Kazakhstan Decides To Break The Internet, Wage All Out War On Encryption

from the mandated-middle-men dept

Starting on January 1, the country of Kazakhstan has formally declared war on privacy, encryption, and a secure Internet. A new law takes effect in the new year that will require all citizens of the country to install a national, government-mandated security certificate allowing the interception of all encrypted citizen communications. In short, the country has decided that it would be a downright nifty idea to break HTTPS and SSL, essentially launching a "man in the middle" attack on every resident of the country.

While it has since been removed, a statement posted to the website of the country's largest ISP KazakhTelecom (Google cache and rather sloppy translation) stated that the ISP was required to intercept encrypted traffic to "secure protection of Kazakhstan users" who have access to encrypted content from "foreign Internet resources":

"The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources...Detailed instructions for installation of security certificate will be placed in December 2015 on site www.telecom.kz.

Of course, such an effort will wind up doing the exact opposite of protecting the country's residents -- instead opening the door to rampant surveillance and potential security vulnerabilities should the certificate fall into the wrong hands. Oddly, while the notice states that all Windows, OS X, iOS and Android devices must adhere to the new law, Linux isn't mentioned, giving privacy conscious residents and journalists ample time to install their Linux distro of choice. Security experts are quick to point out the entire, ham-fisted affair is not only ethically idiotic, but likely impossible to fully implement and enforce:

"There are obvious, myriad ethical issues with this sort of mandated state surveillance," said (Security researcher Kenneth) White. "But I suspect that the political forces pushing these measures have grossly underestimated the technical hurdles and moral backlash that lay before them." "The best case scenario is that the regime will seriously weaken the security of only a subset of their citizens," said White.

Bang up job, team! Last month, Human Rights Watch described Kazakhstan as an authoritarian dictatorship with "few tangible and meaningful human rights." Freedom House, meanwhile, ranks Kazakhstan poorly when it comes to Internet freedom, noting that the country's war on religious extremists has resulted in an increase in Internet filters, a total blockade of Live Journal, intensified surveillance at cybercafes, and a spike in "physical assaults on bloggers and online journalists."

It's easy to dismiss what Kazakhstan is doing as the drunken stumbling of a tin pot dictatorship, until you remember that the UK is proposing something not entirely dissimilar, and both current leading U.S. Presidential candidates dream of waging their own war on encryption and common sense.

Filed Under: encryption, kazakhstan, man in the middle, privacy, security, surveillance

New Leak Shows NSA's Plans To Hijack App Store Traffic To Implant Malware And Spyware

from the a-spy-in-the-house-of-apps dept

Proving there's nowhere spy agencies won't go to achieve their aims, a new Snowden leak published jointly by The Intercept and Canada's CBC News shows the NSA, GCHQ and other Five Eyes allies looking for ways to insert themselves between Google's app store and end users' phones.

The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals…

The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google.

Branded "IRRITANT HORN" by the NSA's all-caps random-name-generator, the pilot program looked to perform man-in-the-middle attacks on app store downloads in order to attach malware/spyware payloads -- the same malicious implants detailed in an earlier Snowden leak.


While the document doesn't go into too much detail about the pilot program's successes, it does highlight several vulnerabilities it uncovered in UC Browser, a popular Android internet browser used across much of Asia. Citizen Lab performed an extensive examination of the browser for CBC News, finding a wealth of exploitable data leaks. [PDF link for full Citizen Lab report]

In addition to discovering that phone ID info, along with geolocation data and search queries, was being sent without encryption, the researchers also found that clearing the app cache failed to remove DNS information -- which could allow others to reconstruct internet activity. Citizen Lab has informed the makers of UC Browser of its many vulnerabilities, something the Five Eyes intelligence agencies obviously had no interest in doing.

But IRRITANT HORN went beyond simply delivering malicious implants to unsuspecting users. The Five Eyes agencies also explored the idea of using compromised communication lines to deliver disinformation and counter-propaganda.

[The agencies] were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.

As is the case with each new leak, the involved agencies have either declined to comment or have offered the standard defensive talking points about "legal framework" and "oversight," but it's hard to believe any legal mandate or oversight directly OK'ed plans to hijack private companies' servers for the purpose of spreading malware and disinformation. And, as is the case with many other spy programs, IRRITANT HORN involves a lot of data unrelated to these agencies' directives being captured and sifted through in order to find suitable targets for backdoors and implants.

