You Can Get Hacked Just By Watching This Cat Video on YouTube

Holysmoke
Thread author
Jul 31, 2014
https://firstlook.org/theintercept/2014/08/15/cat-video-hack/

Many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites. People also think that the NSA and its international partners are the only ones who have turned the internet into a militarized zone. But according to research I am releasing today at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, many of these commonly held beliefs are not necessarily true. The only thing you need to do to render your computer’s secrets—your private conversations, banking information, photographs—transparent to prying eyes is watch a cute cat video on YouTube, and catch the interest of a nation-state or law enforcement agency that has $1 million or so to spare.

To understand why, you have to realize that even in today’s increasingly security-conscious internet, much of the traffic is still unencrypted. You might be surprised to learn that even popular sites that advertise their use of encryption frequently still serve some unencrypted content or advertisements. While people now recognize that unencrypted traffic can be monitored, they may not recognize that it also serves as a direct path into compromising their computers.

Companies such as Hacking Team and FinFisher sell devices called “network injection appliances.” These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people’s everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. The machine also exploits Microsoft’s login.live.com web site in the same manner.

Fortunately for their users, both Google and Microsoft were responsive when alerted that commercial tools were being used to exploit their services, and have taken steps to close the vulnerability by encrypting all targeted traffic. There are, however, many other vectors for companies like Hacking Team and FinFisher to exploit.

In today’s internet, there are few excuses for any company to serve content unencrypted. Any unencrypted traffic can be maliciously tampered with in a manner that is invisible to the average user. The only way to solve this problem is for web providers to offer fully encrypted services.
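The article's point is that any clear-text fetch, including a single ad or script on an otherwise HTTPS page, is a path an on-path injection appliance can rewrite. The following audit, an added example that is not code from the article or from the Citizen Lab report, checks the three properties a "fully encrypted" service needs: plain HTTP redirects to HTTPS rather than serving content, the HTTPS response carries a strong HSTS header so browsers never retry plain HTTP, and the HTML pulls no sub-resources over http://. The responses, host names under example.invalid and the 180-day HSTS threshold are constructed assumptions; a real audit would replace the sample responses with live fetches.

```python
"""Audit a web origin for full-encryption hygiene.

Added example (not from the article). Responses below are constructed;
hostnames under example.invalid are placeholders.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: dict          # header names lower-cased
    body: str = ""


MIN_HSTS_AGE = 15552000    # 180 days; assumed threshold for this audit

# Tags whose src/href cause the browser to fetch a sub-resource
_SUBRESOURCE_RE = re.compile(
    r'<(script|img|iframe|link|video|source)\b[^>]*?\b(?:src|href)\s*=\s*["\']([^"\']+)',
    re.I,
)


def find_plaintext_subresources(html):
    """Return URLs of sub-resources an HTML body fetches over http://.

    Protocol-relative URLs (//host/path) inherit the page scheme and are
    therefore not flagged; only an explicit http:// scheme is mixed content.
    """
    return [url for _tag, url in _SUBRESOURCE_RE.findall(html)
            if urlsplit(url).scheme.lower() == "http"]


def parse_hsts(value):
    """Parse Strict-Transport-Security into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None, False       # malformed header: treat as absent
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit(http_response, https_response):
    """Return a list of findings; an empty list means the origin passes."""
    findings = []
    # 1. Plain HTTP must redirect to HTTPS, never serve content in the clear.
    loc = http_response.headers.get("location", "")
    if not (300 <= http_response.status < 400 and loc.lower().startswith("https://")):
        findings.append("plain HTTP serves content instead of redirecting to HTTPS")
    # 2. HSTS tells browsers to upgrade future requests before they hit the wire.
    hsts = https_response.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_AGE}")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    # 3. Mixed content: each http:// sub-resource is an injectable clear-text fetch.
    for url in find_plaintext_subresources(https_response.body):
        findings.append(f"sub-resource fetched over plain HTTP: {url}")
    return findings


# Constructed sample responses: a weak origin and a hardened one.
WEAK_HTTP = Response(200, {"content-type": "text/html"}, "<html>served in clear</html>")
WEAK_HTTPS = Response(200, {"content-type": "text/html"},
    '<html><script src="http://ads.example.invalid/tag.js"></script>'
    '<video src="https://cdn.example.invalid/cat.mp4"></video></html>')

GOOD_HTTP = Response(301, {"location": "https://www.example.invalid/"})
GOOD_HTTPS = Response(200, {"content-type": "text/html",
    "strict-transport-security": "max-age=31536000; includeSubDomains"},
    '<html><script src="https://www.example.invalid/app.js"></script>'
    '<img src="//www.example.invalid/logo.png"></html>')

if __name__ == "__main__":
    for name, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                       ("good", (GOOD_HTTP, GOOD_HTTPS))):
        print(name, audit(*pair) or ["pass"])
```

Running it reports three findings for the weak origin (content served over plain HTTP, no HSTS, and the ad script loaded over http://) and none for the hardened one. The mixed-content check is the one most relevant to the article: the YouTube page could be HTTPS while the video stream itself was not, and it is the stream the appliance rewrote.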

Last year, my colleagues at the Citizen Lab and I released a paper on the commercialization of digital spying and the burgeoning third-party online-surveillance market. Historically, this technology has been the province of nation-states with the capacity to develop their own boutique capability. Targeted online surveillance typically involves a software “implant” surreptitiously installed on a user’s machine allowing complete control of, for instance, a mobile device or laptop. Intelligence agencies in the U.S., U.K., Russia, Israel, China, etc. have developed their own custom versions of these. But over the last five years, Hacking Team and other players have begun selling this type of capability for what could be considered “dictator pocket change.” Nations who lack the ability to create their own tools can now accelerate their online targeted surveillance programs relatively cheaply.

These so-called “lawful intercept” products sold by Hacking Team and FinFisher can be purchased for as little as $1 million (or less) by law enforcement and governments around the world. They have been used against political targets including Bahrain Watch, citizen journalists Mamfakinch in Morocco, human rights activist Ahmed Mansoor in the UAE, and ESAT, a U.S.-based news service focusing on Ethiopia. Both Hacking Team and FinFisher claim that they only sell to governments, but recently leaked documents appear to show that FinFisher has sold to at least one private security company.

It is important to note what I’m describing today is not massive intercept technology (although it can be used at scale). Unlike the NSA’s metadata collection, these tools are not used to target entire nations. Nevertheless, we need to have an open discussion about how we want law enforcement using this type of technology. Is it being used to catch child pornographers? Kidnappers? Drug dealers? Tax cheats? Journalists who receive leaked documents?

In the digital age, a search through the contents of your laptop, online accounts, and digital communications is just as invasive as a search of your bedroom. Historically, being privy to someone’s most intimate moments and conversations would once have required placing bugging devices inside their home, not to mention the time and manpower to listen to what was being captured. The cost of such an operation required the target to be someone of reasonable interest. Now, it’s possible to watch someone through the lens of their laptop’s camera, to listen to them through the microphone of their cell phone, and to read through online correspondence cheaply and remotely. The canonical surveillance van full of bored government employees (being paid overtime) deployed 24 hours a day is increasingly a thing of the past.

We simply don’t know how often this type of surveillance occurs. While the Snowden revelations of the last year have revealed much about the character of surveillance by the intelligence community, the use of hacking for law enforcement surveillance is less well understood. There is widespread agreement that law enforcement techniques should be held to a high standard of transparency. Indeed, in the U.S., law enforcement agencies publish records detailing the number of wiretaps they deploy each year. But there is almost no public information on law enforcement hacking.

As the costs of deploying this type of technology decrease, and the tools become commercialized, their use is growing much faster than is commonly understood. The research I am publishing today tries to move our understanding forward, but ultimately the answers as to how to respond are going to come from informed dialogue. Each country needs to have an open discussion about which law enforcement agencies should be authorized to use this technology, under what circumstances, and how oversight should be updated to accommodate this new capability.
 

Cowpipe
Jun 16, 2014
Disable scripts, Flash, Java etc. (use the HTML5 player) and still you could be caught out by a phishing attack. For example, a YouTube video won't play and says "Click here to update your Flash player"; how many of us, even seasoned professionals, would click it? The site takes you to adobe.com, which is returned as HTTPS of course; believing it to be the official site (which it is, even though modified maliciously), the download link you request is instead replaced by a fake Flash updater and you become victim no. 2776.

The only realistic defence is to use an ISP that is highly privacy aware and would actively resist any attempt to host a man-in-the-middle attack, along with encrypted traffic. Software-wise, you should be using a customised operating system for which no public documentation or code exists, in order to make developing attack vectors harder; this should be thoroughly pen-tested regularly and adhere to core security concepts. Don't forget the hardware as well: you need to examine the firmware on any electronic devices capable of storing it, examining the firmware not only for rogue code but for vulnerabilities. You may choose to write your own firmware based off the functions available from the device hardware, removing or blocking any functionality that you consider a security risk or that is unnecessary.

Physical examination of all the hardware as well, including analysis of the circuits for normal behaviour. Most obviously perhaps, you might notice there is an additional resistor; why is that? What modifications have been made to that chip that might warrant an additional component? Compare voltage on the pin-outs against the manufacturer's published guidelines and against other boards which are known safe (or, if none are known to be safe, test several identical boards to look for anomalies; if yours is different to the others, you might have a problem).

Obviously I'm just theorising and there is much more to it and more practical implications to consider etc, but you know, long story short, if you want a job done securely, you're probably better doing it yourself (trust nobody)... ;)