I'm glad this time it is getting more up-votes than the previous submission [0].
There are many interesting documents here, for example the "Finfisher FINFly ISP 2.0 Infrastructure Product Training" [1] which is a presentation/guide from www.gammagroup.com about how to use their software to "infect" the target and collect information about it.
I find that when dumps of data are released, other journalists go through it and curate it. So, I see WL as making more good journalism possible because there are a lot of curators who do not also have the resources to collect material to curate.
I agree. And to be fair to governments and spies, we don't know if any of this info is really dangerous to national security. Well, I certainly don't.
Yes, I am a very heavy critic of US spying and so on, overreaching, but equally, the info released must have some filtering so that stuff that is relevant to the general public is released and stuff that is really, genuinely, dangerous is held back. If an independent journalist/lawyer team say something should be held back, I think we have to, even if reluctantly, accept that. So, exactly like the Guardian people are behaving.
I want intelligent considered leaks, not dumps like this. And in some ways, this is not too dissimilar to the NSA slurping data. Mass dump, mass slurp. Neither are good.
Well, at least now we know that, if you visit Oman, you should harden your IT security stance. This type of knowledge is in the public interest, no matter how it's delivered.
From the gist of the incredibly difficult to decipher training manual there are 4 systems. Overview of network topology is here:
http://i.imgur.com/gzw6nAT.png
1) ADMF-Client & Infection GUI
These seem to be HP Compaq computers, running Windows 7 Ultimate, FinFlyISP GUI and an XMPP client (which runs over TLS and is secure).
This is a tool for LEA to use which interfaces with the ADMF backend for managing infections, selection of infection methods, realtime status info and management of all components.
2) ADMF - Central Administration Function
This is the backend which all the LEA terminals in 1 connect to. These are HP DL380 G6 Intel Xeon X5550 @ 2.67GHz servers running hardened Debian (by Dreamlab best practices). It is a core component of their infrastructure and communicates in realtime with all their other component systems. It stores the configuration and initiation of infections. Realtime exchange of info and states (target coming online, being infected, etc.). Contains RFC XMPP used for secure encrypted communications.
3) Network Data processing component (iProxy/NDP01/NDP02)
Infections are remotely activated by ADMF in 2 via the GUI. Each NDP is bridged with 10GB/s fiber bypass module. In case of hardware/logical failures this module switches automatically to by-pass mode. Thus traffic will never be interrupted. ATTENTION this is a highly dynamic bridge, do not change any configuration manually. NDP has been specially configured for his network, any changes are tightly coordinated with Dreamlab.
4) Radius Probe(RP01/RP02)
Realtime monitoring of AAA processes which include:
1. Targets coming online
2. Receiving IP Addresses
3. Changing IP Addresses
4. Going offline
Recording of RADIUS authentications and accounting dialogues. Being always up to date of target IP
RP sends info to ADMF, the ADMF provisions the NDP. Running same hardware/OS as 3. The RPs have bidirectional connection with broadband remote access server (BRAS) [1] which are what connect to the global internet from an ISP's network. BRAS aggregates user sessions from access network. This is where ISPs can inject policy management and QOS. Aggregates DSLAM connections from locally dispersed in an ISP area network.
Communications Visualized
The slide explains that communication of all components always is initiated towards the ADMF.
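To make concrete what the Radius Probe in section 4 has to track, here is an added illustration (not code from the training manual or from Gamma/Dreamlab) that replays constructed RADIUS accounting records (RFC 2866 attribute names) through a small state machine and emits exactly the four AAA events listed above: target online, IP received, IP changed, target offline. The flat `Attr=value` record format and the user names are assumptions made for the example.

```python
"""Session tracker over RADIUS accounting records (RFC 2866 attribute names).

Added example: shows how the online / IP-assigned / IP-changed / offline
events fall out of Start / Interim-Update / Stop records, and the
User-Name -> Framed-IP-Address table such a probe keeps current.
"""
from dataclasses import dataclass, field

# Constructed accounting records in a flat key=value form (not a real
# detail-file dump); only the attributes the state machine needs are present.
SAMPLE_RECORDS = """\
Acct-Status-Type=Start User-Name=alice Acct-Session-Id=s1 Framed-IP-Address=10.0.0.5
Acct-Status-Type=Start User-Name=bob Acct-Session-Id=s2 Framed-IP-Address=10.0.0.6
Acct-Status-Type=Interim-Update User-Name=alice Acct-Session-Id=s1 Framed-IP-Address=10.0.0.5
Acct-Status-Type=Interim-Update User-Name=alice Acct-Session-Id=s1 Framed-IP-Address=10.0.0.9
Acct-Status-Type=Stop User-Name=bob Acct-Session-Id=s2 Framed-IP-Address=10.0.0.6
Acct-Status-Type=Stop User-Name=alice Acct-Session-Id=s1 Framed-IP-Address=10.0.0.9
""".splitlines()


def parse_record(line):
    """Split 'Attr=value Attr=value' into a dict; tokens without '=' are skipped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


@dataclass
class SessionTracker:
    current_ip: dict = field(default_factory=dict)  # User-Name -> Framed-IP-Address
    events: list = field(default_factory=list)      # ("online"|"offline", user, ip) or ("ip_change", user, old, new)

    def feed(self, line):
        rec = parse_record(line)
        status, user, ip = rec.get("Acct-Status-Type"), rec.get("User-Name"), rec.get("Framed-IP-Address")
        if not (status and user):
            return  # not an accounting record we can attribute to a subscriber
        old = self.current_ip.get(user)
        if status == "Start" or (status == "Interim-Update" and old is None):
            # Start, or an Interim-Update for a session we never saw start: target is online with this IP.
            self.current_ip[user] = ip
            self.events.append(("online", user, ip))
        elif status == "Interim-Update" and old != ip:
            # Address moved mid-session; an Interim-Update with the same IP is silent.
            self.current_ip[user] = ip
            self.events.append(("ip_change", user, old, ip))
        elif status == "Stop":
            self.current_ip.pop(user, None)
            self.events.append(("offline", user, ip))


def track(lines):
    """Feed every record through one tracker and return it for inspection."""
    tracker = SessionTracker()
    for line in lines:
        tracker.feed(line)
    return tracker
```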
I've worked with ISPs setting up RADIUS so that, and Debian, are really the only parts I understand here.
So I interpret this as a system that needs to run in full co-operation with the ISP or the owner of the fiber cables. Since that is usually who is managing the RADIUS setup.
The Radius Probe section looks like Windows Active Directory -- servers that handle Remote Desktop Protocol connections (such as bastion servers) are routinely named RDPxx for easy identification, and AD basically runs off LDAP.
Though I don't know why that cloud would be labeled "OSS"
Doesn't it mean that ADMF of FinFly somehow interferes with browser auto-update in order to upload its trojan to the target computer? I know the browser update file must be somehow cryptographically signed, but the NSA may have access to the private RSA key used for browser updates, which allows such types of attacks. Isn't it?
I haven't read the docs, but from the wikileaks page describing it, I assume the malware "wraps" any exe. If it then manages to "unwrap" (on save?) and disappear before crypto checks happen, then they don't actually need to attack the crypto.
I don't have time to read all this but I wish. Please anyone: I need names of organizations and those on the top involved, so I can create my own "no-use list" and avoid those at any cost.
The discussion here so far seems to be talking about something other than the general page that this link points to, as if the other commenter had some context that the current title no longer provides. I see Gamma Group being discussed specifically.
I'm going to guess that the title was edited again, so we don't have the intended context. What was the original title?
[0] - https://news.ycombinator.com/item?id=6329435
[1] - https://wikileaks.org/spyfiles/docs/GAMMA_2010_FinfFINFISP_e...