How The NSA Pulls Off Man-In-The-Middle Attacks: With Help From The Telcos

from the but-of-course dept

Fri, Oct 4th 2013 12:01pm — Mike Masnick

We already covered the latest Guardian report on the NSA and GCHQ's attempts to compromise Tor. While those have failed to directly break Tor, they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users. Bruce Schneier has a more focused article on how those attacks worked, and as a part of that, detailed how the NSA and GCHQ are effectively able to do man-in-the-middle attacks on giant websites, something that is really only possible because of the major telcos letting the NSA put servers directly off the backbone. As we noted last month, buried in one of the earlier Snowden leaks was the news that the GCHQ and NSA were likely running man-in-the-middle attacks on Google. The latest leaks show why those work. As Schneier explains:

To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.

In the academic literature, these are called "man-on-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".

Schneier also notes that this is basically the same technique the Chinese have used for their Great Firewall. In other words, the complicit nature of the telcos in basically giving the NSA and GCHQ incredibly privileged access to the backbone is part of what allows them to conduct those kinds of man-in-the-middle attacks. It still amazes me that there isn't more outrage over the role of the major telcos in all of this.

The other interesting thing about the FoxAcid servers is that it's basically a system that gives the NSA a rotating menu of ways to exploit a visitor who gets hooked on one of their servers. It also notes that the NSA is pretty careful about how it uses various exploits, such that "low-value exploits" are used against more technically sophisticated targets, recognizing that they're more likely to be discovered, and thus burned. They save the "most valuable exploits" for less technically savvy targets, and also the most important targets. This is hardly surprising, but interesting to see the level with which they plan these things out.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: exploits, foxacid, gchq, man in the middle, nsa, nsa surveillance, quantum, surveillance, telcos, tor

30 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ninja (profile), 4 Oct 2013 @ 12:05pm

They save the "most valuable exploits" for less technically savvy targets, and also the most important targets.

Let me emphasize:

less technically savvy targets

One would think that the real dangerous criminals and terrorists are aware and at least have tech-savvy members in their ranks. So who are they aiming then? The obvious answer is the average Joe. Do we have any doubts that this isn't about terrorism but rather just plain blunt surveillance?
[ link to this | view in chronology ]
- Anonymous Coward, 4 Oct 2013 @ 1:04pm
  
  Re:
  How do they determine how technically savvy a target is?
  [ link to this | view in chronology ]
Anonymous Coward, 4 Oct 2013 @ 12:13pm

Nice that all these articles are giving you hints as to what services you should not be using. Places you should never go to, like Google, Yahoo!, and Facebook. I am totally shocked these companies aren't seeing the threat such info is revealing as seriously detrimental to their long term business potentials.

Was there ever a doubt Ninja, as to who the enemy was in the eyes of the government and security branches like the NSA?
[ link to this | view in chronology ]
Anonymous Coward, 4 Oct 2013 @ 12:17pm

Does it mean that they have Google's private key? Otherwise man in the middle attacks won't work on SSL. Or they have managed to obtain another certificate issued for Google.com from a CA authority.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Oct 2013 @ 12:48pm
  
  Re:
  Google did not always use SSL/TLS, so no need for any kind of private key.
  
  Which is why every web server should move to HTTPS. Makes these kinds of attacks harder.
  [ link to this | view in chronology ]
- DannyB (profile), 4 Oct 2013 @ 1:09pm
  
  Re:
  If the NSA can get devices positioned at privileged locations in the backbone, do you suppose they could also coerce at least one CA (certificate authority) somewhere to give NSA a root signing certificate? That way, the NSA's box could generate a new trusted certificate for a each website it is targeting and then instantly play MITM (man in the middle).
  
  If NSA had a root signing cert from a CA, then the NSA's certificate for google.com would be as good as the one Google uses.
  [ link to this | view in chronology ]
  - Anonymous Coward, 4 Oct 2013 @ 1:45pm
    
    Re: Re:
    Certificate patrol makes this more difficult as it detects and shows changes in certificates.
    [ link to this | view in chronology ]
    - Anonymous Coward, 4 Oct 2013 @ 1:54pm
      
      Re: Re: Re:
      It does until you get tired of the false positives and start clicking the "Yeah, whatever" button every time.
      
