What's Needed to Report Your System Getting Hacked?

kysstfafm · July 30, 2021, 7:47pm

Continuing the discussion from "They managed to hack the AppVM Whonix-gw-15 on one of my secure Qubes install":

Ask the original poster if they’d like to file an official Project QubeBook report? There will have to be a place to officially file, although it also might want for some ground rules…

Things that help the community make sense of things. How much detail does the poster have? What specialty arrangements have they been playing around with on their system (is the system plain vanilla non-beta Qubes OS with no dual or multi-booting going on)? What is their best description of what they experienced that made them think (no judgement just gathering intel) that they had been hacked.

Lots of people may assume hack when it was merely something simpler or even merely transient (limited MITM like behavior, test traffic injections).

Moderator Notice

Please do not send anything to the official Qubes Security Team unless you can demonstrate an actual security vulnerability in Qubes OS. That email address is intended for responsible disclosure by security researchers and anyone else who finds a legitimate security vulnerability. It is not for anyone who suspects they’ve been hacked.

adw · July 30, 2021, 11:48pm

I have no idea what this is referring to. What is “an official Project QubeBook report”?

Sven · July 31, 2021, 1:05am

@adw wrote:

What is “an official Project QubeBook report”?

I suspect word play.

kysstfafm · July 31, 2021, 1:38am

I suppose that the community could insist upon a bare minimum for making a report (So, you think that you got hacked? Here’s what we need you to do to help all of the community…gather details BEFORE removal of evidentiary means)?

Not to throw too much fuel upon this fire but in this case we might insist that the poster mention (helping to clarify the extent of any perceived invasion, like how it’s recommended to report UFOs?):

Believed that someone had sufficient access to the whole screen to read text in any window (does Intel ME allow this? unknown but likely, X11 in dom0 or the new GUI VM?)
Believed that someone had total control over their keyboard (hate to break it to people but USB is not as clear cut secure as some would have thought it to be, particularly with wireless USB devices)
Believed that someone had total control over their mouse (same as keyboard)
Believed that someone had total control over their network connection (Router just as likely compromised as the associated Qubes system, allows for MITM?)
Believed that someone had total control over their HDD (SATA vs. USB? shared OSes?)

Or forget the whole thing & let the reports fly how they may?

Quser59 · July 31, 2021, 1:57am

Not to add to the numbers, but isn’t this a separate topic?
Current reporting procedure is stated here:

If you believe you have found a security issue affecting Qubes OS, either directly or indirectly (e.g., the issue affects Xen in a configuration that is used in Qubes OS), then we would be more than happy to hear from you! Please send a PGP-encrypted email to the Qubes Security Team. We promise to take all reported issues seriously. If our investigation confirms that an issue affects Qubes, we will patch it within a reasonable time and release a public Qubes Security Bulletin (QSB) that describes the issue, discusses the potential impact of the vulnerability, references applicable patches or workarounds, and credits the discoverer.

Discussion on whether this can be improved is a topic of its own (@deeplow can you split the topic?). Forgive me if I am jumping the gun here, just trying to keep the forum navigable (I’m curious now as to people’s thoughts on the reporting process).

P.S (on-topic):
Is ‘STMAN’ on the forum? I didn’t gather much from his twitter feed, only that he was allegedly going to post the logs, I have seen nothing since then - did anybody get to the bottom of this alleged attack?

newbie · July 31, 2021, 5:19am

as for myself, i posted my experience,
most importantly, so that everyone can learn and to be aware,
that such thing exist, and it may happen,

and specifically, for the benefit of the Qubes itself, and the forum,

also, the solution can be helpful for everyone,
that in case, experience the same thing.

i believe that, the forum are intelligent enough,
to differentiate, which one really seeking for solution,
also, which one only polluting.

besides, the one who get hacked, mostly are newbie in security,
and, the one who hack, definitely are expert in hardware, IT, networking,
especially, if he can hack Qubes,

how do we expect, an expert to left evidence,
also, how do we expect, a newbie to capture evidence, besides in detail,
maybe he only know, how to create VM,
therefore, all evidence he provides, can be simply denied,

in that case, the victim maybe withdraw before sending anything,
and the OS, lost potential user,

therefore, why don’t we just open arm widely,
and simplify everyone, who come seeking for help, and solution,

since, Qubes is for security, and not everyone, take security seriously,
therefore, anyone who come, seeking for security, are friends.

but, the email, also a good option.

deeplow · July 31, 2021, 4:04pm

Like this? Suggestions for a better title?

adw · July 31, 2021, 4:08pm

Please do not send anything to the official Qubes Security Team unless you can demonstrate an actual security vulnerability in Qubes OS. That email address is intended for responsible disclosure by security researchers and anyone else who finds a legitimate security vulnerability. It is not for anyone who suspects they’ve been hacked.