Filed Under: app stores, google play, irritant horn, man in the middle, nsa, surveillance
Companies: apple, google

Did Lenovo/Superfish Break The Law?

from the certainly-can-make-an-argument-that-way dept

For many years, it's been something of an open question if creating a major security or privacy vulnerability was illegal. For the most part, courts have ruled that without actual proven harm, it's difficult to show real standing for the sake of a civil lawsuit. In practical terms, this has meant that if you just introduce a massive security risk, without it directly being abused (in a way that people know about), a company's liability is fairly limited. Obviously, that could change quickly if there was an actual abuse. Not surprisingly, class action law firms still love to file these kinds of lawsuits after a major privacy/security breach just in case. So it was totally expected to see a class action firm jump in and sue Lenovo over the Superfish malware that we've been discussing for the past few days.

The folks over at CDT, however, have a very good discussion over whether or not enabling such HTTPS hijacking really is illegal. The article compares the Superfish story to the other recent story about in-flight Wi-Fi provider GoGo doing something similar, and explores whether or not these man-in-the-middle attacks run afoul of Section 5 of the FTC Act, which is the broad rules under which the FTC "protects consumers." The rules basically say companies cannot do things that are "deceptive" or "unfair," but the definitions of both of those words matters quite a bit.

Here's the exploration of whether this kind of man-in-the-middle attack is "deceptive":

At a technical level, these SSL-breaking technologies trick your browser by forging SSL certificates, implying that their service operates encrypted websites like YouTube.com and BankofAmerica.com. In fact, instead of passing encrypted traffic on to the appropriate destination, these technologies enact the previously described “man-in-the-middle attack,” gaining access to potentially sensitive information that should rightly be kept between you and, for example, your bank or health care provider. Though these practices do not directly deceive the end user, they do effectively deceive the user’s software that acts as a “user agent.”  It’s not settled that this is prohibited by deceptive practices authority; in the past, the FTC has been reluctant to pursue deceptive practices cases merely on the grounds of tricking a browser: the FTC declined to pursue companies that issued bogus machine-readable P3P policies to get around Internet Explorer privacy restrictions or against companies that evaded Apple Safari’s default cookie settings in order to place third party cookies.^[3] On the other hand, six state Attorneys General did bring a deceptive practices claim under their own version of Section 5 against companies that tricked Safari browsers into accepting third-party cookies.

Alternatively, the FTC could argue that failure to disclose that encrypted transmissions were being intercepted constituted a material omission — that is, failure to explain the practice would be a deceptive means to prevent a consumer from meaningfully evaluating the product. The FTC has brought a number of cases arguing that failure to disclose highly invasive or controversial practices either in a privacy policy or in clear, upfront language could constitute a deceptive practice.  For instance, the FTC has found that failure to disclose access to your phone’s contact information or precise geolocation could constitute a material omission.

From what I can tell, neither Gogo nor Lenovo went out of their way to tell users about these practices. If anything, Gogo’s privacy policy would lead users to think that their SSL-protected communications were safe from eavesdropping.

For Lenovo, a post to one of its user forums says that users had to agree to the Superfish privacy policy and terms of service. I don’t know what these documents said exactly, though the Superfish documents available on their website say nothing about these practices.  Even if Lenovo had disclosed in fine print what it does, regulators could make the case that SSL interception was so controversial that permission needed to be obtained outside of a boilerplate legal agreement. A service could certainly try to make a value proposition to consumers that some feature was worth the cost of breaking web encryption – but that’s not what happened here.

What about the question of "unfair"? Apparently, the FTC prefers to use "unfair" in the cases it brings, rather than deceptive, so that is the more likely option.

In order to be “unfair” under Section 5, a business practice has to meet three criteria – it must:

1. Cause significant consumer harm,
2. Not be reasonably avoidable by consumers, and
3. Not be offset by countervailing benefits to consumers.

If breaking encryption exposes consumers to significant security vulnerabilities, regulators will likely have a very strong case for an unfairness violation.

On causing significant harm, this seems fairly straightforward in Lenovo’s case: its partner Superfish configured its software to intercept all SSL requests — using the same decryption key across all devices. This key was easily reverse engineered soon after the story broke, meaning that any malicious attacker could use this key to intercept any encrypted communication. That’s a huge security vulnerability, and at least as concerning as several other vulnerabilities that the FTC has previously alleged to have harmed consumers. Gogo’s SSL interception also raised security concerns — it arguably inures users to security warnings and exposes them to attackers posing as Gogo’s network — but the risk is probably not as great as in the Lenovo case. The FTC has brought actions against device manufacturers in the past for weakening security; in its case against phone manufacturer HTC, the FTC alleged that badly designed software that let app developers piggyback on HTC’s access to certain phone functionality without user permission was an unfair business practice.

