Leaked Demo Video Shows How Government Spyware Infects a Computer

An anonymous reader quotes a report from Motherboard: Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products, or its customers. The video shows an RCS Lab employee performing a live demo of the company's spyware to an unidentified man, including a tutorial on how to use the spyware's control software to perform a man-in-the-middle attack and infect a target computer who wanted to visit a specific website. RCS Lab's spyware, called Mito3, allows agents to easily set up these kind of attacks just by applying a rule in the software settings. An agent can choose whatever site he or she wants to use as a vector, click on a dropdown menu and select "inject HTML" to force the malicious popup to appear, according to the video. Mito3 allows customers to listen in on the target, intercept voice calls, text messages, video calls, social media activities, and chats, apparently both on computer and mobile platforms. It also allows police to track the target and geo-locate it thanks to the GPS. It even offers automatic transcription of the recordings, according to a confidential brochure obtained by Motherboard. The company's employee shows how such an attack would work, setting mirc.com (the site of a popular IRC chat client) to be injected with malware (this is shown around 4:45 minutes in). Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware. A direct link to the YouTube video can be found here.

ONE WORD!

ZIKA!

Why are you people so worried about this?

The government doesn't have time to investigate most people. Unless you're clearly up to no good, you don't have to worry about spyware like this. I've never understood why Slashdot users are so paranoid about this type of surveillance. What exactly are you hiding? Terrorism? Illegal porn? Money laundering with Bitcoins? If you weren't breaking the law, you wouldn't have anything to be concerned about.

Re: Why are you people so worried about this?

Sir, your stupidity is pegged off, scale high.

Re: Why are you people so worried about this?

[tal_mud]

Ah, I think you missed the sarcasm in the parent post.

Re: Why are you people so worried about this?

[mwvdlee]

That's probably because a lot of people say the exact same thing without being sarcastic at all.

Re:Why are you people so worried about this?

So no one has ever used or would ever use their position/knowledge for person gain or personal reasons? Would you trust your neighbor with this or anyone you went to highschool with this? The government is made of people and people make mistakes... a lot of mistakes.

Re: Why are you people so worried about this?

[Godwin+O'Hitler]

An excellent illustration of Poe's Law in fact. https://en.wikipedia.org/wiki/...

Re:Why are you people so worried about this?

I've never understood why Slashdot users are so paranoid about this type of surveillance.

It is because many Slashdot users are Americans and in America, innovation is encouraged even in the government activities like law enforcement. Can't have authorities following laws, or stifle their innovation in catching the bad people by writing laws. Because America, the land of innovation.

Re:Why are you people so worried about this?

How about revealing the identity of the group of people who have taken over our societies and are running them as giant gulags? (For people like you, of course, this is news... because you can't be bothered to investigate things for yourself, or to question anything.)

i.e. wouldn't it be a GOOD thing if somebody proved that 6 million Jews weren't killed in the 'Holocaust'? So wouldn't it be better that Jews were shown to be liars, than for 6 million of them to have been killed? Yet people are imprisoned for YEARS for merely PROVING that it didn't happen.

Re:Why are you people so worried about this?

[Opportunist]

Mmm.... 5/10 on the troll scale. Good effort, lots of triggers, but overused.

Re:Why are you people so worried about this?

[phantomfive]

If it weren't for the abuses we've already seen (look up LOVEINT for just a simple example), if it weren't for secret courts that approve warrants and perform trials with hidden evidence, then maybe you would have a point.

We've already seen too many abuses of these powers.

Re:Why are you people so worried about this?

You seem quite worked up over this, why is that? Receiving a govt check from a 3 letter organization as you type? Pent up virgin anger? It would be best to investigate your life as something clearly isn't right.

Re:Why are you people so worried about this?

"How about revealing the identity of the group of people who have taken over our societies and are running them as giant gulags? "
you mean the bilderberg group? their memberlist is public

Re:Why are you people so worried about this?

[fgouget]

Unless you're clearly up to no good, you don't have to worry about spyware like this.

You mean up to no good like Angela Merkel, Chirac, Sarkozy and Hollande the last three French presidents, and 35 world leaders?

But of course you don't need to be a celebrity or a politician to be up to no good. You could be trying to help people through a humanitarian organization like the Red Cross, Doctors Without Borders, , or you could just have said something bad about the government of a minor island, etc.

And even if you're not one of the above 'bad people', you could simply be one of the 90% of people who are collateral surveillance victims. So no, you don't need to be up to no good to be under surveillance and that's something to be concerned about.

Re:Why are you people so worried about this?

