Slashdot Mirror


Leaked Demo Video Shows How Government Spyware Infects a Computer (vice.com)

An anonymous reader quotes a report from Motherboard: Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products, or its customers. The video shows an RCS Lab employee performing a live demo of the company's spyware to an unidentified man, including a tutorial on how to use the spyware's control software to perform a man-in-the-middle attack and infect a target computer whose user wanted to visit a specific website. RCS Lab's spyware, called Mito3, allows agents to easily set up these kinds of attacks just by applying a rule in the software settings. An agent can choose whatever site he or she wants to use as a vector, click on a dropdown menu and select "inject HTML" to force the malicious popup to appear, according to the video. Mito3 allows customers to listen in on the target, intercept voice calls, text messages, video calls, social media activities, and chats, apparently both on computer and mobile platforms. It also allows police to track the target and geo-locate it thanks to the GPS. It even offers automatic transcription of the recordings, according to a confidential brochure obtained by Motherboard. The company's employee shows how such an attack would work, setting mirc.com (the site of a popular IRC chat client) to be injected with malware (this is shown around 4:45 minutes in). Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware. A direct link to the YouTube video can be found here.

18 of 116 comments

  1. Re: Why are you people so worried about this? by Anonymous Coward · · Score: 3, Insightful

    Sir, your stupidity is pegged off, scale high.

  2. Info on how access is obtained? by Anonymous Coward · · Score: 5, Interesting

    In the video it shows that the fake Flash installation is to avoid the certificate warnings about the MITM attack. Yet how is the MITM set up? Have they gained access to network devices or another section of this network?

  3. really? by Anonymous Coward · · Score: 2, Interesting

    it relies on popups to work?

  4. Re: Why are you people so worried about this? by mwvdlee · · Score: 5, Insightful

    That's probably because a lot of people say the exact same thing without being sarcastic at all.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

  5. Government? by hyperar · · Score: 2

    All I see is a supposed "hacker" that doesn't even know that by clicking the "Advanced" link button on the Chrome security warning page you can proceed, they don't know how they set up the MITM attack on the user's PC, and Avira is off, as you can clearly see the umbrella is closed.

    1. Re:Government? by Anonymous Coward · · Score: 5, Informative

      This was intentionally leaked. People who watch this video are going to think the govt hackers are some retards. They aren't showing you the Microsoft backdoor that NSA uses to access Microsoft's CEIP data, or the one to access any Windows PC. MS has in the legal fine print that they are allowed to enter your computer remotely and even run programs. This would also include anyone MS wishes to also give access to.

  6. Re:Why are you people so worried about this? by phantomfive · · Score: 3, Insightful

    If it weren't for the abuses we've already seen (look up LOVEINT for just a simple example), if it weren't for secret courts that approve warrants and perform trials with hidden evidence, then maybe you would have a point.

    We've already seen too many abuses of these powers.

    --
    "First they came for the slanderers and i said nothing."

  7. How Government Spyware Infects Microsoft Windows by khz6955 · · Score: 2, Informative

    "Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware"

    The article forgot to mention the malware only 'infects' Microsoft Windows desktops.

  8. Re:Defendable by KClaisse · · Score: 5, Interesting

    Hmm, just did some testing on my own server and even with HSTS and HPKP I was able to MITM a secure connection using Fiddler as long as the forged certificate's root CA was in my browser's trusted key store. I am a bit alarmed Firefox v48.0.2 didn't seem to complain that the certificate passed wasn't the same as the certificates my site has pinned. I wonder if this is a configuration issue on my end or if I'm misunderstanding the way key-pinning should work.

  9. As usual the attacks should not work by aepervius · · Score: 5, Insightful

    "a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware."

    The problem as usual is that people are not educated in security. Anybody being a minimum of paranoid would refuse to install a plugin like that from a random web page. Heck, Flash would probably not work from a random web page.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org

    1. Re:As usual the attacks should not work by bill_mcgonigle · · Score: 2

      The problem as usual is that people are not educated in security.

      We could blame the victims, or we could actually point the finger at the company making the computer intrusion tools and the government agencies that fail to prosecute them for aiding and abetting crimes.

      Hey, Adobe - how about you destroy this company in court for misappropriation of trademark and willful destruction of reputation? It would be small penance for never doing a massive security audit of flash-plugin.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  10. Re:Why are you people so worried about this? by fgouget · · Score: 5, Insightful

    Unless you're clearly up to no good, you don't have to worry about spyware like this.

    You mean up to no good like Angela Merkel, Chirac, Sarkozy and Hollande (the last three French presidents), and 35 world leaders?

    But of course you don't need to be a celebrity or a politician to be up to no good. You could be trying to help people through a humanitarian organization like the Red Cross or Doctors Without Borders, or you could just have said something bad about the government of a minor island, etc.

    And even if you're not one of the above 'bad people', you could simply be one of the 90% of people who are collateral surveillance victims. So no, you don't need to be up to no good to be under surveillance and that's something to be concerned about.

  11. Re:How Government Spyware Infects Microsoft Window by nomadic · · Score: 5, Funny

    Linux has a built-in security feature in that things like flash hardly ever work correctly, so it's less likely to be installed.

  12. government! by nomadic · · Score: 3, Funny

    How dare the government...be a small Italian company.

  13. Re:Why are you people so worried about this? by cs96and · · Score: 5, Insightful

    "If you have nothing to hide you have nothing to fear". If you had nothing to hide you would be perfectly willing to wander round naked all the time and have no curtains on your windows. You'd be willing to install microphones in all the rooms in your house and let any passer-by listen in. You'd be willing to give me your online banking details. I could go on. Yes, I have something to hide. We all do.

  14. Re:Why are you people so worried about this? by HBI · · Score: 2

    I reject the premise that there was an excuse for the surveillance in the first place. People were stupid enough to buy into the idea that it would protect them from terrorism, but how many terrorist attacks in the US in the last 8 years....something like 8 or so last time I looked. "Well the numbers of dead are small" isn't an argument. The fact that the attacks happened invalidates the justification for the surveillance and the Patriot Act. If people are going to die anyway, most would prefer to be free from government surveillance.

    The sad part is that once you lose a freedom, getting it back has a price in blood. The retards who cheered on the Patriot Act failed to think about this.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.

  15. Re:Why are you people so worried about this? by Burz · · Score: 2

    Yes, and the parent to this comment ignores the fact that those governments also spy on the USA.

    And you ignore the fact that they're not bugging the phones of our highest elected officials. But it's 'OK' for the US to do it to them.

    American Exceptionalism is largely about treating even your allies like vassal states.

  16. Re:Defendable by michael_wojcik · · Score: 2

    HSTS isn't relevant in this case (HTTPS using the Fiddler certificate is still HTTPS), but it does seem like HPKP isn't working correctly there. Assuming you'd previously visited your site without Fiddler interpositioning, within the pinning max-age interval.

    Oh, wait: I should have checked the docs first. Mozilla says:

    Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.

    (https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning, emphasis in original)

    The Fiddler root certificate was installed by you, so it's a user-defined trust anchor, so any chain that terminates in it is ignored for HPKP.

    I understand this is convenient for developers and web admins, but it is something of a hole in HPKP. Just use a little of the ol' social engineering to get the victim to install your certificate, and you can bypass HPKP entirely. Still, HPKP prunes some significant branches of the attack tree, so it remains useful.
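As an added example (not code from the article, Motherboard, RCS Lab or any poster in this thread), the following Python models the HPKP check that comments 8 and 16 discuss: the `pin-sha256` value is the base64 SHA-256 of the certificate's DER SubjectPublicKeyInfo as RFC 7469 defines it, a `Public-Key-Pins` header is parsed and sanity-checked, and a chain is evaluated against the stored pins with and without the user-defined-trust-anchor exemption that the Mozilla documentation quoted above describes. Every "SPKI" byte string, hostname and function name below is a constructed placeholder for illustration, not a real certificate or a browser API.

```python
# Added example (not from the article or any poster): a small model of the HPKP
# pin check from RFC 7469, including the exemption Mozilla documents for chains
# that end at a user-imported trust anchor. All "SPKI" blobs below are
# constructed placeholder bytes, not real certificates.
import base64
import hashlib
import re
from dataclasses import dataclass


@dataclass
class CertInfo:
    subject: str
    spki_der: bytes                   # DER SubjectPublicKeyInfo (placeholder here)
    user_trust_anchor: bool = False   # True if the root was imported by the user


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into pins, max-age and flags."""
    max_age = re.search(r"max-age=(\d+)", value)
    return {
        "pins": PIN_RE.findall(value),
        "max_age": int(max_age.group(1)) if max_age else None,
        "include_subdomains": bool(re.search(r"(?i)\bincludeSubDomains\b", value)),
    }


def header_is_valid(parsed: dict) -> bool:
    """RFC 7469 requires max-age, at least two pins (one must be a backup key
    not in the served chain) and each pin must decode to a 32-byte digest."""
    if parsed["max_age"] is None or len(parsed["pins"]) < 2:
        return False
    for pin in parsed["pins"]:
        try:
            if len(base64.b64decode(pin, validate=True)) != 32:
                return False
        except (ValueError, TypeError):
            return False
    return True


def evaluate_chain(chain, pins, browser_exempts_user_anchors=True):
    """Return (accepted, reason) for an already-validated chain against stored
    pins. With the exemption on, this mirrors the Firefox/Chrome behaviour the
    Mozilla docs describe: a chain ending at a user-defined trust anchor skips
    pin validation entirely."""
    if browser_exempts_user_anchors and chain[-1].user_trust_anchor:
        return True, "pin validation skipped: chain ends at user-defined trust anchor"
    chain_pins = {spki_pin(c.spki_der) for c in chain}
    if chain_pins & set(pins):
        return True, "pin match"
    return False, "no SubjectPublicKeyInfo in the chain matches a stored pin"


# --- constructed sample data -------------------------------------------------
SITE_LEAF = CertInfo("example.test", b"constructed-spki-site-leaf-key")
SITE_ROOT = CertInfo("Example Public CA", b"constructed-spki-public-root-key")
BACKUP_KEY_SPKI = b"constructed-spki-offline-backup-key"   # not in any served chain

# Header the site would send: leaf pin plus a backup pin, as RFC 7469 requires.
PKP_HEADER = (
    f'pin-sha256="{spki_pin(SITE_LEAF.spki_der)}"; '
    f'pin-sha256="{spki_pin(BACKUP_KEY_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)

# Chain presented by an interception proxy whose root the user imported
# (the Fiddler situation from comment 8).
PROXY_LEAF = CertInfo("example.test", b"constructed-spki-proxy-leaf-key")
PROXY_ROOT = CertInfo("Local Proxy Root", b"constructed-spki-proxy-root-key",
                      user_trust_anchor=True)


def run_scenarios() -> dict:
    """Evaluate the genuine chain and the proxy chain under both policies."""
    parsed = parse_pkp_header(PKP_HEADER)
    pins = parsed["pins"]
    return {
        "header_valid": header_is_valid(parsed),
        "genuine": evaluate_chain([SITE_LEAF, SITE_ROOT], pins),
        "proxy_exempt": evaluate_chain([PROXY_LEAF, PROXY_ROOT], pins),
        "proxy_strict": evaluate_chain([PROXY_LEAF, PROXY_ROOT], pins,
                                       browser_exempts_user_anchors=False),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The `proxy_exempt` scenario is what comment 8 observed: the proxy chain carries none of the pinned keys, yet it is accepted because the browser never runs pin validation for a user-imported root. Only `proxy_strict` (exemption disabled) rejects it, which is why the practical control on managed endpoints is auditing what lands in the trust store rather than relying on HPKP alone.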