"They managed to hack the AppVM Whonix-gw-15 on one of my secure Qubes install"

On 28 June, Frédéric JOUVIN, a researcher on IC security flows, P2P & mesh networks, FPGA & microprocessor architectures, hardware hacker, electronician and low-level programming engineer, posted on his Twitter:

@Snowden @QubesOS FYI - As Edward knows it, I am targeted by the highest level of states cyber weapons thanks to Amazon and Postal Operators of 8 countries involved in Antitrust complaint I deposited against them. I just wanted to inform you that “they” managed to hack the AppVM Whonix-gw-15 on one of my secure Qubes install. It seems their attack did not propagate to other qubes. I reinstalled the whonix-gw-15 template and everything went back to normal.

see the post here

Does anyone know more about this attack? How did he detect it? :smiley:


I don’t know any details, but still it would be nice to at least speculate how on earth THEY could infect a template? What could be possible attack vectors? Most definitely this would involve software updates, so some sort of supply chain attack.

QSB or it didn't happen :slight_smile:


His tweet is not clear. He says “AppVM Whonix-gw-15” so maybe he means an AppVM based on Whonix-gw-15 template. In that case reinstalling the template was overkill, as he could have deleted and created a new AppVM.


First step I would have taken would be to power down, pull the drive to a forensics machine and make an image of the drive with dd. Then I would invest a large amount of time doing at least a basic analysis that backed up my position, as a precursor to making the image of the compromised VM available to the sec research community.

What I would not have done is tweeted “this happened” and then re-installed, erasing any hope of understanding how this happened and fixing the alleged vulnerability for everyone else in the world.

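As an added illustration of the imaging step described in the post above (an example script written for this page, not something the poster or the Qubes project published): a POSIX shell function that images a block device with dd and then verifies the copy by comparing the SHA-256 of source and image. The device path, the output path and the requirement that the forensics machine has not mounted the drive are assumptions of the example, not details from the thread.

```shell
#!/bin/sh
# Added example, not from the forum thread. Forensic raw imaging with dd
# plus hash verification. Assumptions: the caller supplies the source
# device and destination path, and the source is NOT mounted on the
# forensics machine (a mounted filesystem changes under dd).

set -u

# image_device SRC DEST
#   Copies SRC to DEST block-by-block. ibs=512 with conv=sync keeps every
#   input block at its original offset (unreadable sectors are padded with
#   zeros instead of being dropped), and conv=noerror keeps going past read
#   errors so a damaged disk still yields a complete, offset-correct image.
#   dd's own record counts and any read errors go to DEST.dd.log, and the
#   SHA-256 of source and image go to DEST.sha256 in sha256sum -c format.
#   Prints "OK" and returns 0 when the hashes match; non-zero otherwise.
image_device() {
    src="$1"
    dest="$2"

    # Evidence must never be silently overwritten.
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing image: $dest" >&2
        return 2
    fi

    # Linux-specific check: refuse to image a device that is mounted here.
    if grep -qs "^$src " /proc/mounts; then
        echo "$src is mounted; unmount it first" >&2
        return 3
    fi

    dd if="$src" of="$dest" ibs=512 obs=4M conv=sync,noerror \
        2>"$dest.dd.log" || return 4

    # Hash the source and the image independently and record both.
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s  %s\n' "$src_sum" "$src" > "$dest.sha256"
    printf '%s  %s\n' "$img_sum" "$dest" >> "$dest.sha256"

    if [ "$src_sum" = "$img_sum" ]; then
        echo OK
        return 0
    fi
    echo "hash mismatch: source=$src_sum image=$img_sum" >&2
    return 5
}

# Usage on a real case (device name and path are hypothetical):
#   image_device /dev/sdb /mnt/evidence/qubes-disk.raw
```

Two practical notes. Later integrity checks are `sha256sum -c qubes-disk.raw.sha256`, so hash the image before any analysis tool touches it. On a default Qubes install the raw disk is a LUKS container, so this image is what you preserve; the individual VM volumes (including a template's root volume) only become visible after unlocking it and activating the LVM thin pool, and that should be done on a separate working copy of the image, never on the original.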

@noti2p I find posts such as yours highly problematic.

What's the news? It happens to me all the time… at the template level too.

This you better back up with lots of details if you want to be taken seriously.

The new thing is through the Video API.

Can you be more specific? Which API exactly? What is happening? References?

The only anonymity you MIGHT get is through p2p’s.

What does anonymity have to do with this topic? We are talking about compromised templates and if/how such a thing might happen.

MuWire

… helps with any of the above how?

I am trying very hard to be open to the possibility that you have something of value to share, but what you've written so far makes that extremely difficult.


he talked so much that he ended up saying nothing…

please @noti2p be more specific and share with us your knowledge…


I marked i2p's post as spam, because they only plugged their network scheme without adding value to the topic.


This should be standard procedure for everyone who may have been owned; now he is having problems with the VM…




How to hack Qubes:

  1. Keep screen unlocked and walk away

In seriousness, if something was hacked at a sophisticated level, we should not be surprised. Qubes does more to acknowledge their possibility and protect against them compared to standard Linux distros, but should not be considered immune to all forms of attacks. Those familiar with security already accept that vulnerabilities exist and the best defense is to find them, acknowledge them, and fix them.

That said, many things can go wrong with an install or intermittent network conditions that make you think your machine is “hacked”.


Taken from the screenshot it could be a man-in-the-middle attack “only”.
No AppVM needs to be compromised for this to happen.
Workaround: use another (open wifi) internet connection, socks/vpn bouncer, etc.


Yeah, if you think about intrusions hard enough, you will eventually see one.


Starting a news post on the site with “Occasionally fuckups happen”

Liking the personality on display here. Maybe @adw can bring back some of Joanna’s flair for QSBs and other announcements?

could you stop spamming? this is so annoying, hecking textbots.

Not really my style, sorry. :grin:


I was hoping to see a critical QSB begin with a string of expletives, just to emphasize the dire situation. I’ll just have to write my own Joanna QSB fanfiction then.


“They” talk a lot of SEPARATION but when it comes to implementation… “they” walk away and sell-out.

The best SEPARATION at the template level is achieved with GUIX OS, Silver Blue or NixOS. You should also have encrypted BTRFS, XFS or Hammer file systems. I get hacked everyday with Qubes… but Mr Censor (Danish Sven) wants proof from an unpredictable build. I expect him to block this posting also to secure a high paying gig with Facebook or Twitter.

I don’t know if this message was blocked or not.

The problem is that anyone can say - “I've been hacked.” In most cases, it's simply not true. I've been involved in a number of investigations and in most cases, the reporter is simply mistaken.

In the case of Qubes, “I've been hacked” could be true, but not particularly important. I mean that if a standard qube is hacked, the isolation given in Qubes will reduce the impact. There are some steps that users can take to enhance the protections given by Qubes - multiple qubes, disposables, firewall protections, template configurations, limiting installed applications, good isolation within security domains, and so on.

In most cases in Qubes, “I've been hacked” will be relatively unimportant, and no more concerning than being hacked when running a live distro.

The important cases would be where the claim is either intra-qube or an attack on dom0. Both of these are possible. But a claim that either has taken place has to come with some evidence. (The fact that the build is not reproducible is unimportant here.) You may not want to provide evidence publicly - the right thing to do then is to send detailed information to the security team, and say that you have done so. You should send a PGP encrypted email to security@qubes-os.org but the team will expect detail.

The detail might include details on your Qubes configuration, templates and qubes, installed applications, and so on. You should provide information about how you think you may have been hacked - e.g. “I visited this website and clicked on this”, or “I opened an attachment from this email”. You should also provide information about why you think you have been hacked, or what the security fault might be. This might range from “my mouse clicked on a new tab, and a web address was entered, but not by me”, to “All the money was taken from my bank account, and the only keys were stored in my offline vault”, with variations in between.

This might sound like a lot of work, but remember, you are a) asking to be taken seriously, and b) asking other people to put in their time to help you. The best detail would allow the team to reconstruct the issue for themselves.

In some cases, there may be evidence of hacking, but it is irrelevant to Qubes. For example, if a user reported that material entered into the vault was appearing online, it could be that the keyboard has been compromised with a keylogger, hardware or software, or that someone has set up a camera over the keyboard and is capturing enough detail to reconstruct what has been typed, or that someone is keyjacking, or that someone has access to the computer, or that… Asking for evidence is not unreasonable - after all, it's you that has made the claim and hopes to be taken seriously.


It was only hidden. Users can still see it if they click “view ignored content”.

Really great response. Do you mind if I make a canned response out of it and use it in similar situations?