On the second part of the unfairness test, it’s hard to argue how these practices are avoidable by ordinary consumers. They may have clicked though legalistic agreements, but as far as we can tell, none of these documents made any disclosure about these sorts of tactics — or the vulnerabilities to which they exposed consumers. Certainly, neither Gogo nor Lenovo presented information outside of a legal document where consumers were likely to notice. As a result, consumers weren’t provided with actionable information that they could have used to avoid these problems.

Finally, it’s hard to see that the security vulnerabilities introduced by SSL-interception were outweighed by any benefits to the practice. Gogo used this tactic to block bandwidth-heavy video applications on planes with limited internet access — a worthy goal, but one better accomplished through less destructive means. Lenovo allowed its partner to break encryption in order to view private communications for targeted advertising.  It is doubtful that many consumers would find this trade-off beneficial, even if it lowered prices significantly; in any event, Lenovo claims that they didn’t make much money from its deal with Superfish, and the pre-installed adware was simply designed to improve the user experience. Since exposure of these practices, both companies have backtracked and ended use of the encryption-breaking technologies.

But there's a much bigger question: will the FTC actually bother? The fact that Lenovo reacted pretty quickly to this mess probably suggests that the FTC may not bother. Yes, Lenovo's initial reaction wasn't great, but it did change its tune within less than 48 hours, and has been pretty vocal and active in apologizing and fixing things since then. That may be enough reason for the FTC to think it's not necessary to go after the company. Of course, it may feel differently about Superfish itself -- since that company still denies there's any problem and basically refuses to admit its role in this whole mess. It's still standing by its bogus statement that it did nothing wrong and claiming that Lenovo will clear things up -- even as Lenovo has clearly said otherwise.

Filed Under: deceptive, ftc, https, malware, man in the middle, section 5, unfair
Companies: komodia, lenovo, superfish

Thought Komodia/Superfish Bug Was Really, Really Bad? It's Much, Much Worse!

from the getting-worse-by-day dept

With each passing day, it appears that new revelations come out, detailing how the Komodia/Superfish malware is even worse than originally expected. If you don't recall, last week it came out that Lenovo was installing a bit of software called "Superfish" as a default bloatware on a bunch of its "consumer" laptops. The software tried to pop up useful alternative shopping results for images. But in order to work on HTTPS-encrypted sites, Superfish made use of a nasty (and horribly implemented) "SSL hijacker" from Komodia, which installed a self-signed root certificate that basically allowed anyone to issue totally fake security certificates for any encrypted connection, enabling very easy man-in-the-middle attacks. Among the many, many, many stupid things about the way Komodia worked, was that it used the same certificate on each installation of Superfish, and it had an easily cracked password: "komodia" which was true on apparently every product that used Komodia. And researchers have discovered that a whole bunch of products use Komodia, putting a ton of people at risk. People have discovered at least 12 products that make use of Komodia.

But it gets worse. Filippo Valsorda has shown that you didn't even need to crack Komodia's weak-ass password to launch a man-in-the-middle attack, but its SSL validation is broken, such that even if Komodia's proxy client sees an invalid certificate, it just makes it valid. Seriously.

At this point a legit doubt is: what will the Komodia proxy client do when it sees a invalid/untrusted/self-signed certificate? Because copying it, changing its public key and signing it would turn it into a valid one without warnings.

Turns out that if a certificate fails validation the Komodia proxy will still re-sign it (making it trusted), but change the domain name so that a warning is triggered in the browser.

Okay, but at least there's a warning, right? Well, no, because... as Valsorda notes, there's another horrible part of the implementation that gets around this: alternative names.

The Komodia proxy copies the server certificate almost entirely... What will it do with alternative names?

Alternative names are a X509 extension that allows to specify in a special field other domains for which the certificate is valid.

Boom. The Komodia proxy will take a self-signed certificate, leave the alternate names untouched and sign it with their root. The browser will think it's a completely valid certificate.

So all you need to do to bypass verification is put the target domain in the alternate field, instead of in the main one that will be changed on failure.

An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.

As Valsorda points out, because of this, attackers don't even need to know which Komodia-compromised software you're running. They can just fuck with them all.

Thought we were done with how bad this is? Nope. Not yet.

Because another security researcher, going by the name @TheWack0lian, found that Komodia uses a rootkit to better hide itself and make it that much harder to remove.

Komodia appears to have implemented its system in the worst way possible, and a whole bunch of companies agreed to use its product without even the slightest recognition of the fact that they punched a massive vulnerability into the computers of everyone who used their products. What's really stunning is that many of these products actually pitch themselves as "security" products to better "protect" your computer.