[cs96and]

"If you have nothing to hide you have nothing to fear". If you had nothing to hide you would be perfectly willing to wander round naked all the time and have no curtains on your windows. You'd be willing to install microphones in all the rooms in your house and let any passer-by listen in. You'd be willing to give me your online banking details. I could go on. Yes I have something to hide. We all do.

Re:Why are you people so worried about this?

[HBI]

I reject the premise that there was an excuse for the surveillance in the first place. People were stupid enough to buy into the idea that it would protect them from terrorism, but how many terrorist attacks in the US in the last 8 years....something like 8 or so last time I looked. "Well the numbers of dead are small" isn't an argument. The fact that the attacks happened invalidates the justification for the surveillance and the Patriot Act. If people are going to die anyway, most would prefer to be free from government surveillance.

The sad part is that once you lose a freedom, getting it back has a price in blood. The retards who cheered on the Patriot Act failed to think about this.

Re:Why are you people so worried about this?

Angela Merkel

Well clearly germans are bad people. they have been the bad guys in at least 2 world wars.

last three french presidents

i think that says it all, can we really trust the french anyway?

35 world leaders

ok, so all kidding aside isn't it the NSA's job to...spy on foreign countries? the only issue here is that they were caught. i would expect those countries to also be trying to spy on our leaders as well. and it is also partly the NSA's job's to try to counter that, and/or provide them with false info or at the very least be aware of the capabilities and extent of the other countries spying efforts.

now as for some of these others you list, should they have been spied on? probably not. i don't fully trust the NSA, but spying on foreigners is sort of their job. i have a problem when they spy domestically on their own citizens. and getting the British intelligence to spy on your own citizens and then reporting what they find to you, in exchange for you doing the same for them, isn't much different than if you spied on your own citizens yourself.

Re:Why are you people so worried about this?

[Impy+the+Impiuos+Imp]

The government doesn't have time to investigate most people. Unless you're clearly up to no good, you don't have to worry about spyware like this. I've never understood why Slashdot users are so paranoid about this type of surveillance. What exactly are you hiding? Terrorism? Illegal porn? Money laundering with Bitcoins? If you weren't breaking the law, you wouldn't have anything to be concerned about.

You assume the only thing it might be used for is terrorism or crime. What if it is a political faction listening in to another one?

That is what happens in most of the world, and why the bulk of the US Constitution was formulated around not giving the king the tools to root through the stuff of their political opponents.

With no tracking or logging, and little more than a checkbox for getting a warrant, it is trivial to bypass this. That is the problem.

And even if the US didn't have this problem with 100% honest officials, what about Putin or China or that newborn dictator in Turkey? Or the entire mideast?

We need to stop building these tools.

Re:Why are you people so worried about this?

yes and the parent to this comment ignores the fact that those governments also spy on the USA.

Re:Why are you people so worried about this?

[Nemyst]

While it is arguable that yes, the NSA's job is to spy on other countries, it still invalidates the claim that "Unless you're clearly up to no good, you don't have to worry about spyware like this."

All you have to do to be the target of spyware like this is "be interesting", or an unfortunate collateral in the quest towards someone who is interesting. "Interesting" here is rather loosely defined and can basically encompass most of the world population.

Re: Why are you people so worried about this?

Quoting pithy but meaningless "laws"... Yup, you're a neckbeard.

Re: Why are you people so worried about this?

I find your post interesting. You are under arrest, you have the right to remain silent...

Heyyyy wait a minute...

Re:Why are you people so worried about this?

You could also be one of those suspicious people who visits Linux Journal or uses VPNs.

Re:Why are you people so worried about this?

Have you bothered to look at the targets of most government actions these days utilizing warrantless surveillance/records access? Beyond the few token "terrorists" (mostly mentally/financially destitute individuals conned by paid government informants into "planning attacks" with no real chance/intention of committing them) mostly it is used to go after low level drug dealers, copyright infringers and people who run afoul of some random official with access to the information. There was a case not long back where Secret Service agents used records of some politicians attempt to become an agent in an effort to discredit him. And before you say "oh well as long as I don't break the law" you are suggesting an impossibility, the legal system is so convoluted these days that it is believe that your average person is "guilty" of multiple felonies per day. People have literally been arrested for standing on a sidewalk or asking for the basis of an officers authority to disperse a group of grandmas discussing funeral arrangements. That is even before you get to the people who have committed minor crimes ("stealing" publicly funded research papers) who face decades of prison time on trumped up charges.

Re: Why are you people so worried about this?

"Mistakes"

Re: Why are you people so worried about this?

Back in the early CIA days, we had Operation Mockingbird, MK-ULTRA & Operation CHAOS. On the FBI side, we have COINTELPRO.

We have few to no avenues to find out how many of these programs still exist under different designations.

Add to that the suspicious circumstances in which some investigative journalists have died in recent years, and we have a potentially very scary situation on our hands.

