so this was a linked comment from a thread 3 years ago....
Some areas of IT are in guarded rooms, with walls of a certain thickness, filtered power, external RF signals killed, and airgapped except for specific patterns for transferring between external systems.
You probably just want to buy a yubikey and accept a lot of computing is built on a house of cards with respects to trust.
If instead of a password field it's a text field with a custom font, no such warning will be presented.
https://blog.mozilla.org/security/2017/01/20/communicating-t... http://http-password.badssl.com/
"Ah, okay, it's not so secure, whatever that means... but I still want to login and do what I set out to do."
Do you see any warnings in your browser? I see no warnings in Chrome.
Maybe you have a browser extension, or setting turned on that I'm missing?
This happens regardless of extension (i.e. in an incognito window).
While major websites already were on SSL, a lot of websites didn't and there were no browser warnings yet.
The only defense is HSTS/certificate-pinning, for sites previously visited with that browser & device (it’s a TOFU security model).
HN has HSTS, but not Reddit, or my credit union, or my local pizza place, or Kaiser Permanente, etc. etc. etc.
EDIT: I believe e.g. Chrome and Firefox bake in some major certificates, which would also likely flag MITM attacks, for those sites.
EDIT II: Someone responded below (since deleted) that you’d also need that cert to be signed by a CA your browser trusts, which is true. My explanation is faulty/poor. Better informed discussion of attacks further down the thread!
Most browsers stopped even looking at CN or only do so for people's crappy home grown private CAs
Anyway, what makes certs trustworthy isn't the CN, it's a chain of two or more digital signatures leading to a trusted root. And the CN in that root, while it had to be truthful when written, may be twenty years old, so it's nonsense now.
But I wasn't talking about leaf certificates, I expressly mentioned this for the CN in _root_ certificates and it's pretty common for those to have a lifetime of ten, fifteen even twenty five years.
Here's an easy to remember example, https://crt.sh/?id=1 the first entry in the crt.sh database.
The Common Name on that certificate is "AddTrust External CA Root". So... who are AddTrust? I actually have no idea. This root is today controlled by Comodo, a CA in the United Kingdom but you'd never guess that from the certificate.
If you're dumb enough to install one of these boxes on your network, you might also be dumb enough to install an attacker-provided root certificate on your PC.
Is it to circumvent antivirus?
People need to calm the hell down here. If you’re connecting HTTPS to most of the web, the only thing this thing is going to do is collect worthless packet traffic. Woot woot.
It’s not meant to collect data, it’s meant to act as an agent to a larger network of these things to collectively impact something or another in whatever way. But they could give 2 poops about the traffic on your local network.
Yes, everything SHOULD be like this. I should be able to trust my neighbors and leave my doors unlocked as well, and I should be able to have faith in my elected officials. And yet...
The other issue is that you can connect to a website that implements HTTPS correctly, and still be borked if that site doesn't implement HSTS properly - there are tools that implement HTTPS downgrading on Kali.
>I still don't understand how this device could steal login details...Whenever I visit a website with an expired certificate, for example, Chrome gives me a big red warning banner before allowing me to continue to the site.
The problem comes when your corrupted router messes with DNS and sends you to https://evil.chase.com, which has a pixel perfect mock up of a chase bank login screen, and a perfectly valid cert.
And requires that if the user had visited chase.com, that chase.com not have includeSubdomains in their HSTS header.
In reality the "evil" page would look something like "https://www.login.chase/login?id=DEADBEEF/.evil.com". For a non-trivial number of users, that's enough - "I see the nice green lock, I see chase, and some crazy web address characters that are always there".
Unless you're doing something super clever with characters that I'm not understanding, that's not how urls work. ".evil.com" is clearly part of the query parameter.
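The HSTS/includeSubDomains point and the URL-parsing point above, worked as a small model of browser HSTS state. This is an added example, not code from the thread; the host names reuse the thread's constructed chase.com / evil.chase.com example, and the store is a plain dict with no expiry bookkeeping.

```python
"""Added example (not from the thread): a minimal model of browser HSTS state.
A browser remembers the Strict-Transport-Security header from an earlier HTTPS
visit (the TOFU model mentioned upthread) and later decides, from the URL's
hostname alone, whether to force HTTPS.  Host names are constructed samples."""
from typing import Dict, Optional
from urllib.parse import urlsplit


class HstsPolicy:
    def __init__(self, max_age: int, include_subdomains: bool):
        self.max_age = max_age
        self.include_subdomains = include_subdomains


def parse_sts(header: str) -> Optional[HstsPolicy]:
    """Parse an STS header value (RFC 6797 syntax).  Returns None when the
    header is malformed or lacks max-age, in which case a browser ignores it."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return HstsPolicy(max_age, include_sub)


def remember_policy(store: Dict[str, HstsPolicy], host: str, header: str) -> None:
    """Update the known-hosts store after an HTTPS response from `host`."""
    policy = parse_sts(header)
    host = host.lower()
    if policy is None:
        return                      # unparseable header: leave existing state alone
    if policy.max_age == 0:
        store.pop(host, None)       # max-age=0 tells the browser to forget the host
        return
    store[host] = policy


def effective_host(url: str) -> Optional[str]:
    """The host a browser actually connects to.  Path and query play no part,
    so '/login?id=DEADBEEF/.evil.com' contributes nothing to the decision."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def hsts_applies(store: Dict[str, HstsPolicy], url: str) -> bool:
    """True if a remembered policy forces HTTPS for this URL's host: an exact
    match, or a parent domain whose policy carried includeSubDomains."""
    host = effective_host(url)
    if host is None:
        return False
    if host in store:
        return True
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = store.get(".".join(labels[i:]))
        if parent is not None and parent.include_subdomains:
            return True
    return False
```

HSTS only decides whether the connection must be HTTPS; a subdomain that presents a valid certificate for its own name still loads, so the policy is a transport guarantee, not a phishing filter.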
If you think this is rare, I can tell you some Fortune 500 FX and stock trading sites had this vulnerability a year ago (didn't check again).
HSTS is useless in this case isn't it?
Technically, if the domain had DNSSEC enabled, it might prevent this kind of attack, but no regular consumer is using a validating stub resolver, so even DNSSEC wouldn't work.
Now that browsers are saying "Not Secure" by default for HTTP pages, users are apparently expected to notice this popping up where it didn't before and realizing they're on a phishing site.
If you can get a foothold on client computers you can also do things like inject trusted CAs to allow yourself to act as MITM without any cert issues raised.
DNS can be mutated.
Auto update software that does not check the cert chain and hash of the deliverable can be used to inject and run code.
Hundreds (if not thousands) of repeatable attack vectors given physical access to the network like this.
Which is why everyone is moving to HTTPS.
> If you can get a foothold on client computers you can also do things like inject trusted CAs to allow yourself to act as MITM without any cert issues raised.
If you get access to the client computer all bets are off. You can just force all their traffic through a MITM proxy, no router hacking needed.
> DNS can be mutated.
Which won't allow you to MITM HTTPS sites.
> Auto update software that does not check the cert chain and hash of the deliverable can be used to inject and run code.
Any auto update software which doesn't verify certificates has a major security vulnerability.
Yes, but a MiTM can block or hamper conversion to https and mutate the content. HPKP and HSTS are not widely used yet (and even if they are the first request can be bypassed given this topology). Given current "end user" level protections having a device such as this on your network basically ensures you can be hijacked if even one request made is over https or not currently pinned to HTTPS.
>If you get access to the client computer all bets are off. You can just force all their traffic through a MITM proxy, no router hacking needed.
FFS, the point is the MITM gives a huge amount of attack surface to breach the client -- which yes, after that is done you lose all bets. Everything from injecting code into zips/exec/etc downloaded over http to using 0day browser exploits and mutating requests. The device itself is physical access to your network which makes access to the clients 1000x (if not more) easier.
There are other protocols besides HTTPS.
>Any auto update software which doesn't verify certificates has a major security vulnerability.
Given, yes. That does not make it rare or unusual. Look at the CVEs. There are many developers that write (or enable) auto updaters who should not be responsible for that given their understanding of security.
However, there are a lot of products sold that perform selected tasks that run on preconfigured raspis with the consumer none the wiser. Kodi boxes, emulation kits, scientific plug-and-go kits, and much more.
I have been offered or asked about things running on raspi hardware on many occasions by people who were none the wiser to what platform they were using, and we recently had an event where we gave out around a hundred of them preloaded with run-once synchronized software for an event. How many of those people knew for certain they were holding Raspberry Pi Zero W boards with pared down Linux kernels? None.
They're a lot more commercial and common than a handful of snarks with downvotes realize, and OP doesn't deserve to be punished for that.
I find it much more likely that these are being used for what they say they are (basically a proxy so they can buy ads from a residential IP) than some crazy MITM device. The "Attacker" is basically renting an IP connection or paying a co-location fee for their little server.
Plugging a device into your network doesn't make it magically see all the traffic. It would have to be doing ARP spoofing, DHCP hijacking, or hacking the router config/firmware. Is it possible that it is doing some or all of those things -- sure. But why? That could all be done via a malicious client executable that would give you access to the network and much more and is much more discreet than a physical box, so why would someone go through the trouble of shipping out a box + paying the recipient? The more simple explanation is the sender of the device is doing nefarious actions on the internet and needs a bunch of IPs for cheap so when they get blocked they can just move on to the next IP.
Would I put one of these on my home network - hell no. But if one of my friends tells me they had one plugged into their network I wouldn't immediately assume that their entire digital life was compromised. I would tell them to unplug it though.
"Plugging in the device on your network doesn't make it magically see all of the traffic" ... Assuming it has not been constructed to do all of the things you list (or more) does not magically make it not see all of your traffic either. There is no magic involved, it is either constructed to capture/inject or not -- the only way to know is to review the actual bits and firmware.
What TOS? Facebooks? Why would they be bound by it?
I suspect this device is far more likely a broadband speed testing agency trying to get speed test results from different consumer ISPs, taking WiFi and the customer's device out of the picture.
>Facebook has several mechanisms in place to protect your account. We make every attempt to work within these constraints. In order to keep your account from being locked we use a small device called a Raspberry Pi. This device allows us to connect to Facebook advertising APIs from your home network and avoids the hassle of your account being locked due to unfamiliar activity. Learn more about the Raspberry Pi below.
This is meant to be an agent to a network of these things. Not sure what the total point really is, but I can pretty much guarantee it has absolutely no cares about the local traffic.
Isn't that exactly what Wireshark's "promiscuous mode" does?
You have to use ARP poisoning or some other trick to get other network devices to send ethernet frames to your MAC address in order for the switch to forward them out your port.
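The ARP poisoning the comment above describes is also the most visible thing such a box would do on a switched LAN. As an added example (not from the thread), here is the detection side: a sensor on a monitor port records ARP replies, and the detector flags an IP claimed by more than one MAC within a window, or a claim that contradicts a trusted inventory. The replies and the inventory are constructed sample data.

```python
"""Added example (not from the thread): detection logic for the ARP poisoning
a plugged-in box would need in order to receive a switched LAN's frames.
Input is a constructed list of observed ARP replies, as a monitor port or an
arpwatch-style sensor would log them.  Alerts: an IP claimed by more than one
MAC inside a time window, and any claim contradicting a trusted ip -> mac
inventory."""
from typing import Dict, List, NamedTuple, Optional, Tuple


class ArpReply(NamedTuple):
    ts: float          # seconds since capture start
    sender_ip: str
    sender_mac: str


def detect_arp_spoofing(replies: List[ArpReply],
                        inventory: Optional[Dict[str, str]] = None,
                        window: float = 300.0) -> List[Tuple]:
    """Return deduplicated alerts in time order:
      ("conflict", ip, new_mac, other_mac)  another MAC claimed ip within `window`
      ("inventory", ip, mac)                claim contradicts the trusted inventory
    """
    trusted = {ip: mac.lower() for ip, mac in (inventory or {}).items()}
    claims: Dict[str, Dict[str, float]] = {}   # ip -> {mac: last_seen_ts}
    alerts: List[Tuple] = []
    seen_alerts = set()

    def emit(alert: Tuple) -> None:
        if alert not in seen_alerts:      # a spoofer repeats itself; alert once
            seen_alerts.add(alert)
            alerts.append(alert)

    for r in sorted(replies, key=lambda x: x.ts):
        ip, mac = r.sender_ip, r.sender_mac.lower()
        if ip in trusted and trusted[ip] != mac:
            emit(("inventory", ip, mac))
        # keep only claims recent enough to matter; older ones may be a legitimate DHCP reassignment
        recent = {m: t for m, t in claims.get(ip, {}).items() if r.ts - t <= window}
        for other in recent:
            if other != mac:
                emit(("conflict", ip, mac, other))
        recent[mac] = r.ts
        claims[ip] = recent
    return alerts


# Constructed sample: a real gateway, two hosts, and a new device that starts
# answering for the gateway's IP about a minute into the capture.
SAMPLE_REPLIES = [
    ArpReply(0.0,   "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ArpReply(1.0,   "192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply(30.0,  "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ArpReply(61.0,  "192.168.1.1",  "DE:AD:BE:EF:00:99"),   # gateway IP, unknown MAC
    ArpReply(62.0,  "192.168.1.1",  "de:ad:be:ef:00:99"),
    ArpReply(900.0, "192.168.1.50", "aa:bb:cc:00:00:50"),
]
SAMPLE_INVENTORY = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def run_sample() -> List[Tuple]:
    """Run the detector over the constructed capture; two alerts are expected."""
    return detect_arp_spoofing(SAMPLE_REPLIES, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A box that goes the DHCP-hijacking route instead (handing out itself as gateway) produces no ARP conflict at all, so DHCP server identity needs its own check.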
Which is clever, but given the current level of small scale integration you could just as easily hide the same exploits inside of a charging cable, a USB fan, or really any other small-form factor USB-pluggable gadget. The problem isn't them discriminating between "hacked" and "non-hacked" devices -- it's them plugging _anything_ non work related or issued into their USB ports.
(I'm genuinely surprised that the standard DELL and HP corporate workstation doesn't have its front USB ports deleted and its rear port access covered by a lockable metal cowl.)
So you'll have to replace all of your intentionally-broken computers with good ones, which will cost a fortune on top of all the employees' lost work time and no one will want to buy the broken computers from you so you'll have to pay to have them scrapped.
The person with the accounting data on a USB stick will get a formal reprimand for breaking the security policy.
At work, we keep a couple of power-socket-to-USB chargers around, if people want to charge their smartphone they can grab one. But simply disabling the USB ports on our users' machines is not a realistic option at this point.
Surely by now all corporate desktops should be configured to not respond to any USB devices other than the generic HID for mouse and keyboard, plus a whitelist of approved devices (e.g. fingerprint readers, Yubikeys). Inserting a USB mass storage device into a corporate workstation should result in nothing. Plug-and-play shouldn't be triggered. The mass storage driver should not load.
Conducting that test produced something tangible for whoever made the purchasing decision: It clearly illustrated a need for the services rendered, did it in a way that offered job security to management by giving them license to assert the position over their subordinates, and established a metric by which to evaluate the security company's performance which can be easily, repeatably, and predictably improved over time.
It also checked a lot of boxes that will be useful in court if they ever need to prove that they weren't negligent on privacy and security, which is a form of insurance that has real measurable value when it comes to legal claims.
I'd say it's 40% paranoid arse-covering by IT department heads, 35% whatever middle management incorrectly assumes to be current best practices, 20% ego-stroking by the CIO, and 5% sensible context-driven decision-making by IT front-line staff.
* A ban on mail attachments of certain types (excel, zip files...)
* mailbox limits from the 1990s (100MB or so)
* a ban on Dropbox, Gdrive or any other file sharing service
* No public facing sftp or similar
* A web site so mired in red tape that it takes 6 months and a dozen approvals to get anything uploaded.
Often the USB drive or something similar is the only way for employees to actually do their jobs.
I have seen this kind of situation, too. It sucks, but if you play by the corporate rulebook and lobby for better rules, you will be either worn out or retired by the time those rules get updated.
Sorry for mixing Windows and Linux but conceptually something like this should work on Windows if you don't require a password in your UAC prompts.
Hm, perhaps.. is anything like that available already?
Bonus points: don't mount the drive directly, instead connect it to a centralised server on the corporate network that scans for threats and mounts a sanitised version of the drive's contents as a network share.
Triple word score: audit everything contained on every drive and everything that is copied on and off.
Sell that for $200 per unit to Fortune 500 companies and paranoid government agencies worldwide... and you'll retire early.
I expect someone sells hardened ultra-secure corporate NAS boxes, but I've never seen any in the wild.
Whoops, my tin-foil hat appears to have slipped.
We are dragging people to a corporate cloud solution, however we are finding that the drive to cloud has severely underestimated the volume of data that people will sync across the network, and how much work is done outside official corporate systems and in Excel instead.
This is having 2 effects: our network capacity is being drained, and users are reporting performance issues due to latency associated with poorly developed Excel applications.
While your final comment is accurate, it is impractical as USB mass storage is still required in many places. Also, you can't effectively block HID, and an attacker can use HID disguised as or in a thumb drive to successfully attack a network.
Second, it can emulate an HID keyboard device and type keystrokes faster than you can react and pull it out, at which point it’s far too late - it’s pulled a secondary payload down or mounted a USB mass storage device and you’re owned.
You know those little desk fans that come with a USB now and also an adapter to plug into the electrical outlet. I don't plug those into my laptops ever - who knows if there's a payload on them.
I will say this. I currently work, and have worked at, a few secret and top secret facilities - and the number of people I see plugging those (and similar) devices into their laptops is scary.
If such a device is able to cause a compromise / incident in a secure facility, well, several different "failures" at several different levels have occurred in order for it to get to that point.
You may want to double check your CentOS desktop's defaults (you might be surprised).
My most critical machines have a file named /etc/modprobe.d/disabled.conf with entries such as these for dozens of filesystems, network protocols, and such:
install usb-storage /bin/false
install vfat /bin/false
It's really not that hard to lock a machine down and yet still have it actually remain usable. With the exceptions of the few security-focused distributions (Qubes OS, Tails, etc.), I can't think of any Linux distribution / desktop environment that even comes remotely close to doing anything like that (OOTB) by default, though.
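The modprobe.d approach in the comment above, as an added example (not the commenter's code): an audit that parses modprobe.d-style config and reports, per module, whether it is disabled with `install ... /bin/false`, merely blacklisted, or still loadable. The distinction matters because `blacklist` only stops alias-based autoloading; an explicit modprobe or a dependency pull-in still loads the module. The config text is a constructed sample.

```python
"""Added example (not from the thread): audit modprobe.d-style config for the
`install <module> /bin/false` entries the comment above uses, and separate
them from plain `blacklist` lines, which only stop alias-based autoloading."""
import glob
from typing import Dict, Iterable, Set, Tuple

DISABLING_COMMANDS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}


def normalize(name: str) -> str:
    """modprobe treats '-' and '_' in module names as equivalent."""
    return name.replace("-", "_")


def parse_modprobe_conf(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (install_commands, blacklisted) from modprobe.conf(5) syntax:
    '#' comments, backslash line continuation, `install` and `blacklist`
    commands.  Other commands (options, alias, softdep) are ignored here."""
    installs: Dict[str, str] = {}
    blacklisted: Set[str] = set()
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "     # continued on the next line
            continue
        line = (pending + line).strip()
        pending = ""
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0] == "install" and len(parts) == 3:
            installs[normalize(parts[1])] = parts[2].strip()
        elif parts[0] == "blacklist" and len(parts) >= 2:
            blacklisted.add(normalize(parts[1]))
    return installs, blacklisted


def module_status(module: str, installs: Dict[str, str], blacklisted: Set[str]) -> str:
    m = normalize(module)
    if m in installs:
        return "disabled" if installs[m] in DISABLING_COMMANDS else "install-override"
    if m in blacklisted:
        return "blacklisted-only"   # still loads on explicit request or as a dependency
    return "loadable"


def audit(text: str, modules: Iterable[str]) -> Dict[str, str]:
    installs, blacklisted = parse_modprobe_conf(text)
    return {normalize(m): module_status(m, installs, blacklisted) for m in modules}


def audit_system(modules: Iterable[str], pattern: str = "/etc/modprobe.d/*.conf") -> Dict[str, str]:
    """Same audit over the real config directory (read-only, no root needed)."""
    text = ""
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text += fh.read() + "\n"
        except OSError:
            continue
    return audit(text, modules)


# Constructed sample, in the spirit of the comment's /etc/modprobe.d/disabled.conf
SAMPLE_CONF = """
install usb-storage /bin/false
install vfat        /bin/false
install dccp \\
    /bin/false
blacklist firewire-core   # autoload only
"""
```

`audit_system(["usb_storage", "vfat"])` is the quick way to check the defaults of the desktop you are sitting at.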
Aren't you shooting the messenger?
I don't necessarily disagree, but power users often get frustrated by red tape applied to everyone and not just those who consistently misuse their computer privileges.
Simple and effective, although it destroyed any resale value of the PCs.
When they were life-expired they were given over to a recycling company, whom I assume would take the time to pick the epoxy out of the USB sockets or probably just replace them. I think buying new USB sockets and connecting ribbons to the motherboards is probably quite cheap these days.
Time and time again the technology industry has failed to consider security as a serious issue, never mind develop systems that are robust and transparent.
We don't have botnets, booby-trapped mail attachments, script-hackable servers, USB drives that can carry a viral payload, and all the rest because users are stupid, but because the industry's default culture is to think of security as an esoteric side issue, and not a non-negotiable critical feature in all IT systems.
Thing #1 to remember if you're in infosec is that you must pitch it based on the money saved by not having expensive problems like having to hire outside consultants and auditors after a breach.
It's presumed that the Israelis got a little bit greedy and, even though it was doing its job, tried to make the virus do its job a little better. They made it more virulent which made it spread outside of the systems it was only targeted to spread to.
The malware doesn't have to add a new root certificate, either, though that's completely possible. The Zeus trojan does "man-in-the-browser" to intercept banking information, for example.
And of course the user is going to ignore the untrusted source warning on an executable they intentionally downloaded and are trying to run.
Web security has been improving a lot in recent years, but it's not yet at the point where a man in the middle isn't a relevant threat.
Edit: made HN not mangle the link.
+ It may seem like it is if your organisation gets a bunch of EV certs with the same organisation info under some bulk deal. The issuer only does the expensive manual EV steps once per period, if you're Google in January then (the thinking goes) you are still Google in June. This saves them money so it enables them to offer pretty good deals for lots of EV certs.
+ Good EV providers streamline the manual stuff in countries like the US that have their government records online. A call centre employee can do the searches, pull up contact details and phone your Head Office or whoever to confirm in minutes not hours. However this also means they won't necessarily pick up on subtle clues like why is this outfit named Myba N K ? Oh! That's My Bank but with misleading capitalisation and spacing.
+ White hats toying with EV discovered that outfits like D&B relied on in the business community to verify identity are... Not very reliable. If D&B says the Head Office is at 632 Wall Street that might be because somebody filled out a web form, not because D&B agents even checked 632 Wall Street exists let alone that the company has offices there...
And sadly, a lot of software still doesn't perform certificate pinning.
This will seem like a valid website, especially if the phishing site is done well. Not just non-technical users, I'd wager some tech familiar users would be fooled too.
The focus always being on the lock icon might not always cover it.
Safari will prevent this though.
> Facebook has several mechanisms in place to protect your account. We make every attempt to work within these constraints. In order to keep your account from being locked we use a small device called a Raspberry Pi. This device allows us to connect to Facebook advertising APIs from your home network and avoids the hassle of your account being locked due to unfamiliar activity. Learn more about the Raspberry Pi below.
Can somebody explain if this makes sense? Why are there limits on account spending?
One wonders how it does that.
Sort of tongue in cheek, since I don't know the range of state of the art acoustic side-channel taps. I guess you'd also probably have power fluctuations and network timing channels to exploit.
Plus, a lot of different points at which to attempt to insert a second stage into the connected devices themselves, using all the tricks everyone else in this thread has mentioned.
It's obviously located "inside" the residential end user's router/NAT, on their wifi, so it'll have something like an openvpn or ipsec daemon on it that initiates a connection to an endpoint elsewhere on the internet, building a tunnel for the botnet operators to control it remotely. Or via tor to a tor hidden service somewhere, like many purely software trojan botnets for win32/win64, but in this case it will have the vpn or tor binaries running on its own dedicated raspberry-pi class device.
If you have a botnet of several thousand devices which can be made to look indistinguishable from legitimate "ordinary non technical user sitting at home on their comcast connection with their laptop or tablet", you can do all sorts of things. Relay http/https traffic for a click farm in Bangladesh where people are upvoting reddit comments en masse to promote a product, sockpuppet facebook account comments for political campaigns and pushing political agendas (russian internet research agency, anyone?), etc. The goal here is to make the traffic look like legit single end user residential internet traffic and not traffic that's coming from netblocks of major colocation/dedicated server/VPS/VM hosting companies, whose ARIN/RIPE/APNIC space is all documented as such.
There's fraud detection systems which will trigger if you're trying to buy something like amazon gift cards from a /20 netblock of an ISP in Bulgaria, but are less "suspicious" if your traffic and useragent, etc, are all coming from a Frontier, Centurylink, Comcast etc netblock in a major American city. Stuff like the maxmind geolocation data correlating closely with the billing zipcode/shipping zip code of what you're trying to buy with a stolen credit card, or other identify theft type scams.
If you're doing some variation on a massive vote manipulation service, there's also fraud/botnet detection systems which will trigger on large volumes of upvotes (or similar manipulation) all coming from the same geographical location and netblocks. Your traffic looks more like legitimate end users if it is geographically distributed across many states and provinces, many English-speaking countries (AU, NZ, CA, UK, etc), and across many ISPs and several different common end user browser useragents (edge, chrome, firefox, etc). Imagine if you threw 500 darts at a map of the USA on a wall and distributed all your botnet devices randomly around the map, vs having 300 devices all on the same network in the Chicago metro area, for instance.
This is the first one that came up on google - https://stormproxies.com/ - I'm not saying that specific company is in any way related to this device or tactic (it is just the first on google for 'residential address ip proxy'), but I think it is companies similar to this that will pay people for access to their routers and sell that access.
It's a slick html template and some marketing text masquerading in front of a service obviously sold to greyhat/blackhat end users.
(perspective: I work for a legit ISP that has real things that physically exist in many POPs at layer 1 in the OSI model).
> My name is Lior and I lead the SDK partnerships at Luminati. I assume your
> software earns money by charging users for a premium subscription or by showing
> ads - both models do not pay out much and harm the user experience.
> We now offer you a third option.
> Luminati’s monetization SDK for Windows desktop provides your users the option
> to use the software for free, and in exchange we pay you $30,000 USD per month,
> for every 1M daily active users.
> More information is available on http://luminati.io/sdk_win.
I would like to give them an A+ rating for whatever graphic artist drew their artwork and did the CSS/webpage layout, however.
Is it hard to make 3 cents a month from a user?