Security Encryption Youtube

Watch a Cat Video, Get Hacked: the Death of Clear-Text 166

Posted by Soulskill
from the internet-doomed dept.
New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.
  • by sabri (584428) on Friday August 15, 2014 @03:37PM (#47681105)
    And evil doesn't cover it.
  • https is useless (Score:5, Insightful)

    by bbn (172659) <baldur.norddahl@gmail.com> on Friday August 15, 2014 @03:38PM (#47681107)

    What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

    • Re:https is useless (Score:5, Interesting)

      by HaeMaker (221642) on Friday August 15, 2014 @03:58PM (#47681263) Homepage
      Correct. What makes anyone think NSA agents aren't working at Google, Microsoft, Verisign, etc.? Does anyone check who actually signed the certs? Almost all devices trust a few DoD root certs by default. Going to slashdot is safe? No SSL here. Do any of these GIFs, JPGs or PNGs contain exploits? If they want you, they can't get you?
      • Re: (Score:3, Interesting)

        by grcumb (781340)

        Going to slashdot is safe? No SSL here.

        GCHQ has already spoofed Slashdot [techdirt.com] in the past. So no, going to Slashdot is not safe.

        If they want you, they can't get you?

        All right then. Let's all just roll over and die, why don't we?

        Look, I get your cynicism, but don't let it run to fatalism. There are things you can do:

        • Stop making it easy on them. Stop using Windows. Seriously [imagicity.com]. Understand that what's convenient for you is often convenient for them.
        • Stop using proprietary software at all. Yes, yes, HeartBleed nothing is safe bla bla bla. I'm not talking about safe, though; I'm talking a
        • by Altrag (195300) on Friday August 15, 2014 @07:28PM (#47682461)

          What's inconvenient for them is often impossible for us. Try running most AAA games under Linux. A few will come with ports, and a few more will deliver a port 2-3 years later when nobody cares anymore. The vast majority are either Windows-only or Windows+Mac. Indie games tend to be somewhat better for this but most casual gamers just want the big name games.

          And it gets even worse in a business environment where you often have software restrictions imposed on you by corporate policy and frequently by the fact that you need to interact with vendors/customers who use Windows-only products.

          "Just stop using Windows" is a stupid catchphrase. It's like trying to end starvation by saying "just give them food." Actually it's worse because food is a pretty good solution to starvation whereas it's pretty unproven that FOSS software is "objectively" safer than closed software (I mean it's probably true, but until Linux becomes a significant hacking target, we can't say definitively that the lack of exploits is due to better software rather than due to fewer people attempting to exploit it.)

          Similarly with Facebook. It's the "state of the art" in social media because of absolutely nothing to do with privacy protection. In fact a lot of its popularity was initially based on its _lack_ of privacy considerations -- "Facebook stalking" and such activities. I mean that probably wasn't the main driving factor (being fresh and simple right around the time that Myspace was bloating itself out of existence is likely the biggest contributing factor. I doubt FB would have gotten as big as it did if Myspace had stuck to being a site people actually enjoyed using rather than letting themselves be overrun by commercial interests.)

          And lastly protocols. Protocols are king. If TOR or similar ever comes out with a product that you can just install and "it works," then we might be getting somewhere. I mean "it works" as in it starts up with Windows, and immediately funnels all traffic through its own pipes and doesn't significantly impact the speed of watching a cat video on Youtube and basically in all ways stays the fuck out of the way. If it can get to that level, we might see some better adoption. As long as it's something you have to consciously connect and disconnect and slows down your connection by 50% and whatever else, it won't pick up widespread adoption. Look how long it's taking IPv6 to get off the ground and it's got built-in support by every major OS and network equipment provider! (Disclaimer: I haven't used TOR myself in a few years so I don't know how close to this ideal it's gotten.)

          At the end of the day, the real problem isn't Windows or lack of encryption or any other technical issue -- the problem is that 90% of the population doesn't care. Or I should say, doesn't care _enough_. We care enough to sign online petitions and shit that's easy to do in the hopes that someone who has more time on their hands will be able to make a difference (openmedia.ca up here in Canada is a great example of an organization that has taken the "enough" qualifier to heart and used online petitions to make significant changes in the way our government treats privacy and other online issues.)

          But on their own? Most people are too busy to worry about things that have a very low chance of ever impacting them directly. It's one thing for the NSA to tap a billion email accounts. It's another for them to filter through that data and pick targets. Yes everyone gets uppity when they pick a target wrong, but unless that target happens to be "me", most people have jobs and families and other things to do than worry about it for longer than it takes to exclaim "damned go'ment!"

          TL;DR: "just fix everything" is great in principle, pretty much impossible in practice.

          • by grcumb (781340)

            TL;DR: "just fix everything" is great in principle, pretty much impossible in practice.

            Okay, so go back to the top of my post and read it again for my response to 'It's too hard.' :-)

            If you think that 'just fix everything' is what I'm saying, then you haven't even done me the justice of thinking about what I'm suggesting. I am saying that we geeks should know better, that we should do what we did in the 80s and 90s and turn our collective back on the well-trodden path and build our own internet, only this time with hookers and blackjack. Then I offered a few key suggestions about things we as

            • by Altrag (195300)

              I'm not sure which well-trodden path you're talking about.. the only significant change in "the internet" in the 80s and 90s was the introduction and popularization of the web, the latter of which really only gained ground when it became available out of the box with Win95. Sure there was AOL and CompuServe and whatnot but those weren't taken over by geeknet 0.1, they were taken over by easy access to Internet Explorer.

              And yes, "we" as geeks should and mostly do know better.. that's why things like TOR exis

              • Web admins in particular should turn on https by default since there's no reason not to unless you're intentionally being shady.

                I agree that hosting providers ideally ought to offer HTTPS. But IE and IE wrappers on Windows XP don't support Server Name Indication (SNI), a TLS extension that allows the use of name-based virtual hosting. Nor do Android Browser and Android Browser wrappers on Android 2.x. Both of these SNI-ignorant browsers have reached their end of support, but until they actually pass out of use, hosts still need to accommodate them. This means most shared hosts will continue to require customers to upgrade to a VPS

            • by hairyfeet (841228)

              how to write a Linux virus in 5 easy steps [geekzone.co.nz] using the exact same tricks used to infect Windows. Say that is only hypothetical? How about some real world pwning like kernel.org [slashdot.org] and it's not a fluke [slashdot.org] by any means [theregister.co.uk]. Oh and what happens when the "secure" Linux kernel gets used by a target worth hitting? A million plus infected systems [techworld.com] that is what.

              Linux "security" is security by obscurity, simple as that. The "many eyes" myth was proven false by Heartbleed which sat there for fricking years without being caught, t

          • Try running most AAA games under Linux. A few will come with ports, and a few more will deliver a port 2-3 years later when nobody cares anymore. The vast majority are either Windows-only or Windows+Mac.

            A lot don't even run under Windows because they're made for consoles. This is especially true of "party" games whose draw is offline multiplayer with two to four gamepads and a single TV.

            Look how long its taking IPv6 to get off the ground and its got built-in support by every major OS and network equipment provider!

            I guess a lot of that is because cities make it too hard to start a competing ISP.

    • Re:https is useless (Score:5, Informative)

      by heypete (60671) <pete@heypete.com> on Friday August 15, 2014 @04:00PM (#47681287) Homepage

      What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

      Sure, they could, but I doubt they are.

      If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

      While typical users won't notice, there's still plenty of risk to getting caught, particularly when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile sites "pinned" and will report back to Google if bogus certs are being used (they identified a bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives make it easier to detect if unexpected certs are showing up.

      Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly, but each time they do the risk to their entire business increases.

      I suspect the government would much prefer to do things sneakily in the shadows, rather than involving major CAs in such a risky role.

      • by PopeRatzo (965947) on Friday August 15, 2014 @04:57PM (#47681721) Homepage Journal

        If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

        Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?

        I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help the government spy on people because then all their customers would cancel their service.

        No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

        • No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

          Alright. What do you propose?

          Fundamentally, encrypting all traffic all the time requires a public key infrastructure and the only way we know how to build one that works is to have trusted third parties. You trust your browser, for example. Your browser maker outsources ID verification of websites to CAs.

          Ultimately SSL cannot survive being explicitly banned or subverted by the state. It just

          • by PopeRatzo (965947)

            No system can survive explicitly being banned by the state.

            Then we need to see if the state can survive banning privacy.

      • "browser vendors will revoke their roots."

        Oh come on who are these "browser vendors"? Microsoft (definitely in the NSA's pocket), Apple, yup owned... Google? definitely owned as well... Mozilla? one is also left wondering about them as well... Opera?

        at least with Firefox, we have source code...

    • What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

      That's not how it works. But of course, if they are inside Google, and Microsoft (and they are) then you're screwed. But, in my experience with keys, these sorts of attacks have to be very directed. You can't just "Hack everyone" it's an exploit you'd have to hack on an individual basis. Usually because most sites, and client computers are such unique devices. Most corporate websites have been developed over decades and are a mess of hundreds of different programmers over years. I'm involved peripherally in

      • by jedidiah (1196)

        Security is fine if you are no one of interest. It doesn't matter if it's physical security or computer security. Once you are important enough for anyone to be interested in, most security measures are completely meaningless. This is just the harsh reality.

        For most of us, security measures just dissuade the opportunistic idiot trying for an easy score with no particular interest in you as an individual.

        Once you've managed to attract unwanted attention, you will have to engage more serious security measur

      • client computers are such unique devices

        If significant subsets of PCs aren't monocultures with the same vulnerability, then how do worms like Blaster and Slammer spread and leave behind hooks to form botnets?

    • Re:https is useless (Score:4, Informative)

      by AmiMoJo (196126) * <mojo@NOspAm.world3.net> on Friday August 15, 2014 @04:32PM (#47681553) Homepage

      Chrome pins Google's certs, so if anyone did try to make new fake ones the browser would flag it up. I believe there is a plug-in for Firefox that alerts you when certs change too.

      This vulnerability has been known for a long time.

      • I believe there is a plug-in for Firefox that alerts you when certs change too.

        Certificate Patrol [mozilla.org] is an example of such extension.

        It does detect strange changes in certificate authority (for example when a man-in-the-middle attacker is using a bogus certificate signed by a rogue CA or by stolen keys from some CA).
        It also detects un-called-for changes in certificate (for example, the actual authority has been coerced by the government to sign their spy-server keys, and thus you get a new legit-looking certificate, even if the old hasn't been revoked and is still well within its validity
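The two alert cases described in this comment (a different CA signing the new certificate, and a same-CA replacement while the old certificate is still far from expiry) can be written down as a small trust-on-first-use classifier. The following is an added illustration, not Certificate Patrol's code; the 30-day renewal window is an assumed policy and all certificate records are constructed sample data.

```python
"""Trust-on-first-use certificate change classifier.

Added illustration of the behaviour described in the comment above; it is
not the extension's code. The last accepted leaf certificate is pinned per
host and each newly presented certificate is classified against that pin.
The 30-day renewal window is an assumed policy and every certificate
record below is constructed sample data (fingerprints are placeholders).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CertRecord:
    fingerprint: str        # hex SHA-256 of the DER leaf certificate
    issuer: str             # issuer DN as presented in the chain
    not_before: datetime
    not_after: datetime


# Assumed policy: a replacement this close to expiry is a routine renewal.
RENEWAL_WINDOW = timedelta(days=30)


def classify_change(old, new, now):
    """Verdict for the transition old -> new observed at time `now`.

    first_seen, invalid_dates, unchanged, issuer_changed (rogue or
    stolen-key CA), renewal, premature_replace (same CA, old cert still
    far from expiry: the coerced-CA case).
    """
    if old is None:
        return "first_seen"
    if not (new.not_before <= now <= new.not_after):
        return "invalid_dates"        # reject outright, whatever the pin says
    if new.fingerprint == old.fingerprint:
        return "unchanged"
    if new.issuer != old.issuer:
        return "issuer_changed"       # different CA signed the new leaf
    if old.not_after - now <= RENEWAL_WINDOW:
        return "renewal"              # expected: old cert was about to expire
    return "premature_replace"        # same CA, old cert nowhere near expiry


class TofuStore:
    """Pins the last accepted certificate per host name."""

    ACCEPT = {"first_seen", "unchanged", "renewal"}

    def __init__(self):
        self._pins = {}

    def observe(self, host, cert, now):
        verdict = classify_change(self._pins.get(host), cert, now)
        # Alerts never overwrite the pin, so the operator can still compare
        # the suspicious certificate against the one that was trusted.
        if verdict in self.ACCEPT:
            self._pins[host] = cert
        return verdict

    def pinned(self, host):
        return self._pins.get(host)


# Constructed sample certificates; the observation time is fixed as well.
NOW = datetime(2014, 8, 15)
PINNED = CertRecord("00" * 32, "CN=Example CA A", datetime(2013, 9, 1), datetime(2014, 9, 1))
RENEWED = CertRecord("11" * 32, "CN=Example CA A", datetime(2014, 8, 10), datetime(2015, 8, 10))
ROGUE_CA = CertRecord("22" * 32, "CN=Other CA", datetime(2014, 8, 1), datetime(2015, 8, 1))
NOT_YET = CertRecord("33" * 32, "CN=Example CA A", datetime(2014, 9, 1), datetime(2015, 9, 1))
LONG_LIVED = CertRecord("44" * 32, "CN=Example CA A", datetime(2014, 1, 1), datetime(2015, 6, 1))
EARLY = CertRecord("55" * 32, "CN=Example CA A", datetime(2014, 8, 10), datetime(2015, 8, 10))


def demo():
    """Walk two hosts through every verdict; returns the verdict sequence."""
    store = TofuStore()
    a, b = "www.example.com", "mail.example.com"
    return [
        store.observe(a, PINNED, NOW),      # first_seen
        store.observe(a, PINNED, NOW),      # unchanged
        store.observe(a, ROGUE_CA, NOW),    # issuer_changed, pin kept
        store.observe(a, NOT_YET, NOW),     # invalid_dates, pin kept
        store.observe(a, RENEWED, NOW),     # renewal: 17 days left on PINNED
        store.observe(b, LONG_LIVED, NOW),  # first_seen
        store.observe(b, EARLY, NOW),       # premature_replace: ~290 days left
    ]


if __name__ == "__main__":
    print(demo())
```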

    • by drolli (522659)

      They don't have to hand over the keys. Just get another certificate from another vendor using fake identities.

  • by SQLGuru (980662) on Friday August 15, 2014 @03:38PM (#47681111) Journal

    This is one of the reasons that I don't use an admin/root level account for normal activity. If I need those privs, I'll escalate my rights for a single action. While that also won't prevent all hacks, it drastically reduces my exposure.

    • by vux984 (928602)

      This is one of the reasons that I don't use an admin/root level account for normal activity.

      A good practice to be sure.

      While that also won't prevent all hacks, it drastically reduces my exposure.

      Well, at least your device drivers are safe, and it's a little harder for you to join a botnet.

      But pretty much everything you have of value can be accessed from user space, including all your documents. That's generally what identity and data thief hackers (and state actors) want.

      • by SQLGuru (980662)

        They also have a harder time installing executable code.....if my browsing user can't install code, then they've only got memory to play with.

        • by vux984 (928602)

          Not entirely true. It just can't install it in c:\program files or your platform's equivalent. It can drop executables in folders you DO have access to though, and run them from there. And even get them to auto run if it puts the start command in a settings file you can edit as that user.

        • Well, there have been a whole host of attacks associated with vulnerable versions of Flash and Java that could at least cripple a profile. I ran up against one of them around 2010. One of the staff at one of our remote locations suddenly had all their files supposedly disappear, desktop wiped out and the like, and a notification about a ransom if they wanted the files back. The user had no admin privileges, so I checked, and sure enough, the other profiles were untouched. What had happened is the auto updat

        • by sqlrob (173498)

          A shell / powershell script is plain text.

          • by jhantin (252660)

            A shell / powershell script is plain text.

            Well then, the obvious solution is to disable #! recognition and set-executionpolicy restricted, so shell scripts become useless! ... then watch as everything grinds to a screeching halt.

            Oh well, back to the drawing board.

      • by AmiMoJo (196126) *

        Run your browser in a VM, preferably using a different OS to the host. No access to the host filesystem, isolated from the real machine. Then at least only your browser data is vulnerable.

        • Run your browser in a VM, preferably using a different OS to the host. No access to the host filesystem, isolated from the real machine.

          Simply chroot the browser, no?

            It's trivial to step out of chroot. Chroot was not designed for security. It's very similar to cd and getting out basically consists of making a symlink and doing cd. Chroot is for cross-compiling, installing grub, etc. - changing the DEFAULT value of / that your session uses.

            AMD's virtualization is much more appropriate for security, as it's designed to make it such that a guest can't even KNOW whether it's a guest or not, much less escape and access the host system.

            • getting out [of chroot] basically consists of making a symlink and doing cd.

              OK, but - unless I'm missing something - you can't do that while chrooted. A browser running chrooted can't execute code that will make links to "out of chroot".

              • There are several ways. Some use the fact that file handles aren't chrooted. You can, for example, call fchdir() with handle inside the chroot, then chdir(..) several times. If the wrapper changed the working directory of the process before chroot, the escape code needs to fchdir to a directory other than the chroot root, so it'll mkdir first.

                There IS some level of inconvenience to escaping chroot, so there is a degree of security against an unsophisticated attack. I guess it could be compared to lock

  • by XanC (644172) on Friday August 15, 2014 @03:39PM (#47681121)

    ...So why does Slashdot redirect HTTPS back to HTTP??

    • by Anonymous Coward on Friday August 15, 2014 @03:51PM (#47681219)

      because slashdot is not run by tech people anymore, it's just a large ignorant media conglomerate that cares not for its users until it starts to affect the bottom line.

      Besides, enabling https could take minutes of labor time from literally ones of administrators to implement; that's not free, you know

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Simplicity and overhead.

      HTTPS has overhead in encrypting all content. This can be mitigated by processors with AES instruction set, but it still impacts the scalability for the site. Most content on slashdot can probably be cached and thus CPU usage is kept to a minimum as users scale.

      Staying in HTTPS but requesting HTTP resources has to be done carefully to avoid browsers from throwing cross domain violations. It's more trouble than it's worth.

      No one with the know-how and resources to capture your slash

      • by choprboy (155926)

        Staying in HTTPS but requesting HTTP resources has to be done carefully to avoid browsers from throwing cross domain violations. It's more trouble than it's worth.

        I think that is the real crux... I was stunned to recently see that, in a completely clean browser, just going to the Slashdot root page loads 45 third-party domain cookies. That is excluding slashdot.org and dice.com properties....

    • Until very recently, major advertising networks were available only through HTTP, not HTTPS. Only in September of last year did AdSense announce HTTPS support [blogspot.com].
  • https everywhere. https://www.eff.org/https-ever... [eff.org]
    and for those of you wondering why slashdot redirects to http, it could be any number of conspiracy theories but the most obvious: a BigIP appliance controls ssl handoff and they don't have the licenses for every freaking connection.
  • Flash vulnerability? (Score:4, Interesting)

    by Animats (122034) on Friday August 15, 2014 @03:59PM (#47681273) Homepage

    Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash? Who audits that code? Well?

    • by timeOday (582209) on Friday August 15, 2014 @05:15PM (#47681803)
      No, I don't think it's a Flash vulnerability. It is awfully obscured in the article by general hand-waving, but I think the idea here is to trick people into installing an executable that isn't really Flash by causing an executable that presents itself as a Flash update to request installation. Since this happens while they are visiting youtube (with a man-in-the-middle doing the injection), the user may assume it is a legit update and install the malware.

      In other words, Flash and Java are "exploited" only in the sense that people are so used to being pushed security updates, that they may accept a fake update delivered on an insecure connection. Accepting a so-called Flash update from any untrusted site would accomplish the same thing. It really just boils down to the fact that every site is an untrusted site if you're not using https, since you don't know who all is in the middle.

      • by Animats (122034)

        It is awfully obscured in the article by general hand-waving...

        Agreed. Anyone know what kind of exploit this is?

        • by onproton (3434437) <emdanyi@gmail. c o m> on Friday August 15, 2014 @06:30PM (#47682205)
          From the article: "A step-by-step breakdown of how such an attack might occur is as follows:
          1. A target is selected and their name is entered into the Network Injection GUI.
          2. The target’s traffic stream is located based on their ISP’s RADIUS records.
          3. As per the rule on the network injector (as shown in Figure 14), the appliance waits for the target to visit YouTube.
          4. When this traffic is identified, it is redirected to the network injection appliance.
          5. The legitimate video is blocked and malicious flash (SWF) is injected into the clear-text portion of the traffic. (Represented by the kitty skull and cross bones.)
          6. The target is presented with a dialogue to upgrade their flash installation. If this upgrade is accepted the malicious SWF enables the installation of a ‘scout agent’ which provides target validation.
          7. If the target is assessed as correct (i.e., the desired person), and safe for install (not a malware analysis honeypot), then the full agent is deployed.
          8. Surveillance of the target commences."
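Steps 4 to 6 above leave traces a network defender can look for: over clear-text HTTP, a video host suddenly redirects the client elsewhere or serves a Flash object or installer. The following detection pass is an added example, not code from Citizen Lab or from the original post; the pipe-delimited proxy log format, the field names, the host and content-type lists and every sample line are constructed for this illustration.

```python
"""Flag clear-text transactions matching the injection pattern described above.

Added example; not Citizen Lab's code. Scans a constructed, pipe-delimited
proxy log (one transaction per line). Three observable side effects of the
attack are checked, and only over plain http, because an on-path ISP box
cannot rewrite a TLS-protected stream: a video host redirecting to an
IP-literal host, a video host serving active/executable content, and an
installer-like attachment name. All lists and log lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed: hosts that serve video pages and never ship installers themselves.
VIDEO_HOSTS = {"www.youtube.com", "youtube.com"}
# Response types that hand executable content to the browser or the user.
ACTIVE_TYPES = {"application/x-shockwave-flash", "application/x-msdownload",
                "application/octet-stream"}
INSTALLER_NAME = re.compile(r"(flash|update|install).*\.(exe|msi|swf|dmg)$", re.I)
# Constructed log layout; "-" marks an absent value.
FIELDS = ("ts", "scheme", "host", "path", "status", "ctype", "location", "filename")


def parse_line(line):
    """Split one log line into a dict, or return None for a malformed line."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None                      # skip garbage rather than abort the scan
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    return rec


def _is_ip_literal(url):
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(rec):
    """Return the list of reasons this transaction looks like an injection."""
    reasons = []
    if rec["scheme"] != "http" or rec["host"] not in VIDEO_HOSTS:
        return reasons                   # TLS-protected, or not a video host
    if 300 <= rec["status"] < 400 and rec["location"] != "-" and _is_ip_literal(rec["location"]):
        reasons.append("video host redirects to IP-literal host")
    if rec["ctype"] in ACTIVE_TYPES:
        reasons.append("video host served active/executable content")
    if rec["filename"] != "-" and INSTALLER_NAME.search(rec["filename"]):
        reasons.append("installer-like attachment name")
    return reasons


def scan(log_text):
    """Return (line number, host+path, reasons) for every flagged transaction."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((n, rec["host"] + rec["path"], reasons))
    return alerts


# Constructed sample log: a normal page view, then the redirect and the fake
# update (lines 2 and 3), then an HTTPS download and an unrelated site.
SAMPLE_LOG = """\
2014-08-15T15:37:00Z|http|www.youtube.com|/watch?v=EXAMPLE|200|text/html|-|-
2014-08-15T15:37:01Z|http|www.youtube.com|/get_video?v=EXAMPLE|302|text/html|http://203.0.113.7/player|-
2014-08-15T15:37:02Z|http|www.youtube.com|/player/update.swf|200|application/x-shockwave-flash|-|flash_player_update.exe
2014-08-15T15:37:05Z|https|downloads.example.net|/flashplayer|200|application/octet-stream|-|install_flash_player.exe
2014-08-15T15:38:00Z|http|www.example.org|/|200|text/html|-|-
"""

if __name__ == "__main__":
    for n, where, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {where}: {'; '.join(reasons)}")
```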
  • by wierd_w (1375923) on Friday August 15, 2014 @04:11PM (#47681383)

    Really, revelations like this are all the more reason to run a fully rom based OS for anything touching the internet.

    Before somebody says something absurd, this is basically what a thin client does anyway. The difference is that you keep the system image inside the thin client itself, rather than pulling it from the network. A modified chromebook would work just fine. An SD card slot that is hardware designed to be electronically incapable of raising its line voltages to write-enable levels, while still being physically accessible by the owner, would round out the package for where to store the system image.

    Everything else is stored exclusively in RAM, and blanks completely on power off.

    If the user WANTS persistent data, they can use external media. It comes in quite acceptable sizes these days.

    This could very easily be done with a chromebook with some simple modifications. Instead of doing google chrome, pack it with a squashfs knoppix image.

    Watch all the seditious cat videos you want.

    • You COULD modify the hardware etc., or just fire up Virtualbox, KVM, or qemu full screen for your web browsing and such. Set the virtualized image read-only, except when installing new software on it.

      Beneath the virtual machine can either be a dedicated hypervisor or a very small Linux installation which has only a tiny attack surface.

    • I once had a computer which did that, a Commodore 64. I am pretty sure most others at that time were that way too. The whole "store the O/S on a R/W hard drive" was an IBM PC/Microsoft idea, as were viruses.

      A ROM based system with Ubuntu or Knoppix would be pretty sweet for surfing teh Interwebs.

  • How is HTTPS going to protect me against this? It doesn't solve the problem of holey network-facing applications.
  • TFS says:
    > many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true. ... [Adobe Flash can be exploited by an ISP].

    Hmm, so you don't have to do something stupid or insecure, just run Flash and Java. :)

    Flash is mostly used for ads and malware, neither of which I want, so I don't run Flash in my default browsers. Fo

    Many YouTube videos with advertisements require Flash. If you try to view them on a PC without Flash, you get a notice that Flash is required. If you try to view them on a platform to which Flash is not ported, such as iOS or Android 4.1+, you get "The content owner has not made this video available on mobile." Besides, what's the alternative to Flash game sites like Newgrounds and Kongregate?
  • by CanHasDIY (1672858) on Friday August 15, 2014 @04:49PM (#47681665) Homepage Journal

    state actors involving "network injection appliances" installed at ISPs.

    So, since we're being charged by the bit now, and the government is taking my bits (that we pay for) off the pipe and replacing them with their bits (that we also pay for)... wouldn't that imply that these "state actors" should be on the hook for at least part of our ISP usage bills?

  • by DarkOx (621550)

    many otherwise well-informed people think they have to do something wrong, or stupid, or insecure

    Wait, how does executing code delivered over a clear text channel without some other strong attribution and integrity controls in place not count as stupid or insecure?

    Then we have slashdot here where we shove our session cookies back and forth in clear text. Not ideal but I don't execute code from slashdot (noscript) and I don't reuse my user name or password elsewhere. So that lowers my exposure somewhat.

    The browser makers need to at this point:
    Disable the execution of any script or content of any script

  • NoScript Options>Advanced>HTTPS> Forbid Active Content unless it comes from a secure (HTTPS) connection [noscript.net].

    Painful, yes, but it should take care of this kind of attack, as long as you can trust HTTPS (e.g. with Convergence [convergence.io]).

    Furthermore, NoScript 2.6.8.37rc2 [noscript.net] introduces an experimental "Allow HTTPS scripts globally on HTTPS documents" mode (in Advanced>HTTPS>Permissions) if you value convenience over finer grained security.