If you have nothing to hide, you have nothing to fear.

Re:Why are you people so worried about this?

[Burz]

yes and the parent to this comment ignores the fact that those governments also spy on the USA.

And you ignore the fact that they're not bugging the phones of our highest elected officials. But its 'OK' for the US to do it to them.

American Exceptionalism is largely about treating even your allies like vassal states.

Re:Why are you people so worried about this?

except they are bugging or attempting to bug the phones of our highest elected officials, they just haven't yet been caught doing it or if they have they haven't been outed publicly for it.

you are naive if you don't think they are at least trying.

what about Five Eyes? or Echelon? there are at least 4 other countries doing the same.

Re: Why are you people so worried about this?

[interstellarsurfer]

NSA = National Security Agency, not National Surveilance Agency. If this shit was coming out of the CIA, I would be wholly unsurprised and a little less concerned. The NSA was supposed to be limited in scope to protecting American territory from organized terrorism. The reason all these espionage programs are under the NSA's jurisdiction now, is because of the Patriot Act's funding, and Executive Orders giving them carte blanch to circumvent the law.

Re: Why are you people so worried about this?

[lsatenstein]

I think it's time for are computers so I have the open-source bias software. At least with the open source software we have a chance of ensuring that there is no hacked code to usurp our privacy.
I am more concerned about hacking the Intel or AMP CPU.

Re:Why are you people so worried about this?

[lsatenstein]

"If you have nothing to hide you have nothing to fear".

If you had nothing to hide you would be perfectly willing to wander round naked all the time and have no curtains on your windows. You'd be willing to install microphones in all the rooms in your house and let any passer-by listen in. You'd be willing to give me your online banking details.

I could go on. Yes I have something to hide. We all do.

What I legitimately have to fear is unauthorized access to the notes I keep for my needs, such as bank account numbers, insurance policies, driver permit info, etc. Data that I suppose should not reside within a cellphone.

Here is something I would like to address about security. Since I believe that there is no stopping government invasion of privacy.

We should be able to get an open-source computer bios. A bios that is trimmed down severely, and where the major half of the bios is open source code residing within your USB flash drive, cellphone, tablet or desktop boot partition.

But my major fear is the introduction of the backdoor into the Intel and AMD cpu's. Yes, as each release of a CPU eventually gets a microcode update, that backdoor is required. Currently it is used as a microcode update to correct a faulty instruction that needs a tweak. There is enough space within the CPU to in fact add a few extra instructions -- instructions that are currently NO-OPS but can be revised to work around any data or program security that is normally installed. If the government sends Intel the patch, it gets into your operating system as a kernel microcode update, and voila, your system is contaminated without your finding any extra software software clandestinely.
That is also why foreign countries (China, Russia, India)are justifying the design and marketing of their own cpu chips.
All I can forecast is that in the future, it will be easier to hack your computer chip in each appliance that you own.

Re:Why are you people so worried about this?

[peawormsworth]

Of course we, the honest citizens have nothing to worry about from software like this.

People who believe that monitoring occurs in the manner shown in this video are the same people who think we have nothing to worry about regarding mass surveillance. Those who are aware are concerned about something else. This is not how we lose our freedoms on mass.

Authenticity?

Why should the purported "spyware" be able to do anything real, when tax payer money is easier to grab than ever before?

Re: Authenticity?

You just dont get it, son

Info on how access is obtained?

In the video it shows that the fake flash installation is to avoid the certificate warnings about the mitm attack. Yet how is the mitm set up? Have they gained access to network devices or another section of this network

Re:Info on how access is obtained?

[110010001000]

They probably do, or they have a MITM proxy setup that all the traffic is redirected to. This is trivial to do, and there are lots of companies that do this for other reasons (like performance monitoring). This is only shocking if you don't understand how networks actually work. They aren't secure, period.

Re:Info on how access is obtained?

[freeze128]

It seems like a lot of trouble to go through just to hope that the computer user is dumb enough to click on your adobe update link. They would probably have better luck if they just joined an advertising network and delivered their malware through an ad.... or sent an email with a spearfishing attack. Heck, if you have a warrant for this through a FISA court, why not then just sneak into the target's house and plant the malware directly?

Re:Info on how access is obtained?

This is trivial to do,

Uh-huh. Yeah. Trivial. How come people who say "This is trivial to do" always skip over the steps on how to do it? Why is it you want me to blindly accept that the difficult bits are easy? Is it because you really are talking out of your ass?

Re:Info on how access is obtained?

Thats adorable.

I'm glad there are still people around that think courts and warrants and things like that are still relevant to whatever a government wants to do.

Re:Info on how access is obtained?