      There is another initiative to make this much harder: Certificate Transparency.
      [ link to this | view in chronology ]
      - Anonymous Coward, 4 Oct 2013 @ 3:24pm
        
        Re: Re: Re: Re:
        "the chains of trust set up by certificate authorities"
        
        And that is the real issue here.
        
        If the root CA is not trusted. You can't trust any cert from that authority. No amount of checks or tracking "trust chains" can expose the root as being untrusted. It literally just gives a false sense of security.
        
        And how many different CA's are there. Even if the root is not compromised it isn't possible to trust them as is.
        
        One way validation is the problem.
        
        We wouldn't expect our bank to validate us by using a certificate.
        
        Yet we are expected to validate them with such flaky methods.
        [ link to this | view in chronology ]
- Anonymous Coward, 5 Feb 2014 @ 2:44pm
  
  Response to: Anonymous Coward on Oct 4th, 2013 @ 12:17pm
  Or... The NSA is could also be in the middle of your connection with the CA, providing you with a manufactured certificate of Google.com, where they own the private key of.
  [ link to this | view in chronology ]
- Jan, 13 Dec 2014 @ 6:39am
  
  Re:
  Well probably they control a CA authority and can issue certificates at leasure. They seem to mimic completely the real site, or the Quantum Insert is a proxy server. Anyway once it get's to the client or proxy the information is in cleartext, so can be modified as much as they want and sent trough to the end client computers. There were big articles in the Belgian press today explaining how they hacked the Belgacom network. They created a Quantum Insert on Linkedin and infected the computers of 3 Belgacom staff members. Once they had control over the 3 staff member computers (2011 - probably still Windows xp in this government agency) they received the login information to the servers and network switches easily by spying telnet and ftp traffic - the staff members directly telnetted to critical components of the Belgacom core network. From there on they could upload their own code in the network switches and control everything including eavesdropping on mobile communications of any mobile number within Europe transiting trough the Belgacom network.
  [ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 4 Oct 2013 @ 12:20pm

Unverified and leaves out Microsoft / Apple / Google's backdoors.
"While those have failed to directly break Tor," -- Unverified if not unverifiable opinion.

"they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users." -- Umm, yeah, Mike, cause compared to bullet-proof Internet Explorer from totally not-in-cahoots-with-NSA Microsoft, Firefox is like leaving keys and signed-over title in your car.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Oct 2013 @ 1:24pm
  
  Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.
  Wow... that stick up your ass really is way up there.
  
  Way to take stuff out of context
  "While those have failed to directly break Tor," -- Unverified if not unverifiable opinion.
  
  the context was....
  
  While those(reported attempts at "de-anonymizing" tor) have (reportedly) failed to directly break Tor.
  
  Way to create an argument that didn't even exist
  "they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users." -- Umm, yeah, Mike, cause compared to bullet-proof Internet Explorer from totally not-in-cahoots-with-NSA Microsoft, Firefox is like leaving keys and signed-over title in your car.
  
  Mentioning Firefox being exploited is nothing to do with endorsing IE.
  
  You are failing hard at trolling M8
  You used to at least have a clear tactic.... now you are just another troll designated to the retard pile. You fucked up your own trolling with "trying too hard".
  Lrn2Troll noob
  [ link to this | view in chronology ]
  - John Fenderson (profile), 4 Oct 2013 @ 1:49pm
    
    Re: Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.
    You have to understand that Blue apparently believes that if you aren't loudly denouncing something specifically every time you speak, whether or not it's relevant to the topic at hand, then you must be in favor of it.
    [ link to this | view in chronology ]
    - Anonymous Coward, 4 Oct 2013 @ 3:05pm
      
      Re: Re: Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.
      He is trying to get everyone to hate the message.... just because he said it.
      
      Hate him = obviously disagree with everything he says.
      It's a really good tactic that works against some.
      
      That's why he makes good points and wraps them up in bullshit.... just so you hate his voice and partly his message. Trolls/shills are getting smarter. This dude is just a noob trying too hard. I would dock his wages if I was his boss.
      [ link to this | view in chronology ]
Anonymous Coward, 4 Oct 2013 @ 12:28pm

Jesus, that was a lot of reading and links...
Don't know if you guys caught this one:
"Further afield, the NSA has apparently targeted the computer networks of Saudi Arabia�s Riyad Bank and Chinese technology company Huawei for surveillance, the documents show." link from the Guardian.

