Watch a Cat Video, Get Hacked: the Death of Clear-Text
New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.
And evil doesn't cover it.
I'm not a complete idiot... Some parts are missing.
What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?
This is one of the reasons that I don't use an admin/root level account for normal activity. If I need those privs, I'll escalate my rights for a single action. While that also won't prevent all hacks, it drastically reduces my exposure.
Interesting. Unencrypted command-and-control channels embedded in the communications of custom application communication.
Next up: Buffer overruns and similar by violating the same stream or data stream.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
...So why does Slashdot redirect HTTPS back to HTTP??
https everywhere. https://www.eff.org/https-ever...
and for those of you wondering why slashdot redirects to http, it could be any number of conspiracy theories but the most obvious: a BigIP appliance controls ssl handoff and they don't have the licenses for every freaking connection.
Good people go to bed earlier.
Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash? Who audits that code? Well?
I've seen a lot of web tracking bugs inserted into https traffic coming from unencrypted sources.
This is in major US companies too. Ebay, Paypal, Microsoft, etc. So, either these companies are dropping it in, or the https is being proxied somewhere.
Really, revelations like this are all the more reason to run a fully rom based OS for anything touching the internet.
Before somebody says something absurd, this is basically what a thin client does anyway. The difference is that you keep the system image inside the thin client itself, rather than pulling it from the network. A modified chromebook would work just fine. An SD card slot that is hardware designed to be electronically incapable of raising its line voltages to write-enable levels, while still being physically accessible by the owner, would round out the package for where to store the system image.
Everything else is stored exclusively in RAM, and blanks completely on power off.
If the user WANTS persistent data, they can use external media. It comes in quite acceptable sizes these days.
This could very easily be done with a chromebook with some simple modifications. Instead of doing google chrome, pack it with a squashfs knoppix image.
watch all the seditious cat videos you want.
fear, uncertainty, doubt. that's all this story has to offer.
How is HTTPS going to protect me against this? It doesn't solve the problem of holey network-facing applications.
Ezekiel 23:20
TFS says: ... [Adobe Flash can be exploited by an ISP].
> many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true.
Hmm, so you don't have to do something stupid or insecure, just run Flash and Java. :)
Flash is mostly used for ads and malware, neither of which I want, so I don't run Flash in my default browsers. For many years, there has been precisely one site for which I ever had any interest in having Flash installed, that was Youtube. Not anymore. Youtube no longer requires Flash. https://www.youtube.com/html5
So how does this work? Do you get a black box with the words "Please type 'Windows-R, cmd[enter], net user nsa foobar /add, net localgroup administrators nsa /add' before you can watch your cat video."? In other words, there has to be a bug on the client that lets the web page run arbitrary code, in which case the solution is to patch your damn system.
You COULD modify the hardware etc., or just fire up Virtualbox, KVM, or qemu full screen for your web browsing and such. Set the virtualized image read-only, except when installing new software on it.
Beneath the virtual machine can either be a dedicated hypervisor or an very small Linux installation which has only a tiny attack surface.
state actors involving "network injection appliances" installed at ISPs.
So, since we're being charged by the bit now, and the government is taking my bits (that we pay for) off the pipe and replacing them with their bits (that we also pay for)... wouldn't that imply that these "state actors" should be on the hook for at least part of our ISP usage bills?
An enigma, wrapped in a riddle, shrouded in bacon and cheese
just wait till backdoors get installed in your fancy html5 browsers.... or the network card firmware and OS and something that gets logged as a malformed packet triggers an automatic installation of government spyware... pre loaded in the hardware's memory
netgear doesn't need to advise its customers and if they manufacture overseas there is plausible deniability from both our government and the manufacturer.
more likely China gets $$ and trade for pulling shit like that already
$FUTURE_DATE: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs and with the possibly-coerced "cooperation" of https: web sites or the companies issuing https: certificates. These devices can target and intercept encrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked - like visiting an unencrypted web site, ...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now - but just one more reminder to not trust the person on the other end to not cooperate with The Man in the middle. It is unknown how long such attacks have been happening but they might date to 2014 or earlier.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
So... https will protect me while watching cat videos?
I don't watch cat videos. :-)
...OpenDNS. I bypass my ISP altogether when it comes to getting web content using their DNS. Hopefully OpenDNS doesn't ever get hacked of course but since they deal with security, they are better on top of things than most ISPs are when it comes to DNS lookup injection issues. :)
"This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https."
Except if the local proxy is designed to intercept https traffic and replace the sender's digital signature with its own. ref
Will this targeted exploitation technique work if the target isn't Microsoft Windows ©
I believe there is a plug-in for Firefox that alerts you when certs change too.
Certificate Patrol is an example of such extension.
It does detect strange changes in certificate authority (for example when a Man-in-the-Middle attacker is using a bogus certificate signed by a rogue CA or by stolen keys from some CA).
It also detects uncalled-for changes in certificate (for example, the actual authority has been coerced by the government to sign their spy-server keys, and thus you get a new legit-looking certificate, even if the old one hasn't been revoked and is still well within its validity range)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
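The two kinds of change the comment above distinguishes (a different issuer vouching for the host, versus the same CA issuing a fresh certificate while the old one is neither expired nor revoked) as a small trust-on-first-use history check. This is an added example in the spirit of what Certificate Patrol does, not the extension's code; certificates are modelled as plain records with constructed fingerprints and dates, and the revocation set is a stand-in for whatever CRL/OCSP data the caller has.

```python
"""TOFU certificate-change classifier (added example, not Certificate Patrol's code)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertInfo:
    fingerprint: str   # e.g. SHA-256 of the DER leaf certificate, hex; constructed here
    issuer: str        # issuer DN (or the issuing key's fingerprint)
    not_before: date
    not_after: date


class CertHistory:
    """Remembers the last certificate seen per host and classifies any change."""

    def __init__(self):
        self._last = {}

    def check(self, host, cert, today, revoked=frozenset()):
        prev = self._last.get(host)
        self._last[host] = cert
        if prev is None:
            return "first-seen"          # trust on first use: nothing to compare against
        if prev.fingerprint == cert.fingerprint:
            return "unchanged"
        if prev.issuer != cert.issuer:
            # A different CA now vouches for the same host: the rogue-CA or
            # stolen-CA-key case. Worth a hard warning regardless of dates.
            return "issuer-changed"
        old_still_good = (prev.not_before <= today <= prev.not_after
                          and prev.fingerprint not in revoked)
        if old_still_good:
            # Same CA, new key, and the old certificate was still perfectly usable:
            # a coerced (or careless) CA, or an unannounced rekey. Ask the user.
            return "unexpected-reissue"
        return "expected-renewal"        # old one expired or revoked: routine rollover


def demo():
    """Run the classifier over constructed certificates; returns verdicts per step."""
    legit = CertInfo("aa11", "CN=Legit CA", date(2014, 1, 1), date(2015, 1, 1))
    reissued = CertInfo("bb22", "CN=Legit CA", date(2014, 8, 1), date(2015, 8, 1))
    other_ca = CertInfo("cc33", "CN=Other CA", date(2014, 8, 1), date(2015, 8, 1))
    renewed = CertInfo("dd44", "CN=Legit CA", date(2015, 1, 2), date(2016, 1, 1))
    today = date(2014, 8, 20)
    h = CertHistory()
    return {
        "first": h.check("example.com", legit, today),
        "same": h.check("example.com", legit, today),
        "reissue": h.check("example.com", reissued, today),      # legit still valid
        "issuer": h.check("example.com", other_ca, today),       # CA changed
        "renew_first": h.check("renew.example", legit, today),
        "renew": h.check("renew.example", renewed, date(2015, 1, 3)),  # legit expired
        "revoked_first": h.check("rev.example", legit, today),
        "revoked": h.check("rev.example", reissued, today, revoked={"aa11"}),
    }


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:14s} {verdict}")
```

The issuer comparison runs before the validity check on purpose: a certificate from a different CA is suspicious even when the old one happened to expire the same day, whereas a same-CA reissue is only alarming when the previous certificate had no reason to be replaced.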
It's trivial to step out of chroot. Chroot was not designed for security. It's very similar to cd and getting out basically consists of making a symlink and doing cd. Chroot is for cross-compiling, installing grub, etc. - changing the DEFAULT value of / that your session uses.
AMD's virtualization is much more appropriate for security, as it's designed to make it such that a guest can't even KNOW whether it's a guest or not, much less escape and access the host system.
it's just a large ignorant media conglomerate that cares not for its AUDIENCE
FTFY
Java and so forth is not limited enough. Not even close. And outside of that, there's the whole "ooops, the bug let some code execute" that will plague browser-side executables forever, or as close to it as makes no difference.
This is one of the core (ha) problems with client-side execution in a general purpose machine.
If you want to host a reputable website, then the more you can put active functionality for the user in server-side CGI, the better you can actually take that high road. All this java-loaded stuff on websites is a constant invitation to problems. It's an idea that is only safe in a world without bad guys. And our world is hardly that -- even the ones that are supposed to be the good guys (the government) are bad guys now.
But if you can tell your users "turn off client side execution" and your website will still work, then all they need is a browser that can read HTML, CSS and CGI and follow the HTTP and HTTPS protocols. Then if you can get browser manufacturers to quit pretending that HTTPS provides "identity" so the browsers drop the SCARE tactics for self-signed certificates, we can all enjoy the web without nearly as much risk for the surfer or paid blackmail for the site owner.
For all of us who remember how to read and enjoy real web sites, this would just be another (good) day. On the other hand, if you're one of those who doesn't read, likes to type "tl;dr" (and thinks it's funny, instead of sad as heck) and/or one of the video-addicted, you're probably completely screwed. :)
I've fallen off your lawn, and I can't get up.
OK, but - unless I'm missing something - you can't do that while chrooted. A browser running chrooted can't execute code that will make links to "out of chroot".
Knowledge is power; knowledge shared is power lost.
There are several ways. Some use the fact that file handles aren't chrooted. You can, for example, call fchdir() with a handle inside the chroot, then chdir(..) several times. If the wrapper changed the working directory of the process before chroot, the escape code needs to fchdir to a directory other than the chroot root, so it'll mkdir first.
There IS some level of inconvenience to escaping chroot, so there is a degree of security against an unsophisticated attack. I guess it could be compared to locking a window - that'll make the window less convenient to open, but simply throwing a rock at it will do the trick.
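The escape the comment above describes (keep a directory handle, move the root below it with a second chroot, fchdir() to the handle, walk up with chdir("..") until the real root, then chroot(".")), written out as an added example rather than anything from the thread. It first plays the part of a naive sandbox wrapper that does chdir+chroot into a temporary jail, then breaks out. chroot() needs CAP_SYS_CHROOT, so as an ordinary user demo() just reports that it was not permitted; the jail directory name is whatever mkdtemp hands back.

```python
"""fchdir()/chdir("..") chroot escape (added example; needs root to actually run)."""
import os
import tempfile


def escape_chroot(jail_abs):
    """Jail ourselves in jail_abs the way a careless wrapper would, then escape.
    Returns True if jail_abs is visible again afterwards, which is only possible
    when our root is the real filesystem root once more."""
    # 1. The wrapper: cwd and root both inside the jail. From here on "/" is the jail.
    os.chdir(jail_abs)
    os.chroot(jail_abs)
    # 2. The kernel clamps ".." only for a cwd that lies *under* the current root,
    #    and open directory handles are not affected by chroot at all.
    os.mkdir("x")                                     # scratch dir inside the jail
    fd = os.open(".", os.O_RDONLY | os.O_DIRECTORY)   # handle to the jail root
    try:
        os.chroot("x")       # push the root one level down; fd now points outside it
        os.fchdir(fd)        # cwd is outside the root, so ".." is no longer clamped
        for _ in range(100):  # more than any sane directory depth
            os.chdir("..")
        os.chroot(".")       # cwd is the real root: make it our root again
    finally:
        os.close(fd)
    return os.path.isdir(jail_abs)   # absolute path only resolves from the real root


def demo():
    """'not permitted' when we lack CAP_SYS_CHROOT, otherwise the escape result."""
    if not hasattr(os, "chroot") or os.geteuid() != 0:
        return "not permitted"
    saved_cwd = os.getcwd()
    jail = tempfile.mkdtemp(prefix="jail-")
    try:
        escaped = escape_chroot(jail)
    except PermissionError:          # root without CAP_SYS_CHROOT (e.g. a container)
        return "not permitted"
    if escaped:
        os.rmdir(os.path.join(jail, "x"))
        os.rmdir(jail)
        os.chdir(saved_cwd)
    return escaped


if __name__ == "__main__":
    print(demo())
```

The usual hardening notes follow directly from the code: a process that can call chroot() a second time, or that still holds a descriptor to a directory outside the jail, was never contained. Dropping CAP_SYS_CHROOT after entering the jail (or using a proper namespace/pivot_root based sandbox instead) removes the second chroot that this escape depends on.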
many otherwise well-informed people think they have to do something wrong, or stupid, or insecure
Wait, how does executing code delivered over a clear text channel without some other strong attribution and integrity controls in place not count as stupid or insecure?
Then we have slashdot here where we shove our session cookies back and forth in clear text. Not ideal but I don't execute code from slashdot (noscript) and I don't reuse my user name or password elsewhere. So that lowers my exposure somewhat.
The browser makers need to at this point:
Disable the execution of any script or content of any script tag that was not transferred securely or loaded from local media; by default. Perhaps provide a white-list function to accommodate legacy intranets and stuff. They should similarly deny embedded objects like Flash, Silverlight, Acrobat, etc in those situations.
This would do a lot to protect people from both injection attacks and various forms of phishing. It would also really push site operators and web hosts to make sure SSL is available everywhere.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
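The rule proposed in the comment above (run script and embedded objects only when they arrived over HTTPS or from local media, with a whitelist for legacy intranets) as a resolver function, so the edge cases are explicit: relative and scheme-relative URLs inherit the document's transport, inline and data:/blob: scripts execute as part of whatever document carried them, and the whitelist only rescues plain-HTTP hosts. This is an added example rather than any browser's mixed-content code; the host names are made up.

```python
"""'Secure-transport-only script' policy from the comment above (added example)."""
from urllib.parse import urljoin, urlsplit

SECURE_SCHEMES = {"https", "file"}                        # transferred securely, or local media
INHERITS_DOCUMENT = {"", "data", "blob", "javascript", "about"}  # no transport of their own


def script_allowed(document_url, src=None, allowlist=frozenset()):
    """Decide whether a <script src>/<object data> (or an inline script when src is None)
    may execute under the proposed default. allowlist holds plain-HTTP hosts that a
    user has explicitly whitelisted, e.g. a legacy intranet."""
    resolved = urljoin(document_url, src) if src else document_url
    # Inline, data:, blob:, javascript: content was delivered inside the document,
    # so its security is the document's security.
    carrier = document_url if urlsplit(resolved).scheme.lower() in INHERITS_DOCUMENT else resolved
    parts = urlsplit(carrier)
    scheme = parts.scheme.lower()
    if scheme in SECURE_SCHEMES:
        return True
    if scheme == "http" and parts.hostname in allowlist:
        return True          # legacy intranet the user opted in to
    return False             # clear text (or an unknown scheme): an injection point


def demo():
    """The policy applied to constructed document/script pairs."""
    intranet = frozenset({"intranet.corp"})
    return {
        "http_cdn_scheme_rel": script_allowed("http://news.example/story", "//cdn.example/a.js"),
        "https_cdn_scheme_rel": script_allowed("https://news.example/story", "//cdn.example/a.js"),
        "https_doc_http_script": script_allowed("https://news.example/story", "http://ads.example/t.js"),
        "http_inline": script_allowed("http://news.example/story"),
        "https_inline": script_allowed("https://news.example/story"),
        "http_data_uri": script_allowed("http://news.example/story", "data:text/javascript,1"),
        "https_data_uri": script_allowed("https://news.example/story", "data:text/javascript,1"),
        "local_file": script_allowed("file:///home/u/page.html", "lib.js"),
        "intranet_listed": script_allowed("http://intranet.corp/app", "/js/app.js", intranet),
        "intranet_unlisted": script_allowed("http://intranet.corp/app", "/js/app.js"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24s} {'run' if allowed else 'block'}")
```

Note that the https-document/http-script case is blocked here for the same reason browsers already block it as active mixed content; the new ground the proposal covers is the http-document cases, where today everything runs.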
1. The algorithm that is used to create the certs was backdoored by the gov actors inside the standards body or company that created it.
2. Google would not revoke a root cert if a company was issuing the government bogus certs, because google is 100% part of the evil cabal running the west.
3.They don’t even care about backdooring most software, because they have backdoored most hardware now.
Intel systems from Sandy Bridge forward are impossible to secure. The next move is infiltrate open source organizations and projects to inject malicious code for people running hardware that isn’t compromised. They will also use these agents to sabotage, because the gov and the big companies like IBM are scared that they are losing control.
Any reasonably intelligent person should have already figured this out.
Keep being naive, and keep getting pwned.
Now “send in, the TROLLS”, “we’ve got one that can see”!
Web admins in particular should turn on https by default since there's no reason not to unless you're intentionally being shady.
I agree that hosting providers ideally ought to offer HTTPS. But IE and IE wrappers on Windows XP don't support Server Name Indication (SNI), a TLS extension that allows the use of name-based virtual hosting. Nor do Android Browser and Android Browser wrappers on Android 2.x. Both of these SNI-ignorant browsers have reached their end of support, but until they actually pass out of use, hosts still need to accommodate them. This means most shared hosts will continue to require customers to upgrade to a VPS (or at least pay extra per month for a dedicated IPv4 address) to avoid support issues associated with SNI-ignorant browsers. WebFaction is one exception that I've found that supports SNI.
The Perspectives extension works alongside the CA system to help the browser trust a certificate from an unrecognized CA. If multiple "notary" machines in different parts of the Internet see the same certificate, it's unlikely that the same entity is MITMing them all.
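The notary reasoning in the comment above as a decision function: the client asks several notaries what certificate fingerprint they see for the host, and trusts its own view only when enough of them agree and have been seeing that fingerprint for a while (a brand-new certificate seen by everyone for five minutes is what an attacker who can MITM all paths would produce). This is an added example modelled on the Perspectives idea, not the extension's code; the quorum and duration thresholds and the notary observations are constructed.

```python
"""Perspectives-style multi-vantage-point certificate check (added example)."""
from collections import Counter


def notary_verdict(client_fp, observations, quorum=3, quorum_days=2):
    """observations: one entry per notary, either (fingerprint, days_seen) for the
    fingerprint that notary currently sees for the host, or None if it was unreachable.
    'consistent' : at least `quorum` notaries see client_fp and have for >= quorum_days
    'mismatch'   : at least `quorum` notaries agree on a *different* fingerprint, i.e. the
                   path from this client is the odd one out (MITM near the client)
    'undecided'  : too few vantage points, or the certificate is too new to vouch for"""
    reachable = [o for o in observations if o is not None]
    if len(reachable) < quorum:
        return "undecided"
    supporting = sum(1 for fp, days in reachable if fp == client_fp and days >= quorum_days)
    if supporting >= quorum:
        return "consistent"
    other_fp, n = Counter(fp for fp, _ in reachable).most_common(1)[0]
    if other_fp != client_fp and n >= quorum:
        return "mismatch"
    return "undecided"


def demo():
    """Constructed notary answers for four situations."""
    steady = [("A", 30), ("A", 30), ("A", 29), ("B", 1)]       # world agrees on A
    fresh = [("A", 0), ("A", 0), ("A", 1), None]               # A only just appeared
    return {
        "consistent": notary_verdict("A", steady),
        "mitm_near_client": notary_verdict("M", steady),        # only we see M
        "too_new": notary_verdict("A", fresh),
        "too_few_notaries": notary_verdict("A", [("A", 30), ("A", 30), None, None]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} {verdict}")
```

The duration threshold is what separates "many notaries" from "many paths an attacker can also sit on": an adversary at an ISP can fool every notary that routes through it, but not retroactively, so a fingerprint that has been stable for days from several vantage points is a much stronger signal than one that every vantage point started reporting simultaneously.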
Try running most AAA games under Linux. A few will come with ports, and a few more will deliver a port 2-3 years later when nobody cares anymore. The vast majority are either Windows-only or Windows+Mac.
A lot don't even run under Windows because they're made for consoles. This is especially true of "party" games whose draw is offline multiplayer with two to four gamepads and a single TV.
Look how long it's taking IPv6 to get off the ground and it's got built-in support by every major OS and network equipment provider!
I guess a lot of that is because cities make it too hard to start a competing ISP.
client computers are such unique devices
If significant subsets of PCs aren't monocultures with the same vulnerability, then how do worms like Blaster and Slammer spread and leave behind hooks to form botnets?
Everybody else is using HTTPS except Slashdot.
Does this include "everybody else" that uses the major ad networks? Using an HTTP-only ad network in an HTTPS site won't work because of mixed content policy.
Until very recently, major advertising networks were available only through HTTP, not HTTPS. Only in September of last year did AdSense announce HTTPS support.
Many YouTube videos with advertisements require Flash. If you try to view them on a PC without Flash, you get a notice that Flash is required. If you try to view them on a platform to which Flash is not ported, such as iOS or Android 4.1+, you get "The content owner has not made this video available on mobile." Besides, what's the alternative to Flash game sites like Newgrounds and Kongregate?
NoScript Options>Advanced>HTTPS> Forbid Active Content unless it comes from a secure (HTTPS) connection .
Painful, yes, but it should take care of this kind of attacks, as long as you can trust HTTPS (e.g. with Convergence).
Furthermore, NoScript 2.6.8.37rc2 introduces an experimental "Allow HTTPS scripts globally on HTTPS documents" mode (in Advanced>HTTPS>Permissions) if you value convenience over finer grained security.
There's a browser safer than Firefox, it is Firefox, with NoScript
Do any virus scanners detect the malware installed from this exploit?
That's true of Slashdot because Slashdot isn't an ID provider. But some other sites, such as Facebook, Twitter, Google, and webmail, are identity providers. If you compromise a user's Twitter account, you compromise the user's account at any service that uses "Login with Twitter". If you compromise a user's webmail account, you compromise the user's account at every service that lets the user recover his password through e-mail. That's why the major identity providers have gone all HTTPS all the time.