Slashdot Mirror


Watch a Cat Video, Get Hacked: the Death of Clear-Text

New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

14 of 166 comments

  1. https is useless by bbn · · Score: 5, Insightful

    What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

    1. Re:https is useless by HaeMaker · · Score: 4, Interesting

      Correct. What makes anyone think NSA agents aren't working at Google, Microsoft, Verisign, etc.? Does anyone check who actually signed the certs? Almost all devices trust a few DoD root certs by default. Going to Slashdot is safe? No SSL here. Do any of these GIFs, JPGs or PNGs contain exploits? If they want you, they can't get you?

    2. Re:https is useless by gameboyhippo · · Score: 5, Insightful

      Right. And if you have the keys then you can sign your own certificates. Thus allowing Eve to pretend she's Bob.

    3. Re:https is useless by heypete · · Score: 4, Informative

      What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

      Sure, they could, but I doubt they are.

      If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

      While typical users won't notice, there's still plenty of risk to getting caught, particularly when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile sites "pinned" and will report back to Google if bogus certs are being used (they identified a bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives make it easier to detect if unexpected certs are showing up.

      Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly, but each time they do the risk to their entire business increases.

      I suspect the government would much prefer to do things sneakily in the shadows, rather than involving major CAs in such a risky role.

    4. Re:https is useless by TechyImmigrant · · Score: 4, Informative

      If the state can forge certs, the state can redirect your traffic to their youtube proxy and insert the malware just behind the fake thing you authenticated with. Your own private keys will not protect you.

      This is one of the many reasons why the public PKI is broken.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

    5. Re:https is useless by PopeRatzo · · Score: 4, Insightful

      If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

      Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?

      I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help the government spy on people because then all their customers would cancel their service.

      No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

      --
      You are welcome on my lawn.

  2. I'd love to use https! by XanC · · Score: 5, Interesting

    ...So why does Slashdot redirect HTTPS back to HTTP??

    1. Re:I'd love to use https! by Anonymous Coward · · Score: 5, Informative

      Because Slashdot is not run by tech people anymore; it's just a large, ignorant media conglomerate that cares not for its users until it starts to affect the bottom line.

      Besides, enabling https could take minutes of labor time from literally ones of administrators to implement; that's not free, you know.

  3. Re:This is just evil. by mythosaz · · Score: 4, Informative

    Rendering HTML isn't "executing arbitrary code" in any meaningful way.

  4. Re:This is just evil. by mysidia · · Score: 5, Insightful

    Yep, that's called a browser. Arbitrary code is exactly what a webpage or video is.

    No. Full stop. A webpage or video is a page which may contain some script language which is to be executed within a certain restricted context pertaining to the webpage domain.

    It is code execution, but not arbitrary code execution. A webpage is not supposed to be able to run arbitrary code within the meaning of arbitrary instructions on the CPU; only certain safe instructions within a highly limited scope.

  5. Re:Flash vulnerability? by timeOday · · Score: 4, Informative

    No, I don't think it's a Flash vulnerability. It is awfully obscured in the article by general hand-waving, but I think the idea here is to trick people into installing an executable that isn't really Flash by causing an executable that presents itself as a Flash update to request installation. Since this happens while they are visiting youtube (with a man-in-the-middle doing the injection), the user may assume it is a legit update and install the malware.

    In other words, Flash and Java are "exploited" only in the sense that people are so used to being pushed security updates, that they may accept a fake update delivered on an insecure connection. Accepting a so-called Flash update from any untrusted site would accomplish the same thing. It really just boils down to the fact that every site is an untrusted site if you're not using https, since you don't know who all is in the middle.

  6. Re:Flash vulnerability? by onproton · · Score: 5, Informative

    From the article: "A step-by-step breakdown of how such an attack might occur is as follows:

      1. A target is selected and their name is entered into the Network Injection GUI.
      2. The target’s traffic stream is located based on their ISP’s RADIUS records.
      3. As per the rule on the network injector (as shown in Figure 14), the appliance waits for the target to visit YouTube.
      4. When this traffic is identified, it is redirected to the network injection appliance.
      5. The legitimate video is blocked and malicious flash (SWF) is injected into the clear-text portion of the traffic. (Represented by the kitty skull and cross bones.)
      6. The target is presented with a dialogue to upgrade their flash installation. If this upgrade is accepted the malicious SWF enables the installation of a ‘scout agent’ which provides target validation.
      7. If the target is assessed as correct (i.e., the desired person), and safe for install (not a malware analysis honeypot), then the full agent is deployed.
      8. Surveillance of the target commences."
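    An added example, not from the Citizen Lab article or from any commenter above, of the defender's-side check that timeOday's and onproton's Flash comments imply: a passive detector that flags a clear-text media response whose body is an SWF (or not a recognisable video container at all) rather than the video its headers declare. The sample HTTP responses are constructed, and the function names and format magic bytes are my own choices.

```python
# Added example (not code from the article or the thread): flag an HTTP media
# response whose body does not match its declared Content-Type, the shape of
# the injection described in the post (video blocked, SWF injected in its place).
# Only clear-text HTTP can be inspected this way, which is the point of the story.

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")          # uncompressed / zlib / LZMA SWF


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def sniff_body(body: bytes) -> str:
    """Identify the container from leading bytes, ignoring what the headers say."""
    if body[:3] in SWF_MAGIC:
        return "swf"
    if body[:4] == b"FLV\x01":
        return "flv"
    if body[4:8] == b"ftyp":                  # MP4: 4-byte box size, then 'ftyp'
        return "mp4"
    if body[:4] == b"\x1a\x45\xdf\xa3":       # EBML header (WebM/Matroska)
        return "webm"
    return "unknown"


def check_media_response(raw: bytes):
    """Return a finding string for a media response that looks injected, else None."""
    status, headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    kind = sniff_body(body)
    if kind == "swf":
        return f"SWF body where {ctype or 'no type'} was declared ({status})"
    if ctype.startswith("video/") and kind == "unknown":
        return f"declared {ctype} but body is not a known media container"
    return None


# Constructed samples: a benign FLV reply and one where SWF bytes replaced the video.
GOOD = (b"HTTP/1.1 200 OK\r\nContent-Type: video/x-flv\r\n\r\n"
        b"FLV\x01\x05\x00\x00\x00\x09" + b"\x00" * 16)
INJECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: video/x-flv\r\n\r\n"
            b"CWS\x0a" + b"\x00" * 16)
```

    Run against a capture of plaintext traffic, a hit on a YouTube media URL is exactly the "kitty skull and crossbones" step in the list above; over HTTPS the same check has nothing to inspect, which is the trade the injector relies on.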

  7. Re:This is just evil. by LordLimecat · · Score: 4, Insightful

    It's running code, but not arbitrary. There are limits to what code is allowed to execute. The HTML5 spec does not, for instance, allow you to read arbitrary memory locations.

    "Executing structured code" perhaps?

  8. Clearly by fyngyrz · · Score: 4, Interesting

    Java and so forth are not limited enough. Not even close. And outside of that, there's the whole "ooops, the bug let some code execute" that will plague browser-side executables forever, or as close to it as makes no difference.

    This is one of the core (ha) problems with client-side execution in a general purpose machine.

    If you want to host a reputable website, then the more you can put active functionality for the user in server-side CGI, the better you can actually take that high road. All this java-loaded stuff on websites is a constant invitation to problems. It's an idea that is only safe in a world without bad guys. And our world is hardly that -- even the ones that are supposed to be the good guys (the government) are bad guys now.

    But if you can tell your users "turn off client side execution" and your website will still work, then all they need is a browser that can read HTML, CSS and CGI and follow the HTTP and HTTPS protocols. Then if you can get browser manufacturers to quit pretending that HTTPS provides "identity" so the browsers drop the SCARE tactics for self-signed certificates, we can all enjoy the web without nearly as much risk for the surfer or paid blackmail for the site owner.

    For all of us who remember how to read and enjoy real web sites, this would just be another (good) day. On the other hand, if you're one of those who doesn't read, likes to type "tl;dr" (and thinks it's funny, instead of sad as heck) and/or one of the video-addicted, you're probably completely screwed. :)

    --
    I've fallen off your lawn, and I can't get up.