For possibly the first time ever, 110010001000 isn't talking out his ass. How do you think 3rd party firewalls work on Windows?

Re:Info on how access is obtained?

It actually is pretty trivial if you are able to get on the target's network or just about any network in between. You can do it locally with great ease using ARP poisoning, for which very very few networks and no default OS configurations I'm aware of implement any kind of defense. In the vast majority of networks I've seen, you can get a device on their network by simply walking in the front door with a laptop bag and a polo, finding an ethernet jack, and plugging it in. In a location with slightly better physical security, just ask the receptionist to print something for your meeting from your USB drive. And of course there are plenty of phishing games you can play if you don't have physical access to the target network.

Re:Info on how access is obtained?

Comments on youtube say:

1. Avira is installed but turned off
2. You can avoid this attack by:
* If you're prompted to update Adobe Flash, go to the Adobe flash website and install it manually. don't use the handy prompt. Make sure the address starts with https when you download from the Adobe website. (If you're prompted to update Flash in Chrome, it's a fake. Chrome has Flash built in.)
* If Chrome mentions that a well-known installer (such as Flash) is signed by Unknown Publisher, don't fucking run it.
* Never use Internet Explorer.
* If every https site you go to gives you a certificate error (and your computer's date and time are correct), use a different internet connection or a vpn.
* Don't disable UAC on Windows 7.

Re:Info on how access is obtained?

How come people who say "This is trivial to do" always skip over the steps on how to do it? Why is it you want me to blindly accept that the difficult bits are easy?

Good question, and a valid one.

But if you want an eye-opener than you could do worse than to look up a piece of sofware named "SSLStrip", written by a bloke named "moxi marlinspike".

On a DEFCON gathering he spoke about how the SSL protocol and certificates contain a number of ... problems making mitm rather easy (you can find a recording of it on Youtube)

The above is of a few years back though, so it is possible that that approach has been patched in the mean time.

Re:Info on how access is obtained?

Right. The exploit has already been setup. It's script kiddie shit to do a secondary infection after the host is already compromised.

Show us how he was initially compromised *remotely*, *without* his own stupidity (like clicking on a link from a "friend") and then I'll sit up and take notice. Otherwise, hitting the snooze button. Nothing to see here folks, move along.

Re:Info on how access is obtained?

No it's extremely trivial. All you need to do is put a device between your computer and the remote server. Most of the time, this is done at the ISP gateway (in the case of government spying). Another effective way to do it is to hack the squid proxy server for an organization. Most companies centralize Internet access through the company proxy and if they're using Squid then you just need to infect the Squid. There are so many ways to inject HTML into an HTTP request... hell you can even inject HTML on the workstation itself by intercepting the HTTP/1.1 response before it gets to the browser (this is how the F12 debugger tools in all the browsers work).

Re:Info on how access is obtained?

[nitehawk214]

On my computer? Not bloody well.

Re:Info on how access is obtained?

[AHuxley]

The smarter version that gets all people using that site would attract too much attention.
All kinds of heuristic and behaviour tests are sold by different AV brands globally. So its best to just attempt to look like random expected malware and go after one silly click happy user.
If the AV detects the intrusion, its just random malware. No other AV detection is escalated, nobody starts looking as the AV brands know.
Often the users must be ready to click or it would not be offered as is?
Re 'sneak into the target's house and plant the malware directly?"
Thats getting hard in Western nations as the traditional closed communities that need that kind of 24/7 watch are very inward looking and would see a strange van, car, people at a door, down the side of a home or entering a home. The contractor or ex mil people with the skills are kind of stand out in most nations vs a closed society that is on watch for just such gov intrusions.
Sneak and peak works well if a lot of people are making deliveries, working on a renovation, selling, renting, new renters next door...
Most people would recall the first fake and second real arrival of a tradesperson over a few hours walking around their home.
That can be hard to arrange or induce for the security services given staffing and skill sets needed to blend into a community packed with very well protected interesting people.
So contractors sell govs on renting malware and remote server grade solutions.

really?

it relies on popups to work?

Re:really?

[Opportunist]

Why not? People are stupid and click everything.

Re:really?

click

Re:really?

it didn't work.

*clicks again*

Re:really?

You only think it didn't work. I now own your computer and all your pr0n.

YFN super secret spyware == social engineering

Slick tricks to trick user to downloading and installing malware.

Re:YFN super secret spyware == social engineering

[Opportunist]

Aka Redneck-Virus. Please click here for infection.

Re:YFN super secret spyware == social engineering

Redneck here. I clicked where indicated but instead of expected virus, nothing happened. A------- would not click again.

Government?

[hyperar]

All i see is a supposed "hacker" that doesn't even know that by clicking "Advanced" link button on the Chrome security warning page you can proceed, don't know how they set up the MITM attack on the users PC, and Avira is off as you can clearly see the umbrella is closed.

