FLYING PIG: The NSA Is Running Man In The Middle Attacks Imitating Google's Servers

from the doubtful-that-google-is-happy-about-that dept

Glyn mentioned this in his post yesterday about the NSA leaks showing direct economic espionage, but with so many other important points in that story, it got a little buried. One of the key revelations was about a GCHQ program called "FLYING PIG" which is the first time I can recall it being clearly stated that the NSA or GCHQ has been running man-in-the-middle attacks on internet services like Google. This slide makes it quite clear that GCHQ or NSA impersonates Google servers:

There have been rumors of the NSA and others using those kinds of MITM attacks, but to have it confirmed that they're doing them against the likes of Google, Yahoo and Microsoft is a big deal -- and something I would imagine does not make any of those three companies particularly happy. As Ryan Gallagher notes in the Slate article linked above:

in some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route—on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.

Documents from GCHQ’s “network exploitation” unit show that it operates a program called “FLYING PIG” that was started up in response to an increasing use of SSL encryption by email providers like Yahoo, Google, and Hotmail. The FLYING PIG system appears to allow it to identify information related to use of the anonymity browser Tor (it has the option to query “Tor events”) and also allows spies to collect information about specific SSL encryption certificates.

While some may not be surprised by this, it's yet more confirmation as to how far the NSA is going and how the tech companies aren't always "willing participants" in the NSA's efforts here. Of course, the real question now is how the NSA is impersonating the security certificates to make these attacks work.

Filed Under: flying pig, impersonation, man in the middle, nsa, nsa surveillance, security certificates
Companies: google, microsoft, yahoo

Judge Allows FBI To Use Evidence Collected Via Stingray Fake Cell Towers

from the that-4th-amendment-thing... dept

For the past few years, we've been covering a key DOJ case against Daniel Rigmaiden. Rigmaiden appears to have been involved in some likely fraud, but after asking how the feds tracked him down, it was revealed that they used a fake mobile tower, often referred to as a "stingray" (though the actual product goes by a few different names), to create an effective man in the middle attack. This allowed the FBI to keep tabs on Rigmaiden's location and some of what he was doing, as the aircard he used to get online was suddenly running through their own special fake Verizon tower. In fact, it later came out that the DOJ has been misleading judges for years about its use of the technology.

However, a judge has now ruled that none of that really matters, and that the evidence collected by the stingray (or as a result of its use) can be used in the case against Rigmaiden. The reasoning is fairly odd, however. The judge basically said that there's no 4th Amendment issue because Rigmaiden had no reasonable expectation of privacy in either the use of the aircard or in his apartment "because he had obtained the air card and rented the apartment and storage space through fraudulent means — that is, using identifications that he had stolen from other people." That seems like a highly questionable standard on which to base that decision. As the ACLU points out, while Rigmaiden may have been committing fraud elsewhere, and may have used different names in getting the aircard and the space, there is no indication that any fraud was involved in getting those particular things. Under this ruling, you could see that doing something or buying something under an alias could be viewed as giving up one's 4th Amendment protections -- and that seems crazy.

The court also didn't seem to much care about the DOJ hiding its use of the stingray from judges:

The judge also ruled that the government was not in the wrong for failing to disclose to a magistrate judge that it planned to use a stingray to track the defendant, or to explain to the judge how the tracking device it intended to use worked. He characterized this information as a “detail of execution which need not be specified.”

That seems fairly troubling, as it would allow the DOJ to hide other surveillance efforts that might be judged to be 4th Amendment violations... As the ACLU notes in response to this ruling:

“When the government is seeking a warrant to use new technology, it has the duty to explain to the court what that technology is and how it works,” she said. “Stingrays are a very potent example of why that is so, because it scoops up innocent information of third parties who are not under probable cause surveillance.”

Filed Under: daniel rigmaiden, doj, fake mobile phone towers, fbi, fraud, man in the middle, stingray, surveillance, warrants

DOJ Misled Judges For Years About How It Was Using Stingray Devices To Spy On People

from the well-of-course dept

How many times does it need to be repeated? If you give law enforcement the ability to spy on people -- even with limits -- law enforcement will always blow through those limits and abuse its powers. It happens over and over and over again. And that becomes doubly true when law enforcement has worked out ways to avoid oversight. Back in 2011, the WSJ broke a huge story about the frequent use by government officials of a technique for mobile device surveillance generically called "stingray" devices (technically, there are a few products used for this, only some of which are actually called Stingrays, but the name is now used to refer to all of them). The device works by pretending to be a mobile phone tower, so devices can connect to it, and law enforcement gets all your data. It's basically a cellular man-in-the-middle attack, with law enforcement being that man in the middle. Yay.

The technology has been a key component in a case involving Daniel Rigmaiden, which we wrote about last year. Rigmaiden was taken into custody (on a fraud charge) and, representing himself in court, he has sought more info on how he was tracked down -- leading to some reluctant disclosure about law enforcement using Stingray devices on questionable authority to find him. In that case, we noted that law enforcement claimed it had a court order to use the technology, but the judge was confused, asking where were the warrants for the use of the device. The judge asked how it was possible that a court order or warrant was issued without the judge ever being told about the technology used in surveillance and was told, simply, "it was a standard practice."

Indeed, that appears to be the case. The ACLU filed a bunch of FOIA (Freedom of Information Act) requests to dig into this and newly released documents show that, indeed, it was apparently standard practice by the DOJ to be "less than explicit" and less than "forthright" with judges in seeking warrants and court orders to make use of this technology. Here's an email that was revealed:

As some of you may be aware, our office has been working closely with the magistrate judges in an effort to address their collective concerns regarding whether a pen register is sufficient to authorize the use of law enforcement's WIT technology (a box that simulates a cell tower and can be placed inside a van to help pinpoint an individual's location with some specificity) to locate an individual. It has recently come to my attention that many agents are still using WIT technology in the field although the pen register application does not make that explicit.

