
Watch a Cat Video, Get Hacked: the Death of Clear-Text

Soulskill posted about 2 months ago | from the internet-doomed dept.


New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.


166 comments


This is just evil. (2)

sabri (584428) | about 2 months ago | (#47681105)

And evil doesn't cover it.

This is just evil. (0)

Anonymous Coward | about 2 months ago | (#47681491)

So how does this work? Do you get a black box with the words "Please type 'Windows-R, cmd[enter], net user nsa foobar /add, net localgroup administrators nsa /add' before you can watch your cat video."? In other words, there has to be a bug on the client that lets the web page run arbitrary code, in which case the solution is to patch your damn system.

Re:This is just evil. (1)

Lazere (2809091) | about 2 months ago | (#47681571)

In other words, there has to be a bug on the client that lets the web page run arbitrary code

Yep, that's called a browser. Arbitrary code is exactly what a webpage or video is. This is the exact reason drive-by malware via ad networks still happens. If you have ISP level access and can inject malicious code in unencrypted pages, you win. The solution to this, from a web host's view, is to encrypt everything.

Re:This is just evil. (4, Informative)

mythosaz (572040) | about 2 months ago | (#47681633)

Rendering HTML isn't "executing arbitrary code" in any meaningful way.

Re:This is just evil. (3, Insightful)

Noah Haders (3621429) | about 2 months ago | (#47681759)

Rendering HTML isn't "executing arbitrary code" in any meaningful way.

"I disagree" -- hackers.

Re:This is just evil. (4, Insightful)

LordLimecat (1103839) | about 2 months ago | (#47682341)

It's running code, but not arbitrary. There are limits to what code is allowed to execute. The HTML5 spec does not, for instance, allow you to read arbitrary memory locations.

"Executing structured code" perhaps?

Re:This is just evil. (0)

Anonymous Coward | about 2 months ago | (#47682243)

Would those who are claiming something can't be done please get out of the way of those doing it.

Thank you.

Re:This is just evil. (0)

Anonymous Coward | about 2 months ago | (#47682643)

I'm not claiming it can't be done. I'm just saying there's no difference between this problem and the one where a malicious banner ad or web page exploits a known bug in your client. In either case, the solution is to keep your system patched. Unless you think the "state actors" know about vulnerabilities or backdoors that the general scum don't, of course.

Re:This is just evil. (1)

BancBoy (578080) | about 2 months ago | (#47681781)

Whew! I thought you were going to say hosts file. Thank heavens for that. Uh oh...

Re:This is just evil. (5, Insightful)

mysidia (191772) | about 2 months ago | (#47681795)

Yep, that's called a browser. Arbitrary code is exactly what a webpage or video is.

No. Full stop. A webpage or video is a page which may contain some script language which is to be executed within a certain restricted context pertaining to the webpage domain.

It is code execution, but not arbitrary code execution. A webpage is not supposed to be able to run arbitrary code within the meaning of arbitrary instructions on the CPU; only certain safe instructions within a highly limited scope.

Re:This is just evil. (-1)

Anonymous Coward | about 2 months ago | (#47682315)

I don't see the CPU being the problem, unless the CPU is in charge of deciding what files you can read/write, what devices you can access, and what APIs you can call. For example, if the browser is allowed to make network connections then it can run a spam-bot.

In other words, security is hard. Just filtering CPU instructions seems naive to me.

Re:This is just evil. (0)

Anonymous Coward | about 2 months ago | (#47682635)

You could theoretically sandbox the CPU in its own user mode process so it can't do anything more malicious than get into an infinite loop. I think I recall Google playing around with that idea for Chrome a couple of years back, in fact. That said, the status quo today is that if you can run arbitrary CPU instructions you can pwn the system.

Re:This is just evil. (0)

Anonymous Coward | about 2 months ago | (#47681921)

Cats are cool. [filldisk.com]

Totally safe, honest!

https is useless (5, Insightful)

bbn (172659) | about 2 months ago | (#47681107)

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

Re:https is useless (0)

Anonymous Coward | about 2 months ago | (#47681251)

The keys that verisign uses are there to sign the certificate. The actual encryption is handled by the keys on your server. The private portions should never be sent to anyone for signing.

Re:https is useless (5, Insightful)

gameboyhippo (827141) | about 2 months ago | (#47681269)

Right. And if you have the keys then you can sign your own certificates. Thus allowing Eve to pretend she's Bob.

Re:https is useless (1)

Anonymous Coward | about 2 months ago | (#47681671)

Eve? Is Bob cheating on Alice?

Re:https is useless (1)

grcumb (781340) | about 2 months ago | (#47681805)

Eve? Is Bob cheating on Alice?

Ah, she told you her name was Alice?

You poor naive thing....

Re: https is useless (1)

Anonymous Coward | about 2 months ago | (#47681969)

Eve is Bob, cheating on Alice.

FTFY. This is how man in the middle works.

Re:https is useless (0)

Anonymous Coward | about 2 months ago | (#47681957)

Sounds like your average mmorpg.

Re:https is useless (0)

Anonymous Coward | about 2 months ago | (#47681357)

The keys that verisign uses are there to sign the certificate. The actual encryption is handled by the keys on your server. The private portions should never be sent to anyone for signing.

That's a nice history lesson. You can shove that shit right back in your magic hat, along with the Constitution, Democracy, Santa Claus, and the rest of the imaginary shit kids still play make-believe with these days.

Re:https is useless (1)

AaronLS (1804210) | about 2 months ago | (#47681403)

Your response doesn't invalidate how cryptography works. It's solid math and there's no magic about it.

Re:https is useless (4, Informative)

TechyImmigrant (175943) | about 2 months ago | (#47681437)

If the state can forge certs, the state can redirect your traffic to their youtube proxy and insert the malware just behind the fake thing you authenticated with. Your own private keys will not protect you.

This is one of the many reasons why the public PKI is broken.

Re:https is useless (0)

mi (197448) | about 2 months ago | (#47681561)

If the state can forge certs, the state can redirect your traffic to their youtube proxy and insert the malware just behind the fake thing you authenticated with.

And that is, how things ought to be — unless we want to strip the state off their power to search us (and trail us).

Yes, the state ought to need a proper warrant to exercise that power. But, without the described capabilities, police would not be able to do, what the warrant allows (and their job demands!) them to do.

Re:https is useless (1)

PopeRatzo (965947) | about 2 months ago | (#47681687)

And that is, how things ought to be — unless we want to strip the state off their power to search us (and trail us).

That is a discussion we should have. "Searching" and "trailing" have come to mean something very different than they did when the US Constitution was written.

Yes, we should be having that discussion right now. A power to "search us (and trail us)" might very well not be something we want to have by default. They should first be required to meet a much higher standard than currently, and that standard should be applied by someone besides a secret court that interprets secret laws, and operates secretly.

Re:https is useless (1)

mi (197448) | about 2 months ago | (#47682707)

That is a discussion we should have.

We should. But, unless you are going to suggest, the government ought not to have such powers at all (as pla argues below) — ever — then this is not the place for this discussion.

Because if, in your opinion, sometimes they do legitimately need this capability, then they ought to remain able to circumvent https — without spooking the subject.

Re:https is useless (1)

PopeRatzo (965947) | about 2 months ago | (#47682793)

But, unless you are going to suggest, the government ought not to have such powers at all

I'm suggesting that it should not be an inherent power of government. It's one they are granted when evidence is presented to a court for a warrant. In a public hearing.

I'm pretty sure that the past decade has taught us that government does not respect this constitutional requirement. So, they should get a time out from those powers until they can demonstrate that they know how to behave. I would rather take my chances with the armies of terrorists and child molesters that we are constantly being told are invading our shores from Canada, or something, than with a government that believes they have the power to search (and tail) every single citizen because they think that's the most efficient way to catch a bad guy.

So no, they should not be able to circumvent https until they've shown they can act responsibly.

Re:https is useless (3, Interesting)

pla (258480) | about 2 months ago | (#47681879)

unless we want to strip the state off their power to search us (and trail us).

Dingdingding! We have a winner!

Two and a half centuries ago we allowed the government those powers, under certain strict conditions, for the good of society as a whole. The government has repeatedly shown itself incapable of acting up to its side of that bargain. We The People therefore need to strip them of that power entirely. Can't find physical evidence of a crime without making my computer tell on me? Then It didn't happen.

"But we need the government to have those powers to preserve the public order", you say? No. The sort of crimes the NSA catches (heh, I typed that as "commits" and had to correct it) have nothing to do with you and I in our daily lives. They protect megacorps and the government itself, and nothing else.

Re:https is useless (-1)

mi (197448) | about 2 months ago | (#47682737)

Two and a half centuries ago we allowed the government those powers

No, actually. All governments before that have always asserted the right to search anyone and everywhere. We didn't "allow our government" to do this or that — we explicitly disallowed everything else. This may seem like hairsplitting, but it is historical truth — and you seem like you need refreshing of your perspective...

The sort of crimes the NSA catches have nothing to do with you and I in our daily lives.

NSA is not going to ask for a warrant any more than Alan Turing was asking for one, when he monitored all radio traffic he could — in an attempt to catch the enemy's transmissions. That organization's activities are beside the point, really — as long as they don't prosecute in US courts.

There are, unfortunately, a large number of other crimes, which the bad old eavesdropping helps solve/prevent — whenever the bad guys need to communicate, law enforcement has a legitimate need to be able to listen. Few of these crimes are Internet-specific — the same things we are discussing with regards to the Internet have been said back and forth decades ago about telephone.

They protect megacorps [...]

Oh, sorry, I didn't notice, you are an "anticorp" sort — I wouldn't have bothered with such an idiot. One percent much?

But now that I typed most of the answer anyway, you may as well have it. Remember to logout and, please, don't hate.

Re:https is useless (1)

Noah Haders (3621429) | about 2 months ago | (#47681555)

Naïve. The NSA influenced the RSA standards board to introduce a cryptography algorithm that they had already hacked.

Re:https is useless (4, Interesting)

HaeMaker (221642) | about 2 months ago | (#47681263)

Correct. What makes anyone think NSA agents aren't working at Google, Microsoft, Verisign, etc.? Does anyone check who actually signed the certs? Almost all devices trust a few DoD root certs by default. Going to slashdot is safe? No SSL here. Do any of these GIFs, JPGs or PNGs contain exploits? If they want you, they can't get you?

Re:https is useless (2, Interesting)

grcumb (781340) | about 2 months ago | (#47681953)

Going to slashdot is safe? No SSL here.

GCHQ has already spoofed Slashdot [techdirt.com] in the past. So no, going to Slash dot is not safe.

If they want you, they can't get you?

All right then. Let's all just roll over and die, why don't we?

Look, I get your cynicism, but don't let it run to fatalism. There are things you can do:

  • Stop making it easy on them. Stop using Windows. Seriously [imagicity.com]. Understand that what's convenient for you is often convenient for them.
  • Stop using proprietary software at all. Yes, yes, HeartBleed, nothing is safe, bla bla bla. I'm not talking about safe, though; I'm talking about safer. And FOSS is, objectively, a safer environment, and will remain so even after it becomes popular.
  • Start building and using federated, encrypted, decentralised, peer-to-peer systems. I honestly don't know why geeks didn't do this years ago, but why the fuck is Facebook the state of the art in social media? I mean, seriously. It's not only a privacy disaster area, it's a badly polished piece of shit to boot. We know that They don't like TOR because it's harder for Them. We know that They don't like bittorrent because it's harder for Them. So why the fuck are we not taking a clue from that and creating a UseNET we can go back to? I mean, I get why the peons don't, but we're geeks, for fuck sake. That used to mean something.
  • Start re-imagining an internet whose physical characteristics resemble its protocols. At the outset, we thought it would be cool to have generic protocols that ran more or less transparently on any old network at all. What we didn't realise was that just because stupid networks [rageboy.com] were possible, that didn't mean they were inevitable. The whole ICANN/ITU fiasco is all the evidence we need to see that the world's telcos have begun to realise how much ground they've lost and they want it back. But that doesn't mean we have to give it to them. Mesh topologies using low-power devices are the only way we cut them back down to size.

You can get all fatalistic if you like, but if your only response to the encroachments of authority is to run further and faster, then (apologies to Scotsmen everywhere) you're not a real geek.

Re:https is useless (3, Insightful)

Altrag (195300) | about 2 months ago | (#47682461)

What's inconvenient for them is often impossible for us. Try running most AAA games under Linux. A few will come with ports, and a few more will deliver a port 2-3 years later when nobody cares anymore. The vast majority are either Windows-only or Windows+Mac. Indie games tend to be somewhat better for this but most casual gamers just want the big name games.

And it gets even worse in a business environment where you often have software restrictions imposed on you by corporate policy and frequently by the fact that you need to interact with vendors/customers who use Windows-only products.

"Just stop using Windows" is a stupid catchphrase. It's like trying to end starvation by saying "just give them food." Actually it's worse, because food is a pretty good solution to starvation whereas it's pretty unproven that FOSS software is "objectively" safer than closed software (I mean it's probably true, but until Linux becomes a significant hacking target, we can't say definitively that the lack of exploits is due to better software rather than due to fewer people attempting to exploit it.)

Similarly with Facebook. It's the "state of the art" in social media because of absolutely nothing to do with privacy protection. In fact a lot of its popularity was initially based on its _lack_ of privacy considerations -- "Facebook stalking" and such activities. I mean that probably wasn't the main driving factor (being fresh and simple right around the time that Myspace was bloating itself out of existence is likely the biggest contributing factor. I doubt FB would have gotten as big as it did if Myspace had stuck to being a site people actually enjoyed using rather than letting themselves be overrun by commercial interests.)

And lastly protocols. Protocols are king. If TOR or similar ever comes out with a product that you can just install and "it works," then we might be getting somewhere. I mean "it works" as in it starts up with Windows, and immediately funnels all traffic through its own pipes and doesn't significantly impact the speed of watching a cat video on Youtube and basically in all ways stays the fuck out of the way. If it can get to that level, we might see some better adoption. As long as it's something you have to consciously connect and disconnect and slows down your connection by 50% and whatever else, it won't pick up widespread adoption. Look how long it's taking IPv6 to get off the ground and it's got built-in support by every major OS and network equipment provider! (Disclaimer: I haven't used TOR myself in a few years so I don't know how close to this ideal it's gotten.)

At the end of the day, the real problem isn't Windows or lack of encryption or any other technical issue -- the problem is that 90% of the population doesn't care. Or I should say, doesn't care _enough_. We care enough to sign online petitions and shit that's easy to do in the hopes that someone who has more time on their hands will be able to make a difference (openmedia.ca up here in Canada is a great example of an organization that has taken the "enough" qualifier to heart and used online petitions to make significant changes in the way our government treats privacy and other online issues.)

But on their own? Most people are too busy to worry about things that have a very low chance of ever impacting them directly. It's one thing for the NSA to tap a billion email accounts. It's another for them to filter through that data and pick targets. Yes everyone gets uppity when they pick a target wrong, but unless that target happens to be "me", most people have jobs and families and other things to do than worry about it for longer than it takes to exclaim "damned go'ment!"

TL;DR: "just fix everything" is great in principle, pretty much impossible in practice.

Re:https is useless (1)

grcumb (781340) | about 2 months ago | (#47682539)

TL;DR: "just fix everything" is great in principle, pretty much impossible in practice.

Okay, so go back to the top of my post and read it again for my response to 'It's too hard.' :-)

If you think that 'just fix everything' is what I'm saying, then you haven't even done me the justice of thinking about what I'm suggesting. I am saying that we geeks should know better, that we should do what we did in the 80s and 90s and turn our collective back on the well-trodden path and build our own internet, only this time with hookers and blackjack. Then I offered a few key suggestions about things we as geeks could fairly easily work on to move us in that direction.

To assume that I simply want to snap my fingers and effortlessly get all that and a pony is to fundamentally misunderstand what it is to be a geek. We build things for ourselves. When things don't work the way they should, we change them.

Now, I'm not suggesting you're not a True Geek (or Scotsman, for that matter). I'm just saying that if you're going to say 'too hard' about a situation such as this...

... No, fuck it. I am saying you're not a Real Geek :-)

Re:https is useless (4, Informative)

heypete (60671) | about 2 months ago | (#47681287)

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

Sure, they could, but I doubt they are.

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

While typical users won't notice, there's still plenty of risk to getting caught, particularly when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile sites "pinned" and will report back to Google if bogus certs are being used (they identified a bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives make it easier to detect if unexpected certs are showing up.

Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly, but each time they do the risk to their entire business increases.

I suspect the government would much prefer to do things sneakily in the shadows, rather than involving major CAs in such a risky role.

Re:https is useless (0)

Anonymous Coward | about 2 months ago | (#47681479)

>If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

HAHAHAHAno. Thanks to the demon that is backwards compatibility browser vendors have implicitly or explicitly confirmed that they cannot actually revoke root certs. Or, more specifically, that many websites rely on that particular root to verify their identity and would break horribly if a root cert got revoked. i.e. revoking a misbehaving root will break the web.

A better solution would be the ability to provide multiple root certs, which is not technically feasible today, and won't be for a while - even things like SSL vhosts are considered unreliable due to the prevalence of legacy browsers that don't know how to use the proper TLS extensions for hostname identification. So maybe in 10 years we can start telling site operators that they can turn on multiple certs, and 10 years after that browser vendors will have enough data to determine if it's safe to actually revoke a root cert or not. In the meantime you will have to convince HTTPS services that it's worth paying n times as much in certification costs to avoid a hypothetical root revocation.

Re:https is useless (1)

heypete (60671) | about 2 months ago | (#47681699)

>If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

HAHAHAHAno. Thanks to the demon that is backwards compatibility browser vendors have implicitly or explicitly confirmed that they cannot actually revoke root certs. Or, more specifically, that many websites rely on that particular root to verify their identity and would break horribly if a root cert got revoked. i.e. revoking a misbehaving root will break the web.

Why not? There have been roots that have been revoked due to being compromised and which have issued bogus certs (e.g. DigiNotar). That's caused some chaos, but people adapted.

Sure, VeriSign is large and commands (either directly or through its subsidiaries) a substantial fraction of the CA market. Nuking it would be a Very Big Deal that browsers wouldn't take lightly, but I have no doubt that if it were shown that VeriSign (or Comodo, or other CAs) were found to be issuing bogus certs for the government to compromise people, they'd get their roots pulled by browsers. That's a death sentence for a CA, hence my skepticism in response to the proposal that they're actively assisting governments.

A better solution would be the ability to provide multiple root certs, which is not technically feasible today, and won't be for a while - even things like SSL vhosts are considered unreliable due to the prevalence of legacy browsers that don't know how to use the proper TLS extensions for hostname identification. So maybe in 10 years we can start telling site operators that they can turn on multiple certs, and 10 years after that browser vendors will have enough data to determine if it's safe to actually revoke a root cert or not. In the meantime you will have to convince HTTPS services that it's worth paying n times as much in certification costs to avoid a hypothetical root revocation.

Agreed. That would be nice.

Re:https is useless (1)

mysidia (191772) | about 2 months ago | (#47681871)

were found to be issuing bogus certs for the government to compromise people, they'd get their roots pulled by browsers. That's a death sentence for a CA, hence my skepticism in response to the proposal that they're actively assisting governments.

They might engage in this indirectly by CROSS-SIGNING an intermediate CA which the government would have control over.

Verisign would then have plausible deniability, since the government agency produced all the required "audit papers" indicating compliance with the required policies.

Nothing bad would happen to verisign --- at most some browsers would add the rogue government CA to the "Untrusted certificates list", and maybe some other root CAs would add the intermediate CA to their CRLs in order to invalidate the CA.

Re:https is useless (0)

Anonymous Coward | about 2 months ago | (#47681485)

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

I wouldn't be too sure of that.

Of all the companies that have aided the NSA, how many are out of business or even really hurting?

Re:https is useless (1)

heypete (60671) | about 2 months ago | (#47681719)

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

I wouldn't be too sure of that.

Of all the companies that have aided the NSA, how many are out of business or even really hurting?

Companies like what? The ones making network-tapping hardware and whatnot cater toward a limited market, not the general public. Certificate authorities directly transact with server administrators, but their primary audience are end-users and they have wide public exposure. If a CA was found to be doing shady things, browsers would remove their roots. That'd basically kill off the offending CA.

Re:https is useless (4, Insightful)

PopeRatzo (965947) | about 2 months ago | (#47681721)

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?

I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help the government spy on people because then all their customers would cancel their service.

No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

Re:https is useless (1)

Charliemopps (1157495) | about 2 months ago | (#47681321)

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

That's not how it works. But of course, if they are inside Google and Microsoft (and they are) then you're screwed. But, in my experience with keys, these sorts of attacks have to be very directed. You can't just "hack everyone"; it's an exploit you'd have to hack on an individual basis. Usually because most sites, and client computers, are such unique devices. Most corporate websites have been developed over decades and are a mess of hundreds of different programmers over years. I'm involved peripherally in maintaining a couple of different large(ish) sites and the code makes me cry at times. But on the other hand, good luck hacking that without bringing the whole site down, we can barely maintain it ourselves! :-p

Re:https is useless (2)

jedidiah (1196) | about 2 months ago | (#47681785)

Security is fine if you are no one of interest. It doesn't matter if it's physical security or computer security. Once you are important enough for anyone to be interested in, most security measures are completely meaningless. This is just the harsh reality.

For most of us, security measures just dissuade the opportunistic idiot trying for an easy score with no particular interest in you as an individual.

Once you've managed to attract unwanted attention, you will have to engage more serious security measures (in general).

Re:https is useless (0)

Anonymous Coward | about 2 months ago | (#47681371)

Of course, more than just a state can pull MITMs. Remember when a significant chunk of traffic passed through Iceland for some reason?

Re:https is useless (3, Informative)

AmiMoJo (196126) | about 2 months ago | (#47681553)

Chrome pins Google's certs, so if anyone did try to make new fake ones the browser would flag it up. I believe there is a plug-in for Firefox that alerts you when certs change too.

This vulnerability has been known for a long time.

Certificate Patrol (2)

DrYak (748999) | about 2 months ago | (#47682721)

I believe there is a plug-in for Firefox that alerts you when certs change too.

Certificate Patrol [mozilla.org] is an example of such extension.

It does detect strange changes in certificate authority (for example when a Man-In-Middle attacker is using a bogus certificate signed by a rogue CA or by stolen keys from some CA).
It also detects un-called-for changes in certificate (for example, the actual authority has been coerced by the government to sign their spy-server keys, and thus you get a new legit-looking certificate, even if the old one hasn't been revoked and is still well within its validity range).
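An added illustration of the two checks discussed in the comments above (browser pins to expected CAs, and Certificate Patrol's warning when a host's certificate changes); this is example code, not the code of either the Chrome pinning feature or the Certificate Patrol extension. All hosts, issuer names, fingerprints and dates are constructed, and the 30-day renewal window is an assumed threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CertObservation:
    """The leaf certificate as seen on one TLS connection. A real client would
    read these fields from the X.509 certificate; the values used below are
    constructed for the demonstration."""
    host: str
    fingerprint: str      # hex SHA-256 of the DER-encoded certificate
    issuer: str           # issuer name, abbreviated
    not_before: datetime
    not_after: datetime


class CertPatrol:
    """Remember the certificate last accepted for each host and classify the
    next one seen. Hosts listed in `pins` also carry the set of issuers a
    browser would accept for them, in the spirit of Chrome's pinning."""

    def __init__(self, pins=None, renewal_window=timedelta(days=30)):
        self.known = {}            # host -> CertObservation last accepted
        self.pins = pins or {}     # host -> set of allowed issuer names
        self.renewal_window = renewal_window   # assumed threshold

    def observe(self, seen, now):
        """Return a verdict string. Only 'new:' and 'ok:' verdicts replace the
        stored certificate; alerts keep the old record so the reference does
        not drift towards a certificate that was never vetted."""
        allowed = self.pins.get(seen.host)
        if allowed is not None and seen.issuer not in allowed:
            return "alert:pin-violation"          # wrong CA for a pinned site
        if not (seen.not_before <= now <= seen.not_after):
            return "alert:outside-validity"
        prev = self.known.get(seen.host)
        if prev is None:
            self.known[seen.host] = seen          # trust on first use
            return "new:first-seen"
        if prev.fingerprint == seen.fingerprint:
            return "ok:unchanged"
        if prev.issuer != seen.issuer:
            return "alert:issuer-changed"         # different (rogue?) CA
        if prev.not_after - now > self.renewal_window:
            return "alert:replaced-before-expiry" # same CA, old cert still good
        self.known[seen.host] = seen              # plausible renewal
        return "ok:renewed"


def run_demo():
    """Feed a constructed sequence of observations through the detector and
    return the verdicts, one per observation."""
    t0 = datetime(2014, 8, 15)
    day, year = timedelta(days=1), timedelta(days=365)
    patrol = CertPatrol(pins={"video.example": {"Example Root CA"}})
    first = CertObservation("video.example", "aa" * 32, "Example Root CA",
                            t0 - year, t0 + 2 * year)
    events = [
        (first, t0),                              # first visit
        (first, t0 + day),                        # same cert again
        # pinned host presents a cert from a CA that is not on its pin list
        (CertObservation("video.example", "bb" * 32, "Rogue CA",
                         t0 - day, t0 + year), t0 + 2 * day),
        # unpinned host, first seen
        (CertObservation("mail.example", "cc" * 32, "Example Root CA",
                         t0 - year, t0 + 2 * year), t0),
        # same CA issued a new cert while the old one had two years left
        (CertObservation("mail.example", "dd" * 32, "Example Root CA",
                         t0, t0 + 3 * year), t0 + 3 * day),
        # a different CA vouches for the same host
        (CertObservation("mail.example", "ee" * 32, "Other CA",
                         t0, t0 + year), t0 + 4 * day),
        # ordinary renewal ten days before the remembered cert expires
        (CertObservation("mail.example", "ff" * 32, "Example Root CA",
                         t0 + 2 * year - 20 * day, t0 + 3 * year),
         t0 + 2 * year - 10 * day),
    ]
    return [patrol.observe(obs, when) for obs, when in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```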

Re:https is useless (1)

drolli (522659) | about 2 months ago | (#47681583)

They dont have to hand over the keys. Just get another certificate from another vendor using fake identities.

Reduced rights (2)

SQLGuru (980662) | about 2 months ago | (#47681111)

This is one of the reasons that I don't use an admin/root level account for normal activity. If I need those privs, I'll escalate my rights for a single action. While that also won't prevent all hacks, it drastically reduces my exposure.

Re:Reduced rights (2)

vux984 (928602) | about 2 months ago | (#47681195)

This is one of the reasons that I don't use an admin/root level account for normal activity.

A good practice to be sure.

While that also won't prevent all hacks, it drastically reduces my exposure.

Well, at least your device drivers are safe, and it's a little harder for you to join a bot net.

But pretty much everything you have of value can be accessed from user space, including all your documents. That's generally what identity and data thief hackers (and state actors) want.

Re:Reduced rights (1)

SQLGuru (980662) | about 2 months ago | (#47681239)

They also have a harder time installing executable code. If my browsing user can't install code, then they've only got memory to play with.

Re:Reduced rights (1)

vux984 (928602) | about 2 months ago | (#47681295)

Not entirely true. It just can't install it in c:\program files or your platform's equivalent. It can drop executables in folders you DO have access to though, and run them from there. And even get them to auto run if it puts the start command in a settings file you can edit as that user.

Re:Reduced rights (1)

MightyMartian (840721) | about 2 months ago | (#47681319)

Well, there have been a whole host of attacks associated with vulnerable versions of Flash and Java that could at least cripple a profile. I ran up against one of them around 2010. One of the staff at one of our remote locations suddenly had all their files supposedly disappear, desktop wiped out and the like, and a notification about a ransom if they wanted the files back. The user had no admin privileges, so I checked, and sure enough, the other profiles were untouched. What had happened is the auto updater for the workstation had failed.

Now, while it's true that the operating system itself was not compromised, and no other systems or users on the network were compromised, certainly there was enough control to potentially view confidential data on shared drives. While this was relatively unsophisticated ransomware, it did teach me that merely obsessing about privilege escalation does not lead to a secure system. User profiles and directories can still potentially be vulnerable even if the malware can't root the system.

Re:Reduced rights (1)

sqlrob (173498) | about 2 months ago | (#47681495)

A shell / powershell script is plain text.

Re:Reduced rights (1)

AmiMoJo (196126) | about 2 months ago | (#47681607)

Run your browser in a VM, preferably using a different OS to the host. No access to the host filesystem, isolated from the real machine. Then at least only your browser data is vulnerable.

Re:Reduced rights (0)

Anonymous Coward | about 2 months ago | (#47681711)

Until they break into the virtualization software . . .

Re:Reduced rights (1)

SigmundFloyd (994648) | about 2 months ago | (#47682035)

Run your browser in a VM, preferably using a different OS to the host. No access to the host filesystem, isolated from the real machine.

Simply chroot the browser, no?

Re:Reduced rights (0)

Anonymous Coward | about 2 months ago | (#47681267)

The attacks are designed to hack non-privileged accounts and escalate them into root level access which is the norm. I'm sure the malicious code doesn't even care if the account is an admin/root level to begin with. If anything you're probably increasing your exposure by using a non-privileged account.

Re:Reduced rights (0)

Anonymous Coward | about 2 months ago | (#47681311)

There are thousands of privilege escalation exploits for Linux. Nobody needs root anymore.

Re:Reduced rights (0)

Anonymous Coward | about 2 months ago | (#47681377)

So why is no one actually exploiting them?

Re:Reduced rights (1)

TechyImmigrant (175943) | about 2 months ago | (#47681463)

What makes you think that they aren't?

Re:Reduced rights (0)

Anonymous Coward | about 2 months ago | (#47681525)

In that same principle, you should do all your work on an iOS or unrooted Android device, where sandboxing is mandatory and applications have no access to other applications' data outside of very restrictive sharing channels. Privilege separation on modern operating systems was designed to isolate users in a multi-user environment, not to isolate a user from potentially malicious software. The latter requires ubiquitous sandboxing.

In the crypt (1)

Impy the Impiuos Imp (442658) | about 2 months ago | (#47681117)

Interesting. Unencrypted command-and-control channels embedded in the communications of custom application communication.

Next up: Buffer overruns and similar by violating the same stream or data stream.

I'd love to use https! (5, Interesting)

XanC (644172) | about 2 months ago | (#47681121)

...So why does Slashdot redirect HTTPS back to HTTP??

Re:I'd love to use https! (5, Informative)

Anonymous Coward | about 2 months ago | (#47681219)

Because Slashdot is not run by tech people anymore; it's just a large ignorant media conglomerate that cares not for its users until it starts to affect the bottom line.

Besides, enabling https could take minutes of labor time from literally ones of administrators to implement; that's not free, you know.

Re:I'd love to use https! (0)

Anonymous Coward | about 2 months ago | (#47681231)

So they can ignore your nobeta=1 url.

Re:I'd love to use https! (2, Interesting)

Anonymous Coward | about 2 months ago | (#47681241)

Simplicity and overhead.

HTTPS has overhead in encrypting all content. This can be mitigated by processors with AES instruction set, but it still impacts the scalability for the site. Most content on slashdot can probably be cached and thus CPU usage is kept to a minimum as users scale.

Staying in HTTPS but requesting HTTP resources has to be done carefully to avoid browsers from throwing cross domain violations. It's more trouble than it's worth.

No one with the know-how and resources to capture your slashdot HTTP cares what inane comments you are making or what you're reading. I'm sure some kooks think otherwise, but the government has bigger fish to fry. The HTTPS is used for critical steps, such as logging in to prevent accounts from being compromised.

Re:I'd love to use https! (0)

Anonymous Coward | about 2 months ago | (#47681505)

After logging in, your browser tells the website who you are via cookies which can be intercepted over an unencrypted connection to impersonate you and steal your data and probably change your account password and email address. The truth is that what protects you is people's lack of interest. Using HTTPS exclusively for logging in is a useless practice.

Re:I'd love to use https! (1)

AvitarX (172628) | about 2 months ago | (#47681787)

It protects from password re-use attacks.

Re:I'd love to use https! (1)

choprboy (155926) | about 2 months ago | (#47682483)

Staying in HTTPS but requesting HTTP resources has to be done carefully to avoid browsers from throwing cross domain violations. It's more trouble than it's worth.

I think that is the real crux... I was stunned to recently see that, in a completely clean browser, just going to the Slashdot root page loads 45 third-party domain cookies. That is excluding slashdot.org and dice.com properties....

Re:I'd love to use https! (0)

Anonymous Coward | about 2 months ago | (#47681331)

Well, because this is how they can use "network injection appliances" to target and intercept your unencrypted /. traffic and replace it with malicious /. beta code that makes ... well, I seriously don't know why somebody would do something this bad.

Fans of "Lol-cats" deserve malware (-1)

Anonymous Coward | about 2 months ago | (#47681133)

Title says it all

Since when is using a computer wrong and stupid? (-1)

Anonymous Coward | about 2 months ago | (#47681151)

> wrong, or stupid, or insecure to get hacked -
> - like clicking on the wrong attachments,
> or browsing malicious websites

Since when is it "wrong, stupid or insecure" to use a computer?
Oh, you are a Microsoft Corporation's 'Windows' product user?
That explains a lot.
Well, in fact you are wrong and stupid, and the only insecure thing is your operating system and the programs you use.
Think about it before posting bullshit again.

Problem solved. (1)

nimbius (983462) | about 2 months ago | (#47681271)

https everywhere. https://www.eff.org/https-ever... [eff.org]
And for those of you wondering why Slashdot redirects to http, it could be any number of conspiracy theories, but the most obvious: a BigIP appliance controls SSL handoff and they don't have the licenses for every freaking connection.

Flash vulnerability? (3, Interesting)

Animats (122034) | about 2 months ago | (#47681273)

Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash? Who audits that code? Well?

Re:Flash vulnerability? (0)

Anonymous Coward | about 2 months ago | (#47681407)

Whoa, hang on a second... YouTube has changed back to Flash?

WTF, when did this happen?

Why did they change from HTML5?

I need to check this out......

*comes back from youtube*

You sir, are incredibly misinformed.

Re:Flash vulnerability? (2)

Animats (122034) | about 2 months ago | (#47681569)

Didn't look at the source of a YouTube page, did you? Look for "http://s.ytimg.com/yts/swfbin/player-vflZsDuOu/watch_as3.swf". Videos can also play with "HTML5 video", but there's Flash code there to be executed.

Re:Flash vulnerability? (4, Informative)

timeOday (582209) | about 2 months ago | (#47681803)

No, I don't think it's a Flash vulnerability. It is awfully obscured in the article by general hand-waving, but I think the idea here is to trick people into installing an executable that isn't really Flash by causing an executable that presents itself as a Flash update to request installation. Since this happens while they are visiting youtube (with a man-in-the-middle doing the injection), the user may assume it is a legit update and install the malware.

In other words, Flash and Java are "exploited" only in the sense that people are so used to being pushed security updates, that they may accept a fake update delivered on an insecure connection. Accepting a so-called Flash update from any untrusted site would accomplish the same thing. It really just boils down to the fact that every site is an untrusted site if you're not using https, since you don't know who all is in the middle.

Re:Flash vulnerability? (1)

Animats (122034) | about 2 months ago | (#47681893)

It is awfully obscured in the article by general hand-waving...

Agreed. Anyone know what kind of exploit this is?

Re:Flash vulnerability? (5, Informative)

onproton (3434437) | about 2 months ago | (#47682205)

From the article: "A step-by-step breakdown of how such an attack might occur is as follows: 1. A target is selected and their name is entered into the Network Injection GUI. 2. The target’s traffic stream is located based on their ISP’s RADIUS records. 3. As per the rule on the network injector (as shown in Figure 14), the appliance waits for the target to visit YouTube. 4. When this traffic is identified, it is redirected to the network injection appliance. 5. The legitimate video is blocked and malicious flash (SWF) is injected into the clear-text portion of the traffic. (Represented by the kitty skull and cross bones.) 6. The target is presented with a dialogue to upgrade their flash installation. If this upgrade is accepted the malicious SWF enables the installation of a ‘scout agent’ which provides target validation. 7. If the target is assessed as correct (i.e., the desired person), and safe for install (not a malware analysis honeypot), then the full agent is deployed. 8. Surveillance of the target commences."

HTTPS may not be secure either (1)

Anonymous Coward | about 2 months ago | (#47681297)

I've seen a lot of web tracking bugs inserted into https traffic coming from unencrypted sources.

This is in major US companies too. Ebay, Paypal, Microsoft, etc. So, either these companies are dropping it in, or the https is being proxied somewhere.

Re:HTTPS may not be secure either (1)

The MAZZTer (911996) | about 2 months ago | (#47681685)

This is why your browser will NOT display the green lock if an HTTPS page references HTTP resources.
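The mixed-content point above and the cookie-interception point made earlier in the thread (the #47681505 comment: after login, a session cookie sent over plain HTTP can be captured and replayed) come down to the same server-side hygiene checks: every sub-resource on an HTTPS page must itself be https://, session cookies need the Secure (and HttpOnly) attributes, and Strict-Transport-Security keeps the browser from falling back to http:// at all. The audit below is an added example written for this page, not Slashdot's or any commenter's code; the headers, cookie names, host names and HTML body are constructed sample data.

```python
from html.parser import HTMLParser
from typing import Dict, List


class MixedContentFinder(HTMLParser):
    """Collects plain-http:// sub-resource references from an HTML document.

    Scripts, frames, stylesheets and plugins are "active" mixed content (they can
    run code or restyle the page); images and media are "passive" (display only).
    """
    RESOURCE_ATTRS = {
        ("script", "src"): "active", ("iframe", "src"): "active",
        ("link", "href"): "active", ("object", "data"): "active",
        ("img", "src"): "passive", ("audio", "src"): "passive",
        ("video", "src"): "passive",
    }

    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for (t, attr), severity in self.RESOURCE_ATTRS.items():
            if t != tag:
                continue
            url = a.get(attr) or ""
            if not url.lower().startswith("http://"):
                continue
            if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
                continue  # only stylesheet links actually fetch a sub-resource
            self.findings.append((severity, tag, url))


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the problems found in one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    problems = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie on http:// requests,
        # where anyone on the path can read and replay it.
        problems.append(f"{name}: missing Secure (sent over plain HTTP, interceptable)")
    if "httponly" not in attrs:
        problems.append(f"{name}: missing HttpOnly (readable by injected script)")
    return problems


def audit_response(headers: Dict[str, List[str]], body: str) -> Dict[str, list]:
    """Audit one HTTPS response: cookie attributes, HSTS, and mixed content."""
    report = {"cookies": [], "hsts": [], "mixed_content": []}
    for value in headers.get("Set-Cookie", []):
        report["cookies"].extend(audit_set_cookie(value))
    if "Strict-Transport-Security" not in headers:
        report["hsts"].append(
            "missing Strict-Transport-Security (typed http:// URLs still go out in clear)")
    finder = MixedContentFinder()
    finder.feed(body)
    report["mixed_content"] = finder.findings
    return report


def demo() -> Dict[str, list]:
    """Run the audit over a constructed response (headers and body are made up)."""
    headers = {
        "Content-Type": ["text/html"],
        "Set-Cookie": [
            "session=abc123; Path=/; HttpOnly",            # no Secure: flagged
            "prefs=dark; Path=/; Secure; HttpOnly",        # fine
        ],
    }
    body = (
        '<html><head>'
        '<link rel="stylesheet" href="http://cdn.example/style.css">'
        '<link rel="canonical" href="http://www.example/page">'
        '<script src="http://ads.example/a.js"></script>'
        '</head><body>'
        '<img src="http://img.example/kitty.jpg">'
        '<script src="https://cdn.example/ok.js"></script>'
        '</body></html>'
    )
    return audit_response(headers, body)


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

The canonical link is skipped on purpose: it is metadata, not a fetched resource, so only the stylesheet, the script and the image count as mixed content, with the first two as active.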

Re:HTTPS may not be secure either (1)

zlives (2009072) | about 2 months ago | (#47681987)

The article talks about state actors with physical access to ISPs. I don't think https is going to protect anyone that is targeted in such a manner.

Re:HTTPS may not be secure either (1)

ArcadeMan (2766669) | about 2 months ago | (#47681817)

That's why I only use HTTPSOS.

All the more reason-- (2)

wierd_w (1375923) | about 2 months ago | (#47681383)

Really, revelations like this are all the more reason to run a fully ROM-based OS for anything touching the internet.

Before somebody says something absurd, this is basically what a thin client does anyway. The difference is that you keep the system image inside the thin client itself, rather than pulling it from the network. A modified Chromebook would work just fine. An SD card slot that is hardware designed to be electronically incapable of raising its line voltages to write-enable levels, while still being physically accessible by the owner, would round out the package for where to store the system image.

Everything else is stored exclusively in RAM, and blanks completely on power off.

If the user WANTS persistent data, they can use external media. It comes in quite acceptable sizes these days.

This could very easily be done with a Chromebook with some simple modifications. Instead of doing Google Chrome, pack it with a squashfs Knoppix image.

Watch all the seditious cat videos you want.

Simpler way: virtualization + snapshot (2)

raymorris (2726007) | about 2 months ago | (#47681531)

You COULD modify the hardware etc., or just fire up Virtualbox, KVM, or qemu full screen for your web browsing and such. Set the virtualized image read-only, except when installing new software on it.

Beneath the virtual machine can either be a dedicated hypervisor or a very small Linux installation which has only a tiny attack surface.

Re:Simpler way: virtualization + snapshot (1)

Anonymous Coward | about 2 months ago | (#47681975)

Set the virtualized image read-only, except when installing new software on it.

And hope you don't have to do a page swap, or have any applications that need to write temporary files. You'll also have to be okay with the performance hit from downloading *everything* from every site you visit every time you visit, since the browser cache won't exist. To get around that, I suppose one could set up a set of RAM disks mapped to the appropriate paths if there is enough memory available in the VM, but those would only exist for the current session and would get wiped out each time the VM was shut down.

Re:Simpler way: virtualization + snapshot (1)

raymorris (2726007) | about 2 months ago | (#47682311)

> I suppose one could set up a set of RAM disks mapped to the appropriate paths if there is enough memory available in the VM, but those would only exist for the current session and would get wiped out each time the VM was shut down.

Yep, that's generally how you do it. As the title of my post suggests, you can also use on-disk snapshots for that, so again any altered files are reset on reboot. Reboot can take only seconds because many of the OS disk blocks are cached in host RAM. Live CDs have those paths all worked out and you can customize from that basis. Even simpler, you CAN just run a live CD directly. CD-R is physically read-only after it has been burned, so you can be certain that no malware or hackers have modified your system.

Re:All the more reason-- (1)

El_Oscuro (1022477) | about 2 months ago | (#47681837)

I once had a computer which did that, a Commodore 64. I am pretty sure most others at that time were that way too. The whole "store the O/S on a R/W hard drive" was an IBM PC/Microsoft idea, as were viruses.

A ROM based system with Ubuntu or Knoppix would be pretty sweet for surfing teh Interwebs.

Pure FUD (0)

Anonymous Coward | about 2 months ago | (#47681443)

Fear, uncertainty, doubt. That's all this story has to offer.

I must be missing something (1)

K. S. Kyosuke (729550) | about 2 months ago | (#47681473)

How is HTTPS going to protect me against this? It doesn't solve the problem of holey network-facing applications.

Not wrong, or stupid, or insecure, just run Flash (1)

raymorris (2726007) | about 2 months ago | (#47681489)

TFS says:
> many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true. ... [Adobe Flash can be exploited by an ISP].

Hmm, so you don't have to do something stupid or insecure, just run Flash and Java. :)

Flash is mostly used for ads and malware, neither of which I want, so I don't run Flash in my default browsers. For many years, there has been precisely one site for which I ever had any interest in having Flash installed, and that was YouTube. Not anymore. YouTube no longer requires Flash. https://www.youtube.com/html5 [youtube.com]

Re:Not wrong, or stupid, or insecure, just run Fla (0)

Anonymous Coward | about 2 months ago | (#47681669)

Just wait till backdoors get installed in your fancy HTML5 browsers.... or the network card firmware and OS, and something that gets logged as a malformed packet triggers an automatic installation of government spyware... preloaded in the hardware's memory.

Netgear doesn't need to advise its customers, and if they manufacture overseas there is plausible deniability from both our government and the manufacturer.

More likely China gets $$ and trade for pulling shit like that already.

Tax Rebate (2)

CanHasDIY (1672858) | about 2 months ago | (#47681665)

state actors involving "network injection appliances" installed at ISPs.

So, since we're being charged by the bit now, and the government is taking my bits (that we pay for) off the pipe and replacing them with their bits (that we also pay for)... wouldn't that imply that these "state actors" should be on the hook for at least part of our ISP usage bills?

Corrected story :) or maybe :( (1)

davidwr (791652) | about 2 months ago | (#47681733)

$FUTURE_DATE: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs and with the possibly-coerced "cooperation" of https: web sites or the companies issuing https: certificates. These devices can target and intercept encrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked - like visiting an unencrypted web site, ...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now - but just one more reminder to not trust the person on the other end to not cooperate with The Man in the middle. It is unknown how long such attacks have been happening but they might date to 2014 or earlier.

weird headline (0)

Anonymous Coward | about 2 months ago | (#47681777)

So... https will protect me while watching cat videos?

Its ok (0)

Anonymous Coward | about 2 months ago | (#47681809)

I don't watch cat videos. :-)

One reason I use.... (0)

Anonymous Coward | about 2 months ago | (#47682107)

...OpenDNS. I bypass my ISP altogether when it comes to getting web content using their DNS. Hopefully OpenDNS doesn't ever get hacked of course, but since they deal with security, they are better on top of things than most ISPs are when it comes to DNS lookup injection issues. :)

Re:One reason I use.... (0)

Anonymous Coward | about 2 months ago | (#47682557)

Might help more if you don't use your ISP's infrastructure at all.

Just one more reminder to use https? (1)

lippydude (3635849) | about 2 months ago | (#47682391)

"This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https."

Except if the local proxy is designed to intercept https traffic and replace the sender's digital signature with its own. ref [secureworks.com]

Targeted exploitation technique? (1)

lippydude (3635849) | about 2 months ago | (#47682397)

Will this targeted exploitation technique work if the target isn't Microsoft Windows ©?