Quantum Inserts

Various Law Enforcement Agencies Can Hack Your Computer Via YouTube Videos Using Quantum Inserts.


When we recently wrote about Google starting to make use of SSL for search rankings, one of our commenters noted that not every site really "needs" HTTPS. While I used to agree, I've been increasingly leaning in the other direction, and I may have been pushed over the edge entirely by a new research report from the Citizen Lab by Morgan Marquis-Boire (perhaps better known as Morgan Mayhem), entitled Schrodinger’s Cat Video and the Death of Clear-Text. He's also written about it at the Intercept (where he now works), explaining how watching a cat video on YouTube could get you hacked (though not any more).

The key point was this: companies producing so-called "lawful intercept" technology, that was generally (but not always) sold to governments and law enforcement agencies had created hacking tools that took advantage of non-SSL'd sites to use a basic man-in-the-middle attack to hack into targeted computers.

Companies such as Hacking Team and FinFisher sell devices called “network injection appliances.” These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people’s everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. The machine also exploits Microsoft’s login.live.com web site in the same manner.

Fortunately for their users, both Google and Microsoft were responsive when alerted that commercial tools were being used to exploit their services, and have taken steps to close the vulnerability by encrypting all targeted traffic. There are, however, many other vectors for companies like Hacking Team and FinFisher to exploit.

More Here
[link to www.techdirt.com (secure)]