While we continue work on a long term fix for this problem, it is important that we are consistent and forthright in our pen register requests to the magistrates…

Basically, that's the DOJ admitting that it has not been forthright or explicit in letting judges know that it is going to use this extremely intrusive form of surveillance in seeking approvals. And the courts have been concerned about this. As the ACLU notes, this email was written three years after the Rigmaiden situation happened -- suggesting that the DOJ has been getting away with this sort of thing for many years, without anyone digging in. The ACLU is now arguing that this should be a reason to suppress the evidence obtained via these devices, and will ask the court to "send a clear message" that it cannot hide the truth from federal judges in seeking rubber stamps to violate the privacy of the public.

Filed Under: 4th amendment, doj, man in the middle, privacy, stingray, surveillance, warrants

Trustwave Admits It Issued A Certificate To Allow Company To Run Man-In-The-Middle Attacks

from the wow dept

We've pointed out for years that the whole structure of SSL certificate-based security is open to attack via man-in-the-middle attacks... if you can somehow get a certificate authority to grant you a fake certificate. Of course, the protection against that was supposed to be that a certificate authority wouldn't do that. But what if one did? Certificate authority Trustwave has admitted that it issued a certificate to a company that allowed it to issue "valid" certs for any server. Basically, it gave a company the ability to do any kind of man-in-the-middle attack it wanted on employees. Trustwave has admitted to all this after revoking the certificate. They insist that the structure was limited so that it could only be used internally on the network. But, while it was out there, it basically allowed this company to effectively spy on employee activities, allowing the company to do man-in-the-middle attacks, as employees logged into private ("encrypted") accounts from their own devices, and see what they were doing. Considering this certificate was issued for "loss prevention," it's not hard to guess how it was used.

Either way, it's pretty scary that Trustwave would think it was a reasonable move to allow this kind of activity, no matter how carefully the company believes it was set up. In a world where people have perfectly valid reasons for using private personal internet services from the workplace, they should be able to trust that those connections are secure. Thanks to Trustwave's deal with this (unnamed) company, that was not the case. On top of that, there's no telling if other certificate authorities are doing the same thing elsewhere, significantly compromising SSL security.

In the end, this is a significant reminder that certificate-based security systems have serious weaknesses, and that the certificate authorities might not always be trustworthy...

Filed Under: certificate authorities, man in the middle, privacy, secure certificates, security, ssl
Companies: trustwave

Syrian Government Trying To Swipe Social Networking Passwords?

from the hamfisted dept

You may recall reports a few months ago from Tunisia, that indicated the government there had used a form of a man-in-the-middle attack to get usenames and passwords and access Facebook accounts of certain political opponents. It appears that Syria is trying to do the same thing. Reports have come out that Syria, via the Syrian Telecom Ministry, has kicked off a large man-in-the middle-attack on the HTTPS version of Facebook's site. While the EFF notes that the attack is amateurish, that doesn't mean it won't snare a potentially large number of people:

The attack is not extremely sophisticated: the certificate is invalid in user's browsers, and raises a security warning. Unfortunately, because users see these warnings for many operational reasons that are not actual man-in-the-middle attacks, they have often learned to click through them reflexively. In this instance, doing so would allow the attackers access to and control of their Facebook account. The security warning is users' only line of defense.

Either way, I'm a bit surprised that governments are using and promoting such ineffective means of spying on the populace. Of course, hopefully, this helps teach people to not just click through potential warnings, but also to get a better sense of how to keep their own computers secure and how to avoid such attacks.

Filed Under: man in the middle, syria
Companies: facebook

Did The Iranian Gov't Try To Create A Massive Man-In-The-Middle Attack With Faked Certificates?

from the getting-sophisticated dept

A few months back, we talked about how the Tunisian government tried to do a massive hack on Facebook to access the communications of protesters and activists. It looks like the Iranian government tried to do something similar, figuring out a way to get bogus SSL certificates for Google, Yahoo, Skype and others, which would have allowed the government to set up a man-in-the-middle type attack to get passwords and access otherwise "encrypted" content. While this was discovered, it does suggest the levels that some governments will go to in order to spy on users online. More importantly, it highlights some of the serious problems with the certificate authority model of trust and security online. So here's the big question: how do we prevent these types of things from happening?

Filed Under: certificates, iran, man in the middle, security, ssl, trust

Scammers Run A Trucking Company With No Trucks

from the the-magic-of-computers dept

You have to admit that there are some creative scammers out there. Take, for example, a group of Russian immigrants, who used their hacking skills to effectively run a trucking company that didn't exist. They would hack into a Department of Transportation website that listed licensed trucking firms to change the contact info (temporarily) on certain firms to their own address and phone number. Then, they would go to another online site that listed cargo in need of transportation. They'd pose as the firm whose contact info they'd replaced, get the deal, and then go find another trucking firm to actually deliver the cargo. The cargo itself would get delivered, and the scammers would contact the original cargo owners to get paid. Then, the company that actually delivered the cargo would contact the company these scammers pretended to be working for, and discover that it had no clue what they were talking about. Apparently, this scam was effective enough to net the scammers over a half-million dollars. Of course, it wasn't effective enough to keep them from getting arrested.

Filed Under: man in the middle, scams, trucking