FLYING PIG: The NSA Is Running Man In The Middle Attacks Imitating Google's Servers
from the doubtful-that-google-is-happy-about-that dept
Glyn mentioned this in his post yesterday about the NSA leaks showing direct economic espionage, but with so many other important points in that story, it got a little buried. One of the key revelations was about a GCHQ program called "FLYING PIG" which is the first time I can recall it being clearly stated that the NSA or GCHQ has been running man-in-the-middle attacks on internet services like Google. This slide makes it quite clear that GCHQ or NSA impersonates Google servers:in some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route—on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.While some may not be surprised by this, it's yet more confirmation as to how far the NSA is going and how the tech companies aren't always "willing participants" in the NSA's efforts here. Of course, the real question now is how the NSA is impersonating the security certificates to make these attacks work.
Documents from GCHQ’s “network exploitation” unit show that it operates a program called “FLYING PIG” that was started up in response to an increasing use of SSL encryption by email providers like Yahoo, Google, and Hotmail. The FLYING PIG system appears to allow it to identify information related to use of the anonymity browser Tor (it has the option to query “Tor events”) and also allows spies to collect information about specific SSL encryption certificates.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: flying pig, impersonation, man in the middle, nsa, nsa surveillance, security certificates
Companies: google, microsoft, yahoo
Reader Comments
Subscribe: RSS
View by: Time | Thread
This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Re: Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Re: Re: This is supporting evidence that root CA is pwned
The certificate authorities (Verisign, Godaddy, etc) do not have the customer's private key. The customer sends them their PUBLIC key only (wrapped in a CSR file), and gets back the signed certificate.
In no moment does the PRIVATE key have to ever leave the customer's premises (and, with some architectures involving HSMs, it can't, since the key lives within a dedicated tamper-resistant crypto processor).
The NSA can demand the customer private key all they want from the certificate authorities; the CAs cannot give the NSA something they do not have.
What they COULD demand from Verisign, Goddady, and so on, would be to sign a fake certificate, which says "this public key is for www.google.com" but with a different public key, one the NSA has the private key for. These are so-called "MITM certificates", and highly frowned upon.
Doing that (creating a MITM certificate) puts an enormous reputation risk on the certificate authority. If word ever gets out that a certificate authority issued a fake certificate for Google, that CA would risk getting dropped from all major browser makers, and losing all their business. This kind of thing has already happened (see for instance Diginotar).
Pigs would have to fly before any of the major certificate authorities ever agreed to issue a MITM certificate for the NSA.
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
LOL. Yeah right! Just like pigs would fly before telephone companies agreed to provide the NSA with bulk customer metadata.
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
1) Issue an NSL (or equivalent) to a medium-sized CA demanding an MITM cert. Even a large CA would be reluctant to challenge such a thing, and a medium-sized CA wouldn't have the corporate courage nor the resources to do so. They'd roll over quickly.
2) Get a mole into any given CA and have them supply an MITM cert at need. We have already seen that the NSA does, indeed, seek to plant moles in various companies. CAs would be a prime target.
3) Steal a CA's private authentication key so that the NSA could sign their own MITM keys at need. Pre-Snowden, this would be laughed off. Now, it looks quite likely. Again, this would be a prime target for the NSA to acquire if it could, and it has billions to spend to achieve that.
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
Someone -- more likely, multiple someones -- at Google have access to Google's private key. We already know that NSA has been recruiting assistants from inside telcos: why not recruit one inside Google? Give them a security clearance, swear them to secrecy, and have them hand over the private key.
How would other people at Google know? How would the CA know? How would we know? The NSA isn't going to tell anyone, and the person on the inside isn't either. Google's execs will deny this, and from their point of view, they're telling the truth.
Yes, yes, I know: this might also require the collusion of someone at the CA. That's just as easily accomplished, and -- were I to put on my evil subversive hat -- that's one of the first things I'd do: I'd make sure that people loyal to me were in place at all the major ones. Even if it took 5 or 10 years to do it: I have time, money, and patience.
The entire certificate process is rickety, with far too much reliance on opaque processes and unaccountable people: it's absolutely ripe for this kind of exploitation. Doubly so because (unfortunately) we can't just rip it out and replace it tomorrow.
And while a couple of months ago I would have agree with the assertion that no CA will issue a MITM certificate: that was then. This is now. Different ballgame with different rules. I now only think it's possible, I think it's plausible.
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
If I understand you correctly, you still seem to believe there's a line that the corporate/government intelligent regime will not cross. I don't think there is any evidence of such a limitation.
Every new revelation shows that the NSA sees absolutely no limits on what it can and will do.
