U.N., Unicef, Red Cross Under Ongoing Mobile Attack (threatpost.com)
167 points by danso on Oct 27, 2019 | 46 comments



If anybody has doubts how bad this could end for aid workers, here's an article about their current situation in Syria[0].

Summary: they are somewhat certain to die when Assad's army takes over northern Syria and manages to identify them as aid workers, even remotely connected to anything we would consider "good". The agencies are trying to burn all their local paperwork to protect their employees' identities.

[0]: https://www.theatlantic.com/international/archive/2019/10/am...


The Atlantic article serves as a great reminder of why alternative media picks up more and more steam, and why "fake news" is a problem that isn't just limited to smaller groups.

Let me present an alternative outcome: when the SyGov enters into joint-control of Northern Syria, nothing will change. And the bulk of the SDF will be incorporated into the Syrian military... exactly the same as what has happened every single time this has happened in the last 8 years.

There is not a single reason to suspect otherwise, and propagandists like Hassan Hassan and co. will just find a new talking point next week.

It's actually ridiculous that the inner-circle of Twitter MENA propagandists, led by Henry Jackson Society notables like Michael Weiss, are still the go-to "experts" people depend on and still have a platform to spread their poison in 2019.


> Throughout eight years of civil war, Syrians who tied their fortunes to the changing whims of American policy have been systematically arrested, killed, and driven from the country.

> First it was protesters chanting for democracy—many took encouragement from Barack Obama’s statement in the summer of 2011 that the country’s dictator, Bashar al-Assad, should step down. But the U.S. government looked on as protesters were killed or disappeared into the regime’s teeming prisons.

It’s as though the US government is on a mission to prove they should not be trusted. I hope most can get out of there somehow, this is very unfortunate


> It’s as though the US government is on a mission to prove they should not be trusted.

I would consider that mission solidly accomplished at this point.


Seriously, does anyone in the US or outside the US, in government or outside of government, anywhere in the world trust the US government? I seriously doubt it.


Yes, of course people usually trust the US government. We do so every time we get on a plane, keep money in USD, or run Windows, MacOS, etc.

That doesn't mean the US was flawless before Trump. It had its flaws, just like any other government. But generally, they were trusted in scenarios like above, but also, for example, by diplomats to at least try to keep their word even across administrations, or by travellers not to be asked for bribes at the border.

People have become rather cynical and won't believe me, but still it is worth mentioning: before Trump, politicians, including the presidents, almost never lied. On occasion, they would try but fail to make good on a promise. Or they would err, or go to great lengths to avoid answering a question.

But actual lying, as in saying something wrong and repeating it even after it was pointed out to be wrong? It barely ever happened.


> Yes, of course people usually trust the US government. We do so every time we get on a plane, keep money in USD, or run Windows, MacOS, etc.

Trust isn't binary, nor does it exist on a single dimension. I might use the products and services of US companies, I might conditionally trust the judgement of some US government bodies, but there's always a heavy set of caveats.

I wouldn't trust a drug that had been approved by the FDA until it had also been approved by the European Medicines Agency. I would trust a NIST standard for metrology, but I certainly wouldn't trust a NIST standard for cryptography. I wouldn't ever allow a European customer's data to be stored in the US, or to transit US networks in plaintext. I trust US-made hardware and software about as much as Chinese-made hardware and software, which is to say I assume it's heavily backdoored. I haven't ever trusted the words of a US administration, red or blue; I do broadly trust that Merkel or Macron will mostly keep their word and mostly honour international law.


How about "I did not have sexual relations with that woman."

Or Watergate.


I can't imagine why I would place a lot of trust in any government. It takes a special kind of cunning, controlling person to even want to be a politician. Let alone become successful enough to attain a high position in a government. So I don't trust any government really. All I can do is guess which politician's incentives could be the most aligned with mine.


Because things always go super well when we act as the world police. Knock out Assad, ISIS takes over. Help out a rebel group, they later radicalize and declare the west their enemy. Seriously, I think after several failed attempts to establish "peace" in a region and the insane amount spent on military operations mortgaged against our children, you'd realize that's not possible and cut our losses. Why does it have to be the US? Can't the EU step up if it's such a tragedy. If UNICEF is involved the rest of the EU can send troops if they truly feel they need to be there.

You have a very short memory, the cognitive dissonance is beyond me unless you also supported the invasion of Iraq too? The indefinite nature of that should be a point that this can go on forever and it will. If we're going to stop being the world police, we have to actually stop getting involved and back away as we've been doing slowly over the past decade. This isn't a big surprise.


It is not so simple, these are proxy wars. We already saw Russia take over part of Ukraine, and Putin is hungry for more.


I mean, with everything that's happened since Snowden, it more or less started with ordinary US citizens losing trust in them before it carried over via other circumstances to nations like Syria. The root cause is elsewhere; what's happened in Syria is merely symptomatic.


> They noted that mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to vet the legitimacy of the pages.

JFC... I never understood why that "improvement" was necessary in the first place. Now it's causing real harm out in the world. Kind of infuriating.


It’s the same with email and email phishing. They should show the full email address.

I think it’s MS Outlook that only shows the name in the email chain when forwarding. So once the first person tricked forwards the email, info is lost and prevents future readers noticing the phishing email address.


>I think it’s MS Outlook that only shows the name in email chain when forwarding.

I complained to support about Outlook iOS doing this, not just for forwarding... but all received emails display only the name. I receive AppleID phishing attacks constantly to my old hotmail account, Microsoft helpfully sends all of them to my inbox and Outlook shows them as from 'Apple' unless I click the sender name and then it shows something like totallynotlegit@paypalappleidscams.tk. Their link scanner is effective around 50% of the time. It's not good enough.

Microsoft does not consider this a bug or a threat in any way. I have been active about this on social media and have had my screenshots and complaints picked up by largish accounts like @swiftonsecurity.

At this point Microsoft is complicit with the phishers. Oh well, not the first time an entire industry thrived off their lack of security.


They do this on desktop Outlook as well. It's really great when you work at a company where two people have the same name, and you have to click seven buttons to see who sent the mail. Or you get added to a forward chain and you really can't tell.


I really don't understand this either. I feel like once upon a time email clients used to go so far as to show you the full header by default; but UI trends made it important to hide anything too technical from the end user. It seems like a total dismissal of function for the sake of form. Especially since the uninterested just scroll a little to get past the techno-babble. I think having the header right there was good, it reminded people that email wasn't magic, there was understandable technology at work, and you could easily see what was going on if you cared to look.


I think having the header visible would also slowly teach people patterns of what looks legit and what doesn't.


>JFC... I never understood why that "improvement" was necessary in the first place.

What improvement are you talking about? Mobile phones truncate the URL bar because phone screens are physically narrow.


Desensitization to the URL bar is just one of many, many problems with AMP. Google is training users to ignore it, because sometimes it says google.com when they’re somewhere else.


Chrome iOS shows just the domain and subdomain-- which may help fight phishing attacks by focusing users on just that (but annoying to just about everyone else). Safari and Firefox show the whole URL, truncated on the right by the lack of space.


> Safari and Firefox show the whole URL, truncated on the right by the lack of space.

Safari doesn't.


It's a preference under "Advanced" for "Smart Search Field:" to "Show full website address". Not as hidden as some Safari settings, but it is at the end of the Preferences window.


This thread is about mobile. Mobile Safari doesn't.


They noted that mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to vet the legitimacy of the pages.

I hate when my phone / browser truncates or hides URLs.


Why is this article so focused on TLS/SSL (8 mentions) certificates? They present it as like having a certificate is something hard or unique.


You know how we've spent four years training users to expect https, by deprecating http in the major browsers? That's resulted in many, many people believing the padlock icon means the site is "safe". I expect that applies to the person who wrote the article as well.


> There are two domains that are hosting the phishing content, live since March 2019. The associated IP network block and Autonomous System Number (ASN) are known to have hosted malware

At which point the article fails to include the one actionable piece of information - the IP blocks and ASNs.

It's so like the tech press to write a comprehensive article that omits the only info that could actually help.


It feels like you are supposed to blindly believe them, and if you are left with questions, well, you are just a nerd so they don't care.


The original source has more information and a wider list of targets (UC San Diego, Heritage Foundation, United States Institute of Peace): https://blog.lookout.com/lookout-phishing-ai-discovers-phish...


What kind of dirtbag would choose those organizations to attack? That’s the lowest of the low.


They've always been intelligence targets. Any organization closely tied to regional conflicts, and therefore intelligence agencies and the military, is going to be a target.

Red Cross and Unicef show up everywhere there's a serious conflict. Often the very first western organizations there. The job of most intel agencies is to keep their governments up to date on those conflicts. Especially one involved in plenty of global conflicts like Russia.

I'm sure the US embeds agents with them all the time.


Also good for outrage, the main ingredient of modern media. Once the enemy fires on a Red Cross branded outpost, they must be the bad guys, no matter how many of the doctors were actually intelligence operatives.

Using NGOs like this should be as unacceptable as using outright human shields, but as always, it's different when the perfidious foreigners do it.


> Once the enemy fires on a Red Cross branded outpost, they must be the bad guys, no matter how many of the doctors were actually intelligence operatives.

I mean, yes? At what number of intelligence operatives would firing at Red Cross workers be a good thing?

> Using NGOs like this should be as unacceptable as using outright human shields

Yes. But, like human shields, firing on them with disregard will indeed make people think you're the bad guys.


>They've always been intelligence targets

...and intelligence cover.


They're probably not trying to interfere with their operations but rather to obtain any geopolitical intelligence they can from their files.


Only kill them. Otherwise not interfere.


The CIA ran a fake vaccination campaign to try and locate Osama bin Laden by gathering DNA samples.

https://www.scientificamerican.com/article/how-cia-fake-vacc...

So now how do you know if the next humanitarian group running around your country isn't full of U.S. spooks?


"The misguided vaccine program in Pakistan was started in a poor neighborhood of Abbottabad, no doubt to give it an air of legitimacy. Yet after the first in a standard series of three hepatitis B shots was given, the effort was abandoned so that the team could move to bin Laden's wealthier community. This lapse in protocol proves that the best interests of the recipients were not the guiding principle of the effort—while not coincidently betraying the program for the sham it was."

Damn, they couldn't even be arsed to give them the full number of shots



It's cyberwarfare.


> The unusual aspect of the campaign is that it identifies mobile devices; once detected, it then logs keystrokes in real-time as the user enters them into the phishing page.

You don't even have to hit submit, hopefully not autofilled.


Auto password fillers don't fill on the wrong site; they are actually a great defense against this kind of thing if you get it right the first time and then are very suspicious if it ever doesn't auto fill.

IMO, browsers should have site bookmarks to replace EV certificates, where you can bookmark a site and give it a name and the name appears where the EV company name used to.


I think most of the good password fillers will check the full domain, so they would not fill any password in for these sites. That's also a good indication that you're not on the expected site.


autofiller wouldn't trigger on a phishing site
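
The behaviour discussed in the comments above (autofill refusing a lookalike site while a truncated address bar still looks right), as an added example that is not part of the thread or of any password manager's code. It assumes strict exact-origin matching and a simplified address bar that keeps only the first 20 characters of the host; all hostnames and the vault entry are constructed.

```javascript
// Added example: strict origin matching for credential autofill.
// Hostnames and the vault entry are constructed for illustration.

// Credentials are keyed by the exact origin they were saved on.
const vault = new Map([
  ["https://login.example.org", { username: "aidworker", password: "<stored secret>" }],
]);

// Normalise a URL to scheme://host[:port]; null if unparseable or not HTTPS.
function originOf(pageUrl) {
  try {
    const u = new URL(pageUrl);
    return u.protocol === "https:" ? u.origin : null; // never fill over plain http
  } catch {
    return null;
  }
}

// Decide whether to offer autofill for the page currently displayed.
function autofillDecision(pageUrl) {
  const origin = originOf(pageUrl);
  if (origin === null) return { fill: false, reason: "unparseable or non-HTTPS URL" };
  const entry = vault.get(origin);
  if (!entry) return { fill: false, reason: `no credential saved for ${origin}` };
  return { fill: true, username: entry.username };
}

// Simplified model (assumption) of a narrow address bar: keep the first
// `width` characters of the host and cut the rest off on the right.
function truncatedDisplay(pageUrl, width = 20) {
  const host = new URL(pageUrl).host;
  return host.length > width ? host.slice(0, width) + "…" : host;
}

const pages = [
  "https://login.example.org/signin",                           // saved site
  "https://login.example.org.session-check.example.net/signin", // real host is example.net
  "https://login.examp1e.org/signin",                           // digit 1 in place of letter l
  "http://login.example.org/signin",                            // right host, no TLS
];
for (const p of pages) {
  console.log(truncatedDisplay(p).padEnd(22), JSON.stringify(autofillDecision(p)));
}
```

The second page displays as `login.example.org.se…` in the truncated bar, yet the origin comparison still refuses to fill, which is the signal the commenters describe.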



