How Various Law Enforcement Agencies Could Hack Your Computer Via YouTube Videos

from the it's-all-fun-and-games-until-someone-rickrolls dept

When we recently wrote about Google starting to make use of SSL for search rankings, one of our commenters noted that not every site really "needs" HTTPS. While I used to agree, I've been increasingly leaning in the other direction, and I may have been pushed over the edge entirely by a new research report from the Citizen Lab by Morgan Marquis-Boire (perhaps better known as Morgan Mayhem), entitled Schrodinger’s Cat Video and the Death of Clear-Text. He's also written about it at the Intercept (where he now works), explaining how watching a cat video on YouTube could get you hacked (though not any more).

The key point was this: companies producing so-called "lawful intercept" technology, which is generally (but not always) sold to governments and law enforcement agencies, had built hacking tools that took advantage of non-SSL'd sites, using a basic man-in-the-middle attack to hack into targeted computers.

Companies such as Hacking Team and FinFisher sell devices called “network injection appliances.” These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people’s everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. The machine also exploits Microsoft’s login.live.com web site in the same manner.

Fortunately for their users, both Google and Microsoft were responsive when alerted that commercial tools were being used to exploit their services, and have taken steps to close the vulnerability by encrypting all targeted traffic. There are, however, many other vectors for companies like Hacking Team and FinFisher to exploit.

I'd bet pretty good money that both of these companies also target some popular ad networks. For reasons that are still beyond me, many large ad networks still refuse to support SSL -- which is also why so few media sites support SSL. In order to do so, you have to drop most ad networks. Between ad networks and popular media targets, it's likely that there are plenty of opportunities for network injection going on.

Provided that the attacker can persuade a sufficiently large carrier to install a network injection apparatus, they can be reasonably certain of the success of any attack. While an attacker would still need an exploit to escape from the context of the target’s browser, one of the browser plugins (such as flash, java, quicktime, etc.) or similar is likely to provide a low cost avenue for this. This type of capability obviates the need for spear-phishing or more clumsy attacks provided the target is in the attacker’s domain of influence.

This type of approach also allows for the ‘tasking’ of a specific target. Rather than performing a manual operation, a target can be entered into the system which will wait for them to browse to an appropriate website and then perform the required injection of malicious code into their traffic stream. As such, this could be described as ‘hacking on easy mode’.

The key point made by the new report is not about the ideas behind network injection. That's been well-known for a while, and the NSA's and GCHQ's "Quantum Insert" packet injection system has been talked about recently. The main revelation here is that there are commercial vendors selling this technology to all sorts of law enforcement folks, meaning that it's probably widely used with little oversight or transparency. And that should be a pretty big concern:
These so-called “lawful intercept” products sold by Hacking Team and FinFisher can be purchased for as little as $1 million (or less) by law enforcement and governments around the world. They have been used against political targets including Bahrain Watch, citizen journalists Mamfakinch in Morocco, human rights activist Ahmed Mansoor in the UAE, and ESAT, a U.S.-based news service focusing on Ethiopia. Both Hacking Team and FinFisher claim that they only sell to governments, but recently leaked documents appear to show that FinFisher has sold to at least one private security company.

With all the attention on NSA/GCHQ surveillance, it's good that people are recognizing just how powerful some of these tools are. But we ought to be quite concerned about how ordinary law enforcement around the globe is making use of these tools as well, often with much less oversight and even less accountability.
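As an added example (not code from the article or the Citizen Lab report), the following Python script audits a page's HTML for the subresources that still travel in the clear and so remain rewritable on the wire: scripts, frames, plugin objects and stylesheets loaded over http://, the ad-network and plugin content the piece singles out. The sample HTML and hostnames are constructed for the demo.

```python
"""Audit an HTML page for subresources fetched over cleartext HTTP.

Added example, not code from the article or the Citizen Lab report. A network
injection appliance can only rewrite traffic it can read, so the resources it
can tamper with are the ones still loaded over http://: scripts, frames,
plugin content (object/embed) and stylesheets. The sample HTML and hostnames
below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs whose content executes or renders in the browser.
ACTIVE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),  # only checked when rel="stylesheet"
}


class CleartextAuditor(HTMLParser):
    """Collects every active subresource whose resolved URL uses http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        for name in ACTIVE_ATTRS.get(tag, ()):
            raw = attrs.get(name)
            if not raw:
                continue
            # urljoin resolves relative and scheme-relative (//host/x) URLs
            # against the page, so a cleartext page drags its own assets
            # into the findings too.
            url = urljoin(self.page_url, raw)
            parts = urlsplit(url)
            if parts.scheme == "http":
                self.findings.append({
                    "tag": tag,
                    "url": url,
                    "third_party": parts.hostname != self.page_host,
                })


def audit_cleartext(html, page_url):
    """Return a list of {'tag', 'url', 'third_party'} dicts for cleartext loads."""
    parser = CleartextAuditor(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: an HTTPS news page that embeds an ad-network script,
# a video frame and a plugin object over plain HTTP.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.org/app.js"></script>
<script src="http://ads.adnetwork.example/tag.js"></script>
</head><body>
<iframe src="http://video.example/embed/abc123"></iframe>
<object data="http://plugins.example/player.swf"></object>
<embed src="https://media.example.org/clip.mp4">
</body></html>
"""

if __name__ == "__main__":
    for f in audit_cleartext(SAMPLE_HTML, "https://news.example.org/story"):
        who = "third-party" if f["third_party"] else "first-party"
        print(f"{f['tag']:7} {who:11} {f['url']}")
```

Run against the same HTML with an http:// page URL and the page's own stylesheet joins the findings as a first-party cleartext load, which is why the article argues the whole site, not just the third-party pieces, has to move to HTTPS.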

Reader Comments



  • Ninja (profile), 18 Aug 2014 @ 4:30am

    Ad networks don't really concern me, I block them all. But still, there are plenty of sites that don't use SSL or still have non-encrypted portions that could be used to perpetrate such attacks. The fact is encryption must become the standard now. Even if you can trust the site to be unencrypted you can't trust the Government or even corporations (online tracking yeah) to respect your privacy and not meddle into your stuff. It's sad, it's creepy, it's scary but such is the world we live in now. The funny side is that until it's standard you actually put yourself in evidence if you take steps to enhance your security/privacy because you'll be among the few taking such steps.


    • Anonymous Coward, 18 Aug 2014 @ 6:43am

      Re:

      The problem is, taken from the Security world...

      you have to block ALL of the ad networks

      they only have to make one that you don't recognize

      make a rule for the browser that says that only Same Domain content is allowed, and you will still only block a portion since some sites will proxy the ad networks.


      • Bengie, 18 Aug 2014 @ 7:34am

        Re: Re:

        It's common practice to host static content on separate domains to reduce cookie traffic and load on the web servers to extract cookie data.

        By having static data on separate domains, session information is not passed to those web servers, making it cheaper to host.


      • John Fenderson (profile), 18 Aug 2014 @ 8:45am

        Re: Re:

        Blocking all Javascript (I recommend NoScript) goes a long way to addressing that problem.


        • RonKaminsky (profile), 20 Aug 2014 @ 10:04am

          Re: Re: Re:

          I agree that that mainly works, but it's a pain to start to temporarily enable domains/subdomains one by one hoping that you manage to enable the serving of the media you're interested in, while still blocking the ad networks.


          • Anonymous Coward, 6 Jul 2015 @ 1:24pm

            Re: Re: Re: Re:

            usually the site name followed by cdn is all you need to allow. Although I unblock Disqus. Yeah. But I login from a bullshit email address made on a free russian email server.


    • Michael, 18 Aug 2014 @ 7:17am

      Re:

      The problem with the ad networks is (besides them being insecure) they make it impossible to go full SSL for the sites that use them.

      To go full SSL, you have to tell ad networks that don't support it to go to hell, and that costs the site money. TechDirt lost ad revenue to go SSL, and many sites cannot or will not do the same.


  • That One Guy (profile), 18 Aug 2014 @ 4:31am

    Here's the part that confuses me:

    Provided that the attacker can persuade a sufficiently large carrier to install a network injection apparatus

    How do you even begin that conversation? 'Hello, I'm from a group that sells hacking tools to various agencies around the world, and I'm here today to talk to you about perhaps adding some hardware to your systems that will allow easy access to the computers or electronics of people using your services.

    Now yes, this may or may not open you up to a massive amount of negative PR, or even lawsuits should this ever be discovered, but we assure you, due to the incredibly restrictive NDA we'd like you to sign, all of the blame will be placed solely on your head, as you will be forbidden to even mention our name at any point. So, do we have a deal?'

    Or I suppose they could just cut straight to the chase. 'Here's a check for a couple million, here's an NDA that you need to sign to get the check, and you don't need to know why we're paying you so much money, so don't ask, and don't look into it.'

    Somehow I imagine it's closer to the second possibility than the first.


    • Anonymous Coward, 18 Aug 2014 @ 5:56am

      Re:

      I imagine the conversation would start with a large bag of money.


      • Anonymous Coward, 18 Aug 2014 @ 6:36am

        Re: Re:

        A briefcase full of money in one hand, and a "National Security Letter" (or an arrest warrant depending on the locale) in the other.


    • Mike Masnick (profile), 18 Aug 2014 @ 6:47am

      Re:

      How do you even begin that conversation? 'Hello, I'm from a group that sells hacking tools to various agencies around the world, and I'm here today to talk to you about perhaps adding some hardware to your systems that will allow easy access to the computers or electronics of people using your services.

      It's not the company that has the conversation. It's the government who bought the technology that shows up at the telco with the equipment in one hand... and a legal order (or guns) in the other...


      • Michael, 18 Aug 2014 @ 7:20am

        Re: Re:

        and a legal order (or guns) in the other...

        Why not both? In fact, my patent-pending technology allows us to actually print legal orders on guns and even on bullets! Just think how much more efficient it would be!


      • Anonymous Coward, 18 Aug 2014 @ 12:19pm

        Re: Re:

        "It's not the company that has the conversation. It's the government who bought the technology that shows up at the telco with the equipment in one hand... and a legal order (or guns) in the other..."

        Major U.S. telcos are such gov't boot-lickers that they don't even need legal orders (or guns). They're eager to help subvert the Constitution any time they can and are then generously rewarded.


      • That One Guy (profile), 18 Aug 2014 @ 4:09pm

        Re: Re:

        Ah, so it's less persuade, and more 'persuade'.


    • Bergman (profile), 18 Aug 2014 @ 6:24pm

      Re:

      More likely it involves an FBI SWAT team parked outside the CEO's house, pictures of the SWAT team posing with the CEO's wife and kids, and a number of MIBs in the CEO's office explaining the concept of a 'deal you can't refuse' to him.


      • nasch (profile), 18 Aug 2014 @ 8:54pm

        Re: Re:

        More likely it involves an FBI SWAT team parked outside the CEO's house, pictures of the SWAT team posing with the CEO's wife and kids, and a number of MIBs in the CEO's office explaining the concept of a 'deal you can't refuse' to him.

        Not even close. These telcos will do anything the government asks, and require nothing more formal than a post-it note. Literally*.

        * and I am using that word literally


  • Anonymous Coward, 18 Aug 2014 @ 6:01am

    Can anyone explain how this is legal?

    Well, on second thought, guess I'm not really interested in all the mumbo jumbo lip service - how do they rationalize this within commonly accepted ethical standards? Obviously they can not and simply fall back upon the premise that they are above the law, because reasons.


    • Eldakka (profile), 18 Aug 2014 @ 8:03pm

      Re:

      Most governments around the world, including 'western democracies' like UK, US, AU, CA as well as less 'free' nations like North Korea, China, Saudi Arabia, Russia have laws that require what they call "lawful intercept capability". Most telcos are required to provide this. And one way or another, most internet data passes through a telco.

      Once a device such as this is installed inside the telco to provide this lawful intercept capability, then it will get used. Especially if it's a case where the Government Agency (Police, intelligence, SEC, IRS etc) has direct access to the device rather than having to go through the telco each time it wants to gather data.


      • Anonymous Coward, 6 Jul 2015 @ 1:35pm

        Re: Re:

        I don't think anyone can seriously pack Russia with these other countries. (And also Malaysia in the article... Malaysia is a very tolerant multi-ethnic multi-religion country.)

        The whole anti-Russia sentiment coming back is already simmering down, as the, may I say, illegal, sanctions put on it since a couple of years ago are complete nonsense.


  • Violynne (profile), 18 Aug 2014 @ 6:21am

    "While an attacker would still need an exploit to escape from the context of the target’s browser, one of the browser plugins (such as flash, java, quicktime, etc.) or similar is likely to provide a low cost avenue for this."

    I would say this is more the point than requiring more sites go SSL.

    SSL won't protect anyone from malicious attacks as long as third parties refuse to update their software to prevent the injections in the first place.

    I remember the days when browsers prohibited any third party sources from activating.

    How far we've come for a little convenience.

    Rule of thumb: any time third party sources are used to deliver content, vulnerabilities will always exist, and SSL won't change this.

    Most third party sources always start with the user, the second they click the install button.


    • Bergman (profile), 18 Aug 2014 @ 6:28pm

      Re:

      You can get addons for your browser that block third party stuff. I use them myself, and while they sometimes cause certain websites to fail in odd ways, knowing who is using your RAM is definitely nice. Being able to tell them no and making it stick is priceless.


  • Anonymous Coward, 18 Aug 2014 @ 6:43am

    Law Enforcement's new motto

    Never gonna give you up
    Never gonna let you
    Gonna track your history
    from your Youtube

    Never gonna let you cry
    Never gonna say goodbye
    We've got a flash cookie
    via Bluetooth.


  • Anonymous Coward, 18 Aug 2014 @ 6:53am

    SSL will work as protection until they serve a national security letter on Google et al. Basically when the state goes rogue, it is very difficult to avoid their exploitation of technology, except by using battery powered off-line machines inside Faraday cages to deal with encryption and decryption. A safe way of transferring data, like an old-fashioned floppy drive, is also needed to avoid the problem that USB devices can be compromised, or reading and writing USB devices through a USB controller implemented in an FPGA so that the thumb drives cannot compromise your main machines.


    • nasch (profile), 18 Aug 2014 @ 7:09am

      Re:

      SSL will work as protection until they serve a national security letter on Google et al.

      We want to make it as much trouble to spy as possible. Even if it's still possible, if it's harder to do, then they'll be able to do less of it. And if we can push the issue from a few utterly subservient ISPs to more contentious (and numerous) companies like Google, that's better too.


  • Peter (profile), 18 Aug 2014 @ 7:40am

    Is there any protection other than using https?

    Chrome Sandbox? Noscript?


    • ahow628 (profile), 18 Aug 2014 @ 10:32am

      Re: Is there any protection other than using https?

      I was curious about the same. I use Chrome on Ubuntu and wondered if that added any protection. At least I would not be vulnerable to all the Windows exploits.

      Do these have to do with the OS at all?


  • Anonymous Coward, 18 Aug 2014 @ 7:50am

    SSL cert problems on TD still exist

    Actually speaking of Ad Networks, CDNs, and redirects, my mobile browser (NEXT) constantly, and for every action on TD, pops up with a cert warning for Akamai. It makes browsing TD very hard! I love what you're doing with SSL everything, but it seems that there are still holes!


  • Rekrul, 18 Aug 2014 @ 9:00am

    Can someone help me? I removed my front door to make it more convenient to enter the house, but I keep getting robbed. Does anyone know how I can keep the bad guys out?


    • Michael, 18 Aug 2014 @ 10:47am

      Re:

      You should lobby for harsher penalties for burglary. If the penalties are stronger, it will make them think twice before stealing from you.


  • Anonymous Coward, 18 Aug 2014 @ 10:52am

    If they're going the route of forcing companies to cooperate, the easy way to do this would be to compromise Windows Update. Bam, you don't even need an exploit, you've just done whatever you like to their computer.

    Of course, if such a program were exposed, it would permanently reduce the online security of everyone, since people would avoid getting security updates. But I wouldn't assume they care about that when they've got a computer they want to compromise.


    • Anonymous Coward, 18 Aug 2014 @ 2:02pm

      Re:

      But what if someone does not have Windows Update turned on? I have Windows Update turned off. I find it really hogs system resources, especially on older machines.

      You don't NEED Windows Update if you have a good firewall and good anti-virus software.


      • Anonymous Coward, 18 Sep 2014 @ 9:38am

        Re: Re:

        They already do use Windows Updates to get in, and once they get in they use UEFI/BIOS rootkits to maintain a foothold (they modify ntoskrnl as it's loaded into memory).


  • Anonymous Coward, 18 Aug 2014 @ 2:03pm

    Just use a VPN when running YouTube. It does not have to even be a commercial VPN. With a VPN, they don't know whose computer is connected, they only know there is a connection coming from a VPN.


  • Anonymous Coward, 18 Aug 2014 @ 5:22pm

    Let's apply it the other way around

    Once the government shares any information with a third party, it can no longer be considered classified. And should be freely available to any citizen upon request so they can perform the essential government oversight that is not only their right, but their duty, as a citizen!


  • Hardwired, 19 Aug 2014 @ 3:00am

    Internet Surfing Security

    For Firefox:

    Must have security related add-ons
    (Click tools/Add-ons - on the menu bar of Firefox)

    type in the following names on the add-ons page to find:

    Noscript,
    Better Privacy
    Adblock Plus,

    or visit:
    https://addons.mozilla.org/en-US/firefox/

    Learn to use Noscript and keep all scripts disabled except the ones you must enable. Others, only temporarily enable when one must do so. The rest, never enable them. Practice and soon you will be a noscript pro and it's fast after that.

    Just as important as Noscript is:
    https://www.eff.org/https-everywhere


    And a good VPN service - beware of "honeypots"
    ----------------------------------------------------
    https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/

    Much of the advice here is misinformation and very inaccurate/wrong.

    Leave Windows Updates ON. Not doing so is seriously stupid. As is the other horrible advice from other replies here. IF your older computer can't handle Win Updates then it's past time to run 32 bit GNU/Linux Mint or Ubuntu, and also with the above Firefox add-ons there as well.

    Everything stated here is 100% accurate. But many other replies are absolutely horrible advice.

    note: all my links above are https (secure ssl) sites. For your safety.

    Don't forget the VPN Service. $30 to $40 per year, for up to 5 PCs.

    Beware of others offering horrible advice on the internet. Always verify everything.