Re:Government?

This was intentionally leaked. People who watch this video are going to think the govt hackers are some retards. They aren't showing you the Microsoft backdoor that NSA uses to access Microsoft's CEIP data, or the one to access any windows PC. MS has in the legal fine print they are allowed to enter your computer remotely and even run programs. This would also include anyone MS wishes to also give access to.

Re:Government?

Is that the same reason why they needed a third party to come in to disconnect a circuit on an iphone?

Re: Government?

What the fuck do iPhones have to do with Microsoft?

Re:Government?

MS has in the legal fine print they are allowed to enter your computer remotely and even run programs. This would also include anyone MS wishes to also give access to.

Can you provide a link or photo or any proof at all that demonstrates this? I'm not doubting you, it's just that this would be a good tool for showing people that MS operating systems can be a very bad choice.

Re:Government?

Can you provide a link or photo or any proof at all that demonstrates this? I'm not doubting you, it's just that this would be a good tool for showing people that MS operating systems can be a very bad choice.

I'm not the GP, but:

Feedback, diagnostics, and privacy in Windows 10

- Basic (mandatory): all the hardware connected to your computer, all the software you use and when you use it, all the networks you connect to and details about these connections.

- Enhanced (default): what you do on your software ("how often you use certain features").

- Full (recommended, in bold): memory state in case of crash ("which may unintentionally include parts of a document you were using when a problem occurred"), "to gather the data needed to diagnose and fix the problem (including user content that may have triggered the issue)".

There was a more complete document about these settings, for enterprise clients, that I read around September 2015, on Microsoft.com. In it, they were saying that with the 'Full' setting, they were authorizing themselves to remotely connect to your computer, "to help diagnose issues". Considering the context, it clearly wasn't linked to any support requests, but simply "if there are issues with your computer or software"... I think I remember that is this paragraph, they weren't even talking about crashes anymore, just "issues"... (but who never has had a crash anyway...? I installed Windows 10 just to get the free upgrade, before removing it all, in case I really need it later, and it crashed twice during setup because I hadn't disabled my secondary HDD with GNU/Linux on it...).

Well anyway, in this document at least, you sure could partially avoid the most intrusive parts (random MS tech guys reading your electronic diary or watching photos of your wife and kids), but anyone following the 'recommendations' is pretty much allowing MS to do everything they want with their computer and personal files. And even the mandatory 'Basic' level is pretty scary in some cases.

And then there is Cortana and the general Microsoft Customer Experience Improvement Program, which by default authorize Microsoft to "gather voice and text samples"...

There are tons of settings everywhere, and many things you cannot disable, particularly if you're not an enterprise client... You just cannot trust such a system... They clearly want you to miss and leave some doors open... And well, it's Microsoft, they never can be trusted anyway...

Re:Government?

[war4peace]

Yeah, I was looking for that too.
It's a standard malware app (badly) arranged to look good.

Re:Government?

That doesn't say what you claim it says. I'm no fan of the overboard diagnostic collection but nothing in there allows for the kind of remote connections you are claiming it does.

Re:Government?

Don't forget the Intel Management Engine, another entire backdoor-capable system recently upgraded with Skylake Gen 6 chips, designed in Haifa.

Between OS and even hardware level backdoor control it illustrates that they have several ways in to the common use scenarios of average PC users.

The only protection is to shun the average environment entirely. For most people this is impossible.

Mom always said: "don't flash".

When I was a little kid, I learnt to not stuff into my mouth everything I found on the streets (sometimes I disregarded that advice and got what I deserved: let me assure you: fresh goat shit is round and shiny and looks somewhat like chocolate but tastes... like shit).

Why browsing people download executable content (real or fake Flash players, but Javascript counts in my book too) and execute it on their computers just escapes me.

Social Engineering?

"You computer may be infected with Spyware! Download the cleaner to fix it now"..

Soooooo elite, and beyond 0day

Re:Social Engineering?

[degantyll]

I never thought this actually worked, then a week ago I got a concerned call from an old time customer that her computer was BSODing. Turns out, the AV license ran out and she got one of this ads and promptly downloaded the "Fix program". Cleaned the program away and the computer ran with no problem. Damn

What does RCS stand for?

"Italian surveillance contractor called RCS Lab"

Rat Cunt Shits because those are the people who work there. These douchebags take money from government to spy on fellow citizens and inflict human rights abuses. They are human trash.

Re:What does RCS stand for?

More like a PR firm trying to downplay the govt's level of hacking ability.

Remember, it was just recently the Shadow Brokers appeared. This is just part of the govt response.

So you're saying...

