How Various Law Enforcement Agencies Could Hack Your Computer Via YouTube Videos
from the it's-all-fun-and-games-until-someone-rickrolls dept
When we recently wrote about Google starting to make use of SSL for search rankings, one of our commenters noted that not every site really "needs" HTTPS. While I used to agree, I've been increasingly leaning in the other direction, and I may have been pushed over the edge entirely by a new research report from the Citizen Lab by Morgan Marquis-Boire (perhaps better known as Morgan Mayhem), entitled Schrodinger’s Cat Video and the Death of Clear-Text. He's also written about it at the Intercept (where he now works), explaining how watching a cat video on YouTube could get you hacked (though not any more). The key point was this: companies producing so-called "lawful intercept" technology, generally (but not always) sold to governments and law enforcement agencies, had built hacking tools that exploited non-SSL'd sites through a basic man-in-the-middle attack to compromise targeted computers.

Companies such as Hacking Team and FinFisher sell devices called “network injection appliances.” These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people’s everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. The machine also exploits Microsoft’s login.live.com web site in the same manner.

Fortunately for their users, both Google and Microsoft were responsive when alerted that commercial tools were being used to exploit their services, and have taken steps to close the vulnerability by encrypting all targeted traffic. There are, however, many other vectors for companies like Hacking Team and FinFisher to exploit.

I'd bet pretty good money that both of these companies also target some popular ad networks. For reasons that are still beyond me, many large ad networks still refuse to support SSL -- which is also why so few media sites support SSL. In order to do so, you have to drop most ad networks. Between ad networks and popular media targets, it's likely that there are plenty of opportunities for network injection going on.

Provided that the attacker can persuade a sufficiently large carrier to install a network injection apparatus, they can be reasonably certain of the success of any attack. While an attacker would still need an exploit to escape from the context of the target’s browser, one of the browser plugins (such as flash, java, quicktime, etc.) or similar is likely to provide a low cost avenue for this. This type of capability obviates the need for spear-phishing or more clumsy attacks provided the target is in the attacker’s domain of influence.

The key point made by the new report is not about the ideas behind network injection. That's been well-known for a while, and the NSA's and GCHQ's "Quantum Insert" packet injection system has been talked about recently. The main revelation here is that there are commercial vendors selling this technology to all sorts of law enforcement folks, meaning that it's probably widely used with little oversight or transparency. And that should be a pretty big concern:
This type of approach also allows for the ‘tasking’ of a specific target. Rather than performing a manual operation, a target can be entered into the system which will wait for them to browse to an appropriate website and then perform the required injection of malicious code into their traffic stream. As such, this could be described as ‘hacking on easy mode’.
These so-called “lawful intercept” products sold by Hacking Team and FinFisher can be purchased for as little as $1 million (or less) by law enforcement and governments around the world. They have been used against political targets including Bahrain Watch, citizen journalists Mamfakinch in Morocco, human rights activist Ahmed Mansoor in the UAE, and ESAT, a U.S.-based news service focusing on Ethiopia. Both Hacking Team and FinFisher claim that they only sell to governments, but recently leaked documents appear to show that FinFisher has sold to at least one private security company.

With all the attention on NSA/GCHQ surveillance, it's good that people are recognizing just how powerful some of these tools are. But we ought to be quite concerned about how ordinary law enforcement around the globe is making use of these tools as well, often with much less oversight and even less accountability.
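The injection appliances described above can only rewrite what they can read, so the exposure of a page comes down to which of its subresources are still fetched over cleartext HTTP, with active content (scripts, frames, stylesheets) being the dangerous case. The following audit script is an added example, not code from the article or from Citizen Lab; the HTML it parses is constructed for illustration, and the hostnames in it (news.example, ads.example, fonts.example, static.example) are placeholders.

```python
"""Audit an HTML document for subresources fetched over cleartext HTTP.

Added example: lists every script/frame/stylesheet/media reference that an
on-path device could rewrite because it travels unencrypted. Relative and
protocol-relative URLs inherit the scheme of the page itself, which is why
the same markup is far more exposed when the page is served over http://.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose fetched bytes run or render inside the page's own context.
# Tampering with these hands the attacker the page, not just a picture.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "link"}

# Which attribute carries the fetched URL for each element we audit.
URL_ATTRS = {
    "script": "src", "iframe": "src", "frame": "src", "embed": "src",
    "object": "data", "img": "src", "video": "src", "audio": "src",
    "source": "src", "link": "href",
}


class _SubresourceCollector(HTMLParser):
    """Collect (tag, absolute_url, is_active) for every fetched subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = URL_ATTRS.get(tag)
        if attr is None or not attrs.get(attr):
            return
        # Only stylesheet <link>s are fetched and applied; skip icons, canonical, etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        absolute = urljoin(self.page_url, attrs[attr])
        self.found.append((tag, absolute, tag in ACTIVE_TAGS))


def find_cleartext_resources(html, page_url):
    """Return [(tag, url, is_active)] for subresources that resolve to http://."""
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return [entry for entry in collector.found if urlsplit(entry[1]).scheme == "http"]


def summarize(html, page_url):
    """Return (active_count, passive_count) of cleartext subresources."""
    found = find_cleartext_resources(html, page_url)
    active = sum(1 for _, _, is_active in found if is_active)
    return active, len(found) - active


# Constructed sample page: one HTTPS library, one cleartext ad tag, one
# cleartext stylesheet, a protocol-relative image and a relative iframe.
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://fonts.example/f.css">
  <link rel="icon" href="http://static.example/favicon.ico">
  <script src="https://cdn.example/lib.js"></script>
  <script src="http://ads.example/tag.js"></script>
</head><body>
  <img src="//static.example/logo.png">
  <iframe src="/embed/video"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for page in ("https://news.example/story", "http://news.example/story"):
        print(f"page served at {page}:")
        for tag, url, is_active in find_cleartext_resources(SAMPLE_HTML, page):
            kind = "ACTIVE " if is_active else "passive"
            print(f"  {kind} <{tag}> {url}")
```

Running it shows the point the article makes about ad networks: on the HTTPS version of the page only the cleartext ad script and stylesheet remain exposed (and a browser would block them as mixed content), while on the HTTP version every relative and protocol-relative reference joins the list.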
Filed Under: encryption, https, law enforcement, legal intercept, network injection, packet injection, quantum insert, ssl
Companies: finfisher, hacking team
Reader Comments
Re:
you have to block ALL of the ad networks
they only have to make one that you don't recognize
make a rule for the browser that says that only Same Domain content is allowed, and you will still only block a portion since some sites will proxy the ad networks.
Re: Re:
By having static data on separate domains, session information is not passed to those web servers, making it cheaper to host.
Re:
To go full SSL, you have to tell ad networks that don't support it to go to hell, and that costs the site money. TechDirt lost ad revenue to go SSL, and many sites cannot or will not do the same.
Provided that the attacker can persuade a sufficiently large carrier to install a network injection apparatus
How do you even begin that conversation? 'Hello, I'm from a group that sells hacking tools to various agencies around the world, and I'm here today to talk to you about perhaps adding some hardware to your systems that will allow easy access to the computers or electronics of people using your services.
Now yes, this may or may not open you up to a massive amount of negative PR, or even lawsuits should this ever be discovered, but we assure you, due to the incredibly restrictive NDA we'd like you to sign, all of the blame will be placed solely on your head, as you will be forbidden to even mention our name at any point. So, do we have a deal?'
Or I suppose they could just cut straight to the chase. 'Here's a check for a couple million, here's an NDA that you need to sign to get the check, and you don't need to know why we're paying you so much money, so don't ask, and don't look into it.'
Somehow I imagine it's closer to the second possibility than the first.
Re:
It's not the company that has the conversation. It's the government who bought the technology that shows up at the telco with the equipment in one hand... and a legal order (or guns) in the other...
Re: Re:
Why not both? In fact, my patent-pending technology allows us to actually print legal orders on guns and even on bullets! Just think how much more efficient it would be!
Re: Re:
Major U.S. telcos are such gov't boot-lickers that they don't even need legal orders (or guns). They're eager to help subvert the Constitution any time they can and are then generously rewarded.
Re: Re:
Not even close. These telcos will do anything the government asks, and require nothing more formal than a post-it note. Literally*.
* and I am using that word literally
Well, on second thought, guess I'm not really interested in all the mumbo jumbo lip service - how do they rationalize this within commonly accepted ethical standards? Obviously they cannot, and simply fall back upon the premise that they are above the law, because reasons.
Re:
Once a device such as this is installed inside the telco to provide this lawful intercept capability, then it will get used. Especially if it's a case where the Government Agency (Police, intelligence, SEC, IRS etc) has direct access to the device rather than having to go through the telco each time it wants to gather data.
Re: Re:
The whole anti-Russia sentiment coming back is already simmering down, as the, may I say, illegal, sanctions put on it since a couple of years ago are complete nonsense.
I would say this is more the point than requiring more sites go SSL.
SSL won't protect anyone from malicious attacks as long as third parties refuse to update their software to prevent the injections in the first place.
I remember the days when browsers prohibited any third party sources from activating.
How far we've come for a little convenience.
Rule of thumb: any time third party sources are used to deliver content, vulnerabilities will always exist, and SSL won't change this.
Most third party sources always start with the user, the second they click the install button.
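The comment above argues that SSL alone does not help while third-party content is injected into pages. One complementary control for third-party scripts whose content is known in advance is Subresource Integrity, where the page carries a hash of the expected bytes and the browser refuses to run anything that does not match. The following is an added example written for this thread, not code from the article or the commenter; it reimplements the browser-side check in Python over constructed sample bytes so the behaviour can be seen without a browser.

```python
"""Subresource Integrity (SRI) verification, reimplemented for illustration.

Added example. sri_digest() produces the value a site operator puts in
<script integrity="..."> and sri_check() mirrors what a browser does before
executing the fetched bytes: pick the strongest algorithm listed, accept if
any token of that strength matches, reject otherwise. Bytes altered in
transit therefore fail the check even if transport encryption was absent.
"""
import base64
import hashlib
import hmac

# Algorithms SRI accepts, in increasing order of preference.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return 'algo-<base64 digest>' for the given resource bytes."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_check(body: bytes, integrity: str) -> bool:
    """Verify fetched bytes against a space-separated list of integrity tokens.

    Returns True when the body matches a token of the strongest listed
    algorithm. With no recognised token the attribute is treated as absent,
    which is what browsers do, so the caller gets no protection in that case.
    """
    tokens = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in STRENGTH:
            # Options after '?' are ignored by the spec.
            tokens.append((STRENGTH[algo], algo, rest.split("?", 1)[0]))
    if not tokens:
        return True
    best = max(strength for strength, _, _ in tokens)
    for strength, algo, b64 in tokens:
        if strength != best:
            continue
        expected = f"{algo}-{b64}"
        if hmac.compare_digest(sri_digest(body, algo), expected):
            return True
    return False


# Constructed sample: the script a publisher pinned, and the same script
# with bytes altered on the way to the client.
ORIGINAL_SCRIPT = b"window.widget = {version: 1};\n"
ALTERED_SCRIPT = ORIGINAL_SCRIPT + b"/* bytes changed in transit */\n"
PINNED_INTEGRITY = sri_digest(ORIGINAL_SCRIPT)


def demo():
    """Return (original_passes, altered_passes) for the pinned digest."""
    return (sri_check(ORIGINAL_SCRIPT, PINNED_INTEGRITY),
            sri_check(ALTERED_SCRIPT, PINNED_INTEGRITY))


if __name__ == "__main__":
    print("integrity attribute:", PINNED_INTEGRITY)
    print("original passes, altered passes:", demo())
```

The caveat matches the commenter's point: SRI only works for resources whose bytes are fixed ahead of time, so it covers a pinned library but not an ad tag that changes with every request, and browsers do not apply it to iframes at all. For those, the only transport-level defence remains serving the third party over HTTPS.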
Law Enforcement's new motto
Never gonna let you
Gonna track your history
from your Youtube
Never gonna let you cry
Never gonna say goodbye
We've got a flash cookie
via Bluetooth.
Re:
We want to make it as much trouble to spy as possible. Even if it's still possible, if it's harder to do, then they'll be able to do less of it. And if we can push the issue from a few utterly subservient ISPs to more contentious (and numerous) companies like Google, that's better too.
Is there any protection other than using https?
Re: Is there any protection other than using https?
Do these have to do with the OS at all?
SSL cert problems on TD still exist
Of course, if such a program were exposed, it would permanently reduce the online security of everyone, since people would avoid getting security updates. But I wouldn't assume they care about that when they've got a computer they want to compromise.
Re:
You don't NEED Windows Update if you have a good firewall and good anti-virus software.
Let's apply it the other way around
Internet Surfing Security
Must-have security-related add-ons
(Click Tools/Add-ons on the menu bar of Firefox)
Type in the following names on the add-ons page to find them:
Noscript,
Better Privacy
Adblock Plus,
or visit:
https://addons.mozilla.org/en-US/firefox/
Learn to use NoScript and keep all scripts disabled except the ones you must enable. Others, only temporarily enable when you must do so. The rest, never enable them. Practice and soon you will be a NoScript pro, and it's fast after that.
Just as important as Noscript is:
https://www.eff.org/https-everywhere
And a good VPN service - beware of "honeypots"
----------------------------------------------------
https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
Much of the advice here is misinformation and very inaccurate/wrong.
Leave Windows Updates ON. Not doing so is seriously stupid. As is the other horrible advice from other replies here. IF your older computer can't handle Win Updates then it's past time to run 32 bit GNU/Linux Mint or Ubuntu, and also with the above Firefox add-on's there as well.
Everything stated here is 100% accurate. But many other replies are absolutely horrible advice.
note: all my links above are https (secure ssl) sites. For your safety.
Don't forget the VPN service. $30 to $40 per year, for up to 5 PCs.
Beware of others offering horrible advice on the internet. Always verify everything.