Slashdot Mirror


Downloads of Popular Apps Were Silently Swapped For Spyware in Turkey: Citizen Lab (www.cbc.ca)

Matthew Braga, reporting for CBC: Since last fall, Turkish internet users attempting to download one of a handful of popular apps may have been the unwitting targets of a wide-reaching computer surveillance campaign. And in Egypt, users across the country have, seemingly at random, had their browsing activity mysteriously redirected to online money-making schemes. Internet filtering equipment sold by technology company Sandvine -- founded in Waterloo, Ont. -- is believed to have played a significant part in both.

That's according to new research from the University of Toronto's Citizen Lab, which has examined misuse of similar equipment from other companies in the past. The researchers say it's likely that Sandvine devices are not only being used to block the websites of news, political and human rights organizations, but are also surreptitiously redirecting users toward spyware and unwanted ads. Using network-filtering devices to sneak spyware onto targets' computers "has long been the stuff of legends" according to the report -- a practice previously documented in leaked NSA documents and spyware company brochures, the researchers say, but never before publicly observed.
Citizen Lab notes that targeted users in Turkey and Syria who attempted to download Windows applications from official vendor websites including Avast Antivirus, CCleaner, Opera, and 7-Zip were silently redirected to malicious versions by way of injected HTTP redirects. It adds: This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default. Additionally, targeted users in Turkey and Syria who downloaded a wide range of applications from CBS Interactive's Download.com (a platform featured by CNET to download software) were instead redirected to versions containing spyware. Download.com does not appear to support HTTPS despite purporting to offer "secure download" links.
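As an added example, not code from the article or from Citizen Lab, the following Python audits a page for the two conditions the summary describes: download links that leave an HTTPS page over plain HTTP, and redirect hops on an unauthenticated HTTP request that send the client to a different host. The hostnames, the HTML and the redirect chain are constructed placeholders.

```python
import re
from urllib.parse import urlparse, urljoin

# Constructed sample: an HTTPS vendor page whose download button points at plain
# HTTP, the pattern described above (hostnames are placeholders, not real sites).
PAGE_URL = "https://vendor.example/download"
PAGE_HTML = """
<a href="https://vendor.example/changelog">Changelog</a>
<a href="http://dl.vendor.example/setup.exe">Download for Windows</a>
<a href="/docs/install.html">Install guide</a>
"""

# Constructed redirect chain as an on-path device could produce it: the plaintext
# request is answered with a 302 to a third-party host before the origin replies.
# Each hop is (requested_url, status_code, Location header or None).
REDIRECT_CHAIN = [
    ("http://dl.vendor.example/setup.exe", 302, "http://cdn-files.example/setup.exe"),
    ("http://cdn-files.example/setup.exe", 200, None),
]

HREF_RE = re.compile(r'href="([^"]+)"')


def plaintext_links(page_url, html):
    """Return absolute hrefs that the browser would fetch over plain HTTP."""
    found = []
    for href in HREF_RE.findall(html):
        absolute = urljoin(page_url, href)  # resolve relative links against the page
        if urlparse(absolute).scheme == "http":
            found.append(absolute)
    return found


def suspicious_hops(chain):
    """Flag hops a client cannot authenticate.

    A host change is normal for CDN downloads, but when the hop that issued the
    redirect was plain HTTP, anyone on the path could have injected it. A
    redirect from HTTPS down to HTTP is flagged regardless of host.
    """
    findings = []
    for url, status, location in chain:
        if location is None:
            continue
        src, dst = urlparse(url), urlparse(location)
        if src.scheme == "http" and dst.hostname != src.hostname:
            findings.append(f"{status} {url} -> {location}: unauthenticated hop changed host")
        if src.scheme == "https" and dst.scheme == "http":
            findings.append(f"{status} {url} -> {location}: downgrade to plaintext")
    return findings


if __name__ == "__main__":
    print("plain-HTTP download links:", plaintext_links(PAGE_URL, PAGE_HTML))
    print("suspicious redirect hops:", suspicious_hops(REDIRECT_CHAIN))
```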

29 comments

  1. The many joys... by SciCom+Luke · · Score: 4, Informative

    ... of living in a dictatorship. Well one of them anyway.

    1. Re:The many joys... by anomalous3 · · Score: 2

      What's the point of having an oppressed populace if you can't monetize their clicks?

    2. Re:The many joys... by SciCom+Luke · · Score: 1

      'scuseme? Who is an American?

    3. Re:The many joys... by Anonymous Coward · · Score: 0

      AC is!

    4. Re:The many joys... by SuricouRaven · · Score: 3

      It's not a binary. America certainly isn't the utopia of freedom and democracy that many citizens claim it to be - but it's still far, far better than Turkey. In America, questioning the whims of the ruling class probably isn't going to achieve much - but it isn't going to result in your mysteriously disappearing one day either. There have been a number of reports in the last year of that happening in Turkey.

  2. Re:Turkey by Anonymous Coward · · Score: 0

    But are you Hungary for more? Government corruption makes me always more Hungary.

  3. My mates think me daft... by Anonymous Coward · · Score: 1, Insightful

    however, I never download anything without vetting what I've downloaded, either by dint of checking the checksum or emailing the developer should I think something is dodgy. Having worked in IT security for many years, I know what dangers lurk out there. I do the same for my iPhone. I have never found myself wanting an app that Apple has not included. I don't do my banking on my mobile. Ever. I live close enough to the city centre where I can simply visit my bank should I need to do so. And, what with the telemetry of Windows 10, it's constantly refreshing to use a very locked down version of Fedora Linux with SELinux and Tripwire keeping the evil at bay. I also run a Raspberry Pi/Pi-hole combo as well as uBlock Origin, Decentraleyes, Privacy Badger, Referer Control, JS Control, and No Coin. I take additional steps as well like using a VPN. I routinely keep track of my log files and have software to detect random redirects and block as required. The web has become a dangerous place with evil actors. It's a wonder we don't hear about more breaches and people getting owned.

    1. Re:My mates think me daft... by plover · · Score: 1

      I take many similar precautions, but not all. (I have some utilities on my iPhone and will purchase on my credit card through it, but I don't do banking on it.)

      One thing I also do is distrust certain certificates; generally those I recognize as having been issued by countries run by despots. For example, I'll personally never have a need for a secure connection to any site in Turkey. So why should I trust their national issuer, when their government could theoretically abuse it to issue certs valid for any domain name? While widespread issuance of fraudulent certificates would certainly result in their removal from the browser and OS trusted root certificate lists, if they abuse their power to issue very specifically targeted certificates for spying purposes, they probably wouldn't get caught.

      Just because Turkey convinced Mozilla or Microsoft to trust their issuers, doesn't mean I have to.

      --
      John
  4. HTTPS all the things! by TheDarkener · · Score: 4, Insightful

    Even seemingly irrelevant content. This day in (the WWW's) age gives no excuses beyond being too lazy to update legacy websites and platforms. It should be the default everywhere and there should be a GOOD reason to transfer anything unencrypted.

    --
    It is pitch black. You are likely to be eaten by a grue.
    1. Re:HTTPS all the things! by Anonymous Coward · · Score: 0

      Funny, these days I see more and more people complaining about wasting CPU cycles on encrypting low value traffic like above. It's gotten worse since LetsEncrypt came out.

    2. Re:HTTPS all the things! by Anonymous Coward · · Score: 0

      There's still no way to verify what wi-fi connections on proprietary mobile devices are actually doing without a plaintext HTTP redirect.

      Try connecting to a weird wi-fi access point, that accepts your connection, but refuses wider internet connectivity. Chances are, they expect you to ask for http://google.com, so they can redirect you to their EULA cookie ad billboard authenticator, AND THEN, after you accept the terms, they let Google take over and perform the standard HTTP/HTTPS redirect to actual Google.

    3. Re: HTTPS all the things! by Anonymous Coward · · Score: 0

      True.

      But I don't think you read the article fully. The users were redirected by force, essentially. All with the help of a Canadian firm. I respect Canada, but anything they do they do with a kind of smug moral superiority. Helping a dictatorship screw its people? No problem. As an American, I know when we fuck people we are not so smug about it.

    4. Re:HTTPS all the things! by Anonymous Coward · · Score: 0

      Nice idea. Might want to :

      - Tell Google to disable HTTP portal detection in Android
      - Tell Mozilla to disable HTTP portal detection
      - Tell Valve to move the Steam Store entirely to HTTPS
      - Tell Valve to get a clue and enforce HTTPS everywhere else
      - Tell the many vendors who offer services and hardware to Enterprises, to get the hell off HTTP.

      Etc.

      There certainly are different levels of interception from full blown proxy MITM on a +NATIONAL+ level, to network acceleration (think one to one NAT where the device acts as a buffer). Cisco for example calls theirs "WAN Optimisation".

      Ironically enough there was a patch backed out from the 4.16(?) kernel because it triggered these devices.

      https://github.com/torvalds/linux/commit/d4131f09770d9b7471c9da65e6ecd2477746ac5c

      tcp: revert F-RTO middle-box workaround
      This reverts commit cc663f4. While fixing
      some broken middle-boxes that modifies receive window fields, it does not
      address middle-boxes that strip off SACK options. The best solution is
      to fully revert this patch and the root F-RTO enhancement.

      Fixes: cc663f4 ("tcp: restrict F-RTO to work-around broken middle-boxes")
      Reported-by: Teodor Milkov
      Signed-off-by: Yuchung Cheng
      Signed-off-by: Neal Cardwell
      Signed-off-by: David S. Miller

    5. Re:HTTPS all the things! by Anonymous Coward · · Score: 0

      OK, I'll bite.

      Question: We've HTTPs All the Thingz!!!!?!! What you gonna do now govberment?!?!?

      Answer: We'll get a bunch of certs that say "Google", "Microsoft", "Amazon", "Apple", etc. on them signed by the same certificate authorities that sign the real certs, then force software developers to include them in their products with an NSL. If you idiots think that you'll get around that by disabling / deleting our certs, then we'll NSL that ability away too. Remember, we don't care about the implications of backdooring encryption, or the implications of us talking about doing so in broad daylight. We'll happily mandate it if you keep this crap up, so shut up and sit down. Remember, we're the government and we're here to rule over you.

      Don't believe me? Did you check your certs recently while you were at work posting to /.? I'm willing to bet some of you probably have a filter cert installed. Can you identify it vs. the real one?


      if ((device_manufacturer_trusted() == TRUE) &&
          (os_manufacturer_trusted() == TRUE) &&
          /* TODO: Get rid of this once Trusted Computing roll out is complete. */
          (system_administrator_trusted() == TRUE)) {
          /* (end_user_trusted() == TRUE)) { */
          secure = true;
      } else {
          secure = false;
      }

      return secure;

      Remember that.

    6. Re:HTTPS all the things! by Anonymous Coward · · Score: 0

      I love you wackos that think HTTPS automatically means "secure." All it means is "encryption was used to transfer the data, at least in the last hop to the browser client."

      Most enterprises (and a hell of a lot of governments and ISPs) use re-encrypting SSL/TLS proxy servers. Unless you have some out-of-band mechanism to verify the SHA thumbprint of the origin server's SSL/TLS certificate you have no way of knowing that you're receiving legitimate content.

  5. Scumbags by VeryFluffyBunny · · Score: 4, Insightful

    So Sandvine are a bunch of scumbags who sell surveillance and malware tech to oppressive regimes that endangers journalists, political activists, and anyone associated with them, eh?

    --
    Debate is a form of harassment. Do not question my truth.
    1. Re:Scumbags by Anonymous Coward · · Score: 1

      To be fair, these devices were actually made by Procera (another Francisco Partners acquisition). They just very recently acquired Sandvine and slapped the Sandvine brand on a bunch of legacy products.

    2. Re:Scumbags by isj · · Score: 4, Informative

      Possibly.

      Many of the newer DPI and PCEF engines are quite flexible, and can be configured by the customer (ISP/MNO/MVNO). The functionality is neutral and can be used for benign purposes (eg. redirect to top-up pages) or malign purposes (replacing a download). Sandvine is not the only vendor of such equipment - there's also Cisco, Allot, Huawei, ZTE, Procera, Alcatel, ...

      The article doesn't indicate if Sandvine helped with it or if it was done by the Turkish telco themselves. Given Sandvine's history with the Comcast bittorrent connection reset years ago, I wouldn't be surprised if Sandvine helped, or implemented specific features to facilitate the stuff in Turkey.

    3. Re:Scumbags by whoever57 · · Score: 1

      So Sandvine are a bunch of scumbags who sell surveillance and malware tech to oppressive regimes that endangers journalists, political activists, and anyone associated with them, eh?

      The Capitalists Will Sell Us the Rope with Which We Will Hang Them

      --
      The real "Libtards" are the Libertarians!
    4. Re:Scumbags by Anonymous Coward · · Score: 0

      Been saying this for years but YES. As per their own sales, the devices are installed on many providers' networks including those in North America. Sandvine made some pretty damning statements during their presentations at the CRTC (Canadian version of the FCC), over Net Neutrality. Specifically, they were able to provide usage of applications, for example, that was captured from their devices.

      Fuck this company and Bluecoat (now Symantec)

  6. Re:Turkey by Anonymous Coward · · Score: 0

    Was Hungary and ate Turkey, but slipped on Greece and broke China, then shitted into Israel.

  7. European Union by Anonymous Coward · · Score: 3

    It's becoming increasingly clear that no Turk living today will ever see their dream of someday joining the EU realized in their lifetime.

    Turkey is another perfect example of collective gullibility, where a majority democratically and freely chose a leader because they were clueless enough to actually believe him when he told them he would respect democracy and freedom once in power.

    Frankly, I'm getting sick and tired of seeing country after country falling for the same old crap that's been going on for millennia time and time again. A supposedly intelligent species that simply cannot learn from the mistakes of its past and repeats them again and again and again is a textbook example of an evolutionary dead-end.

  8. HTTPS everywhere by Anonymous Coward · · Score: 0

    This add-on no longer causes problems and will avoid HTTP injection attacks.

  9. Re:Turkey by Anonymous Coward · · Score: 0

    I am Finnished reading this subthread. The whole thing was Russian towards silliness.