How The NSA Pulls Off Man-In-The-Middle Attacks: With Help From The Telcos
from the but-of-course dept
We already covered the latest Guardian report on the NSA and GCHQ's attempts to compromise Tor. While those attempts have failed to directly break Tor, they were more successful at exploiting vulnerabilities in Firefox to target certain Tor users. Bruce Schneier has a more focused article on how those attacks worked, and as part of that he details how the NSA and GCHQ are able to carry out man-in-the-middle attacks on giant websites, something that is really only possible because the major telcos let the NSA put servers directly on the backbone. As we noted last month, buried in one of the earlier Snowden leaks was the news that GCHQ and the NSA were likely running man-in-the-middle attacks on Google. The latest leaks show why those work. As Schneier explains:

To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser into visiting a FoxAcid server.

In the academic literature, these are called "man-in-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA-developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".

Schneier also notes that this is basically the same technique the Chinese have used for their Great Firewall. In other words, the complicity of the telcos in giving the NSA and GCHQ incredibly privileged access to the backbone is part of what allows them to conduct these kinds of man-in-the-middle attacks. It still amazes me that there isn't more outrage over the role of the major telcos in all of this.
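To make the race concrete, here is an added example that is not code from the article or from Schneier's piece. It models the man-on-the-side attack in Python at the TCP level: a client-side receiver that accepts a reply only when the 4-tuple, sequence and acknowledgement numbers line up; a backbone observer that forges a complete reply from the one request segment it saw; and a capture-side check for the fingerprint the injection leaves behind. The addresses, ports, initial sequence numbers and the redirect target exploit.invalid are all constructed for the simulation.

```python
# Added example: a toy model of the man-on-the-side race described above.
# Not code from the article or from Schneier's piece. Hosts, ports, sequence
# numbers and the redirect target (exploit.invalid) are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    ttl: int
    payload: bytes

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class ClientConn:
    """Receive-side state of one established TCP connection, seen from the client."""
    local: tuple    # (ip, port) of the client
    remote: tuple   # (ip, port) of the site the client thinks it is talking to
    snd_nxt: int    # next seq the client sends == ack it expects in replies
    rcv_nxt: int    # next seq it expects from the server
    accepted: list = field(default_factory=list)

    def request(self, payload):
        seg = Segment(*self.local, *self.remote, self.snd_nxt, self.rcv_nxt, 64, payload)
        self.snd_nxt += len(payload)
        return seg

    def deliver(self, seg):
        """A segment is accepted only if flow, ack and seq all line up; a second
        segment for an already-consumed seq looks like a retransmit and is discarded."""
        if (seg.dst, seg.dport) != self.local or (seg.src, seg.sport) != self.remote:
            return "dropped: not our flow"
        if seg.ack != self.snd_nxt:
            return "dropped: bad ack"
        if seg.seq != self.rcv_nxt:
            return "dropped: duplicate/out of window"
        self.rcv_nxt += len(seg.payload)
        self.accepted.append(seg)
        return "accepted"


def reply_to(request, payload, ttl):
    """Everything needed for a valid-looking reply is in the request itself:
    swap endpoints, seq := request.ack, ack := request.seq + len(request.payload).
    The real server and a backbone tap that saw the request both compute this."""
    return Segment(request.dst, request.dport, request.src, request.sport,
                   request.ack, request.seq + len(request.payload), ttl, payload)


LEGIT = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
INJECTED = (b"HTTP/1.1 302 Found\r\nLocation: http://exploit.invalid/\r\n"
            b"Content-Length: 0\r\n\r\n")


def run_race(injector_first):
    """Deliver the forged and legitimate replies in the given order; whichever
    arrives first owns the connection and the other is dropped as a duplicate."""
    client = ClientConn(("10.0.0.5", 40000), ("203.0.113.10", 80), snd_nxt=1000, rcv_nxt=5000)
    req = client.request(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    legit = reply_to(req, LEGIT, ttl=52)      # from the far-away real server
    forged = reply_to(req, INJECTED, ttl=58)  # from a closer hop on the backbone
    order = [forged, legit] if injector_first else [legit, forged]
    results = [client.deliver(s) for s in order]
    return {"winner": client.accepted[0].payload,
            "results": results,
            "capture": [req] + order}


def find_injection(capture):
    """Capture-side check: two segments on one flow with the same seq but
    different payload. A real retransmit repeats the bytes; an injection does not.
    The TTL mismatch within the pair is a second hint that they had different origins."""
    first = {}
    alerts = []
    for seg in capture:
        key = (seg.flow, seg.seq)
        if key in first and first[key].payload != seg.payload:
            alerts.append((first[key], seg))
        first.setdefault(key, seg)
    return alerts


if __name__ == "__main__":
    for injector_first in (True, False):
        out = run_race(injector_first)
        print("injector first" if injector_first else "server first",
              "->", out["winner"].split(b"\r\n")[0], out["results"])
    for a, b in find_injection(run_race(True)["capture"]):
        print("ALERT: seq", a.seq, "seen with two payloads; ttl", a.ttl, "vs", b.ttl)
```

Two things the model makes visible. First, the attacker never has to block the real reply: the client's own duplicate handling discards it, which is why a passive tap that only needs to see and send (man-on-the-side) is enough, and why winning comes down to being closer than the real server. Second, the forged 302 only works because the session is plaintext HTTP; inside a TLS session an injected record fails authentication, so the race buys the attacker at most a connection reset or a foothold in some plaintext step before TLS starts. The duplicate-sequence-number check in find_injection is the same idea that public QUANTUMINSERT detection write-ups rely on, and it needs a capture point that sees both the forged and the legitimate reply.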
Filed Under: exploits, foxacid, gchq, man in the middle, nsa, nsa surveillance, quantum, surveillance, telcos, tor
Reader Comments
Let me emphasize:
less technically savvy targets
One would think that the really dangerous criminals and terrorists are aware and at least have tech-savvy members in their ranks. So who are they aiming at then? The obvious answer is the average Joe. Do we have any doubts that this isn't about terrorism but rather just plain blunt surveillance?
Re:
Was there ever a doubt Ninja, as to who the enemy was in the eyes of the government and security branches like the NSA?
Re:
Which is why every web server should move to HTTPS. Makes these kinds of attacks harder.
Re:
If NSA had a root signing cert from a CA, then the NSA's certificate for google.com would be as good as the one Google uses.
Re: Re:
Re: Re: Re:
There is another initiative to make this much harder: Certificate Transparency.
Re: Re: Re: Re:
And that is the real issue here.
If the root CA is not trusted, you can't trust any cert from that authority. No amount of checks or tracking "trust chains" can expose the root as being untrusted. It literally just gives a false sense of security.
And how many different CAs are there? Even if the root is not compromised, it isn't possible to trust them as is.
One way validation is the problem.
We wouldn't expect our bank to validate us by using a certificate.
Yet we are expected to validate them with such flaky methods.
Response to: Anonymous Coward on Oct 4th, 2013 @ 12:17pm
Re:
Unverified and leaves out Microsoft / Apple / Google's backdoors.
"they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users." -- Umm, yeah, Mike, cause compared to bullet-proof Internet Explorer from totally not-in-cahoots-with-NSA Microsoft, Firefox is like leaving keys and signed-over title in your car.
Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.
Way to take stuff out of context
"While those have failed to directly break Tor," -- Unverified if not unverifiable opinion.
the context was....
While those(reported attempts at "de-anonymizing" tor) have (reportedly) failed to directly break Tor.
Way to create an argument that didn't even exist
"they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users." -- Umm, yeah, Mike, cause compared to bullet-proof Internet Explorer from totally not-in-cahoots-with-NSA Microsoft, Firefox is like leaving keys and signed-over title in your car.
Mentioning Firefox being exploited is nothing to do with endorsing IE.
You are failing hard at trolling M8
You used to at least have a clear tactic.... now you are just another troll designated to the retard pile. You fucked up your own trolling with "trying too hard".
Lrn2Troll noob
Re: Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.
Re: Re: Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.
Hate him = obviously disagree with everything he says.
It's a really good tactic that works against some.
That's why he makes good points and wraps them up in bullshit.... just so you hate his voice and partly his message. Trolls/shills are getting smarter. This dude is just a noob trying too hard. I would dock his wages if I was his boss.
Don't know if you guys caught this one:
"Further afield, the NSA has apparently targeted the computer networks of Saudi Arabia’s Riyad Bank and Chinese technology company Huawei for surveillance, the documents show." link from the Guardian.
So I guess we were worried not about the Chinese spying on us, but all the damn backdoors that the NSA already put in place.
Re:
http://www.youtube.com/watch?v=ugdpbPW_k3g&feature=player_detailpage#t=1936
Huawei, Cisco, HP, and other manufacturers are a good jumping-off point for the NSA to hack other networks. Something the US specifically authorizes them to do. Plus, Huawei has so many bugs that their OS is a giant backdoor.
The thing everyone has a problem with is the overreach of the NSA. Targeted attacks, even on third parties, to obtain specific intel aren't really something that most people worry about here in the US. It's making sure that there's a proper legal channel to get a warrant through an adversarial proceeding that concerns me personally.
http://en.wikipedia.org/wiki/Writ_of_assistance
Re:
Like you really need another foot in your mouth, ootb. M$ long ago sold out. Again a rant with absolutely nothing to back it up but stupid statements pulled from your butt.
Have another report vote.
Unintended consequences
The TBB is used by human rights activists all over the world, including those who are paid by the United States Government and who work in places where local knowledge of their activities could result in grave harm to them.
Most (if not all) such countries don't have the capability to breach the security afforded by the TBB...but luckily for them, the NSA is trying to do so and when they succeed, will no doubt leave the hole open -- since it took some effort to acquire and since they'll want to use it again.
Great. Just great.
Re: Unintended consequences
It is HTTP, not HTTPS.
Which means that anyone who is watching will be able to see the contents of the request.
Considering what Google does and what it keeps getting blamed for, how come the NSA, which is doing things 100 times worse, doesn't get any politicians going after it for manipulating search results? Yes, it is getting a lot of well-deserved flak over other things, but why leave this particular nasty off the list? Google should have stuck up for itself much more, much sooner and much stronger from the start. If it had kicked off at its treatment and Congress or whoever had carried on, it only had to tell them to screw themselves, we're off! And there would have been a different scenario. Similarly, had the entertainment industries been told to fuck off instead of everyone doing whatever to pacify them, I wonder how much further we would have advanced in various developments concerned with movie and music technology?
Re:
For instance, IIRC Microsoft was found out to be behind some of these complaints.
Other complaints come from less knowledgeable persons parroting the talking points seeded by these powerful interests.
And of course, there are those with legitimate reasons to complain about Google. They also complain about the NSA, for the same reasons. But they are not the loudest ones.
Re: Re:
Re: Re: Re:
Really? From where I sit, it looks like they've traditionally bent over backwards for them.
Which still makes me laugh every time someone makes that claim.
Re: Re: Re: Re:
From your perspective yes, but from the *AA's perspective, anything less than complete and total compliance, and doing everything they say, is seen as actively working against the *AA's.
Time to set up a Raspberry Pi Tor proxy, and run my web browser inside a virtual machine that gets wiped clean after every reboot.
Safely surfing the world wide web is turning into a big chore these days.
We won't forget the treasonous actions taken against law-abiding Americans, NSA! Stop logging the entire lives of red blooded Americans in secret databases. We won't stand for it.
The NSA is worse than East Germany's Stasi! The NSA's current mission and tactics, are incompatible with freedom and democracy. The NSA is simply un-American. They've betrayed their own people. The very people funding this freedom killing abomination.
Protect businesses
This is not right. Government decisions are supposed to be open and transparent - this is anything but. Government decisions are supposed to be based upon the facts at hand and upon what is best for the citizens - the NSA has seemingly inserted itself into decision-making processes and corrupted them. Large-scale corruption like this warrants a large-scale judicial review, and heads should be rolling. Instead, it appears that judges and politicians are too frightened to act, while the third arm of government is just totally involved in the problem and so cannot.
Too many secrets.
People in Sweden are turning on the FRA (Gotland - an island that the Swedish gov. thought it was time to give a military force all on its own) - FRA is the military section that is breaking common Swedish people's encryption (if you don't account for the NSA MITM attacks and most of the larger operators, not all, as in this article, bending over backwards). The name means Försvarets (the defensive) radio (radio!) anstalt (institution); they sell information through Kontoret för särskild inhämtning (the office for particular acquisition).
I got a 10 Mbit line and I can barely load a page without it taking ages (without hardware/software bottlenecks) - at points I did tracerts and found Telia servers were redirecting my routes over to the USA; these days the routes show up almost clear (sometimes a jump is hidden * * * altogether in cmd, no, not the classical "destination is out of reach" etc., as the final destination is reached) or fully clear - while the connection is clearly bogged down as f**k.
So yeah, the NSA is doing wrong, so are many of the ISPs and so, definitely, are the governments - look at the wealth and power distribution today. IF you can, swap to a healthy ISP - if there is none, see if you have access to an alternative net (the internet isn't the only net out there).