[Afty0r]

Once the user downloads the fake update, he or she is infected with the spyware.

...That this won't affect me. Or anyone that matters?

Re:So you're saying...

Consider that the normie horde who gets infected by this also have their machines turned into a botnet which can perform actions such as:

- distributed portscans against large portions of the internet
- attacks utilizing vulns if they find something after portscanning you
- ddos attacks against you or nodes upstream of you
- attacks utilizing vulns against infrastructure in your ISP to engage in hostile action against you

Re:So you're saying...

You bit the bait.

How Government Spyware Infects Microsoft Windows

[khz6955]

"Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware"

The article forgot to mention the malware only 'infects' Microsoft Windows desktops.

Total bullshit

That video is pure bullshit. Even the Avira AV software has been disabled for the "demonstration".

Defendable

[KClaisse]

Someone correct me if I'm wrong, but if a website uses both SSL and HSTS this attack becomes much more difficult, if not impossible (depending on how your browser handles HSTS) as long as its not your first time visiting the website. If you have visited the website before and HSTS is enabled on the site a forged certificate will not work and the victim will not be able to continue. Still scary but its just further reason that more sites, even those that don't transmit critical information, should use HTTPS and HSTS.

Re:Defendable

AFAIK, the latest HTTPS-Everywhere plugin lets you disable all non-SSL browsing (H-E Icon - 'Block all unencrypted requests'). Obviously its usefulness in RL is somewhat limited, but is perhaps a step in the right direction.

Re:Defendable

[KClaisse]

Hmm just did some testing on my own server and even with HSTS and HPKP I was able to MITM a secure connection using fiddler as long as the forged certificate's root CA was in my browsers trusted key store. I am a bit alarmed firefox v48.0.2 didn't seem to complain that the certificate passed wasn't the same as the certificates my site has pinned. I wonder if this is a configuration issue on my end or if I'm misunderstanding the way key-pinning should work.

Re:Defendable

[strikethree]

I am a bit alarmed firefox v48.0.2 didn't seem to complain that the certificate passed wasn't the same as the certificates my site has pinned. I wonder if this is a configuration issue on my end or if I'm misunderstanding the way key-pinning should work.

This is the comment that deserves +6 Informative this year. Thank you.

Re:Defendable

[michael_wojcik]

HSTS isn't relevant in this case (HTTPS using the Fiddler certificate is still HTTPS), but it does seem like HPKP isn't working correctly there. Assuming you'd previously visited your site without Fiddler interpositioning, within the pinning max-age interval.

Oh, wait: I should have checked the docs first. Mozilla says:

Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.

(https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning, emphasis in original)

The Fiddler root certificate was installed by you, so it's a user-defined trust anchor, so any chain that terminates in it is ignored for HPKP.

I understand this is convenient for developers and web admins, but it is something of a hole in HPKP. Just use a little of the ol' social engineering to get the victim to install your certificate, and you can bypass HPKP entirely. Still, HPKP prunes some significant branches of the attack tree, so it remains useful.

Even fake Adobe Flash is dangerous

It's a wonder that even normal computer users haven't yet associated the word 'Adobe' with the software equivalent of nuclear waste.

Re:How Government Spyware Infects Microsoft Window

If you think it couldn't be done on browsers running on Linux/OSX too you're kidding yourself.

mod 0P

the wind appeAred ThFis post brought

As usual the attacks should not work

[aepervius]

"a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware."

The problem as usual is that people are not educated in security. Anybody being a minimum of paranoid would refuse to install a plugin like that froma random web page. Heck flash would probably not work from a random web page.

Re:As usual the attacks should not work

It wouldn't help if the user is educated in security, at an average level.
Instead of an Adobe Flash update, it would be presented as an AVG anti-virus update, or a Microsoft Edge update.
And they'll just keep trying until you click one of them.
Even seasoned experts can be fooled.

Re:As usual the attacks should not work

[Zontar_Thing_From_Ve]

The problem as usual is that people are not educated in security. Anybody being a minimum of paranoid would refuse to install a plugin like that froma random web page.

You'd hope, but most of my friends and all of my family are not IT people and they cover the spectrum from "skeptical about random popups" to "likely to click on anything that pops up with a dire warning telling them they need to click on it immediately". In general people that don't work in IT just don't care about security on their PCs and they grossly underestimate the danger. My brother is a pretty smart guy but he works in sales and over a decade ago he ran an old Win 98 PC at home that he made no attempt to protect with a firewall because he said it was so old that nobody would want to hack it. That's a lot more typical of the non-IT person's thinking than "Wow. I need to be careful because bad people are out there."

Re:As usual the attacks should not work

I don't think the problem is education. Everyone knows by now that they shouldn't open email attachments from unknown sources, shouldn't blindly click "ok", shouldn't install programs they didn't seek out themselves, etc, etc.

