
Targeted Attacks Against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114 - kevcampb
https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/
======
joe_the_user
"This campaign, 'Detach from Attachments,' urges users to avoid sending or
opening email attachments, and to use cloud-based storage to send files like
Google Drive as an alternative."

-- Seems an entirely wrong-headed approach - easily defeated as this exploit
showed (even a conventional virus could spread download links or even upload
more files). Shouldn't the campaign involve avoiding insecure files in insecure
format from unknown or unverified sources?

~~~
andreyf
> Shouldn't the campaign involve avoiding insecure files in insecure format from
> unknown or unverified sources?

That's an interesting question. I think answering in the affirmative is
infeasible.

Slightly smarter user behavior is part of the solution, sure, but users should
not bear much if any of the burden of determining whether a file is secure (in
this case, by remembering what file formats can include an OLE object and
whether those are secure to open yet) and whether the many links of
authentication all hold.

Oh, I got this message via <channel> from <person>, how do I know <person>
actually sent it, or not? Well, <several entities> were involved in <system
that delivered it>, do I trust all of them? Oh, I don't need to, because
<other systems> authenticated the message. But what's the probability that
<person> is either trying to infect me, or has an infected machine that's
infecting any <format> files they send me? What other attack vectors are
there? The rabbit hole runs deep.

Computers should just work. When a user thinks he got a message from <person>
but it's not actually from <person>, that's not the user's fault, but the
system's. When a message that the user expects to show him a bunch of pictures
(slides from a presentation) actually contains executable code that takes
control of his machine, that's not the user's fault for not knowing what the
latest CVEs are.

~~~
gbog
Yes, certainly, computers should be safe. But they aren't. So another less
idealistic defense is to teach fear to users. Just as I have to induce fear of
cars in my kids (annoyingly necessary), I will tell them to not trust anything
coming from computers.

I'm old now and I've been in computers since I was maybe 14, and, believe it or not,
I've never told my name to my computer.

------
stephengillie
I think this is the OLE vulnerability we were discussing last week:

[https://news.ycombinator.com/item?id=9821405](https://news.ycombinator.com/item?id=9821405)

~~~
stephengillie
I'm sorry for posting this; I didn't realize I was detracting from the
conversation. And since it's too late to delete, I must suffer additional
downvotes.

------
reiichiroh
The CVE entry dates it as going way back to 2014 though?

~~~
stephengillie
Apparently it was discovered and raised as an exploit, never patched, and
never used until today? It makes me wonder how many other known unpatched
exploits like this are out in the tall grass.

~~~
cpncrunch
It looks like it was patched (as far as I can tell):
[https://technet.microsoft.com/en-us/library/security/ms14-060.aspx](https://technet.microsoft.com/en-us/library/security/ms14-060.aspx)

Is the problem that many people in China are using XP, or pirated versions of
Windows that don't get updates?

------
notsony
If this post is being upvoted because of "Tibet" please remember that the US,
UK and every other EU member state officially recognizes Tibet as part of the
sovereign territory of China.

~~~
rosser
When you're dealing with a state that has the economic clout that China has,
and the kinds of hyper-reactive sensitivities that China has about Tibet [1],
you tend to defer for the sake of a smoothly functioning global economy, whether
you agree with their position or not.

[1] For example, barring people from getting a Chinese visa _for life_ for
publicly making pro-Tibet statements.

Another: you need an "internal" visa, issued from within China, to get into
Tibet [2]. If you mention on your visa application to get into China in the
first place, however, that you want to visit Tibet, your Chinese visa is
automatically denied. Essentially, you have to _lie_ to the state about the
purpose of your trip, if you want to visit Tibet. No, they don't have any
issues there at all...

[2] Unless you're flying into Lhasa from Kathmandu, where you can get a
direct-entry visa.

EDIT: footnotes.