So I guess we were worried not about the Chinese spying on us, but all the damn backdoors that the NSA already put in place.
[ link to this | view in chronology ]
- Arthur Moore (profile), 4 Oct 2013 @ 2:03pm
  
  Re:
  Hacking Huawei isn't much of a surprise. Especially if Huawei uses their own equipment.
  
  http://www.youtube.com/watch?v=ugdpbPW_k3g&feature=player_detailpage#t=1936
  
  Hua wei, Cisco, HP, and other manufacturers are a good jumping off point for the NSA to hack other networks. Something the US specifically authorizes them to do. Plus, Huawei has so many bugs that their OS is a giant backdoor.
  
  The thing everyone has a problem with is the over reach of the NSA. Targeted attacks, even to third parties, to obtain specific intel aren't really something that most people worry about here in the US. It's making sure that there's a proper legal channel to get a warrant through an adversarial proceeding that annoys me personally.
  
  http://en.wikipedia.org/wiki/Writ_of_assistance
  [ link to this | view in chronology ]
Anonymous Coward, 4 Oct 2013 @ 12:37pm

Kinky
[ link to this | view in chronology ]
- Anonymous, 4 Oct 2013 @ 6:48pm
  
  Re:
  Man-in-the-middle, man-on-the-side, sounds rather queer to me.
  [ link to this | view in chronology ]
Anonymous Coward, 4 Oct 2013 @ 12:39pm

bullet-proof Internet Explorer

Like you really need another foot in your mouth, ootb. M$ long ago sold out. Again a rant with absolutely nothing to back it up but stupid statements pulled from your butt.

Have another report vote.
[ link to this | view in chronology ]
Anonymous Coward, 4 Oct 2013 @ 12:41pm

Unintended consequences
So, the NSA is deliberately compromising end-user systems that use the TBB.

The TBB is used by human rights activists all over the world, including those who are paid by the United States Government and who work in places where local knowledge of their activities could result in grave harm to them.

Most (if not all) such countries don't have the capability to breach the security afforded by the TBB...but luckily for them, the NSA is trying to do so and when they succeed, will no doubt leave the hole open -- since it took some effort to acquire and since they'll want to use it again.

Great. Just great.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Oct 2013 @ 12:51pm
  
  Re: Unintended consequences
  Did you notice the sample "tag" in the article?
  
  It is http. Not https.
  
  Which means that anyone who is watching will be able to see the contents of the request.
  [ link to this | view in chronology ]
Anonymous Coward, 4 Oct 2013 @ 12:53pm

every 5 minutes it seems like, Google are being blamed for something else. they get accused of anything and everything that the various, paid under the table, politicians can dream up. even as we speak there is another ridiculous discussion going on over how Google sorts out search results. i find it quite strange that the companies complaining are mostly those that dont want to do f**k all themselves to improve their lot, relying, yet again, on some or other complaint to yet another politician.
considering what Google does and what it keeps getting blamed for, how come the NSA, which is doing things 100 times worse, dont get any politicians going after it for manipulating search results? yes, it is getting a lot of well deserved flack over other things but why leave this particular nasty off the list? Google should have stuck up for itself much more, much sooner and much stronger from the start. if it had kicked off at it's treatment and Congress or whoever had carried on, it only had to tell them to screw themselves, we're off! and there would have been a different scenario. similarly, had the entertainment industries been told to fuck off instead of everyone doing whatever to pacify it, i wonder how much further we would have advanced in various developments concerned with movie and music technology??
[ link to this | view in chronology ]
- Anonymous Coward, 4 Oct 2013 @ 1:01pm
  
  Re:
  There are powerful interests who feel threatened by Google, and are behind a lot of the complaints about Google.
  
  For instance, IIRC Microsoft was found out to be behind some of these complaints.
  
  Other complaints come from less knowledgeable persons parroting the talking points seeded by these powerful interests.
  
