Slashdot Mirror


Watch a Cat Video, Get Hacked: the Death of Clear-Text

New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

30 of 166 comments

  1. This is just evil. by sabri · · Score: 2

    And evil doesn't cover it.

    --
    I'm not a complete idiot... Some parts are missing.
    1. Re:This is just evil. by mythosaz · · Score: 4, Informative

      Rendering HTML isn't "executing arbitrary code" in any meaningful way.

    2. Re:This is just evil. by Noah+Haders · · Score: 3, Insightful

      Rendering HTML isn't "executing arbitrary code" in any meaningful way.

      "I disagree" -- hackers.

    3. Re:This is just evil. by mysidia · · Score: 5, Insightful

      Yep, that's called a browser. Arbitrary code is exactly what a webpage or video is.

      No. Full stop. A webpage or video is a page which may contain some script language which is to be executed within a certain restricted context pertaining to the webpage domain.

      It is code execution, but not arbitrary code execution. A webpage is not supposed to be able to run arbitrary code within the meaning of arbitrary instructions on the CPU; only certain safe instructions within a highly limited scope.

    4. Re:This is just evil. by LordLimecat · · Score: 4, Insightful

      It's running code, but not arbitrary. There are limits to what code is allowed to execute. The HTML5 spec does not, for instance, allow you to read arbitrary memory locations.

      "Executing structured code" perhaps?

  2. https is useless by bbn · · Score: 5, Insightful

    What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

    1. Re:https is useless by HaeMaker · · Score: 4, Interesting

      Correct. What makes anyone think NSA agents aren't working at Google, Microsoft, Verisign, etc.? Anyone checks who actually signed the certs. Almost all devices trust a few DoD root certs by default. Going to slashdot is safe? No SSL here. Do any of these GIFs, JPGs or PNGs contain exploits? If they want you, they can't get you?

    2. Re:https is useless by gameboyhippo · · Score: 5, Insightful

      Right. And if you have the keys then you can sign your own certificates. Thus allowing Eve to pretend she's Bob.

    3. Re:https is useless by heypete · · Score: 4, Informative

      What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

      Sure, they could, but I doubt they are.

      If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

      While typical users won't notice, there's still plenty of risk to getting caught, particularly when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile sites "pinned" and will report back to Google if bogus certs are being used (they identified a bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives make it easier to detect if unexpected certs are showing up.

      Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly, but each time they do the risk to their entire business increases.

      I suspect the government would much prefer to do things sneakily in the shadows, rather than involving major CAs in such a risky role.

    4. Re:https is useless by TechyImmigrant · · Score: 4, Informative

      If the state can forge certs, the state can redirect your traffic to their youtube proxy and insert the malware just behind the fake thing you authenticated with. Your own private keys will not protect you.

      This is one of the many reasons why the public PKI is broken.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:https is useless by AmiMoJo · · Score: 3, Informative

      Chrome pins Google's certs, so if anyone did try to make new fake ones the browser would flag it up. I believe there is a plug-in for Firefox that alerts you when certs change too.

      This vulnerability has been known for a long time.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:https is useless by PopeRatzo · · Score: 4, Insightful

      If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

      Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?

      I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help the government spy on people because then all their customers would cancel their service.

      No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

      --
      You are welcome on my lawn.
    7. Re:https is useless by jedidiah · · Score: 2

      Security is fine if you are no one of interest. It doesn't matter if it's physical security or computer security. Once you are important enough for anyone to be interested in, most security measures are completely meaningless. This is just the harsh reality.

      For most of us, security measures just dissuade the opportunistic idiot trying for an easy score with no particular interest in you as an individual.

      Once you've managed to attract unwanted attention, you will have to engage more serious security measures (in general).

      --
      A Pirate and a Puritan look the same on a balance sheet.
    8. Re:https is useless by pla · · Score: 3, Interesting

      unless we want to strip the state off their power to search us (and trail us).

      Dingdingding! We have a winner!

      Two and a half centuries ago we allowed the government those powers, under certain strict conditions, for the good of society as a whole. The government has repeatedly shown itself incapable of acting up to its side of that bargain. We The People therefore need to strip them of that power entirely. Can't find physical evidence of a crime without making my computer tell on me? Then it didn't happen.

      "But we need the government to have those powers to preserve the public order", you say? No. The sort of crimes the NSA catches (heh, I typed that as "commits" and had to correct it) have nothing to do with you and I in our daily lives. They protect megacorps and the government itself, and nothing else.

    9. Re:https is useless by grcumb · · Score: 2, Interesting

      Going to slashdot is safe? No SSL here.

      GCHQ has already spoofed Slashdot in the past. So no, going to Slashdot is not safe.

      If they want you, they can't get you?

      All right then. Let's all just roll over and die, why don't we?

      Look, I get your cynicism, but don't let it run to fatalism. There are things you can do:

      • Stop making it easy on them. Stop using Windows. Seriously. Understand that what's convenient for you is often convenient for them.
      • Stop using proprietary software at all. Yes, yes, HeartBleed nothing is safe bla bla bla. I'm not talking about safe, though; I'm talking about safer. And FOSS is, objectively, a safer environment, and will remain so even after it becomes popular.
      • Start building and using federated, encrypted, decentralised, peer-to-peer systems. I honestly don't know why geeks didn't do this years ago, but why the fuck is Facebook the state of the art in social media? I mean, seriously. It's not only a privacy disaster area, it's a badly polished piece of shit to boot. We know that They don't like TOR because it's harder for Them. We know that They don't like bittorrent because it's harder for Them. So why the fuck are we not taking a clue from that and creating a UseNET we can go back to? I mean, I get why the peons don't, but we're geeks, for fuck sake. That used to mean something.
      • Start re-imagining an internet whose physical characteristics resemble its protocols. At the outset, we thought it would be cool to have generic protocols that ran more or less transparently on any old network at all. What we didn't realise was that just because stupid networks were possible, that didn't mean they were inevitable. The whole ICANN/ITU fiasco is all the evidence we need to see that the world's telcos have begun to realise how much ground they've lost and they want it back. But that doesn't mean we have to give it to them. Mesh topologies using low-power devices are the only way we cut them back down to size.

      You can get all fatalistic if you like, but if your only response to the encroachments of authority is to run further and faster, then (apologies to Scotsmen everywhere) you're not a real geek.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    10. Re:https is useless by Altrag · · Score: 3, Insightful

      What's inconvenient for them is often impossible for us. Try running most AAA games under Linux. A few will come with ports, and a few more will deliver a port 2-3 years later when nobody cares anymore. The vast majority are either Windows-only or Windows+Mac. Indie games tend to be somewhat better for this but most casual gamers just want the big name games.

      And it gets even worse in a business environment where you often have software restrictions imposed on you by corporate policy and frequently by the fact that you need to interact with vendors/customers who use Windows-only products.

      "Just stop using Windows" is a stupid catchphrase. It's like trying to end starvation by saying "just give them food." Actually it's worse because food is a pretty good solution to starvation whereas it's pretty unproven that FOSS software is "objectively" safer than closed software (I mean it's probably true, but until Linux becomes a significant hacking target, we can't say definitively that the lack of exploits is due to better software rather than due to fewer people attempting to exploit it.)

      Similarly with Facebook. It's the "state of the art" in social media because of absolutely nothing to do with privacy protection. In fact a lot of its popularity was initially based on its _lack_ of privacy considerations -- "Facebook stalking" and such activities. I mean that probably wasn't the main driving factor (being fresh and simple right around the time that Myspace was bloating itself out of existence is likely the biggest contributing factor. I doubt FB would have gotten as big as it did if Myspace had stuck to being a site people actually enjoyed using rather than letting themselves be overrun by commercial interests.)

      And lastly protocols. Protocols are king. If TOR or similar ever comes out with a product that you can just install and "it works," then we might be getting somewhere. I mean "it works" as in it starts up with Windows, and immediately funnels all traffic through its own pipes and doesn't significantly impact the speed of watching a cat video on Youtube and basically in all ways stays the fuck out of the way. If it can get to that level, we might see some better adoption. As long as it's something you have to consciously connect and disconnect and slows down your connection by 50% and whatever else, it won't pick up widespread adoption. Look how long it's taking IPv6 to get off the ground and it's got built-in support by every major OS and network equipment provider! (Disclaimer: I haven't used TOR myself in a few years so I don't know how close to this ideal it's gotten.)

      At the end of the day, the real problem isn't Windows or lack of encryption or any other technical issue -- the problem is that 90% of the population doesn't care. Or I should say, doesn't care _enough_. We care enough to sign online petitions and shit that's easy to do in the hopes that someone who has more time on their hands will be able to make a difference (openmedia.ca up here in Canada is a great example of an organization that has taken the "enough" qualifier to heart and used online petitions to make significant changes in the way our government treats privacy and other online issues.)

      But on their own? Most people are too busy to worry about things that have a very low chance of ever impacting them directly. It's one thing for the NSA to tap a billion email accounts. It's another for them to filter through that data and pick targets. Yes everyone gets uppity when they pick a target wrong, but unless that target happens to be "me", most people have jobs and families and other things to do than worry about it for longer than it takes to exclaim "damned go'ment!"

      TL;DR: "just fix everything" is great in principle, pretty much impossible in practice.

  3. Reduced rights by SQLGuru · · Score: 2

    This is one of the reasons that I don't use an admin/root level account for normal activity. If I need those privs, I'll escalate my rights for a single action. While that also won't prevent all hacks, it drastically reduces my exposure.

    1. Re:Reduced rights by vux984 · · Score: 2

      This is one of the reasons that I don't use an admin/root level account for normal activity.

      A good practice to be sure.

      While that also won't prevent all hacks, it drastically reduces my exposure.

      Well, at least your device drivers are safe, and it's a little harder for you to join a bot net.

      But pretty much everything you have of value can be accessed from user space, including all your documents. That's generally what identity and data thief hackers (and state actors) want.

  4. I'd love to use https! by XanC · · Score: 5, Interesting

    ...So why does Slashdot redirect HTTPS back to HTTP??

    1. Re:I'd love to use https! by Anonymous Coward · · Score: 5, Informative

      because slashdot is not run by tech people anymore, it's just a large ignorant media conglomerate that cares not for its users until it starts to affect the bottom line.

      Besides, enabling https could take minutes of labor time from literally ones of administrators to implement; that's not free, you know.

    2. Re:I'd love to use https! by Anonymous Coward · · Score: 2, Interesting

      Simplicity and overhead.

      HTTPS has overhead in encrypting all content. This can be mitigated by processors with AES instruction set, but it still impacts the scalability for the site. Most content on slashdot can probably be cached and thus CPU usage is kept to a minimum as users scale.

      Staying in HTTPS but requesting HTTP resources has to be done carefully to keep browsers from throwing cross domain violations. It's more trouble than it's worth.

      No one with the know-how and resources to capture your slashdot HTTP cares what inane comments you are making or what you're reading. I'm sure some kooks think otherwise, but the government has bigger fish to fry. The HTTPS is used for critical steps, such as logging in to prevent accounts from being compromised.
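The downgrade XanC asks about (an HTTPS request answered with a redirect back to HTTP) and the login-only HTTPS the previous comment describes are both things a site owner can check for mechanically in the responses a server sends. The following is an added example, not Slashdot's code or the commenters' own: it audits a single response offline for a scheme downgrade and for a missing, malformed or short Strict-Transport-Security header. The six-month threshold is an assumed policy, and the sample responses in the test are constructed.

```python
"""Offline audit of one HTTP(S) response for the two problems raised in this
thread: a redirect that sends an HTTPS request back to clear-text HTTP, and an
HTTPS response with no (or a too-short) Strict-Transport-Security header.
Added example, not Slashdot's code; the sample responses are constructed."""
from urllib.parse import urlparse

# Assumed policy: an HSTS max-age under six months is flagged as too short.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when max-age is absent or not an integer; browsers treat such
    a header as no HSTS policy at all, so the audit reports it as malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def audit_response(request_url, status, headers):
    """Return a list of findings for a response to `request_url`.

    `headers` maps lowercase header names to values; only Location and
    Strict-Transport-Security are consulted. An empty list means no finding."""
    findings = []
    scheme = urlparse(request_url).scheme
    target_scheme = ""
    if 300 <= status < 400 and "location" in headers:
        target_scheme = urlparse(headers["location"]).scheme
    if scheme == "https" and target_scheme == "http":
        findings.append("downgrade: HTTPS request redirected to clear-text HTTP")
    if scheme == "http" and target_scheme != "https":
        findings.append("no upgrade: clear-text request not redirected to HTTPS")
    if scheme == "https":
        hsts = headers.get("strict-transport-security")
        if hsts is None:
            findings.append("missing HSTS header")
        else:
            parsed = parse_hsts(hsts)
            if parsed is None:
                findings.append("malformed HSTS header")
            elif parsed[0] < MIN_HSTS_MAX_AGE:
                findings.append(f"HSTS max-age {parsed[0]} below {MIN_HSTS_MAX_AGE}")
    return findings


if __name__ == "__main__":
    # Constructed response: the behaviour XanC describes.
    print(audit_response("https://news.example.test/", 302,
                         {"location": "http://news.example.test/"}))
```

Run against real servers by feeding in the status and headers from a client of your choice; the function itself does no network I/O, so it can also run over logged responses.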

  5. Flash vulnerability? by Animats · · Score: 3, Interesting

    Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash? Who audits that code? Well?

    1. Re:Flash vulnerability? by Animats · · Score: 2

      Didn't look at the source of a Youtube page, did you? Look for "http://s.ytimg.com/yts/swfbin/player-vflZsDuOu/watch_as3.swf". Videos can also play with "HTML5 video", but there's Flash code there to be executed.

    2. Re:Flash vulnerability? by timeOday · · Score: 4, Informative

      No, I don't think it's a Flash vulnerability. It is awfully obscured in the article by general hand-waving, but I think the idea here is to trick people into installing an executable that isn't really Flash by causing an executable that presents itself as a Flash update to request installation. Since this happens while they are visiting youtube (with a man-in-the-middle doing the injection), the user may assume it is a legit update and install the malware.

      In other words, Flash and Java are "exploited" only in the sense that people are so used to being pushed security updates, that they may accept a fake update delivered on an insecure connection. Accepting a so-called Flash update from any untrusted site would accomplish the same thing. It really just boils down to the fact that every site is an untrusted site if you're not using https, since you don't know who all is in the middle.

    3. Re:Flash vulnerability? by onproton · · Score: 5, Informative

      From the article: "A step-by-step breakdown of how such an attack might occur is as follows:
      1. A target is selected and their name is entered into the Network Injection GUI.
      2. The target’s traffic stream is located based on their ISP’s RADIUS records.
      3. As per the rule on the network injector (as shown in Figure 14), the appliance waits for the target to visit YouTube.
      4. When this traffic is identified, it is redirected to the network injection appliance.
      5. The legitimate video is blocked and malicious flash (SWF) is injected into the clear-text portion of the traffic. (Represented by the kitty skull and cross bones.)
      6. The target is presented with a dialogue to upgrade their flash installation. If this upgrade is accepted the malicious SWF enables the installation of a ‘scout agent’ which provides target validation.
      7. If the target is assessed as correct (i.e., the desired person), and safe for install (not a malware analysis honeypot), then the full agent is deployed.
      8. Surveillance of the target commences."
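Step 5 of the quoted breakdown is the part that makes clear-text the real problem: an in-path device that can read an HTTP response can also replace its body and re-issue consistent headers, and the browser has no way to tell. The following is an added example, not Citizen Lab's code or anything from the appliance it describes: a simulation of that rewrite step on a constructed HTTP/1.1 response, with the injector's host rule, payload and content type all supplied by the caller. The same function passes TLS records through untouched, because without a certificate the client trusts (the subject of comment 2 above) it cannot even parse them.

```python
"""Simulation of the injection step quoted above (step 5): an in-path device
that sees a clear-text HTTP response for a host matching its rule swaps the
body for its own payload and fixes up Content-Length and Content-Type. A TLS
record from the same connection is opaque to it and passes through unchanged.
Added example, not the appliance's code; the response, host and payload are
constructed."""

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def looks_like_tls(data):
    """True when `data` starts with a TLS record header (type byte, version 3.x)."""
    return len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03


def split_http_response(raw):
    """Split a clear-text HTTP/1.x response into (status_line, headers, body).

    Header names are lowercased bytes. Returns None if `raw` is not HTTP."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1."):
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def rewrite_response(raw, host, rule_host, payload, payload_type):
    """Return the bytes the victim's browser receives.

    `host` is the Host the client asked for (known to the injector from the
    request); `rule_host` is the host the injector is waiting for. Anything
    that is TLS, not HTTP, or not the rule's host passes through unchanged."""
    if looks_like_tls(raw):
        return raw  # opaque without a cert the client trusts
    parsed = split_http_response(raw)
    if parsed is None or host != rule_host:
        return raw
    status_line, headers, _ = parsed
    # Replace the body and make the framing headers agree with it.
    headers[b"content-length"] = str(len(payload)).encode()
    headers[b"content-type"] = payload_type
    headers.pop(b"transfer-encoding", None)  # the new body is not chunked
    head = b"\r\n".join([status_line] + [k + b": " + v for k, v in headers.items()])
    return head + b"\r\n\r\n" + payload


if __name__ == "__main__":
    # Constructed clear-text response standing in for the legitimate video.
    original = b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\nContent-Length: 5\r\n\r\nhello"
    print(rewrite_response(original, "www.youtube.com", "www.youtube.com",
                           b"FAKE-SWF", b"application/x-shockwave-flash"))
```

Nothing in the browser's view of the exchange changes: the status line, the server's other headers and the host are all genuine, which is why the fake "Flash update" dialogue in step 6 looks like it came from YouTube.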

  6. All the more reason-- by wierd_w · · Score: 2

    Really, revelations like this are all the more reason to run a fully rom based OS for anything touching the internet.

    Before somebody says something absurd, this is basically what a thin client does anyway. The difference is that you keep the system image inside the thin client itself, rather than pulling it from the network. A modified chromebook would work just fine. An SD card slot that is hardware designed to be electronically incapable of raising its line voltages to write-enable levels, while still being physically accessible by the owner, would round out the package for where to store the system image.

    Everything else is stored exclusively in RAM, and blanks completely on power off.

    If the user WANTS persistent data, they can use external media. It comes in quite acceptable sizes these days.

    This could very easily be done with a chromebook with some simple modifications. Instead of doing google chrome, pack it with a squashfs knoppix image.

    watch all the seditious cat videos you want.

  7. Simpler way: virtualization + snapshot by raymorris · · Score: 2

    You COULD modify the hardware etc., or just fire up Virtualbox, KVM, or qemu full screen for your web browsing and such. Set the virtualized image read-only, except when installing new software on it.

    Beneath the virtual machine can either be a dedicated hypervisor or a very small Linux installation which has only a tiny attack surface.

  8. Tax Rebate by CanHasDIY · · Score: 2

    state actors involving "network injection appliances" installed at ISPs.

    So, since we're being charged by the bit now, and the government is taking my bits (that we pay for) off the pipe and replacing them with their bits (that we also pay for)... wouldn't that imply that these "state actors" should be on the hook for at least part of our ISP usage bills?

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  9. Certificate Patrol by DrYak · · Score: 2

    I believe there is a plug-in for Firefox that alerts you when certs change too.

    Certificate Patrol is an example of such extension.

    It does detect strange changes in certificate authority (for example when a man-in-the-middle attacker is using a bogus certificate signed by a rogue CA or by stolen keys from some CA).
    It also detects uncalled-for changes in certificate (for example, the actual authority has been coerced by the government to sign their spy-server keys, and thus you get a new legit-looking certificate, even if the old one hasn't been revoked and is still well within its validity range).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
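The two detections DrYak describes, and the pinning heypete and AmiMoJo mention earlier in the thread, come down to remembering what key a host presented last time and asking whether the change you now see is one a legitimate renewal would produce. The following is an added example, not Certificate Patrol's or Chrome's code: a trust-on-first-use pin store that raises one alert when the issuing CA changes (rogue or stolen CA) and another when the same CA signs a new key while the previously seen certificate was still well within its validity (a coerced CA). The 30-day renewal window is an assumed policy, the SPKI bytes stand in for a real SubjectPublicKeyInfo, and the hosts, issuers and dates in the test are constructed.

```python
"""Trust-on-first-use certificate tracking of the kind Certificate Patrol and
Chrome's pins do, as discussed in this thread. Two alarms are raised:
  1. the issuing CA for a host changed (bogus cert from a rogue or stolen CA);
  2. the CA is the same but the key changed while the cert seen last time was
     still well within its validity (a coerced CA signing a second cert).
Added example, not the extension's code; hosts, keys and dates are constructed
and the SPKI bytes stand in for a real SubjectPublicKeyInfo."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Assumed policy: a key change within 30 days of expiry is a normal renewal.
RENEWAL_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class SeenCert:
    host: str
    issuer: str
    spki: bytes
    not_before: date
    not_after: date

    def spki_sha256(self):
        """Pin on the public key, so a re-issued cert with the same key passes."""
        return hashlib.sha256(self.spki).hexdigest()


class PinStore:
    """host -> SeenCert remembered from the first (or last accepted) visit."""

    def __init__(self):
        self._pins = {}

    def check(self, cert, today):
        """Return alerts for `cert` presented for cert.host on `today`.

        An empty list means the cert is accepted and becomes the host's pin;
        on any alert the old pin is kept so the caller can still compare."""
        alerts = []
        if not (cert.not_before <= today <= cert.not_after):
            alerts.append("cert outside its validity period")
        prev = self._pins.get(cert.host)
        if prev is not None and prev.spki_sha256() != cert.spki_sha256():
            if prev.issuer != cert.issuer:
                alerts.append(f"issuer changed: {prev.issuer!r} -> {cert.issuer!r}")
            elif today < prev.not_after - RENEWAL_WINDOW:
                alerts.append(
                    f"key changed while previous cert valid until {prev.not_after}"
                )
        if not alerts:
            self._pins[cert.host] = cert
        return alerts

    def pinned(self, host):
        """The SeenCert currently trusted for `host`, or None."""
        return self._pins.get(host)


if __name__ == "__main__":
    store = PinStore()
    first = SeenCert("mail.example.test", "Example CA", b"key1",
                     date(2014, 1, 1), date(2015, 1, 1))
    print(store.check(first, date(2014, 8, 15)))  # first use: pinned, no alert
    coerced = SeenCert("mail.example.test", "Example CA", b"key2",
                       date(2014, 8, 1), date(2015, 8, 1))
    print(store.check(coerced, date(2014, 8, 15)))  # same CA, premature new key
```

The second alarm is the one plain CA validation never raises: the new certificate chains to a trusted root and is within its dates, so only the history of what this host used to present gives it away. Real deployments also have to cope with sites that legitimately serve several keys (load-balanced pools), which a per-host single pin does not handle.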
  10. Clearly by fyngyrz · · Score: 4, Interesting

    Java and so forth are not limited enough. Not even close. And outside of that, there's the whole "ooops, the bug let some code execute" that will plague browser-side executables forever, or as close to it as makes no difference.

    This is one of the core (ha) problems with client-side execution in a general purpose machine.

    If you want to host a reputable website, then the more you can put active functionality for the user in server-side CGI, the better you can actually take that high road. All this java-loaded stuff on websites is a constant invitation to problems. It's an idea that is only safe in a world without bad guys. And our world is hardly that -- even the ones that are supposed to be the good guys (the government) are bad guys now.

    But if you can tell your users "turn off client side execution" and your website will still work, then all they need is a browser that can read HTML, CSS and CGI and follow the HTTP and HTTPS protocols. Then if you can get browser manufacturers to quit pretending that HTTPS provides "identity" so the browsers drop the SCARE tactics for self-signed certificates, we can all enjoy the web without nearly as much risk for the surfer or paid blackmail for the site owner.

    For all of us who remember how to read and enjoy real web sites, this would just be another (good) day. On the other hand, if you're one of those who doesn't read, likes to type "tl;dr" (and thinks it's funny, instead of sad as heck) and/or one of the video-addicted, you're probably completely screwed. :)

    --
    I've fallen off your lawn, and I can't get up.