Clear-text must die

The Citizen Lab “hackers” at University of Toronto’s Munk School of Global Affairs have released a report which reveals the use of network injection by law enforcement as a method to undermine internet security - and it makes for frightening reading.

Network injection is a dream come true for state-sponsored hackers as it does not rely on users being fooled by social engineering attacks and clicking on malicious attachments in emails to implant spyware.

Instead, network injection allows spy agencies to “infect targets on-the-fly by injecting malicious code into the traffic streams of popular websites,” writes Morgan Marquis-Boire of Citizen Lab.

This means that tactics such as fake software updates served to unsuspecting users, or supplying infected executables downloaded with malicious code, are employed.

According to Snowden’s leaked National Security Agency (NSA) documents, the United States’ main spy agency uses network injection with its QUANTUMINSERT methodology, and may have compromised up to 100,000 systems already.

Once again, law enforcement malware vendors Gamma International and The Hacking Group are involved with these carrier-scale solutions that can manipulate data traffic with ease.

FinFly promotional video provides a guide to network injection.

This method is used by some pretty nasty regimes around the world and internet traces point to widespread use in more friendly regimes too, possibly including the Australian Federal Police, although there is no official confirmation.

Microsoft and Google web properties were vulnerable to network injection attacks.

Microsoft has luckily addressed the problem, but logins to its popular Live service were vulnerable for a long time. When an attacker has your Microsoft account details, they have the key to the entire range of Redmond supplied services, not to mention others that you've used like Outlook.com or Hotmail as the credentials for a password reset email.

Likewise, Google is now rushing to fix its network injection vulnerable web properties which can be abused with rewritten data streams to serve malware including popular sites YouTube, Google Maps and Google Earth.

What’s the fix? Secure Sockets Layer/Transport Layer Security (SSL/TLS) is now mandatory for everything.

If the site you visit doesn’t include HTTPS in the URL and a green padlocked icon then it's to be avoided, regardless of how innocuous the site appears to be.

Also consider how applications are updated as many fetch material via HTTP. That data stream can be hijacked and replaced with something else that you might not want to have on your computer.

Application updates are often automatic, and there’s no sign that they’re being downloaded in the clear, often with no encryption.

The growing number of examples at the HTTP Shaming Tumblr site demonstrates that a growing number of popular and enterprise applications are updated in the clear, and therefore vulnerable to attacks.

Application developers of any size should take note and ensure that updates are delivered securely.

Clear-text data transmissions are unfortunately everywhere. My esteemed friend Chris Williams who edits the US section of an online trade publication of repute noted that ad networks serve their wares over HTTP mostly and not HTTPS:

One major barrier I see to publishers using HTTPS over HTTP: Adverts. It's one thing for a pub to use SSL, another to persuade ad networks

— Chris Williams (@diodesign) August 18, 2014

At the risk of biting the hand that feeds us at iTnews, who would have thought that ad blockers serve as security measures?

Ultimately, the message is clear: nobody, not businesses, governments, or individual users should ever use non-encrypted communications over the internet for any purpose be it web browsing, service or social media logins or webmail.

And users should take precautions urgently.