The boys are back from Def Con! We talk about our experience with Def Con 25 and what we would do differently next year.

We also discuss Bill C-59, the ‘Clean up’ bill for Canada’s anti-terrorism bill C-51, what does it contain and does it go far enough? And what you can do to ensure your member of parliament hears your voice on this important issue!

It’s time to revisit the WikiLeaks Vault 7 releases! It has been a few weeks since we went through the releases coming out of Vault 7, and they just keep on coming! We get you caught up on some of the scary ones that have come out since we last discussed this topic.

All this, and more nerd humour, on tonight’s episode of 2 Dropped Tables and a Microphone.

Topic 1 – Def Con Wrap-up

What happened?

What did we like?

What did we learn?

Are we doing it again next year?

Topic 2 – Bill C-51 and its cleanup bill C-59

http://www.michaelgeist.ca/2017/06/billc59/ 

Finally – after YEARS of pressure, the first reforms to notorious spying bill C-51 have been announced.[1]

In all our years of action on C-51, this is the most critical time in our campaign to protect online security and privacy in Canada. 

The good news is that we’re closer than ever before to winning — the reforms so far that include strong oversight of intelligence activities are a huge sign that we forced the government to listen to ordinary Canadians. 

But these reforms still don’t address many of the fundamental privacy concerns Canadians have voiced: an end to out-of-control information sharing, the protection of our right to encryption, and an end to warrantless mass Stingray spying.[2]

MPs are on their way back to their ridings right now — and we need your messages about these issues to be at the top of their inboxes.  

At every stage for the past two years, we have forced the government to listen to us on this issue, and this will be no different. 

We’ve pushed them to hold an enormous consultation on C-51, then we flooded that consultation with over 15,000 pro-privacy messages. We successfully pressured them into making the results public, and then crowdsourced the results of the consultation before the government made its report public. And in the end, they admitted: 

“Digital surveillance and investigation was seen by most participants as having the greatest potential to directly impact their personal privacy, rights and freedoms. 

A clear majority of participants oppose giving government the capacity to intercept personal communications, even if a court authorizes the interception, and oppose any moves to weaken encryption technology. Even those who support broad powers of interception think it should only be allowed under rigorous judicial authorization and be limited in scope.”[3]

They know this is what we’ve demanded. And they know that we will be the loudest voice holding them to account to their promise to listen to Canadians. Let’s make it happen: 

Send a 1-click message to your MP 

Our actions have already had huge, tangible effects: For months now, newspapers have been reporting that the government was considering “broad new powers to allow national security agencies to obtain Canadians’ data without a warrant, crack and hack cellphones, force companies to decrypt communications, and mandate interception powers for telecommunications providers.” 

None of these powers have appeared in the legislation, which has been reported as being due to the overwhelmingly negative responses to these ideas.[4]

Now, this is what we need: a promise to protect our right to encryption, freedom from invasive, warrantless Stingray spying, and an end to reckless information sharing. 

When these reforms (called C-59) are debated in the fall, we need these crucial privacy issues on the top of the list. Let’s get it done! 

Thank you so much, 

Victoria with OpenMedia 

Footnotes 

[1] The roses and the thorns of Canada’s new national security bill: Macleans 

[2] National Security reforms: major step forward, but fail to tackle many of Bill C-51’s biggest problems: OpenMedia 

[3] National Security Consultations: What We Learned Report: Public Safety Canada 

[4] The Trudeau government peels back bill C-51 — mostly: Vice 

Topic 3 – WikiLeaks Vault 7 CIA Tools Catch-up

https://wikileaks.org/vault7/#Dumbo

Dumbo – Aug 3

Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations.

Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating system. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings, the operator is aided in creating fake evidence or destroying actual evidence of the intrusion operation.

Imperial – 27 July, 2017 

Today, July 27th 2017, WikiLeaks publishes documents from the Imperial project of the CIA. 

Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution. 

Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants. 

SeaPea is an OS X Rootkit that provides stealth and tool launching capabilities. It hides files/directories, socket connections and/or processes. It runs on Mac OSX 10.6 and 10.7. 

UCL / Raytheon – 19 July, 2017 

Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st, 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September 11th, 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors, partly based on public documents from security researchers and private enterprises in the computer security field.

Highrise – 13 July, 2017 

Today, July 13th 2017, WikiLeaks publishes documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as an SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post (LP) by proxying “incoming” and “outgoing” SMS messages to an internet LP. Highrise provides a communications channel between the HighRise field operator and the LP with TLS/SSL secured internet communication.

BothanSpy – 6 July, 2017 

Today, July 6th 2017, WikiLeaks publishes documents from the BothanSpy and Gyrfalcon projects of the CIA. The implants described in both projects are designed to intercept and exfiltrate SSH credentials but work on different operating systems with different attack vectors. 

BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in the case of password-authenticated SSH sessions, or username, filename of the private SSH key and key password if public key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save them in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed rootkit (JQC/KitV) on the target machine.

OutlawCountry – 30 June, 2017 

Today, June 30th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA-controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even a system administrator.

Elsa – 28 June, 2017 

Today, June 28th 2017, WikiLeaks publishes documents from the ELSA project of the CIA. ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point/geo-location information is stored in encrypted form on the device for later exfiltration. The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device, again using separate CIA exploits and backdoors.

Brutal Kangaroo – 22 June, 2017 

Today, June 22nd 2017, WikiLeaks publishes documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air-gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and provide functionality for executing surveys, directory listings, and arbitrary executables.

2 Dropped Tables and a Microphone © 2017