This is clownish:
1. Only a tiny minority of macOS users use Little Snitch, and they're not necessarily the most sensitive/interesting targets.
2. If you're competent and you have enough privileges to inject a DLL into anything, the odds are overwhelming that you also own the kernel. Why would you waste time with a goofy firewall add-on package?
I joked on Twitter but I'm "ha ha only serious" about this: if you had this entire portfolio of tools and exploits 2 years ago, I'm not sure you could have gotten a job at Immunity. The leak is fascinating. The technical details: not so much.
I thought the Shadow Brokers/Equation Group dump demonstrated a not-especially-skillful group of inexperienced-seeming pentesters who happened to have acquired some interesting bugs on the black market. Today's dump shows a team that's way less impressive even than that.
Little Snitch users are the kind of people who can and would expose CIA beacon signals. It's not so much that LS users are juicy targets, but rather that they are substantial exposure risks.
You might say, well, just piggy-back the signal on something else. Indeed, that is better. But that solution is far more complicated because you have to control (cooperatively, or coercively) a legitimate end-point.
Ergo, I don't think it's clownish at all for the CIA to target LS; it addresses a real threat (to them).
Using kernel implants to hide signals from these kinds of network security tools is literally 1990s-grade hacker opsec. It's the actual, precise use case for which "amodload" was written, in 1996, by a 20-year-old, for a closed-source OS. I stand by my assessment.
...But what if you can implant into the kernel? Also, what if you don't want to use a full-featured zero-day kernel exploit if you can get your target with a somewhat lower tech exploit?
Clever to just recover all your data using a browser process which has (likely) already been fully authorized to exfiltrate data.
So, rather than targeting LS they would target the kernel with a patch to make LS (and all tools like it) blind to their traffic.
Clearly that's a neater and more complete approach, but there still might be reasons to target a specific app instead of the kernel. It might just be easier and less error prone. (Monkey-patching a running kernel's networking innards has got to pose serious risk to the underlying system's stability, increasing the likelihood that the target will simply reinstall the OS. That's fine for a DoS attack, but not for something like this).
That's not what he was saying. Yes, it would of course be a good idea to try to hide the malware implants from tools like Little Snitch. It's just that the method they propose of going about it is really dumb.
What tptacek is saying is that instead of writing some hand-tailored userspace code to specifically fool Little Snitch, they should just be using a kernel module that will hide the network and process activity from all analysis tools. That's what most nation-state malware does (or tries to do).
I don't swim in these circles so forgive my ignorance -- What is significant about Immunity? Are you saying these exploits are trivial and/or old news?
He is saying the latter. They indeed are. They are cool infection vectors but nothing new.
I think you're over-reacting. It's just a discussion (powerpoint?)
I would consider it negligent if no one in the CIA was asking these questions.
[edit: grammar/clarification]
Plot twist: the dump is a list of summer intern projects
Hypothetical or real? If real, link to source please.
He started his comment with the words "plot twist". I'm pretty sure he wasn't really considering that as a legit option.
The whole wiki that this leak released is full of the most basic configuration options for vim/VS etc. They have version control tutorials. They can't be hiring pros.
We already knew they probably don't care about hiring "the best" since they cut out a large part of the pool that they'd be able to hire from: https://mobile.nytimes.com/2015/06/30/us/state-marijuana-law...
You can't make a conclusion from that. Any large software org is going to have similar types of things.