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
a) issue the certificate and hope no one finds out.
b) go to jail.
It's not about "agreeing" to do it.
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
Well - since thje program is called flying pig...
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
If the math is working then there are only 4 ways of faking one's identity - either the private key used to sign certificates is no longer private (stolen or revealed), or the CA created a fake cert (in)voluntarily. So - either CAs security is C.R.A.P., or they are just happy/left_with_no_choice to sell their clients. Either way - the whole idea of "trusted third party" is falling apart before our eyes.
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
How many backdoors have been found over the years on encryption programs that have been called unbreakable?
and it is all done to protect us from the terrorists (or commies if you are old enough to know past history of our government)...
[ link to this | view in chronology ]
Re: Re: Re: Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Bullshit!
A Titan graphics card can do 3 trillion FIPS. You can buy rack-mount frames for a couple of grand from Amazon, complete with one Titan card and slots for three more. Every frame also has a CPU to interface between the four cards and the central system controller via high-level commands.
The system was designed by Nvidia to be infinitely scalable, and the fastest supercomputer in the world is now an array of Titan GPUs (at Oak Ridge).
60 standard IT-department computer racks will execute as many GPU instructions as there are millimeters to the nearest star.
EVERY SECOND.
To crack Google's certificate.
THAT'S how they forged Google's credentials and did their man-in-the-middle horror.
�Faye Kane ♀ girl brain
Sexiest astrophysicist you'll ever see naked
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
Also, there is NO PROOF that the product of large prime numbers is all that difficult to factor. Breaking the public keys of large organizations that keep the same keys for a long time (years) is well within the capabilities of even larger corporations, let alone the NSA.
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
Swine Flu right after Barrack was elected.
"Barracks were originally a temporary shelter or hut[1] but are now better known as specialized buildings for permanent military accommodation"
https://en.wikipedia.org/wiki/Barracks
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Re: Re: Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Re: Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
Re: This is supporting evidence that root CA is pwned
[ link to this | view in chronology ]
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
I think you're misreading that... By "breaking" the crypto, they're often talking about ways to get around it, not to actually break it. In some cases, that might include what's discussed here. So I think the MITM attack is part of "breaking" the crypto -- not the other way around.
[ link to this | view in chronology ]
When pigs fly?
Well you better duck to avoid all the low-flying pigs now!
[ link to this | view in chronology ]
Re: When pigs fly? Pre 911
[ link to this | view in chronology ]
Re: Re: When pigs fly? Pre 911
that the encryption being broken is not the "evil" encryption I use and encourage them to use but the encryption THEY use everyday and don't even realize it. You authors do know that when you talk about SSL and broken encryption the dumb masses son't know it is the encryption that they use to do banking etc. Can't say I feel for them as they, just like joe six pack still won't do anything. How did Tom B.'s "Greatest Generation" ever raise the world worst, most spoiled, entitled, blind sheep... the baby boomers! who have destroyed this world while sitting back with the tv ignoring the world burning around them.
[ link to this | view in chronology ]
Re: When pigs fly?
[ link to this | view in chronology ]
Re: Re: When pigs fly?
[ link to this | view in chronology ]
Re: When pigs fly?
[ link to this | view in chronology ]
Re: Re: When pigs fly?
With sufficient thrust, pigs fly just fine.?
[ link to this | view in chronology ]
Likely NSA controls not only certificates, but the root servers.
Anyhoo, seems as though some just don't understand that the internet relies entirely on a very few critical points -- meaning a few hundred people in the world, tops, to be put on payroll, bribed, threatened, whatever is necessary.
Oh, and of course Mike is as always merely assuming that those corporations aren't tacitly cooperating.
[ link to this | view in chronology ]
Feeding the troll...
A MitM attack like this would hoover up EVERYTHING on a target immediately... and Google would have no clue.
That would also make Google releasing information about NSL's and other requests pointless, they're intercepting before anything hits Google's servers and thus wouldn't need to request anything from them.
[ link to this | view in chronology ]
Re: Feeding the troll...
I may abhor some of their business practices, but at least they are trying to be honest about this.
[ link to this | view in chronology ]
Re: Likely NSA controls not only certificates, but the root servers.
Now here is a talking point for ya, this could be used by some to argue that Google and other tech companies are not complying fully with the government or they throw roadblocks and the NSA wanted to bypass that, making all tech companies including Google the good guys, would that make you uncomfortable? Of course it could be simpler than that, it could just mean the NSA wanted to collect data that it didn't want any records of it anywhere, but that is not how it looks to others, specially if you see what they are doing now, suing the government to at the very least show some information to the public, it makes them look good even your nemesis Google.