I think the real problem is that they simply don't care. They don't want to be bothered with thinking about these annoyances, and therefore they don't.

Re:As usual the attacks should not work

Who the hell arbitrarily installs flash updates these days? That's like being handed a half empty drink with a burnt cigarette butt floating in it and told to drink it.

Re:As usual the attacks should not work

[bill_mcgonigle]

The problem as usual is that people are not educated in security.

We could blame the victims, or we actually point the finger at the company making the computer intrusion tools and the government agencies that fail to prosecute them for aiding and abetting crimes.

Hey, Adobe - how about you destroy this company in court for misappropriation of trademark and willful destruction of reputation? It would be small penance for never doing a massive security audit of flash-plugin.

Re:As usual the attacks should not work

I don't think the specific vector (that vector being the flash player) was the main point tbh. Because of the way the system he was using worked, he could have just as easily sent a modified mirc installer that both installed mirc AND a piece of spyware. I think its assumed that any real-world attacks like this would be tailored quite closely to the specific environment the victim is going to be attacked from to the point where only extremely vigilant users would notice any difference. Even the most security conscious of us don't check every single sha256 hash of every single thing we download, and at any rate security-minded individuals only make up a very small proportion of the valuable targets people would be attacking out there.

Re:As usual the attacks should not work

this would not be a random page for the subject of the exercise - it is just one of the higher stages of surveillance - first fishing with big nets, then focusing till you find some suspects and then direct attack with the nice proxy, identification of possible good target web sides and actual attack. For the subject this would be trusted site. Maybe they would click or not but the possibilities are plenty and not all people control own machines - if this is done on office HW/SW you may not notice anything anyway. We live in a world where we have ever smaller chances to hide. They do not even have to spy on you like this - they may decide that discrediting the victim is good enough - planting evidence or just pretension of such. BTW - have there been any legal steps taken against J. Appelbaum?

Bottom line is governments won already. That is why they laughed while collecting laptops from the Guardian. They cannot protect us from terrorism but we cannot do much against them abusing their power and in fact most of our fellow citizens actively wants so.

Would this infect a Chromebook?

[InterGuru]

Would this infect a Chromebook? I am told they are virus proof.

Re:Would this infect a Chromebook?

Would this infect a Chromebook? I am told they are virus proof.

Chromebooks run on top of Linux. They are NOT virus proof. However, their design is highly virus resistant and there aren't any/many known viruses that target them.

This particular infection is Windows specific. It targets Windows with a Windows executable program, but it could be rewritten to target Linux/Chromebooks if that was desired.

This attack does not exploit some vulnerability in the OS, it exploits the user. The attack is a user installed trojan. If you can trick the user into installing your software you pwn, no matter what.

A fake Flash update

I guess this is only supposed to work about people who shouldn't be using a computer with admin rights in the first place.

If I (or most people here, I hope) got a message about a Flash update:

- If it was on Slashdot or Reddit, I would go to flash.com and download the newest version.
- If it was a popup, hit Alt+F4 faster than I can read the actual content. I don't care if there's a Flash update on a non-Adobe site, I won a lottery I didn't enter, or a woman wanting to f**k who lives so close that it can only be two people, neither of whom look anything like the photo...

Re:A fake Flash update

If most people here got a message about a flash update, they'd close the warning window and/or go to a different website.

Fuck flash, it's not even worthy of a capitalized name anymore.

Re:How Government Spyware Infects Microsoft Window

but most of those who use Linux/OSX think long an hard about installing Flash. If they do, they make sure it is the genuine article (or crapware).

Frankly, the sooner Flash dies a nasty horrible death the better for everyone.

mod, up

Ta:lk to one of the

As usual Flash should not work

I've seen the fake flash installer before, at sites that are otherwise respected. I think it gets through their ad network since I started running a blocker I haven't seen it anymore.

False!

Flash updates, that look exactly like that, are notorious for "randomly" popping up and requesting installation when trying to work, whether on a web page or not. These Falsh updates are so frequent that even I would not give much thought to one randomly popping up after I opened a browser.

I've seen many fake Flash install attempts and this one is flawless. The Flash install pop-up looks entirely real. The source URL for the Flash install shows Adobe. This source URL is not quite normal behavior, but only those very familiar with Flash installs would realize that this isn't quite right, otherwise it looks perfectly legit. The installation progress looks perfectly legit, right down to the infuriating and unnecessary slowness of Flash update installs.

I could not blame a user for falling for this trick.

This is a MITM attack. The rest is just fancy window dressing. The important and difficult part, that is not discussed, is how the MITM session was established in the first place. That is the key! The entire rest of it is simply a user installed trojan. Clearly, this attack could also be launched from a compromised website, but that's not what the story is talking about.

