How Various Law Enforcement Agencies Could Hack Your Computer Via YouTube Videos

from the it's-all-fun-and-games-until-someone-rickrolls dept

When we recently wrote about Google starting to make use of SSL for search rankings, one of our commenters noted that not every site really “needs” HTTPS. While I used to agree, I’ve been increasingly leaning in the other direction, and I may have been pushed over the edge entirely by a new research report from the Citizen Lab by Morgan Marquis-Boire (perhaps better known as Morgan Mayhem), entitled Schrodinger?s Cat Video and the Death of Clear-Text. He’s also written about it at the Intercept (where he now works), explaining how watching a cat video on YouTube could get you hacked (though not any more).

The key point was this: companies producing so-called “lawful intercept” technology, that was generally (but not always) sold to governments and law enforcement agencies had created hacking tools that took advantage of non-SSL’d sites to use a basic man-in-the-middle attack to hack into targeted computers.

Companies such as Hacking Team and FinFisher sell devices called ?network injection appliances.? These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people?s everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target?s computer without his or her knowledge. The machine also exploits Microsoft?s login.live.com web site in the same manner.

Fortunately for their users, both Google and Microsoft were responsive when alerted that commercial tools were being used to exploit their services, and have taken steps to close the vulnerability by encrypting all targeted traffic. There are, however, many other vectors for companies like Hacking Team and FinFisher to exploit.

I’d bet pretty good money that both of these companies also target some popular ad networks. For reasons that are still beyond me, many large ad networks still refuse to support SSL — which is also why so few media sites support SSL. In order to do so, you have to drop most ad networks. Between ad networks and popular media targets, it’s likely that there are plenty of opportunities for network injection going on.

Provided that the attacker can persuade a sufficiently large carrier to install a network injection apparatus, they can be reasonably certain of the success of any attack. While an attacker would still need an exploit to escape from the context of the target?s browser, one of the browser plugins (such as flash, java, quicktime, etc.) or similar is likely to provide a low cost avenue for this. This type of capability obviates the need for spear-phishing or more clumsy attacks provided the target is in the attacker?s domain of influence.

This type of approach also allows for the ?tasking? of a specific target. Rather than performing a manual operation, a target can be entered into the system which will wait for them to browse to an appropriate website and then perform the required injection of malicious code into their traffic stream. As such, this could be described as ?hacking on easy mode?.

The key point made by the new report is not about the ideas behind network injection. That’s been well-known for a while, and the NSA’s and GCHQ’s “Quantum Insert” packet injection system has been talked about recently. The main revelation here is that there are commercial vendors selling this technology to all sorts of law enforcement folks, meaning that it’s probably widely used with little oversight or transparency. And that should be a pretty big concern:

These so-called ?lawful intercept? products sold by Hacking Team and FinFisher can be purchased for as little as $1 million (or less) by law enforcement and governments around the world. They have been used against political targets including Bahrain Watch, citizen journalists Mamfakinch in Morocco, human rights activist Ahmed Mansoor in the UAE, and ESAT, a U.S.-based news service focusing on Ethiopia. Both Hacking Team and FinFisher claim that they only sell to governments, but recently leaked documents appear to show that FinFisher has sold to at least one private security company.

With all the attention on NSA/GCHQ surveillance, it’s good that people are recognizing just how powerful some of these tools are. But we ought to be quite concerned about how ordinary law enforcement around the globe is making use of these tools as well, often with much less oversight and even less accountability.

Filed Under: , , , , , , ,
Companies: finfisher, hacking team

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “How Various Law Enforcement Agencies Could Hack Your Computer Via YouTube Videos”

Subscribe: RSS Leave a comment
35 Comments
Ninja (profile) says:

Ad networks don’t really concern me, I block them all. But still, there are plenty of sites that don’t use ssl or still have non-encrypted portions that could be used to perpetrate such attacks. The fact is encryption must become the standard now. Even if you can trust the site to be unencrypted you can’t trust the Government or even corporations (online tracking yeah) to respect your privacy and not meddle into your stuff. It’s sad, it’s creepy, it’s scaring but such is the world we live in now. The funny side is that until it’s standard you actually put yourself in evidence if you take steps to enhance your security/privacy because you’ll be among the few taking such steps.

Anonymous Coward says:

Re: Re:

The problem is, taken from the Security world…

you have to block ALL of the ad networks

they only have to make one that you don’t recognize

make a rule for the browser that says that only Same Domain content is allowed, and you will still only block a portion since some sites will proxy the ad networks.

That One Guy (profile) says:

Here’s the part that confuses me:

Provided that the attacker can persuade a sufficiently large carrier to install a network injection apparatus

How do you even begin that conversation? ‘Hello, I’m from a group that sells hacking tools to various agencies around the world, and I’m here today to talk to you about perhaps adding some hardware to your systems that will allow easy access to the computers or electronics of people using your services.

Now yes, this may or may not open you up to a massive amount of negative PR, or even lawsuits should this ever be discovered, but we assure you, due to the incredibly restrictive NDA we’d like you to sign, all of the blame will be placed solely on your head, as you will be forbidden to even mention our name at any point. So, do we have a deal?’

Or I suppose they could just cut straight to the chase. ‘Here’s a check for a couple million, here’s an NDA that you need to sign to get the check, and you don’t need to know why we’re paying you so much money, so don’t ask, and don’t look into it.’

Somehow I imagine it’s closer to the second possibility than the first.