  And of course, there are those with legitimate reasons to complain about Google. They also complain about the NSA, for the same reasons. But they are not the loudest ones.
  [ link to this | view in chronology ]
  - PRMan, 4 Oct 2013 @ 1:25pm
    
    Re: Re:
    Google hasn't traditionally played nice with the MAFIAA. Therefore, Google is mentioned on all news sources (owned by the MAFIAA) as being the ringleader against SOPA and also as the number one name in helping the NSA, when in fact they have spent more to fight the NSA than anyone else.
    [ link to this | view in chronology ]
    - John Fenderson (profile), 4 Oct 2013 @ 2:11pm
      
      Re: Re: Re:
      Google hasn't traditionally played nice with the MAFIAA
      
      Really? From where I sit, it looks like they've traditionally bent over backwards for them.
      
      as being the ringleader against SOPA
      
      Which still makes me laugh every time someone makes that claim.
      [ link to this | view in chronology ]
      - That One Guy (profile), 4 Oct 2013 @ 2:22pm
        
        Re: Re: Re: Re:
        Really? From where I sit, it looks like they've traditionally bent over backwards for them.
        
        From your perspective yes, but from the *AA's perspective, anything less than complete and total compliance, and doing everything they say, is seen as actively working against the *AA's.
        [ link to this | view in chronology ]
Anonymous Coward, 4 Oct 2013 @ 6:45pm

Here I thought I was being overly paranoid by disabling cookies, javascript, flash, and iframes. Turns out I wasn't being paranoid enough!

Time to setup a Raspberry Pi Tor proxy, and run my web browser inside a virtual machine that get's wiped clean after every reboot.

Safely surfing the world wide web is turning into a big chore these days.

We won't forget the treasonous actions taken against law-abiding Americans, NSA! Stop logging the entire lives of red blooded Americans in secret databases. We won't stand for it.

The NSA is worse than East Germany's Stasi! The NSA's current mission and tactics, are incompatible with freedom and democracy. The NSA is simply un-American. They've betrayed their own people. The very people funding this freedom killing abomination.
[ link to this | view in chronology ]
Postulator (profile), 4 Oct 2013 @ 9:17pm

Protect businesses
One thing is very clear from all of this, and I am saying this as a fan of big government. Business must not be in a position of relying upon government largesse. The NSA is clearly blackmailing companies. In the case of telecoms, "if you do this for us, you'll get that spectrum you want to buy". In the case of other companies, presumably applying a range of various arm-twisting using all the resources a government can apply.

This is not right. Government decisions are supposed to be open and transparent - this is anything but. Government decisions are supposed to be based upon the facts at hand and upon what is best for the citizens - the NSA has seemingly inserted itself into decision-making processes and corrupted them. Large-scale corruption like this warrants a large-scale judicial review, and heads should be rolling. Instead, it appears that judges and politicians are too frightened to act, while the third arm of government is just totally involved in the problem and so cannot.

Too many secrets.
[ link to this | view in chronology ]
Postulator, 20 Jan 2018 @ 7:17am

The reason the gov. is out of sync with the populous is because it is controlled by the plutocracy (the rich and powerful) through facism (global organisation dictating terms), there are some wealthy families high up in the socio-economic ladder that wants it this way. - The answer is not to do away with government but to take control over it by holding politicians accountable - that menas YOU start with YOUR regional politicians. Without actually taking action things wont change.
People in Sweden are turning on the FRA (Gotland - an island that the swedish gov. thought it was time to give a military force all on its own) - FRA is the military section that is breaking common Swedish people's encryption (if u don't account for the NSA mitm attacks and most of the larger operators, not all, as in this article bending over backwards). The name means Försvarets (the defensive) radio (radio!) anstalt (institution), they sell information through Kontoret för särskild inhämtning (the office for particular aquisition).
I got a 10mbit line and I can barely load a page without it taking ages (wo hardware/software bottlenecks) - at points i did tracerts and found Telia servers was redirecting my routes over to USA, these days the routes show up allmost clear (sometimes a jump is hidden * * * alltogether in cmd, no not the classical desition is out of reach etc as the final destination is reached) or fully clear - while the connection is clearly bogged down as f**k.

So yeah NSA is doing wrong, so is many of the ISP's and so is definitively the gov.'s - look at the wealth and power distirbution today, IF you can swap to a healthy ISP - if there is none see if you got access to an alternative net (internet isn't the only net out there).
[ link to this | view in chronology ]