Watch a Cat Video, Get Hacked: the Death of Clear-Text

New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

https is useless

[bbn]

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

Re:https is useless

[HaeMaker]

Correct. What make anyone think: NSA agents aren't working at Google, Microsoft, Verisign, etc. Anyone checks who actually signed the certs. Almost all devices trust a few DoD root certs by default. Going to slashdot is safe? No SSL here. Do any of these GIFs, JPGs or PNGs contain exploits? If they want you, they can't get you?

Re:https is useless

[gameboyhippo]

Right. And if you have the keys then you can sign your own certificates. Thus allowing Eve to pretend she's Bob.

Re:https is useless

[heypete]

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

Sure, they could, but I doubt they are.

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

While typical users won't notice, there's still plenty of risk to getting caught, particularly when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile sites "pinned" and will report back to Google if bogus certs are being used (they identified a bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives make it easier to detect if unexpected certs are showing up.

Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly, but each time they do the risk to their entire business increases.

I suspect the government would much prefer to do things sneakily in the shadows, rather than involving major CAs in such a risky role.

Re:https is useless

[TechyImmigrant]

If the state can forge certs, the state can redirect your traffic to their youtube proxy and insert the malware just behind the fake thing you authenticated with. Your own private keys will not protect you.

This is one of the many reasons why the public PKI is broken.

Re:https is useless

[AmiMoJo]

Chrome pins Google's certs, so if anyone did try to make new fake ones the browser would flag it up. I believe there is a plug-in for Firefox that alerts you when certs change too.

This vulnerability has been known for a long time.

Re:https is useless

[PopeRatzo]

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?

I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help the government spy on people because then all their customers would cancel their service.

No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

Re:https is useless

[pla]

unless we want to strip the state off their power to search us (and trail us).

Dingdingding! We have a winner!

Two and a half centuries ago we allowed the government those powers, under certain strict conditions, for the good of society as a whole. The government has repeatedly shown itself incapable of acting up to its side of that bargain. We The People therefore need to strip them of that power entirely. Can't find physical evidence of a crime without making my computer tell on me? Then It didn't happen.

"But we need the government to have those powers to preserve the public order", you say? No. The sort of crimes the NSA catches (heh, I typed that as "commits" and had to correct it) have nothing to do with you and I in our daily lives. They protect megacorps and the government itself, and nothing else.

Re:https is useless

[Altrag]

What's inconvenient for them is often impossible for us. Try running most AAA games under Linux. A few will come with ports, and a few more will deliver a port 2-3 years later when nobody cares anymore. The vast majority are either Windows-only or Windows+Mac. Indie games tend to be somewhat better for this but most casual gamers just want the big name games.

And it gets even worse in a business environment where you often have software restrictions imposed on you by corporate policy and frequently by the fact that you need to interact with vendors/customers who use Windows-only products.

"Just stop using Windows" is a stupid catchphrase. Its like trying to end starvation by saying "just give them food." Actually its worse because food is a pretty good solution to starvation whereas its pretty unproven that FOSS software is "objectively" safer than closed software (I mean its probably true, but until Linux becomes a significant hacking target, we can't say definitively that the lack of exploits is due to better software rather than due to fewer people attempting to exploit it.)

Similarly with Facebook. Its the "state of the art" in social media because of absolutely nothing to do with privacy protection. In fact a lot of its popularity was initially based on its _lack_ of privacy considerations -- "Facebook stalking" and such activities. I mean that probably wasn't the main driving factor (being fresh and simple right around the time that Myspace was bloating itself out of existing is likely the biggest contributing factor. I doubt FB would have gotten as big as it did if Myspace had stuck to being a site people actually enjoyed using rather than letting themselves be overrun by commercial interests.)

And lastly protocols. Protocols are king. If TOR or similar ever comes out with a product that you can just install and "it works," then we might be getting somewhere. I mean "it works" as in it starts up with Windows, and immediately funnels all traffic through its own pipes and doesn't significantly impact the speed of watching a cat video on Youtube and basically in all ways stays the fuck out of the way. If it can get to that level, we might see some better adoption. As long as its something you have to consciously connect and disconnect and slows down your connection by 50% and whatever else, it won't pick up widespread adoption. Look how long its taking IPv6 to get off the ground and its got built-in support by every major OS and network equipment provider! (Disclaimer: I haven't used TOR myself in a few years so I don't know how close to this ideal its gotten.)

At the end of the day, the real problem isn't Windows or lack of encryption or any other technical issue -- the problem is that 90% of the population doesn't care. Or I should say, doesn't care _enough_. We care enough to sign online petitions and shit that's easy to do in the hopes that someone who has more time on their hands will be able to make a difference (openmedia.ca up here in Canada is a great example of an organization that has taken the "enough" qualifier to heart and used online petitions to make significant changes in the way our government treats privacy and other online issues.)