Mike Masnick (profile) says:

Re: Re:

How do you even begin that conversation? ‘Hello, I’m from a group that sells hacking tools to various agencies around the world, and I’m here today to talk to you about perhaps adding some hardware to your systems that will allow easy access to the computers or electronics of people using your services.

It’s not the company that has the conversation. It’s the government who bought the technology that shows up at the telco with the equipment in one hand… and a legal order (or guns) in the other…

Anonymous Coward says:

Re: Re: Re:

“It’s not the company that has the conversation. It’s the government who bought the technology that shows up at the telco with the equipment in one hand… and a legal order (or guns) in the other…”

Major U.S telcos are such gov’t boot-lickers that they don’t even need legal orders (or guns). They’re eager to help subvert the Constitution any time they can and are then generously rewarded.

nasch (profile) says:

Re: Re: Re:

More likely it involves an FBI SWAT team parked outside the CEO’s house, pictures of the SWAT team posing with the CEO’s wife and kids, and a number of MIBs in the CEO’s office explaining the concept of a ‘deal you can’t refuse’ to him.

Not even close. These telcos will do anything the government asks, and require nothing more formal than a post-it note. Literally*.

* and I am using that word literally

Anonymous Coward says:

Can anyone explain how this is legal?

Well, on second thought, guess I’m not really interested in all the mumbo jumbo lip service – how do they rationalize this within commonly accepted ethical standards? Obviously they can not and simply fall back upon the premise that they above the law, because reasons.

Eldakka (profile) says:

Re: Re:

Most governments around the world, including ‘western democracies’ like UK, US, AU, CA as well as less ‘free’ nations like North Korea, China, Saudi Arabia, Russia have laws that require what they call “lawful intercept capability”. Most telco’s are required to provide this. And one way or another, most internet data passes through a telco.

Once a device such as this is installed inside the telco to provide this lawful intercept capability, then it will get used. Especially if it’s a case where the Government Agency (Police, intelligence, SEC, IRS etc) has direct access to the device rather than having to go through the telco each time it wants to gather data.

Anonymous Coward says:

Re: Re: Re:

I don’t think anyone can seriously pack Russia with these other countries. (and also Malaysia in the article…Malaysia is a very tolerant multi-ethnic multi-religion country.

The whole anti-russia sentiment coming back is already simmering down, as the, may I say, illegal, sanctions put on it since a couple years are complete nonsense.

Violynne (profile) says:

“While an attacker would still need an exploit to escape from the context of the target’s browser, one of the browser plugins (such as flash, java, quicktime, etc.) or similar is likely to provide a low cost avenue for this.”
I would say this is more the point than requiring more sites go SSL.

SSL won’t protect anyone from malicious attacks as long as third parties refuse to update their software to prevent the injections in the first place.

I remember the days when browsers prohibited any third party sources from activating.

How far we’ve come for a little convenience.

Rule of thumb: any time third party sources are used to deliver content, vulnerabilities will always exist, and SSL won’t change this.

Most third party sources always start with the user, the second they click the install button.

Anonymous Coward says:

SSL will work as protection until they serve a national security letter on Google et Al. Basically when the state goes rogue, it is very difficult to avoid their exploitation of technology, except by using battery powered off-line machines inside Faraday cages to deal with encryption and decryption. Also a safe way of transferring data, like an old fashioned floppy drive is also needed to avoid the problem that USB devices can be compromised, or reading and writing USB devices through a USB controller implemented in an FPGA so that the thumb drives cannot compromise your main machines.

nasch (profile) says:

Re: Re:

SSL will work as protection until they serve a national security letter on Google et Al.

We want to make it as much trouble to spy as possible. Even if it’s still possible, if it’s harder to do, then they’ll be able to do less of it. And if we can push the issue from a few utterly subservient ISPs to more contentious (and numerous) companies like Google, that’s better too.

Anonymous Coward says:

If they’re going the route of forcing companies to cooperate, the easy way to do this would be to compromise Windows Update. Bam, you don’t even need an exploit, you’ve just done whatever you like to their computer.

Of course, if such a program were exposed, it would permanently reduce the online security of everyone, since people would avoid getting security updates. But I wouldn’t assume they care about that when they’ve got a computer they want to compromise.

Hardwired says:

Internet Surfing Security

For Firefox:

Must have security related add-on’s
(Click tools/Add-ons – on the menu bar of Firefox)

type in the following names on the add-on’s page to find:

Noscript,
Better Privacy
Adblock Plus,

or visit:
https://addons.mozilla.org/en-US/firefox/

Learn to use Noscript and keep all scripts disabled except the one’s you must enable. Others only temporary enable when one must do so. The rest, never enable them. Practice and soon you will be a noscript pro and it’s fast after that.

Just as important as Noscript is:
https://www.eff.org/https-everywhere

And a good VPN service – beware of “honeypots”
—————————————————-
https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/

Much of the advice here is misinformation and very inaccurate/wrong.

Leave Windows Updates ON. Not doing so is seriously stupid. As is the other horrible advice from other replies here. IF your older computer can’t handle Win Updates then it’s past time to run 32 bit GNU/Linux Mint or Ubuntu, and also with the above Firefox add-on’s there as well.

Everything stated here is 100% accurate. But many other replies are absolutely horrible advice.

note: all my links above are https (secure ssl) sites. For your safety.

Don’t forget the VPN Service. $30 to $40 per year, for up to 5 PC’s.

Beware of others offering horrible advice on the internet. Always verify everything.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...