[ link to this | view in chronology ]
And speaking of pigs...
"nun ruu.n-irurn-I-u-Hr-ufln"
HAHAHAHA
[ link to this | view in chronology ]
For those who require secure non corrupt communication, like banks, the revelations are earth shaking in that nothing sent over the internet or by telephone is secure from interception. Without secure communication, especially for financial issue, modern society itself is not possible except in a totalitarian form.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: on behalf of Hollywood
If you're a troll, you're too obvious to be effective. But over the years I've learned that nothing is too stupid for somebody to believe it. So if you're serious, you just took a magic marker and wrote "Ignore me, I'm stupid!" on your forehead.
Either way, STFU.
--faye kane ♀ girl brain
sexiest astrophysicist you'll ever see naked
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
We need more ways to verify authenticity of certificates
Maybe we need a number of registries of the thumbprints of valid certificates for large websites. In fact, the largest sites (Google, Yahoo, Facebook, Microsoft, Apple, etc etc) could carry such registries.
Maybe there could be a standard path to this file of valid thumbprints, similar to the standard location of robots.txt.
For someone who wants to be really sure they are talking to Amazon.com, or to Google.com, they could check the thumbprint manually.
To somewhat automate the process, numerous free utilities and browser extensions would no doubt appear to double check the certificate thumbprints for you.
As long as the utilities and the thumbprint files are available from many sources, it becomes less and less likely that they could all be compromised. A partial compromise of some sources would be quickly revealed in that client software would notice the discrepancy of different supposed thumbprints for Google's certificate from different sources of the thumbprint registries.
There are various problems with this idea, including...
Each registry of thumbprints could become very large. There needs to be a way to segment them.
The registry of thumbprints needs to be massively distributed so it is effectively impossible to compromise them all.
How are updates distributed? When Google needs to use a new SSL certificate, how do they update all registries with the thumbprint of their new certificate?
The most obvious problems boil down to: how do you make this idea scale? How do you trust sources of updates?
[ link to this | view in chronology ]
Re: We need more ways to verify authenticity of certificates
[ link to this | view in chronology ]
Re: We need more ways to verify authenticity of certificates
[ link to this | view in chronology ]
The final text would be a jumb of icons, b ut if you use a camera to read it, the computer can translate the text, I was thinking Google Glass here.
I thought of that after reading about the Voynich manuscirpt, maybe I should find a new hobby LoL
[ link to this | view in chronology ]
Vote, protest peacefully, sign petitions
[ link to this | view in chronology ]
Re: Vote, protest peacefully, sign petitions
It really is amazing what a huge change we brought on when the young and liberal voted Obama into office! Almost like a different country, huh?
Voting, paying taxes, petitions, calling elected officials, lol... protesting peacefully??? You are delusional. That is exactly how the tyrants in govt want you to act. makes you feel better but does NOTHING!!! Buy yourself a rifle, learn how to use it, stop paying taxes, and stop supporting your own oppression. Man you are a sad one.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Sooner or later the government branches will have to address it as it isn't going to go away and it isn't going to be forgotten. Approval rates are already at floor level for congress, Obama's approval rating is falling the same way in recent weeks, and you are rapidly reaching the point that if something is not done, people are going to respond to all this.
How they will respond is what worries me.
[ link to this | view in chronology ]
Re:
NOT A SINGLE THING WILL CHANGE in any big way till the last "boomer' is dead and it will be too late by then. When will the time come that we pick up our rifles and vote from the rooftops. Are not all Federal agents now Domestic enemies??? Sure seem to fit that description. Just like a Death camp guard following orders... :-(
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Combining fake certs with an older revelation
[ link to this | view in chronology ]
Sprint and Level3 may or may not have been included at that point. I suspect they probably were but without the public announcement. They might not have had the requisite government contracts for plausible deniability.
[ link to this | view in chronology ]
Hopefully more and more people will take internet security more seriously and take steps to improve it for themselves and their loved ones.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
That is the most worrying thing about this.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Already been done
He discusses this and gives you a method to determine if your connections are being intercepted.
Also, does anyone remember the Trustwave certificate?
http://www.theregister.co.uk/2012/02/09/tustwave_disavows_mitm_digital_cert/
and
htt p://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html
I don't even know if I can trust Chrome, that I downloaded from what I thought was a Google.com server, even though it has a built-in list of CA certificates that it validates against....
[ link to this | view in chronology ]
Re: Already been done
[ link to this | view in chronology ]
Are we gonna see??
