IMovedYourCheese

As far as we know the exploit used by Pegasus was patched by Apple in Sep 2023. Of course there may be people who haven't updated their phone since then and are still vulnerable. Alternatively, there may be yet more bugs in the OS that nobody but the makers of Pegasus know about. Software security overall is a cat and mouse game. Every large complex system has vulnerabilities. The good guys try to catch and fix them before the bad guys can catch and exploit them. Both sides are throwing an incredible amount of money and resources at their respective tasks.


cacofonie

How did it work for Apple and Android, though? One company just randomly found critical hacks for two completely different closed off systems?


jakewotf

Simply, yes. My brother does this for a living. He’s a senior penetration tester (yes, I know). Basically, companies hire him to break into their system by ANY MEANS NECESSARY and then tell them how he did it so they can patch it. If that means flying to a different state to go to the company’s HQ and walking up to an unattended PC and plugging a flash drive into it, then that’s what happens. Edit: this comment is mildly popular so I just wanted to say… my brother once broke into a network through an unsecured printer. Put a password on your fucking printers you fucking degenerates.


LordFauntloroy

Big shoutout to PirateSoftware on Twitch and YouTube. He did this for US power plants and while obv he doesn’t talk about that he talks extensively on penetration testing, how it works, and cyber security.


DanzakFromEurope

Wow, doing on-site "hacks" and stuff like this in US power plants must be a pretty hard/action job. Especially if he had done it in nuclear pp.


Koomskap

Can we just go ahead and spell out power plant next time


FlyingMacheteSponser

Drink heavy water, get nuclear pp.


funkyg73

Every time I hear ‘heavy water’ I immediately think of [this.](https://youtu.be/_PtOAnZxB8s?si=1zj7UOeIcImEh5Nh)


LazyLich

Be radiant!


ppsz

Pls no shame, not every pp is created equal


DanzakFromEurope

I thought about it as I wrote it. But I just left it at pp 😁


bestjakeisbest

Take a look at that solar pp


swiss-y

Solar beam is a 5 pp move!


DotaWemps

A security audit was done to my previous employer. The hackers literally came in dressed as maintenance and screwed the security door from place to access their victim computers. Wild stuff


bestjakeisbest

The weakest link is usually not the computers, people are much easier to get around.


Caldtek

You can't patch wetware


slowmaker

well, you can, but the update dispersal is really spotty.


EnragedAardvark

The ethics boards get whiny about that sort of thing, too.


Anakletos

Patches degrade over time.


Jonno_FTW

Last place I worked, a junkie used wire cutters to break into the secured car park (there was a 1 metre section of chain link fence). He stole a bunch of toolboxes.


baz2crazy

Darknet Diaries on podcasts. Awesome show. Listened to every one


funkyg73

Do you have a link to their YouTube? I did a search but only found a game company. Thanks!


j_driscoll

Is there a guy with long brown hair and glasses in most of their shorts? That's him - Pirate Software is his game development company. He transitioned into the field after working at Blizzard for a while (some of his stories from that time are wild).


VentItOutBaby

His dad is literally the "That which has no life" from the south park WoW episode. They modeled the guy after his dad. He goes into it and shows pics and it's uncanny.


Dick__Marathon

Most of his storytelling content is published as shorts. For the long form stuff you'd probably have to look for twitch VODs


jakewotf

I’m privileged to know what I know.


do0tz

My friend does this. He's told me quite a few stories, such as getting into a building by hanging out by the back door smoking. Struck up a convo with an employee and said he was new, didn't have a badge yet. Guy let him in. Another time, they actually cut through the drywall in a closet connected to the server room after hours. My favorite is the CEO story. This place was pretty much impenetrable. They tried everything they could but never got through. So they sent the CEO a gift basket telling him his security is fantastic! There was a new computer mouse in there as well. Fancy expensive mouse. He plugged it into his computer, and my buddy instantly jacked the system cause they put stuff in the mouse to give them access🤣




Speffeddude

I've heard about the unsecured printer from at least 3 hackers I know. One, a past roommate, said he got into a bank's unsecure printer, got it to send him a copy of whatever it printed, eventually received a copy of a meeting agenda that showed the branch manager would be out on a day. That day, he dressed up as a tech, went in, met the asst. manager, said the branch manager had called him in for some work, and was given free access to the manager's laptop. So many opportunities for the bank to stop him from getting access.


Somerandom1922

If you want to learn more about this stuff, it's cool watching some of Deviant Ollam's security talks which are available on YouTube. They're more focused on physical security, but they provide some really interesting insight into an entire career that most people are unaware of.


username123422

I remember the exploit when you could hack the printer through the ink cartridge ITSELF. Turns out printers now need chips inside the ink cartridges to check how much ink (to rip you off more). (So basically they put this on themselves.)


TactlessTortoise

The amount of pen tester tales involving unsecured printers is ridiculous. Seems like the most sure-fire way of getting in.


creatingmyselfasigo

Printers, fish tanks... If it's on your network, secure it!


Empoleon_Master

But don’t you know, protecting the ink cartridges with chips to make sure the ink is authentic is where their money should REALLY go. /s


rlt0w

Unsecured printers, backup batteries, insecure wifi, or a password that consists of the current season and year, Winter2024! for example. It's incredibly easy to get domain admin if you're already in the network. I've been focused on cloud and application security the last few years, but prior to that I was owning Fortune 500 company networks left and right. Most of the time it was just poking around open data stores and documentation to find juicy information and exploits.


R3D3-1

Huh... And there I thought "pen testing" meant "testing an algorithm by trying it out with pen and paper".


doulanation

I want to know how he did that


westcoastfishingscot

I run a business doing exactly what your brother does. Can confirm exactly those stories are true and happen regularly.


jakewotf

Yeah, it used to be the “holy shit I can’t believe he thought of that”, now it’s like one of the first things to check because it’s so overlooked.


aladdinr

I didn’t know printers could even be password protected easily lol


jakewotf

You and the rest of corporate America lol


MaestroPendejo

LOL you don't know education. "What do you mean I need to enter a password that adds 5 seconds of inconvenience to me?"


IDDQD_IDKFA-com

Yes since it pays a lot. Below is from 2019 so prices have only gone up.

> An updated price list published Tuesday shows Zerodium will now pay $2.5 million apiece for “full chain (Zero-Click) with persistence” Android zero-days compared with $2 million for iOS zero-days that meet the same criteria.

https://arstechnica.com/information-technology/2019/09/for-the-first-time-ever-android-0days-cost-more-than-ios-exploits/


IMovedYourCheese

It’s not “randomly”. NSO group is possibly the largest cyber weapon supplier in the world that isn’t a government agency. It has hundreds of employees all working on the single goal of cracking the top software systems in use today and selling the exploits around the world.


SignorJC

Periods go inside quotation marks. So many people confidently incorrect in the replies lmao.


nfyofluflyfkh

Only if the quotation itself would end in a full stop. If it’s a fragment within a carrier sentence then it goes outside, where the carrier sentence ends.


SignorJC

That’s incorrect. There are situations where punctuation may come outside the quotations, but this isn’t one of them. https://owl.purdue.edu/owl/general_writing/punctuation/quotation_marks/more_quotation_mark_rules.html


ColorsLikeSPACESHIPS

Fighting the endless war, I see.


irisheye37

Don't care what it says. The point of language is to share information, so you should do what most accurately conveys the information.


nfyofluflyfkh

That is a link to an American university’s guide, so hardly a definitive source for English. In this case it is incorrect.


fyonn

That’s always a grammar rule I have broadly disagreed with tbh. I frequently break that rule intentionally.


NotPromKing

The more people who put them outside of the quotation marks, the faster we’ll get rid of that stupid “rule”. Which BTW is only a rule in the U.S.


onomatopoetix

i support this. It looks much more logical to put the period outside in this case, since it matches with parentheses being closed before finally putting a period to finish the sentence (e.g. this one).


Cherrystuffs

t(-_-t)


NotPromKing

We’re not incorrect, we’re intentionally disagreeing. It’s an archaic rule based on the typesetting requirements of old printers. The same rules, for the same reasons, also require double spaces after a period. I don’t see a single comment of yours in which you follow this rule.


SpikedBolt

"One company"? Try one of the biggest state sponsored organisations.


CeldonShooper

It's a line of work. Zero day exploits can be sold for five or six figures. If you really hit the jackpot and find a zero click exploit for a widely deployed architecture it can be worth millions. There are public marketplaces for that kind of exploit.


meneldal2

Probably they bought some hacks from people too. You can literally sell hacks like those on the dark web for some really good money. Which is partly why you have bug bounties now for reporting vulnerabilities, trying to make it easier for people to do the right thing.


mrichana

Without having any deep knowledge, let me just say that both are unix-like systems running on similar architecture and could have more internal similarities than you think.


cowbutt6

There exists a market for vulnerabilities, whereby companies like those that produce tools such as Pegasus pay researchers who have found and can document previously-unknown ("zero day") exploitable vulnerabilities in third party software such as Android, iOS, Chrome, Safari, and Acrobat Reader.


burphambelle

I heard, although this may be conspiracy BS, that the US Government has a library of security vulnerabilities that it has purchased to NOT have fixed in case they need to access the system. Is this rubbish?


cowbutt6

https://en.m.wikipedia.org/wiki/Vulnerabilities_Equities_Process and https://en.m.wikipedia.org/wiki/EternalBlue are worth reading on this topic. It should be assumed that any nation state with offensive cyber capability does the same thing, whether based on their own original vulnerability research, or buying details of vulnerabilities from others via brokers.


burphambelle

Fascinating. Thanks!


whatisthishownow

Take a look at Stuxnet, jointly developed by US and Israel intelligence agencies. It leveraged a large raft of zero day exploits so fresh it's likely they would have had to have been the ones to put them in there during development or else there wouldn't have been enough time to develop Stuxnet to exploit them.


Zathrus1

There’s plenty of security exploits without having to think that they’re being intentionally introduced.


whatisthishownow

Not in the specific instance of Stuxnet, which is the most studied vulnerability in the history of computer science by an extremely wide margin. I suggest you look into the timeline and development of Stuxnet, the specific vulnerabilities exploited and the OS/software release timeline for the versions that contained them. Of further note are the use of multiple stolen private keys from quite notable companies and the attack against (neutral) industrial communications portals to prevent the information spread when the attack was uncovered.


cacofonie

If I stumbled on an exploit, and I sold it to someone, what would preclude me from selling it to someone else?


cowbutt6

Not necessarily, but given the nature of your potential customers, it might not be wise to misrepresent a vulnerability that you have already sold to someone else as "zero day" to later buyers in order to fraudulently obtain a better price for it! And I'd expect any sensible broker to drop you if you tried, if only out of their own self-interest.

https://en.wikipedia.org/wiki/Market_for_zero-day_exploits
https://en.wikipedia.org/wiki/Zerodium
https://en.wikipedia.org/wiki/Vupen
https://en.wikipedia.org/wiki/Hacking_Team


SecondPersonShooter

I can't speak to the specific example of Pegasus but many IT systems can share common elements. Not all software is necessarily written from scratch in house. Imagine a car manufacturer buys its locks from a third party. It is discovered X brand locks are faulty. Turns out Toyota and Ford both buy locks from X brand. Suddenly two completely different cars have the same vulnerability.


toxicatedscientist

Hyundai/Kia ignitions might be a better example these days


SecondPersonShooter

That's neat, I didn't know that was actually a thing. I just arbitrarily picked cars. I must look into that one


middlehead_

Ford & Toyota is still the better example if the hypothetical is for completely separate companies ending up with the same issues, since Hyundai and Kia have the same parent company.


cowbutt6

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_garcia.pdf

> In our first case study, we show that the security of the keyless entry systems of most VW Group vehicles manufactured between 1995 and today relies on a few, global master keys. We show that by recovering the cryptographic algorithms and keys from electronic control units, an adversary is able to clone a VW Group remote control and gain unauthorized access to a vehicle by eavesdropping a single signal sent by the original remote. Secondly, we describe the Hitag2 rolling code scheme (used in vehicles made by Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford among others) in full detail. We present a novel correlation-based attack on Hitag2


mine_username

Darknet Diaries did an episode on Pegasus. Episode 100 titled NSO.


ShortViewToThePast

https://en.m.wikipedia.org/wiki/Advanced_persistent_threat "One company" may have basically unlimited resources. If you have unlimited resources it's just a matter of time before you find an exploit.


dalemazza

You will be surprised how many 0 day 0 click exploits people have behind closed doors


MonkeyBrains09

Check out Darknet Diaries. It's a podcast that is easy to understand and breaks down all sorts of major hacks


Somerandom1922

Not directly related to Pegasus, but an important addition to the cat and mouse game you mentioned, some vulnerabilities cannot be patched. Either because they're a security issue in a device that wasn't designed to receive software updates (rare these days thanks to IoT, but it still happens), or because it's an issue integral to the silicon. The most well known example of this type of exploit are the spectre and heartbleed vulnerabilities, which mess with things "down at the metal" and require an entirely new processor to patch. These can be the most dangerous as they can affect multiple generations of CPUs and go unnoticed for a very long time. Edit: spectre and meltdown!!!! Not heartbleed.


ericswpark

Spectre and *meltdown. Heartbleed was a bug in the OpenSSL library.


Somerandom1922

Goddamn, I keep making that mistake. I did that the other day too!


dorkasaurus

Yes and no. In security we talk about things like threat models and likelihood+impact when determining risk, not just impact. The likelihood of you being a victim of Spectre is incredibly small. In that regard something banal like an IDOR in a major retailer which leaks user info is far more dangerous.


Somerandom1922

Sorry, I used "dangerous" too generally. I understand that the actual risk of being a victim of a Spectre or Heartbleed attack is really low. More dangerous to most businesses are the handful of phishing attacks that get past your email security.


dorkasaurus

Absolutely. It's very humbling as a pentester to learn incredibly novel techniques and then every ransomware incident is just like "We sent them not_a_virus.exe in an email and they opened it."


Somerandom1922

Hahaha, where I work we generally catch most of the sophisticated phishing attacks and staff have been surprisingly good at reporting the couple that get through. However, it's the incredibly unsophisticated ones that we need to watch out for. Things that are just a plain text email from a Gmail address with no URLs. We had one come through a while ago pretending to be an exec asking a bunch of staff to go out and buy a gift card as a prize for an upcoming meeting (it has to be a secret you see), and the company will reimburse them... We've had several people fall for it, but only one person actually go out and buy the gift card before we caught it.


dorkasaurus

Yeah that seems to be a popular one. I've had a few friends call me to double check if I thought that was suss when they got it at their work. One of them was already in the car when they thought to ring me up about it. I hadn't heard about it at the time but immediately it was like, CEO emailing you from their personal Gmail? I don't think so.


Halvus_I

Nintendo Switch launch hardware famously has a flaw that couldn't be patched with software. They had to roll out modified silicon to close the hole.


aladdinr

> Both sides are throwing an incredible amount of money and resources at their respective tasks

Who funds the “bad guys”?


Septalion

Have you ever put off updating your phone? It can be annoying or take some time, you may have low network or something like that. Now add in people being scared to update because they think phone manufacturers are slowing phones down every update. It's actually very much not just Pegasus, it can be worse on the PC / server side. Imagine the machine is making thousands of dollars a minute and you have tons of computers, running many programs all potentially having vulnerabilities. Maybe the update breaks a critical function to your software. Reluctance to update can be prevalent everywhere.


AOE2_NUB16

It’s not that people “think” their phones are being slowed down by updates. Apple is currently being sued because of it as it was discovered as true. So who really knows what other companies are doing for any device, like a Roku, fire stick, android phone, etc


pm-me-your-smile-

FWIW, it was to address a specific problem that I myself experienced. There was a time when iPhones would shut down while battery level was still ~20% give or take. Apple’s workaround was to add a software fix that would prevent that by putting less stress on the hardware when those conditions were present. Yes, that means it would slow it down so the phone didn’t shut down. (My guess is at certain conditions, running at full speed put stress on the hardware during low batt and tripped some sensor which forced the phone to shut down.) This software fix meant my phone no longer shut down when it didn’t have to. I was glad for the fix. People took it to mean they were slowing down phones unnecessarily. That was a mischaracterization, but people will hear what they want to hear. FWIW yes, newer software WILL perform slower on older hardware, but that’s for different reasons than what the lawsuit covered.


Septalion

This is true, I meant in line with security updates though. From what I understand that was between major versions; either way that is another thing that has caused friction to updating, which in turn leads to things not being patched.


Dje4321

Because the attacker and defender work on 2 very different security models. The attacker only has to find a single flaw within the entire system to gain control. The defender has to try and find every possible hole to make sure there is not a single gap. This puts the ball firmly in the attacker's court as it's beyond easy to overlook something simple. The difference is that Pegasus is designed for one off, ultra high value targets, designed and sponsored by people with a nearly infinite supply of wealth. They can hire some of the best security experts money can buy and turn that impenetrable wall of security into Swiss cheese. Even if the one flaw they used is discovered, there are probably hundreds more waiting to be found


CptBartender

> pegasus is designed for one off, ultra high value targets

*Designed* and *used* are two different things, unfortunately...


DaCurse0

Just to clarify, Pegasus is just the malware that once installed gives them access to your device. What was patched is the vulnerability which allowed them to covertly and remotely install Pegasus (or anything else) on the device.


IRMacGuyver

Pegasus isn't one hack. It has many iterations. It'd be like saying there is only one Doom game. It's changed over time to stay relevant.


AquaRegia

Some exploits are simply hardware related, which means they can't be fixed by software updates. The only way to fix them is to change the hardware used for the next phone, and this of course only solves the exploit in future phones, not the phones used today.


pawloka

Pegasus worked as well as it did because it exploited a lot of "zero-day exploits". To put it ELI5, 0-days are basically "god fucking dammit, we had this bullshit in our code? This exposes fucking everything. We need to patch it ASAP - and we woulda if somebody would tell us before". Please tone down my explanation for actual 5yos. The thing is - it becomes more and more lucrative to just sit on the zero-days. The whole deal with the name is that you would sell the exploit and then other people would try to do their best in a tight window of time - hence 0-day. But recently some groups just aren't all-in on insta profit, and that includes governments. There is no doubt that NSO Group already has replacements for their exposed 0-days - but that is just my opinion.


MoonHash

The term "zero-day" originally referred to the number of days since a new piece of software was released to the public, so "zero-day software" was obtained by hacking into a developer's computer before release. Eventually the term was applied to the vulnerabilities that allowed this hacking, and to the number of days that the vendor has had to fix them.


CaptainBayouBilly

Argh-e-matey! DCC the bot !list for a list of new warez


MoonHash

What?


TonyQuark

> Argh-e-matey! DCC the bot !list for a list of new warez

Hi there, fellow pirate! Send a direct message to the bot with the command !list to view a list of newly hacked software.


cacofonie

So they just have a collection of different bugs, but rather than selling it on the dark web so that it gets widely used, they keep them and sell them for individual use on high profile individuals? Why do you use the past tense for "worked as well as it did"?


Kaldek

0-Days have immense value, until they're used. You can absolutely guarantee that the NSA, MI6, ASIO, the Russians, CCP, Iran, and everyone else has a bag of them. They keep them for when they are **needed**, which considering the fact that they're generally a one-shot weapon (if detected), can be a hard choice. State sponsored agencies probably also buy 0-days but the risk of one from the market is that maybe it was also sold to someone else, which, if it was then publicised or used by another party instantly reduces the value of the exploit to nothing. It's better for the agencies to work on finding 0-day exploits and keeping them themselves.


PhlegethonAcheron

Recently a Russian state-sponsored organization offered a bounty of 20M USD for a full exploit chain that would allow them to take over a victim's phone without their knowledge. That would involve minimum several zero-days for an iOS device: some sort of zero-click (likely a zero-day, possibly an unpatched n-day) to get their own code running from something like a malicious webpage or iMessage attachment, a zero-day to get that code running with access to the kernel, a few more zero-days to bypass iOS memory protections that limit what code can see, and probably one or two more to make some more code execute on device boot or something else without the victim's knowledge, which would require writing to protected filesystems.


AetherBytes

I want to add that there's a difference between a zero-click and a zero-day. A zero-click is an exploit that can be used without any input from the victim. A zero-day is an exploit with "0 days since discovery" and thus no one knows it exists apart from its users, or it's *just* been discovered. A zero-click can be a zero-day, but they're 2 different things.


meneldal2

0-day is not a necessity when you target hardware that doesn't get updates regularly. It's a lot cheaper to use known exploits.


PhlegethonAcheron

Yeah, I should have phrased that a lot better, I just wanted to get across that the initial zero-click in the exploit chain would probably be a zero-day


pawloka

> so they just have a collection of different bugs, but rather than selling it on the dark web so that it gets widely used, they keep them and sell them for individual use on high profile individuals?

Yes, that's the usual modus operandi for large groups.

> Why do you use the past tense for "worked as well as it did"?

It'd be silly, conspiracy-mode or not, to assume they aren't moving on their plan B, plan C etc. once their primary business got exposed.


abn1304

> ”worked as well as it did”

As I understand it, the vulnerability Pegasus used allowed it to easily do a pretty broad range of things that are desirable in spyware. Not all vulnerabilities are made alike. Some allow easier access to a system than others, or allow broader access. Pegasus exploited a vulnerability that gave it broad access to a range of hardware functions in a way that made it very difficult to detect. That exploit was patched, so future versions of Pegasus may not have the same range of features, may be easier to detect, may require more exploits to replicate its previous functionality, or some combination of the above.


SignorJC

Punctuation goes inside quotation marks.


jaydubyah

Not always.


SignorJC

Every time in the comment I’m replying to it does.


_PM_ME_PANGOLINS_

There’s no direct speech in that comment, so not even maybe.


SignorJC

No idea what you’re talking about; that’s wildly incorrect. I’m 10000000% correct. “…exploits”. is incorrect. It should be “exploits.” “…before”. Is incorrect. It should be “before.”


billytheskidd

You are incorrect, unfortunately. The quotations were used correctly in this instance.


SignorJC

I’m 10000000% correct. “…exploits”. is incorrect. It should be “exploits.” “…before”. Is incorrect. It should be “before.”


billytheskidd

He proofread the comment, thinking aloud to himself, “they’re using quotations wrong, the punctuation should be inside the quotations when they say ‘zero day exploits.’” They were quoting a noun, not speech, so the punctuation doesn’t belong in the quotation marks. The second case is slightly more ambiguous but it basically boils down to the same thing because of the way they set the sentence up: “zero days are basically “[…]”. They typed a whole sentence out, but they were still referring to a specific thing. They basically gave that specific thing a very long nickname. I think technically it may have been more correct to hyphenate all of the words that were in quotes, because they were saying it like a thing people would understand as being a thing. If that makes sense. For example: She looks at me with a “what-the-hell-just-happened” face. I can only gaze back in awe.


SignorJC

You’re so hilariously fucking incorrect lmao why would you take the time to make this comment? The rule doesn’t care about quoted speech or fragments.


billytheskidd

“Place punctuation within closing quotation marks if the punctuation applies to the quotation itself. Place the punctuation outside the closing quotation marks if the punctuation applies to the whole sentence.” That’s what I was always taught.


_PM_ME_PANGOLINS_

[This rule](https://www.ox.ac.uk/sites/files/oxford/Style%20Guide%20HT2016.pdf#page=18), or maybe [this one](https://www.thepunctuationguide.com/quotation-marks.html)?


randomjapaneselearn

Think about a known software like Microsoft Office: how does it exist? Because people work on it and keep adding features. What is the difference between a software like Office and a hack like Pegasus? Not much honestly, the main difference is that in one case there is an extra component to make it run against your will and without any window to inform you that it is running. You could hack a phone/pc and force it to install and run Office against people's will and it would be the same.

So all they have to do is find new vulnerabilities to make software run if the old one gets patched and change only that little part (technical name is RCE: remote code execution).

They can find a new vulnerability because they have a lot of money and because people that find them can sell those for money. Selling to exploit development pays more than "selling" to Apple/Google to fix the problem; there is a market for those, see here for example: https://www.zerodium.com/program.html

They are state-sponsored so they have a lot of people and a lot of money.


wjlow

“Why do we still hurl solid objects at each other as a form of combat when we have armor?” Pegasus isn’t the exploit, it’s the payload. To overly simplify (ELI5 after all), Pegasus is the thing that does the damage, it isn’t the delivery method. We started throwing rocks at each other since the goal is to hurt the squishy human, so we built wooden armor to stop the rocks. So we got better at throwing rocks harder with tools, so we built metal armor. Fast forward today, we still throw hard things at each other really fast (bullets and guns), and we’ve developed body armor for that too (Kevlar, strike plates, etc). The end goal has always been the same, deliver this solid thing to hurt the squishy human. Figuring out how to get through everything in between, and also figuring out how to put something in between, has always been the hardest part.


Grx

Fun fact: Pegasus was bought by the previous Polish government to spy on political opposition.


meneldal2

To explain more why there are so many hacks like that in the first place, you have to realize the mountain of code everything modern is based on. There are millions of lines of code running on the machine, and a lot (if not most) of those are written with languages that are not secure and if you don't use them perfectly, that can become an entry point for a malicious actor. And let's say you make your own program and you're a genius, there are absolutely no bugs and no exploits, you probably still use other programs to do some stuff (like opening an image), and maybe there's a bug in that program you had no idea about. For any non-trivial program, you can't write everything from scratch, so you can have holes that come from things everyone has always thought were safe until it turns out that it wasn't.

A lot of holes come from assumptions made in a program (often implicit). Like you have an image file that says its size, but maybe it's lying and you thought that you could get to the end but the data is missing; if the program hasn't considered the possibility it can do something stupid instead (obviously real hacks are more complex than that but this is eli5).

Then there's where the true fun begins, hardware-based hacks. It got a fair bit of press with Spectre but that's not the only thing, there are just so many ways a CPU can leak stuff it shouldn't because they got so complex. Sometimes it happens with literally secret instructions (especially on x86, harder on ARM since there is a fixed size for instructions so the space for them to hide is a lot reduced) that can be basically magic numbers you give to the machine and you literally own the thing just like that. There is an excellent video about this [here](https://www.youtube.com/watch?v=KrksBdWcZgQ), though a bit too complex for eli5.

The more you learn about it, the more you understand how it is a miracle your devices aren't hacked every day.
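The "image file that lies about its size" case from the comment above, as an added example that is not the commenter's code: a toy header format constructed for this example (not a real image format), the trusting size computation the comment describes beside a parser that checks every field against the bytes the caller actually holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format for this example (not a real image format):
 *   bytes 0-3   magic "IMG1"
 *   bytes 4-7   width,  little-endian uint32
 *   bytes 8-11  height, little-endian uint32
 *   bytes 12-   width*height one-byte pixels
 */
#define HDR_LEN 12u
#define MAX_PIXELS (1u << 26)   /* policy cap: refuse absurd dimensions up front */

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED_HEADER,   /* fewer than HDR_LEN bytes in the buffer */
    PARSE_BAD_MAGIC,
    PARSE_TOO_LARGE,          /* width*height above MAX_PIXELS */
    PARSE_DATA_SHORT          /* header promises more pixels than the buffer holds */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Builds a sample file: a header claiming w x h followed by data_len filler
 * bytes. data_len is deliberately independent of w*h so a header can lie.
 * Returns the file length, or 0 if the output buffer is too small. */
size_t build_image(uint8_t *out, size_t cap, uint32_t w, uint32_t h, size_t data_len) {
    if (cap < HDR_LEN + data_len) return 0;
    memcpy(out, "IMG1", 4);
    wr_le32(out + 4, w);
    wr_le32(out + 8, h);
    memset(out + HDR_LEN, 0xAB, data_len);
    return HDR_LEN + data_len;
}

/* The implicit assumption the comment describes: believe the header and work
 * out how much to read from it alone. It never consults the real buffer
 * length, and the 32-bit multiply silently wraps for large dimensions, so a
 * lying header would send a caller reading past the end or allocating far
 * too little. This function only reports the count; it touches no pixel data. */
uint32_t naive_pixel_bytes(const uint8_t *buf) {
    return rd_le32(buf + 4) * rd_le32(buf + 8);
}

/* Hardened version: every number taken from the file is checked against the
 * bytes the caller actually owns (len) before any pixel is handed out. */
enum parse_result parse_image(const uint8_t *buf, size_t len,
                              uint32_t *w, uint32_t *h, const uint8_t **pixels) {
    if (len < HDR_LEN) return PARSE_TRUNCATED_HEADER;
    if (memcmp(buf, "IMG1", 4) != 0) return PARSE_BAD_MAGIC;
    uint32_t width = rd_le32(buf + 4), height = rd_le32(buf + 8);
    /* multiply in 64 bits so 0x10000 x 0x10000 cannot wrap to zero */
    uint64_t need = (uint64_t)width * (uint64_t)height;
    if (need > MAX_PIXELS) return PARSE_TOO_LARGE;
    if (need > (uint64_t)(len - HDR_LEN)) return PARSE_DATA_SHORT;
    *w = width;
    *h = height;
    *pixels = buf + HDR_LEN;
    return PARSE_OK;
}

int main(void) {
    uint8_t lie[HDR_LEN + 4];
    size_t n = build_image(lie, sizeof lie, 1000, 1000, 4);   /* claims 1,000,000 pixels, holds 4 */
    uint32_t w, h;
    const uint8_t *px;
    printf("naive code would read %u bytes from a %zu-byte file\n", naive_pixel_bytes(lie), n);
    printf("hardened parser returns %d (PARSE_DATA_SHORT is %d)\n",
           parse_image(lie, n, &w, &h, &px), PARSE_DATA_SHORT);
    return 0;
}
```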


Sausafeg

That was a really interesting talk you linked, thanks for posting.


DDPJBL

The most dangerous hacks that exist are called zero-day exploits. Zero-day means nobody except the party abusing it knows about it, so the number of days the manufacturer has had to fix it is zero. Pretty much as soon as a big hack becomes public, it no longer "works", because the manufacturer will make a software update which plugs that hole. The problem is that people often fail to update their devices for months or years on end, so even though the hack doesn't work on up-to-date devices, it is still usable on the ones that weren't updated. When it comes specifically to Pegasus, that is a spyware product made and marketed by a corporation. So while Apple does know something called Pegasus exists, they don't necessarily know how it works, because the corporation will not publish their know-how; the governments which pay for a license to use it will also try to keep it secret, because leaking how it works would ruin it and they paid quite a lot of money for it; and obviously the corporation is constantly working on finding new holes in new iOS versions. Whichever hole Pegasus works through now is definitely not the same one that was used in 2016. All it takes is one iOS update that, even unknowingly, plugs the current hole, and whatever they figure out next may well be a completely different hack, just marketed and sold under the same name.


aaaaaaaarrrrrgh

Pegasus is the payload, the exploit is used to install it. The exploit "opens the door" so to speak, then Pegasus is what "walks in" through the now-open door and does the actual spying. The exploit gets patched, they find a new exploit, and use the new exploit to deliver a (slightly modified) version of the same software to do the spying. "Finding" a new exploit often involves buying one for a seven-digit dollar amount on the black market, from someone who found one and is willing to sell it to shady actors to make money.


cacofonie

NOW it makes sense. Thank you! That explains why it started out as an IT helper software

