Leaked Demo Video Shows How Government Spyware Infects a Computer (vice.com)
An anonymous reader quotes a report from Motherboard: Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products, or its customers. The video shows an RCS Lab employee performing a live demo of the company's spyware to an unidentified man, including a tutorial on how to use the spyware's control software to perform a man-in-the-middle attack and infect a target computer whose user wanted to visit a specific website. RCS Lab's spyware, called Mito3, allows agents to easily set up these kinds of attacks just by applying a rule in the software settings. An agent can choose whatever site he or she wants to use as a vector, click on a dropdown menu and select "inject HTML" to force the malicious popup to appear, according to the video. Mito3 allows customers to listen in on the target, intercept voice calls, text messages, video calls, social media activities, and chats, apparently both on computer and mobile platforms. It also allows police to track the target and geo-locate it thanks to the GPS. It even offers automatic transcription of the recordings, according to a confidential brochure obtained by Motherboard. The company's employee shows how such an attack would work, setting mirc.com (the site of a popular IRC chat client) to be injected with malware (this is shown around 4:45 minutes in). Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware. A direct link to the YouTube video can be found here.
Why should the purported "spyware" be able to do anything real, when tax payer money is easier to grab than ever before?
Sir, your stupidity is pegged off, scale high.
In the video it shows that the fake Flash installation is to avoid the certificate warnings about the MITM attack. Yet how is the MITM set up? Have they gained access to network devices or another section of this network?
Ah, I think you missed the sarcasm in the parent post.
it relies on popups to work?
That's probably because a lot of people say the exact same thing without being sarcastic at all.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
So no one has ever used or would ever use their position/knowledge for person gain or personal reasons? Would you trust your neighbor with this or anyone you went to highschool with this? The government is made of people and people make mistakes... a lot of mistakes.
Slick tricks to trick user to downloading and installing malware.
All I see is a supposed "hacker" that doesn't even know that by clicking the "Advanced" link button on the Chrome security warning page you can proceed, doesn't know how they set up the MITM attack on the user's PC, and Avira is off as you can clearly see the umbrella is closed.
When I was a little kid, I learnt to not stuff into my mouth everything I found on the streets (sometimes I disregarded that advice and got what I deserved: let me assure you: fresh goat shit is round and shiny and looks somewhat like chocolate but tastes... like shit).
Why browsing people download executable content (real or fake Flash players, but Javascript counts in my book too) and execute it on their computers just escapes me.
An excellent illustration of Poe's Law in fact. https://en.wikipedia.org/wiki/...
No, your children are not the special ones. Nor are your pets.
"Your computer may be infected with Spyware! Download the cleaner to fix it now"..
Soooooo elite, and beyond 0day
How about revealing the identity of the group of people who have taken over our societies and are running them as giant gulags? (For people like you, of course, this is news... because you can't be bothered to investigate things for yourself, or to question anything.)
i.e. wouldn't it be a GOOD thing if somebody proved that 6 million Jews weren't killed in the 'Holocaust'? So wouldn't it be better that Jews were shown to be liars, than for 6 million of them to have been killed? Yet people are imprisoned for YEARS for merely PROVING that it didn't happen.
Mmm.... 5/10 on the troll scale. Good effort, lots of triggers, but overused.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"Italian surveillance contractor called RCS Lab"
Rat Cunt Shits because those are the people who work there. These douchebags take money from government to spy on fellow citizens and inflict human rights abuses. They are human trash.
If it weren't for the abuses we've already seen (look up LOVEINT for just a simple example), if it weren't for secret courts that approve warrants and perform trials with hidden evidence, then maybe you would have a point.
We've already seen too many abuses of these powers.
"First they came for the slanderers and I said nothing."
"Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware"
The article forgot to mention the malware only 'infects' Microsoft Windows desktops.
That video is pure bullshit. Even the Avira AV software has been disabled for the "demonstration".
Someone correct me if I'm wrong, but if a website uses both SSL and HSTS this attack becomes much more difficult, if not impossible (depending on how your browser handles HSTS) as long as it's not your first time visiting the website. If you have visited the website before and HSTS is enabled on the site, a forged certificate will not work and the victim will not be able to continue. Still scary, but it's just further reason that more sites, even those that don't transmit critical information, should use HTTPS and HSTS.
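An added example, not from the thread or from the Motherboard report, that models the first-visit versus later-visit distinction this comment makes: a small HSTS cache in the style a browser keeps (RFC 6797), plus the outcome a browser reaches when a forged certificate is presented. It goes slightly beyond the comment by also covering includeSubDomains and policy expiry; the host names, header values and timestamps are constructed.

```python
import re
import time

# Matches the max-age directive of a Strict-Transport-Security header.
_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


class HstsCache:
    """Per-host list of 'known HSTS hosts' as a browser keeps it (RFC 6797)."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def observe(self, host, headers, now=None):
        """Record a policy seen on a response that arrived over a valid TLS
        connection; browsers ignore the header over plain HTTP or a bad cert."""
        now = time.time() if now is None else now
        sts = headers.get("strict-transport-security")
        if sts is None:
            return
        m = _MAX_AGE.search(sts)
        if not m:
            return  # no parseable max-age: the header is ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self._hosts.pop(host.lower(), None)  # max-age=0 forgets the host
            return
        self._hosts[host.lower()] = (now + max_age, "includesubdomains" in sts.lower())

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False


def connection_outcome(cache, host, scheme, cert_valid, now=None):
    """'proceed', 'upgrade' (http rewritten to https before anything is sent),
    'interstitial' (certificate warning with a click-through) or
    'hard_fail' (known HSTS host plus a bad certificate: no click-through)."""
    known = cache.is_known(host, now)
    if scheme == "http":
        return "upgrade" if known else "proceed"
    if cert_valid:
        return "proceed"
    return "hard_fail" if known else "interstitial"


def walkthrough(now=1_000_000.0):
    """Constructed scenario: a forged certificate on a first visit, then after a
    genuine visit that delivered HSTS, then for a subdomain, then after expiry."""
    cache = HstsCache()
    hsts = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
    first = connection_outcome(cache, "example.test", "https", False, now)
    cache.observe("example.test", hsts, now)  # genuine visit, valid certificate
    later = connection_outcome(cache, "example.test", "https", False, now + 3600)
    sub = connection_outcome(cache, "www.example.test", "http", True, now + 3600)
    expired = connection_outcome(cache, "example.test", "https", False, now + 40_000_000)
    return first, later, sub, expired


if __name__ == "__main__":
    print(walkthrough())  # ('interstitial', 'hard_fail', 'upgrade', 'interstitial')
```

The first result is the click-through warning a user can still accept; the second is the hard failure the comment describes, and the last shows why a short max-age gives the protection back up once it expires.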
It's a wonder that even normal computer users haven't yet associated the word 'Adobe' with the software equivalent of nuclear waste.
If you think it couldn't be done on browsers running on Linux/OSX too you're kidding yourself.
"a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware."
The problem as usual is that people are not educated in security. Anybody being a minimum of paranoid would refuse to install a plugin like that from a random web page. Heck, Flash would probably not work from a random web page.
C. Sagan: A Demon-Haunted World:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
"How about revealing the identity of the group of people who have taken over our societies and are running them as giant gulags? "
You mean the Bilderberg Group? Their member list is public.
Would this infect a Chromebook? I am told they are virus proof.
Unless you're clearly up to no good, you don't have to worry about spyware like this.
You mean up to no good like Angela Merkel, Chirac, Sarkozy and Hollande, the last three French presidents, and 35 world leaders?
But of course you don't need to be a celebrity or a politician to be up to no good. You could be trying to help people through a humanitarian organization like the Red Cross, Doctors Without Borders, or you could just have said something bad about the government of a minor island, etc.
And even if you're not one of the above 'bad people', you could simply be one of the 90% of people who are collateral surveillance victims. So no, you don't need to be up to no good to be under surveillance and that's something to be concerned about.
I guess this is only supposed to work on people who shouldn't be using a computer with admin rights in the first place.
If I (or most people here, I hope) got a message about a Flash update:
- If it was on Slashdot or Reddit, I would go to flash.com and download the newest version.
- If it was a popup, hit Alt+F4 faster than I can read the actual content. I don't care if there's a Flash update on a non-Adobe site, I won a lottery I didn't enter, or a woman wanting to f**k who lives so close that it can only be two people, neither of whom look anything like the photo...
but most of those who use Linux/OSX think long and hard about installing Flash. If they do, they make sure it is the genuine article (or crapware).
Frankly, the sooner Flash dies a nasty horrible death the better for everyone.
I've seen the fake Flash installer before, at sites that are otherwise respected. I think it gets through their ad network; since I started running a blocker I haven't seen it anymore.
Flash updates that look exactly like that are notorious for "randomly" popping up and requesting installation when trying to work, whether on a web page or not. These Flash updates are so frequent that even I would not give much thought to one randomly popping up after I opened a browser.
I've seen many fake Flash install attempts and this one is flawless. The Flash install pop-up looks entirely real. The source URL for the Flash install shows Adobe. This source URL is not quite normal behavior, but only those very familiar with Flash installs would realize that this isn't quite right, otherwise it looks perfectly legit. The installation progress looks perfectly legit, right down to the infuriating and unnecessary slowness of Flash update installs.
I could not blame a user for falling for this trick.
This is a MITM attack. The rest is just fancy window dressing. The important and difficult part, that is not discussed, is how the MITM session was established in the first place. That is the key! The entire rest of it is simply a user installed trojan. Clearly, this attack could also be launched from a compromised website, but that's not what the story is talking about.
You CLEARLY have never tried to install Flash on Linux.....
Chrome has a built in Flash player. Always updated.
So when I see a "you must update Flash" I know it's bogus, since I'm already updated. I tell my family this, since they're non-techies and wouldn't be able to tell a legit popup from a fake. (I'm not going to be 100% either).
Oh and Chrome sandboxes its built-in flash better than the plugin can.
Linux has a built-in security feature in that things like flash hardly ever work correctly, so it's less likely to be installed.
How dare the government...be a small Italian company.
"If you have nothing to hide you have nothing to fear". If you had nothing to hide you would be perfectly willing to wander round naked all the time and have no curtains on your windows. You'd be willing to install microphones in all the rooms in your house and let any passer-by listen in. You'd be willing to give me your online banking details. I could go on. Yes I have something to hide. We all do.
I reject the premise that there was an excuse for the surveillance in the first place. People were stupid enough to buy into the idea that it would protect them from terrorism, but how many terrorist attacks in the US in the last 8 years....something like 8 or so last time I looked. "Well the numbers of dead are small" isn't an argument. The fact that the attacks happened invalidates the justification for the surveillance and the Patriot Act. If people are going to die anyway, most would prefer to be free from government surveillance.
The sad part is that once you lose a freedom, getting it back has a price in blood. The retards who cheered on the Patriot Act failed to think about this.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Angela Merkel
Well clearly Germans are bad people. They have been the bad guys in at least 2 world wars.
last three french presidents
I think that says it all, can we really trust the French anyway?
35 world leaders
OK, so all kidding aside, isn't it the NSA's job to... spy on foreign countries? The only issue here is that they were caught. I would expect those countries to also be trying to spy on our leaders as well. And it is also partly the NSA's job to try to counter that, and/or provide them with false info or at the very least be aware of the capabilities and extent of the other countries' spying efforts.
Now as for some of these others you list, should they have been spied on? Probably not. I don't fully trust the NSA, but spying on foreigners is sort of their job. I have a problem when they spy domestically on their own citizens. And getting the British intelligence to spy on your own citizens and then report what they find to you, in exchange for you doing the same for them, isn't much different than if you spied on your own citizens yourself.
The government doesn't have time to investigate most people. Unless you're clearly up to no good, you don't have to worry about spyware like this. I've never understood why Slashdot users are so paranoid about this type of surveillance. What exactly are you hiding? Terrorism? Illegal porn? Money laundering with Bitcoins? If you weren't breaking the law, you wouldn't have anything to be concerned about.
You assume the only thing it might be used for is terrorism or crime. What if it is a political faction listening in to another one?
That is what happens in most of the world, and why the bulk of the US Constitution was formulated around not giving the king the tools to root through the stuff of their political opponents.
With no tracking or logging, and little more than a checkbox for getting a warrant, it is trivial to bypass this. That is the problem.
And even if the US didn't have this problem with 100% honest officials, what about Putin or China or that newborn dictator in Turkey? Or the entire mideast?
We need to stop building these tools.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
What's the difference between this shit and the shit that pops up on porno sites? The fancy bot control program? nigga please
Yep. you are correct sir! Flash for Windows hardly EVER works on Linux. Of course, it hardly ever works anywhere, sooo....
I'll be here all week folks. Tip your waitresses.
but most of those who use Linux/OSX think long and hard about installing Flash. If they do, they make sure it is the genuine article (or crapware).
Frankly, the sooner Flash dies a nasty horrible death the better for everyone.
I read an article stating Adobe is reviving Adobe Flash, not merely providing security updates to the existing codebase.
Even as someone who mostly uses Windows at home, I only ever updated Flash from their official website and never through some kind of pop up. I also ditched Flash entirely as soon as *HTML5 showed up on youtube. The same goes for most of my friends. I don't even understand the need of some people to click on whatever popup is thrown at them, even after they've been told that the internet is full of cheaters and scammers.
*Yeah, HTML5 and Flash aren't really comparable, but for most intents and purposes on the internet (media streaming) they are.
Yes, and the parent to this comment ignores the fact that those governments also spy on the USA.
While it is arguable that yes, the NSA's job is to spy on other countries, it still invalidates the claim that "Unless you're clearly up to no good, you don't have to worry about spyware like this."
All you have to do to be the target of spyware like this is "be interesting", or an unfortunate collateral in the quest towards someone who is interesting. "Interesting" here is rather loosely defined and can basically encompass most of the world population.
Would be the best description for this post. Yes, I get the overall message. Sadly this is how a lot of "end-users" get pwned.
Quoting pithy but meaningless "laws"... Yup, you're a neckbeard.
I find your post interesting. You are under arrest, you have the right to remain silent...
Heyyyy wait a minute...
Linux software updates are delivered via signed packages from the distro, not via web popups.
You could also be one of those suspicious people who visits Linux Journal or uses VPNs.
Have you bothered to look at the targets of most government actions these days utilizing warrantless surveillance/records access? Beyond the few token "terrorists" (mostly mentally/financially destitute individuals conned by paid government informants into "planning attacks" with no real chance/intention of committing them), mostly it is used to go after low level drug dealers, copyright infringers and people who run afoul of some random official with access to the information. There was a case not long back where Secret Service agents used records of some politician's attempt to become an agent in an effort to discredit him. And before you say "oh well as long as I don't break the law", you are suggesting an impossibility; the legal system is so convoluted these days that it is believed that your average person is "guilty" of multiple felonies per day. People have literally been arrested for standing on a sidewalk or asking for the basis of an officer's authority to disperse a group of grandmas discussing funeral arrangements. That is even before you get to the people who have committed minor crimes ("stealing" publicly funded research papers) who face decades of prison time on trumped up charges.
"Mistakes"
Just run it in WINE then.
haha.. yea exactly.. You can't install anything in Linux via a browser popup. The only way to install software is using the package managers. It's actually kind of irritating having to execute 'sudo apt-get update' all the damn time... ;)
Back in the early CIA days, we had Operation Mockingbird, MK-ULTRA & Operation CHAOS. On the FBI side, we have COINTELPRO.
We have few to no avenues to find out how many of these programs still exist under different designations.
Add to that the suspicious circumstances in which some investigative journalists have died in recent years, and we have a potentially very scary situation on our hands.
If you have nothing to hide, you have nothing to fear.
However, Linux users like to download and compile code...
When was the last time you really read through the Linux kernel to make sure there wasn't a backdoor in it?
I suppose you can hope someone else has... isn't that the theory of open source security?
Though what about that stupid library that you had to compile to make your GNU Widgets program work? Now did you read that? It may not be as popular as something like the Linux kernel, so does that really have enough eyes on it to ensure the NSA didn't insert some obfuscated malicious code?
Links to the Underhanded C or Obfuscated C contests seem somewhat relevant here.
Here is at least one example of the NSA trying to push a backdoor into software. This one may have been caught, but can we be sure we caught all of their attempts?
I really really hope you're wrong.
Yes, and the parent to this comment ignores the fact that those governments also spy on the USA.
And you ignore the fact that they're not bugging the phones of our highest elected officials. But it's 'OK' for the US to do it to them.
American Exceptionalism is largely about treating even your allies like vassal states.
Except they are bugging or attempting to bug the phones of our highest elected officials; they just haven't yet been caught doing it, or if they have, they haven't been outed publicly for it.
You are naive if you don't think they are at least trying.
What about Five Eyes? Or Echelon? There are at least 4 other countries doing the same.
NSA = National Security Agency, not National Surveillance Agency. If this shit was coming out of the CIA, I would be wholly unsurprised and a little less concerned. The NSA was supposed to be limited in scope to protecting American territory from organized terrorism. The reason all these espionage programs are under the NSA's jurisdiction now is because of the Patriot Act's funding, and Executive Orders giving them carte blanche to circumvent the law.
I think it's time for our computers to have open-source BIOS software. At least with open source software we have a chance of ensuring that there is no hacked code to usurp our privacy.
I am more concerned about hacking the Intel or AMD CPU.
Leslie Satenstein Montreal Quebec Canada
"If you have nothing to hide you have nothing to fear".
If you had nothing to hide you would be perfectly willing to wander round naked all the time and have no curtains on your windows. You'd be willing to install microphones in all the rooms in your house and let any passer-by listen in. You'd be willing to give me your online banking details.
I could go on. Yes I have something to hide. We all do.
What I legitimately have to fear is unauthorized access to the notes I keep for my needs, such as bank account numbers, insurance policies, driver permit info, etc. Data that I suppose should not reside within a cellphone.
Here is something I would like to address about security. Since I believe that there is no stopping government invasion of privacy.
We should be able to get an open-source computer BIOS. A BIOS that is trimmed down severely, and where the major half of the BIOS is open source code residing within your USB flash drive, cellphone, tablet or desktop boot partition.
But my major fear is the introduction of the backdoor into the Intel and AMD CPUs. Yes, as each release of a CPU eventually gets a microcode update, that backdoor is required. Currently it is used as a microcode update to correct a faulty instruction that needs a tweak. There is enough space within the CPU to in fact add a few extra instructions -- instructions that are currently NO-OPs but can be revised to work around any data or program security that is normally installed. If the government sends Intel the patch, it gets into your operating system as a kernel microcode update, and voila, your system is contaminated without your finding any extra software clandestinely.
That is also why foreign countries (China, Russia, India) are justifying the design and marketing of their own CPU chips.
All I can forecast is that in the future, it will be easier to hack your computer chip in each appliance that you own.
Leslie Satenstein Montreal Quebec Canada
Of course we, the honest citizens have nothing to worry about from software like this.
People who believe that monitoring occurs in the manner shown in this video are the same people who think we have nothing to worry about regarding mass surveillance. Those who are aware are concerned about something else. This is not how we lose our freedoms en masse.