Spies used YouTube videos and Microsoft log-ins to take over devices
Watching silly YouTube videos and checking your Microsoft Live account might sound harmless enough -- too harmless, in fact, to lead to a security breach. But, thing is, they're not as safe as you think: if a law enforcement agency or your government wanted to keep tabs on your actions, they could've easily used those activities to inject malware into your system. According to a paper published by Morgan Marquis-Boire at the University of Toronto's Citizen Lab, spies used to be able to piggyback on unencrypted YouTube streams and Microsoft Live log-ins by intercepting traffic and using that to open a window into your life. Yes, that means being able to see your emails, bank accounts, IMs and many other things you'd rather keep to yourself. Thankfully, Microsoft and Google have already encrypted those connections, Marquise-Boire writes on The Intercept, to prevent anyone from exploiting them. Mountain View has even started encouraging other websites to encrypt their connections with the promise of a better ranking in its search results.
The study names Hacking Team and FinFisher as two of the companies that sell law enforcement agencies "network-injection" technologies like this for around $1 million dollars. In fact, Italian company Hacking Team is known for developing software to spy on people's emails, phone calls and the like specifically for sale to law enforcement in countries not blacklisted by NATO. It's unclear whether the company actively transacts with the US government, but it doesn't even matter -- Marquise-Boire says the country's (as well as the UK's, Russia's, Israel's and China's) intelligence agency already has a similar system of its own.
You can read the full paper at The Citizen Lab if you wish to delve into the technology behind network-injection systems... or you can just watch a cute cat vid now that it's ostensibly safe to do so.
