Slashdot Mirror

← Back to Stories (view on slashdot.org)

Watch a Cat Video, Get Hacked: the Death of Clear-Text

Posted by Soulskill on from the internet-doomed dept.

New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

2 of 166 comments (clear)

  1. Re:I'd love to use https! by Anonymous Coward · · Score: 5, Informative

    because slashdot is not run by tech people anymore, its just a large ignorant media conglomerate that cares not for it users until it starts to affect the bottom line.

    Besides enabling https could take minutes of labor time from literally ones of administrators to implement that's not free you know

  2. Re:Flash vulnerability? by onproton · · Score: 5, Informative

    From the article: "A step-by-step breakdown of how such an attack might occur is as follows: 1. A target is selected and their name is entered into the Network Injection GUI. 2. The target’s traffic stream is located based on their ISP’s RADIUS records. 3. As per the rule on the network injector (as shown in Figure 14), the appliance waits for the target to visit YouTube. 4. When this traffic is identified, it is redirected to the network injection appliance. 5. The legitimate video is blocked and malicious flash (SWF) is injected into the clear-text portion of the traffic. (Represented by the kitty skull and cross bones.) 6. The target is presented with a dialogue to upgrade their flash installation. If this upgrade is accepted the malicious SWF enables the installation of a ‘scout agent’ which provides target validation. 7. If the target is assessed as correct (i.e., the desired person), and safe for install (not a malware analysis honeypot), then the full agent is deployed. 8. Surveillance of the target commences."