Watch this people, because when they're done we're going to need to do some real political reform in this country and clean that mess up.
[ link to this | view in chronology ]
Re: Are we gonna see??
After the Feds looked away while the banksters' carried on with their shenangans, and then bailed them out after their gambling debt came due, you think the banksters will make a fuss over this? I highly doubt it. They're all in bed together; that and for safe measure there are probably well positioned moles within the banking industry. Thus nothing will come of this from them but maybe some hollow words of complaint and fake posturing.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Man in the Middle
[ link to this | view in chronology ]
https://www.documentcloud.org/documents/785152-166819124-mitm-google.html
This is how the NSA is man-in-the-middling selected 'targets'. It's simple, just add new static routes which redirect all the target's traffic away from a real Certificate Authorities' IP addresses, to an NSA run Certificate Authority Server's IP address.
In other words. When the 'target' attempts to connect to Verisign.com, he/she will be redirected to nsa.com, which is running a fake Certificate Authority server setup by the NSA. Although these would be IP addresses, not Domain Names. Static routes work using IP addresses.
This is accomplished through changing 'static routes', inside an ISP's network. Specifically, by editing static routes inside ISP corporate routers.
So the 'router' you see in picture of the classified slide, isn't a residential home router. It's most likely an ISP's corporate router.
Which is why you see multiple inbound 'Google Requests' coming into the router, and multiple 'Targeted / Non-Targeted' requests coming out of the router.
The 'Non-Targeted' requests are from ISP subscribers the NSA doesn't care about. The 'Targeted' requests is the actual subscriber the NSA cares about intercepting.
As for Google's SSL/TLS private session key stored on Google's own servers. The NSA doesn't need to have this key in their possession.
The NSA runs their own Certificate Authority Server, which stores a public key for the spoofed Google Server. Which the NSA is also running. So the 'target' encrypts against the NSA's spoofed public key. Establishing an encrypted session to the spoofed NSA Google Server.
The spoofed NSA Google Server then establishes a second encrypted session to the real Google servers, using Google's real public key, obtained from a real Certificate Authority.
Then the NSA just sits there in the middle and reads everything unencrypted. Because the NSA server is in control of both session keys. The spoofed Google key, and the real Google key.
Here's a visualization to help explain how this works:
1. Spoof a Certificate Authority thru static reroutes.
Target >------> NSA Certificate Authority
_________^Spoofed Google Public key
2. Establish encrypted session with spoofed NSA Google Server.
Target >---> spoofed Google Server(MITM)
_______^Spoofed Google Private key
3. Establish encrypted session from spoofed server to the real Google Server.
spoofed NSA Google Server (MITM) >---> real Google Server
________________________________^Real Google private key
4. The end result looks like this:
Target >---> NSA Spoofed Google Server(MITM) >---> Real Google Server
_______^NSA Spoofed Google private key_______^Real Google private key
I hope I did a good job explaining this. It's hard to do without picture to aid the explanation.
In summery, the REAL Certificate Authorities themselves are probably not compromised. The NSA is using static routes to re-direct a specific 'targets' traffic to the NSA's FAKE certificate authorities, they are running themselves.
The NSA Certificate Authority then has the target encrypt against it's fake public key, and redirects it (thru static routes) to the NSA's fake Google server. A session connection is established using the NSA's fake private key.
Then the spoofed NSA Google server sets up another encrypted connection with the REAL Google server, and simple relays information back and forth between the target and real Google server. The NSA is now able to sit in the middle, reading and decrypting everything.
This leaves one question. How did the NSA come into possession of a Certificate Authorities root certificate? Without a root certificate, web browsers will refuse to connect to the NSA's fake Certificate Authority Server.
The answer is simple. The NSA either hacked into a Certificate Authority and stole the root certificate. Or the NSA used one of their super computers to brute force the root certificate's private key, by analyzing their public key.
I suppose they could also force an American CA to make give them a copy of their private key. I'm going to go with the hacking into a CA and stealing the key, as my pick of exploitation.
[ link to this | view in chronology ]
Re: Google... really?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Citations?
Did I miss the appropriate links here?
[ link to this | view in chronology ]
Re: Citations?
[ link to this | view in chronology ]
opportunity
[ link to this | view in chronology ]
I'm inclined to think bittorrent has the answer to scalability.
[ link to this | view in chronology ]
open wide!
with or without using Tor, please install and use the HTTPS Everywhere Add-on for Firefox. Configure it to use the Observatory option(s) which will help us all.
[ link to this | view in chronology ]
fly little piggies. fly... be free!
[ link to this | view in chronology ]
[ link to this | view in chronology ]