hacked then he could pretty much prove that the evidence was planted and that he, therefore, is innocent. If, on the other hand, the hack was effectively ‘invisible’ – no evidence of the MI5 hack – then David’s in big trouble… Okay, so … one by one: Time Stomper: let’s take a model of David’s internet usage over, say, a period of a few months. The tracks of this usage will be recorded on his hard drive, in his registry, in his server logs etc and will create a profile of a fairly regular guy and his fairly regular internet usage. However … would you say it’s possible for the hacker cell to overlay a ‘fake usage profile’ by modifying the registry and server logs so that it looks as though David has different internet habits altogether? So the registry and the server logs record that, at 1pm, David visited the CNN website. Two minutes later he opened an email. A few minutes after that he visited a dark web hacking forum and downloaded illegal code snippets and left a self-incriminating post on the forum. But David never actually did any of this. He did not visit CNN at 1pm, did not open an email two minutes later and he did not visit the dark web hacking forum. According to entries in his registry and on his server logs, however, David's computer did all of these things. Could it be done? Is this what Time Stomper (or perhaps a different tool) in the hands of a highly skilled hacker could do? Remember this is not ‘Johnny Hacker’ sat in his bedroom across the block who is doing this (as good as Johnny Hacker may be). It is the cream of the Western world’s 'script-kidz' with the almost unlimited arsenal of MI5/CIA hacking tools at their disposal (according to Vault 7, the CIA alone has a network of 5000 hackers on their payroll). Could this be done? Could they create a false profile with a completely different pattern of internet usage? Automated Implant Branch: to your knowledge, what would you understand to be a ‘self-running implant’? In fact, what exactly is an ‘implant’ in this context? What is its function? Could an implant, for example, download files from the internet onto David’s hard drive? Could it do it without David knowing? And could it be done over a period of time? Or perhaps more pertinently: could it be made to look as though it was done over a period of time? Also, when it speaks of a ‘fully integrated implant system inclusive of command and control, listening post and implant software’, I’m not sure exactly what all this terminology means in practical terms??? Would you be able to explain it to this layman? Lastly here, would it be possible to use – is there even such a thing as – let's say, a 'self-deleting trojan' (or other piece of malware) that could literally delete itself once it has done its job, so that it leaves no trace that it was ever there? Or am I venturing into the realm of science fiction now haha? Marble Framework: the CIA’s obfuscation tool (or one of them at least). Would you say this capability is limited to disguising attribution, or do you think it’s possible to obfuscate the hack to the extent that no tracks are left behind, and standard forensics experts are thus unable to find any evidence of it? I know you kind of answered this question in your initial post, but from what I've read about Vault 7 some people seem to be saying that Marble simply overwrites the source files so that the hack, rather than being attributed to the CIA, is attributed to Russia or China or someone else. Others, though, seem to be saying that the hackers can actually evade existing forensic tools and capabilities completely, to the extent that the hack is effectively undetectable, or 'invisible'. Keen to hear your thoughts on this... Okay, I’m sure I have (or will have) more questions but I’d best stop there for now. Many thanks again for sharing your wisdom on the topic Daniel. Genuinely appreciated. And a big thanks to everyone else for offering their insights too. Again, very much appreciated.
P.S. We can only get Mr Robot as an online stream over here in the UK, on Amazon Prime, but I will def check it out.
