Tuesday, August 19, 2014

How your cat video addiction could be used to hack you

What timing! A few minutes before I read this, I got a warning that I needed to update Flash. It looked fishy, so I didn't do it.

http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/15/how-your-cat-video-addiction-could-be-used-to-hack-you/

By Andrea Peterson and Barton Gellman August 15, 2014

A new report from the digital human rights watchdogs at The Citizen Lab at the University of Toronto's Munk School of Global Affairs reveals that "network injection appliances" sold by commercial surveillance vendors are actively exploiting common consumer services, like YouTube, to install malicious software around the world. All of which means, in short, that your love of cat videos might be putting you at risk of being hacked.

In the report, security researcher Morgan Marquis-Boire describes how a network injection attack works. The attacker first gets access to a network, whether that's your Internet Service Provider or local network connection to your computer. From there, he taps into unencrypted network traffic — known as clear-text — and implants a piece of malicious code, or payload, which then travels on to the user's computer.

These sorts of attacks have their selling point and weaknesses. Their advantage over other types of attacks, like so-called spear-phishing or watering-hole attacks, is that those sorts of attacks require that the target do something wrong, such as opening an infected file. Network injection attacks don't require that slip-up. Simply streaming an unencrypted video of a cat sitting in a coffee mug or engaging in other typical browsing behavior is enough. The limit, though, is that once on a user's computer, the attack launched via network injection is quarantined to the user's browser.

But, Marquis-Boire explains, the modern Internet provides plenty of ways out. Everything from advertising networks to browser plugins like Flash, Java, and QuickTime offers clever attackers a "low cost" avenue for an attacker to transit from a user's browser to the rest of their machine. "While this infection method requires user interaction to accept the fake Flash update, it is also possible to bundle the payload with an exploit in order to silently install the surveillance agent," Marquis-Boire writes — so a user might not have any idea that something malicious is happening.