But on their own? Most people are too busy to worry about things that have a very low chance of ever impacting them directly. Its one thing for the NSA to tap a billion email accounts. Its another for them to filter through that data and pick targets. Yes everyone gets uppity when they pick a target wrong, but unless that target happens to be "me", most people have jobs and families and other things to do than worry about it for longer than it takes to exclaim "damned go'ment!"

TL;DR: "just fix everything" is great in principle, pretty much impossible in practice.

I'd love to use https!

[XanC]

...So why does Slashdot redirect HTTPS back to HTTP??

Re:I'd love to use https!

because slashdot is not run by tech people anymore, its just a large ignorant media conglomerate that cares not for it users until it starts to affect the bottom line.

Besides enabling https could take minutes of labor time from literally ones of administrators to implement that's not free you know

Flash vulnerability?

[Animats]

Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash? Who audits that code? Well?

Re:Flash vulnerability?

[timeOday]

No, I don't think it's a Flash vulnerability. It is awfully obscured in the article by general hand-waving, but I think the idea here is to trick people into installing an executable that isn't really Flash by causing an executable that presents itself as a Flash update to request installation. Since this happens while they are visiting youtube (with a man-in-the-middle doing the injection), the user may assume it is a legit update and install the malware.

In other words, Flash and Java are "exploited" only in the sense that people are so used to being pushed security updates, that they may accept a fake update delivered on an insecure connection. Accepting a so-called Flash update from any untrusted site would accomplish the same thing. It really just boils down to the fact that every site is an untrusted site if you're not using https, since you don't know who all is in the middle.

Re:Flash vulnerability?

[onproton]

From the article: "A step-by-step breakdown of how such an attack might occur is as follows: 1. A target is selected and their name is entered into the Network Injection GUI. 2. The target’s traffic stream is located based on their ISP’s RADIUS records. 3. As per the rule on the network injector (as shown in Figure 14), the appliance waits for the target to visit YouTube. 4. When this traffic is identified, it is redirected to the network injection appliance. 5. The legitimate video is blocked and malicious flash (SWF) is injected into the clear-text portion of the traffic. (Represented by the kitty skull and cross bones.) 6. The target is presented with a dialogue to upgrade their flash installation. If this upgrade is accepted the malicious SWF enables the installation of a ‘scout agent’ which provides target validation. 7. If the target is assessed as correct (i.e., the desired person), and safe for install (not a malware analysis honeypot), then the full agent is deployed. 8. Surveillance of the target commences."

Re:This is just evil.

[mythosaz]

Rendering HTML isn't "executing arbitrary code" in any meaningful way.

Re:This is just evil.

[Noah+Haders]

Rendering HTML isn't "executing arbitrary code" in any meaningful way.

"I disagree" -- hackers.

Re:This is just evil.

[mysidia]

Yep, that's called a browser. Arbitrary code is exactly what a webpage or video is.

No. Full stop. A webpage or video is a page which may contain some script language which is to be executed within a certain restricted context pertaining to the webpage domain.

It is code execution, but not arbitrary code execution. A webpage is not supposed to be able to run arbitrary code within the meaning of arbitrary instructions on the CPU; only certain safe instructions within a highly limited scope.

Re:This is just evil.

[LordLimecat]

Its running code, but not arbitrary. There are limits to what code is allowed to execute. The HTML5 spec does not, for instance, allow you to read arbitrary memory locations.

"Executing structured code" perhaps?

Clearly

[fyngyrz]

Java and so forth is not limited enough. Not even close. And outside of that, there's the whole "ooops, the bug let some code execute" that will plague browser-side executables forever, or as close to it as makes no difference.

This is one of the core (ha) problems with client-side execution in a general purpose machine.

If you want to host a reputable website, then the more you can put active functionality for the user in server-side CGI, the better you can actually take that high road. All this java-loaded stuff on websites is a constant invitation to problems. It's an idea that is only safe in a world without bad guys. And our world is hardly that -- even the ones that are supposed to be the good guys (the government) are bad guys now.

But if you can tell your users "turn off client side execution" and your website will still work, then all they need is a browser that can read HTML, CSS and CGI and follow the HTTP and HTTPS protocols. Then if you can get browser manufacturers to quit pretending that HTTPS provides "identity" so the browsers drop the SCARE tactics for self-signed certificates, we can all enjoy the web without nearly as much risk for the surfer or paid blackmail for the site owner.

For all of us who remember how to read and enjoy real web sites, this would just be another (good) day. On the other hand, if you're one of those who doesn't read, likes to type "tl;dr" (and thinks it's funny, instead of sad as heck) and/or one of the video-addicted, you're probably completely screwed. :)