How Various Law Enforcement Agencies Could Hack Your Computer Via YouTube Videos

from the it's-all-fun-and-games-until-someone-rickrolls dept

When we recently wrote about Google starting to make use of SSL for search rankings, one of our commenters noted that not every site really "needs" HTTPS. While I used to agree, I've been increasingly leaning in the other direction, and I may have been pushed over the edge entirely by a new research report from the Citizen Lab by Morgan Marquis-Boire (perhaps better known as Morgan Mayhem), entitled Schrodinger’s Cat Video and the Death of Clear-Text. He's also written about it at the Intercept (where he now works), explaining how watching a cat video on YouTube could get you hacked (though not any more).

The key point was this: companies producing so-called "lawful intercept" technology, which was generally (but not always) sold to governments and law enforcement agencies, had created hacking tools that took advantage of non-SSL'd sites to use a basic man-in-the-middle attack to hack into targeted computers.

Companies such as Hacking Team and FinFisher sell devices called “network injection appliances.” These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people’s everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. The machine also exploits Microsoft’s login.live.com web site in the same manner.

Fortunately for their users, both Google and Microsoft were responsive when alerted that commercial tools were being used to exploit their services, and have taken steps to close the vulnerability by encrypting all targeted traffic. There are, however, many other vectors for companies like Hacking Team and FinFisher to exploit.

I'd bet pretty good money that both of these companies also target some popular ad networks. For reasons that are still beyond me, many large ad networks still refuse to support SSL -- which is also why so few media sites support SSL. In order to do so, you have to drop most ad networks. Between ad networks and popular media targets, it's likely that there are plenty of opportunities for network injection going on.

Provided that the attacker can persuade a sufficiently large carrier to install a network injection apparatus, they can be reasonably certain of the success of any attack. While an attacker would still need an exploit to escape from the context of the target’s browser, one of the browser plugins (such as flash, java, quicktime, etc.) or similar is likely to provide a low cost avenue for this. This type of capability obviates the need for spear-phishing or more clumsy attacks provided the target is in the attacker’s domain of influence.

This type of approach also allows for the ‘tasking’ of a specific target. Rather than performing a manual operation, a target can be entered into the system which will wait for them to browse to an appropriate website and then perform the required injection of malicious code into their traffic stream. As such, this could be described as ‘hacking on easy mode’.

The key point made by the new report is not about the ideas behind network injection. That's been well-known for a while, and the NSA's and GCHQ's "Quantum Insert" packet injection system has been talked about recently. The main revelation here is that there are commercial vendors selling this technology to all sorts of law enforcement folks, meaning that it's probably widely used with little oversight or transparency. And that should be a pretty big concern:

These so-called “lawful intercept” products sold by Hacking Team and FinFisher can be purchased for as little as $1 million (or less) by law enforcement and governments around the world. They have been used against political targets including Bahrain Watch, citizen journalists Mamfakinch in Morocco, human rights activist Ahmed Mansoor in the UAE, and ESAT, a U.S.-based news service focusing on Ethiopia. Both Hacking Team and FinFisher claim that they only sell to governments, but recently leaked documents appear to show that FinFisher has sold to at least one private security company.

With all the attention on NSA/GCHQ surveillance, it's good that people are recognizing just how powerful some of these tools are. But we ought to be quite concerned about how ordinary law enforcement around the globe is making use of these tools as well, often with much less oversight and even less accountability.
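For site operators wondering how exposed their own pages are, here is an added example (not from the Citizen Lab report, the Intercept or Techdirt): a short Python audit that lists which resources a page would still fetch in clear text, which is exactly the traffic an on-path injection appliance can replace. The hostnames and the sample HTML are constructed for illustration.

```python
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

Finding = namedtuple("Finding", "kind tag url")

# "active" content runs as code or inside a plugin; "passive" content is only
# displayed. Either kind can be swapped by an on-path device when sent over HTTP.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src",
          "object": "data", "link": "href"}
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}

# Constructed sample page (hypothetical hosts), not taken from any real site.
SAMPLE_HTML = """
<html><head>
<script src="https://static.news.example/app.js"></script>
<script src="http://ads.adnet.example/show.js"></script>
<link rel="stylesheet" href="//cdn.news.example/site.css">
</head><body>
<img src="http://img.news.example/cat.jpg">
<embed src="http://video.example/player.swf" type="application/x-shockwave-flash">
<video><source src="/media/cat.mp4"></video>
</body></html>
"""


class ClearTextAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # only stylesheets are fetched and applied to the page
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            attr = table.get(tag)
            ref = attrs.get(attr) if attr else None
            if not ref:
                continue
            # Relative and protocol-relative ("//host/x") references inherit
            # the scheme of the page that embeds them.
            url = urljoin(self.page_url, ref)
            if urlsplit(url).scheme == "http":
                self.findings.append(Finding(kind, tag, url))


def audit(page_url, html):
    """Return every resource of the page that is fetched without TLS."""
    parser = ClearTextAudit(page_url)
    if urlsplit(page_url).scheme == "http":
        # The HTML itself is clear text, so anything in it can be rewritten.
        parser.findings.append(Finding("active", "document", page_url))
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for page in ("https://news.example/story", "http://news.example/story"):
        print(page)
        for f in audit(page, SAMPLE_HTML):
            print(f"  {f.kind:8} <{f.tag}> {f.url}")
```

Served over HTTPS, the sample page still has three clear-text resources, two of them active (the ad script and the plugin embed); served over HTTP, the document and every relative reference join the list.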

Reader Comments

  1.  
    Ninja, Aug 18th, 2014 @ 4:30am

    Ad networks don't really concern me, I block them all. But still, there are plenty of sites that don't use ssl or still have non-encrypted portions that could be used to perpetrate such attacks. The fact is encryption must become the standard now. Even if you can trust the site to be unencrypted you can't trust the Government or even corporations (online tracking yeah) to respect your privacy and not meddle into your stuff. It's sad, it's creepy, it's scary but such is the world we live in now. The funny side is that until it's standard you actually put yourself in evidence if you take steps to enhance your security/privacy because you'll be among the few taking such steps.

     

  2.  
    That One Guy, Aug 18th, 2014 @ 4:31am

    Here's the part that confuses me:

    Provided that the attacker can persuade a sufficiently large carrier to install a network injection apparatus

    How do you even begin that conversation? 'Hello, I'm from a group that sells hacking tools to various agencies around the world, and I'm here today to talk to you about perhaps adding some hardware to your systems that will allow easy access to the computers or electronics of people using your services.

    Now yes, this may or may not open you up to a massive amount of negative PR, or even lawsuits should this ever be discovered, but we assure you, due to the incredibly restrictive NDA we'd like you to sign, all of the blame will be placed solely on your head, as you will be forbidden to even mention our name at any point. So, do we have a deal?'

    Or I suppose they could just cut straight to the chase. 'Here's a check for a couple million, here's an NDA that you need to sign to get the check, and you don't need to know why we're paying you so much money, so don't ask, and don't look into it.'

    Somehow I imagine it's closer to the second possibility than the first.

     

  3.  
    Anonymous Coward, Aug 18th, 2014 @ 5:56am

    Re:

    I imagine the conversation would start with a large bag of money.

     

  4.  
    Anonymous Coward, Aug 18th, 2014 @ 6:01am

    Can anyone explain how this is legal?

    Well, on second thought, guess I'm not really interested in all the mumbo jumbo lip service - how do they rationalize this within commonly accepted ethical standards? Obviously they cannot and simply fall back upon the premise that they are above the law, because reasons.

     

  5.  
    Violynne, Aug 18th, 2014 @ 6:21am

    "While an attacker would still need an exploit to escape from the context of the target’s browser, one of the browser plugins (such as flash, java, quicktime, etc.) or similar is likely to provide a low cost avenue for this."
    I would say this is more the point than requiring more sites go SSL.

    SSL won't protect anyone from malicious attacks as long as third parties refuse to update their software to prevent the injections in the first place.

    I remember the days when browsers prohibited any third party sources from activating.

    How far we've come for a little convenience.

    Rule of thumb: any time third party sources are used to deliver content, vulnerabilities will always exist, and SSL won't change this.

    Most third party sources always start with the user, the second they click the install button.

     

  6.  
    Anonymous Coward, Aug 18th, 2014 @ 6:36am

    Re: Re:

    A briefcase full of money in one hand, and a "National Security Letter" (or an arrest warrant depending on the locale) in the other.

     

  7.  
    Anonymous Coward, Aug 18th, 2014 @ 6:43am

    Law Enforcement's new motto

    Never gonna give you up
    Never gonna let you
    Gonna track your history
    from your Youtube

    Never gonna let you cry
    Never gonna say goodbye
    We've got a flash cookie
    via Bluetooth.

     

  8.  
    Anonymous Coward, Aug 18th, 2014 @ 6:43am

    Re:

    The problem is, taken from the Security world...

    you have to block ALL of the ad networks

    they only have to make one that you don't recognize

    make a rule for the browser that says that only Same Domain content is allowed, and you will still only block a portion since some sites will proxy the ad networks.

     

  9.  
    Mike Masnick, Aug 18th, 2014 @ 6:47am

    Re:

    How do you even begin that conversation? 'Hello, I'm from a group that sells hacking tools to various agencies around the world, and I'm here today to talk to you about perhaps adding some hardware to your systems that will allow easy access to the computers or electronics of people using your services.

    It's not the company that has the conversation. It's the government who bought the technology that shows up at the telco with the equipment in one hand... and a legal order (or guns) in the other...

     

  10.  
    Anonymous Coward, Aug 18th, 2014 @ 6:53am

    SSL will work as protection until they serve a national security letter on Google et al. Basically when the state goes rogue, it is very difficult to avoid their exploitation of technology, except by using battery powered off-line machines inside Faraday cages to deal with encryption and decryption. Also a safe way of transferring data, like an old fashioned floppy drive is also needed to avoid the problem that USB devices can be compromised, or reading and writing USB devices through a USB controller implemented in an FPGA so that the thumb drives cannot compromise your main machines.

     

  11.  
    nasch, Aug 18th, 2014 @ 7:09am

    Re:

    SSL will work as protection until they serve a national security letter on Google et al.

    We want to make it as much trouble to spy as possible. Even if it's still possible, if it's harder to do, then they'll be able to do less of it. And if we can push the issue from a few utterly subservient ISPs to more contentious (and numerous) companies like Google, that's better too.

     

  12.  
    Michael, Aug 18th, 2014 @ 7:17am

    Re:

    The problem with the ad networks is (besides them being insecure) they make it impossible to go full ssl for the sites that use them.

    To go full ssl, you have to tell ad networks that don't support it to go to hell and that costs the site money. TechDirt lost ad revenue to go ssl and many sites cannot or will not do the same.

     

  13.  
    Michael, Aug 18th, 2014 @ 7:20am

    Re: Re:

    and a legal order (or guns) in the other...

    Why not both? In fact, my patent-pending technology allows us to actually print legal orders on guns and even on bullets! Just think how much more efficient it would be!

     

  14.  
    Bengie, Aug 18th, 2014 @ 7:34am

    Re: Re:

    It's common practice to host static content on separate domains to reduce cookie traffic and load on the web servers to extract cookie data.

    By having static data on separate domains, session information is not passed to those web servers, making it cheaper to host.

     

  15.  
    Peter, Aug 18th, 2014 @ 7:40am

    Is there any protection other than using https?

    Chrome Sandbox? Noscript?

     

  16.  
    Anonymous Coward, Aug 18th, 2014 @ 7:50am

    SSL cert problems on TD still exist

    Actually speaking of Ad Networks, CDNs, and redirects, my mobile browser (NEXT) constantly, and for every action on TD, pops up with a cert warning for Akamai. It makes browsing TD very hard! I love what you're doing with SSL everything, but it seems that there are still holes!

     

  17.  
    John Fenderson, Aug 18th, 2014 @ 8:45am

    Re: Re:

    Blocking all Javascript (I recommend NoScript) goes a long way to addressing that problem.

     

  18.  
    Rekrul, Aug 18th, 2014 @ 9:00am

    Can someone help me? I removed my front door to make it more convenient to enter the house, but I keep getting robbed. Does anyone know how I can keep the bad guys out?

     

  19.  
    ahow628, Aug 18th, 2014 @ 10:32am

    Re: Is there any protection other than using https?

    I was curious about the same. I use Chrome on Ubuntu and wondered if that added any protection. At least I would not be vulnerable to all the Windows exploits.

    Do these have to do with the OS at all?

     

  20.  
    Michael, Aug 18th, 2014 @ 10:47am

    Re:

    You should lobby for harsher penalties for burglary. If the penalties are stronger, it will make them think twice before stealing from you.

     

  21.  
    Anonymous Coward, Aug 18th, 2014 @ 10:52am

    If they're going the route of forcing companies to cooperate, the easy way to do this would be to compromise Windows Update. Bam, you don't even need an exploit, you've just done whatever you like to their computer.

    Of course, if such a program were exposed, it would permanently reduce the online security of everyone, since people would avoid getting security updates. But I wouldn't assume they care about that when they've got a computer they want to compromise.

     

  22.  
    Anonymous Coward, Aug 18th, 2014 @ 12:19pm

    Re: Re:

    "It's not the company that has the conversation. It's the government who bought the technology that shows up at the telco with the equipment in one hand... and a legal order (or guns) in the other..."

    Major U.S telcos are such gov't boot-lickers that they don't even need legal orders (or guns). They're eager to help subvert the Constitution any time they can and are then generously rewarded.

     

  23.  
    Anonymous Coward, Aug 18th, 2014 @ 2:02pm

    Re:

    But what if someone does not have Windows Update turned on? I have Windows Update turned off. I find it really hogs system resources, especially on older machines.

    You don't NEED Windows Update if you have a good firewall and good anti-virus software.

     

  24.  
    Anonymous Coward, Aug 18th, 2014 @ 2:03pm

    Just use a VPN when running YouTube. It does not have to even be a commercial VPN. With a VPN, they don't know whose computer is connected, they only know there is a connection coming from a VPN.

     

  25.  
    That One Guy, Aug 18th, 2014 @ 4:09pm

    Re: Re:

    Ah, so it's less persuade, and more 'persuade'.

     

  26.  
    Anonymous Coward, Aug 18th, 2014 @ 5:22pm

    Let's apply it the other way around

    Once the government shares any information with a third party, it can no longer be considered classified. And should be freely available to any citizen upon request so they can perform the essential government oversight that is not only their right, but their duty, as a citizen!

     

  27.  
    Bergman, Aug 18th, 2014 @ 6:24pm

    Re:

    More likely it involves an FBI SWAT team parked outside the CEO's house, pictures of the SWAT team posing with the CEO's wife and kids, and a number of MIBs in the CEO's office explaining the concept of a 'deal you can't refuse' to him.

     

  28.  
    Bergman, Aug 18th, 2014 @ 6:28pm

    Re:

    You can get addons for your browser that block third party stuff. I use them myself, and while they sometimes cause certain websites to fail in odd ways, knowing who is using your RAM is definitely nice. Being able to tell them no and making it stick is priceless.

     

  29.  
    Eldakka, Aug 18th, 2014 @ 8:03pm

    Re:

    Most governments around the world, including 'western democracies' like UK, US, AU, CA as well as less 'free' nations like North Korea, China, Saudi Arabia, Russia have laws that require what they call "lawful intercept capability". Most telcos are required to provide this. And one way or another, most internet data passes through a telco.

    Once a device such as this is installed inside the telco to provide this lawful intercept capability, then it will get used. Especially if it's a case where the Government Agency (Police, intelligence, SEC, IRS etc) has direct access to the device rather than having to go through the telco each time it wants to gather data.

     

  30.  
    nasch, Aug 18th, 2014 @ 8:54pm

    Re: Re:

    More likely it involves an FBI SWAT team parked outside the CEO's house, pictures of the SWAT team posing with the CEO's wife and kids, and a number of MIBs in the CEO's office explaining the concept of a 'deal you can't refuse' to him.

    Not even close. These telcos will do anything the government asks, and require nothing more formal than a post-it note. Literally*.

    * and I am using that word literally

     

  31.  
    Hardwired, Aug 19th, 2014 @ 3:00am

    Internet Surfing Security

    For Firefox:

    Must-have security-related add-ons
    (Click tools/Add-ons - on the menu bar of Firefox)

    type in the following names on the add-ons page to find:

    Noscript,
    Better Privacy
    Adblock Plus,

    or visit:
    https://addons.mozilla.org/en-US/firefox/

    Learn to use Noscript and keep all scripts disabled except the ones you must enable. Others only temporarily enable when one must do so. The rest, never enable them. Practice and soon you will be a noscript pro and it's fast after that.

    Just as important as Noscript is:
    https://www.eff.org/https-everywhere


    And a good VPN service - beware of "honeypots"
    ----------------------------------------------------
    https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/


    Much of the advice here is misinformation and very inaccurate/wrong.

    Leave Windows Updates ON. Not doing so is seriously stupid. As is the other horrible advice from other replies here. IF your older computer can't handle Win Updates then it's past time to run 32 bit GNU/Linux Mint or Ubuntu, and also with the above Firefox add-ons there as well.

    Everything stated here is 100% accurate. But many other replies are absolutely horrible advice.

    note: all my links above are https (secure ssl) sites. For your safety.

    Don't forget the VPN Service. $30 to $40 per year, for up to 5 PCs.

    Beware of others offering horrible advice on the internet. Always verify everything.

     

  32.  
    RonKaminsky, Aug 20th, 2014 @ 10:04am

    Re: Re: Re:

    I agree that that mainly works, but it's a pain to start to temporarily enable domains/subdomains one by one hoping that you manage to enable the serving of the media you're interested in, while still blocking the ad networks.

     

  33.  
    Anonymous Coward, Sep 18th, 2014 @ 9:38am

    Re: Re:

    They already do use Windows Updates to get in, and once they get in they use UEFI/BIOS rootkits to maintain a foothold (they modify ntoskrnl as it's loaded into memory).

     

  34.  
    Anonymous Coward, Jul 6th, 2015 @ 1:24pm

    Re: Re: Re: Re:

    Usually the site name followed by cdn is all you need to allow. Although I unblock Disqus. Yeah. But I log in from a bullshit email address made on a free Russian email server.

     

  35.  
    Anonymous Coward, Jul 6th, 2015 @ 1:35pm

    Re: Re:

    I don't think anyone can seriously pack Russia with these other countries. (and also Malaysia in the article...Malaysia is a very tolerant multi-ethnic multi-religion country.)

    The whole anti-russia sentiment coming back is already simmering down, as the, may I say, illegal, sanctions put on it since a couple years are complete nonsense.

     