Re:False!

Any web browser on Linux or Windows is going to show popups telling you that your version of Flash, Java, Divx, video or audio codec is out of date and needs updating. Even the bash shell window will pop up a message saying that the thumbnail cache has a problem and needs root access to repair the damage.

Re:False!

[innocent_white_lamb]

Thumbnails are stored in your home directory, in a subdirectory named, appropriately enough, .thumbnails.

If you get a popup in bash (whatever that is; bash is text-only terminal so are you talking about some kind of a window made out of text characters) that asks you for root access to deal with some kind of thumbnails, there's something that either nefarious or really unusual happening and I would be giving a lot of thought to how to proceed before entering the root password at that point.

Re:False!

The popup appears underneath the top bar of the window. It's caused by Nemo:

https://github.com/linuxmint/nemo/blob/37328215ccd75d2300c1d127404ac140357f2971/src/nemo-thumbnail-problem-bar.c#L114

http://unix.stackexchange.com/questions/249182/nemo-how-can-i-fix-a-problem-has-been-detected-with-your-thumbnail-cache

http://askubuntu.com/questions/673739/a-problem-has-been-detected-with-your-thumbnail-cache-fixing-it-will-require-ad

Re:How Government Spyware Infects Microsoft Window

You CLEARLY have never tried to install Flash on Linux.....

Flash is reason why I use Chrome...

[cant_get_a_good_nick]

Chrome has a built in Flash player. Always updated.

So when I see a "you must update Flash" i know it's bogus, since I'm already updated. I tell my family this, since they're non-techies and wouldn't be able to tell a legit popup from a fake. (Im not going to be 100% either).

Oh and Chrome sandboxes its built-in flash better than the plugin can.

Re:Flash is reason why I use Chrome...

[110010001000]

Smart. Plus with Chrome the spying is built-in too, and always on.

Re:How Government Spyware Infects Microsoft Window

[nomadic]

Linux has a built-in security feature in that things like flash hardly ever work correctly, so it's less likely to be installed.

government!

[nomadic]

How dare the government...be a small Italian company.

porn?

whats the difference with this shit and the shit that pops up in porno sites? the fancy bot control program? nigga please

Re:How Government Spyware Infects Microsoft Window

Yep. you are correct sir! Flash for Windows hardly EVER works on Linux. Of course, it hardly ever works anywhere, sooo....

I'll be here all week folks. Tip your waitresses.

Re:How Government Spyware Infects Microsoft Window

but most of those who use Linux/OSX think long an hard about installing Flash. If they do, they make sure it is the genuine article (or crapware).

Frankly, the sooner Flash dies a nasty horrible death the better for everyone.

I read an article stating Adobe is reviving Adobe Flash, not merely providing security updates to the existing codebase.

Re:How Government Spyware Infects Microsoft Window

Even as someone who mostly uses Windows at home, I only ever updated Flash from their official website and never through some kind of pop up. I also ditched Flash entirely as soon as *HTML5 showed up on youtube. The same goes for most of my friends. I don't even understand the need of some people to click on whatever popup is thrown at them, even after they've been told that the internet is full of cheaters and scammers.

*Yeah, HTML5 and Flash aren't really comparable, but for most intends and purposes on the internet (media streaming) they are.

A Hack for Darwinism..

[theinfamousgeek]

Would be the best description for this post. Yes I get the overall message. Sadly this his how a low of "end-users" get pwned.

Re:How Government Spyware Infects Microsoft Window

Linux software updates are delivered via signed packages from the distro, not via web popups.

Re:How Government Spyware Infects Microsoft Window

Just run it in WINE then.

Re:How Government Spyware Infects Microsoft Window

haha.. yea exactly.. You can't install anything in Linux via a browser popup. The only way to install software is using the package managers. Its actually kind o f irritating having to execute 'sudo apt-get update' all the damn time... ;)

Re:How Government Spyware Infects Microsoft Window

however, linux users like to download and compile code...

when was the last time you really read through the linux kernel to make sure there wasn't an backdoor in it?
i supposed you can hope someone else has...isn't that the theory of open source security?

though what about that stupid library that you had to compile to make your GNU Widgets program work? now did you read that? it may not be as popular as something like the linux kernal, so does that really have enough eyes on it to ensure the NSA didn't insert some obfuscated malicious code?

links to the underhanded C or obfuscated C contests seems somewhat relevant here.

here is at least one example of the NSA trying to push a backdoor into software. this one may have been caught, but can we be sure we caught all of their attempts?

Re:How Government Spyware Infects Microsoft Window

[degantyll]

I really really hope you're wrong.