Filed Under: alternate domains, https, komodia, man in the middle, root certificate, rootkit, superfish
Companies: komodia, superfish

Lenovo In Denial: Insists There's No Security Problem With Superfish -- Which Is Very, Very Wrong.

from the so-long-and-thanks-for-all-the-superfish dept

Late last night, people started buzzing on Twitter about the fact that Lenovo, makers of the famous Thinkpad laptops, had been installing a really nasty form of adware on those machines called Superfish. Many news stories started popping up about this, again, focusing on the adware. But putting adware on a computer, while ethically questionable and a general pain in the ass, is not the real problem here. The problem is that the adware in question, Superfish, has an astoundingly stupid way of working that effectively allows for a very easy man in the middle attack on any computer with the software installed, making it a massive security hole that is insanely dangerous.

Lenovo's response? Basically to shrug its shoulders and say it doesn't understand why anyone's that upset. This is because whoever wrote Lenovo's statement on this is completely clueless about computer security.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

Bullshit. That's really the only response that should be said to that line. Lenovo focuses on the reasons why many people normally hate adware: that it tracks what you're doing and sends info back to third parties. That's not what Superfish does, so Lenovo doesn't see what the big deal is. Superfish, which was just recently ranked 64th by Forbes in its list of "Most Promising American Companies," tries to watch what you're surfing, and when you see certain images, the service injects other offerings for similar (or the same) products. In theory, if one chose to use such a product, you could see why it could be useful. But automatically putting it on computers is a different thing all together.

The real problem is in how Superfish deals with HTTPS protected sites. Since, in theory, it shouldn't be able to see the images on those sites, it appears that Superfish came up with what it must have believed was a clever workaround: it just installs a root HTTPS certificate, that it signs itself, to pretend that any HTTPS page you're visiting is perfectly legitimate. For many years, we've pointed out why the HTTPS system with certificate authorities is open to a giant man in the middle attack via any certificate authority willing to grant a fake certificate -- and here we basically have Lenovo enabling this questionable company to go hogwild with this exact kind of MITM attack. Basically, EVERY SINGLE HTTPS SITE that you visit was a victim of this kind of MITM attack -- solely for the purpose of interjecting Superfish ads. In fact, some have suggested it could apply to VPNs as well. Basically this is a massively dangerous security hole with wide ranging implications. And Lenovo says they don't see why.

And, even beyond that, it's implemented incredibly stupidly -- in a way that is ridiculously dangerous. That's because it appears that the private key use for the Superfish certificate is the same on basically every install of this software. And it didn't take very long at all for security folks, such as Robert Graham, to crack the password, meaning that it's now incredibly easy to get access to information someone thinks is encrypted. As Graham notes, the password is "komodia" which just so happens to also be the name of a company that "redirects" HTTPS traffic (for spying on kids and such).

This is a massive and ridiculous security threat, and Lenovo is completely brushing it off as nothing big. As many have noted, people have been complaining about the adware components of the software for months now, and Lenovo announced that it was stopping installs, because some people didn't like the way the software created popups and such -- but with no mention of the massive security problems. And, even now, the company doesn't seem willing to admit to them.

Furthermore, the company doesn't even seem willing to say what machines it installed them on, or provide people with instructions on how to protect themselves (simply uninstalling Superfish won't do it). This is a huge mess. I've personally been a very loyal Lenovo Thinkpad customer for years, having bought many, many laptops. In fact, just a couple months ago -- right in the middle of the period of when Superfish was being preloaded -- I bought a new Thinkpad laptop, though it appears that mine is not one that includes Superfish. Still, Lenovo created a huge and dangerous mess, and they don't seem to recognize it at all. This kind of fuck up is much worse than the whole Sony rootkit thing from a decade or so ago, and as with Sony then, Lenovo doesn't seem to have the slightest clue of just how badly it has put people at risk.

It doesn't take much to kill off tremendous goodwill and trust, and Lenovo may have just done so with it's pitiful reaction here. It's one thing for Lenovo to have made the stupid decision to install this kind of adware/bloatware. It's a second thing to not realize the security implications of it. However, it's another thing entirely, once it's been pointed out to Lenovo to then deny that this is a security risk. Lenovo screwed up big time here, and mostly in the way it's responded to the mess it created.

Filed Under: adware, certificate authority, concerns, https, man in the middle, privacy, security, superfish, tls
Companies: komodia, lenovo, superfish

China Using Man-In-The-Middle Attack Against Google

from the now,-where-did-they-get-that-idea? dept

One of the most shocking revelations from the Snowden documents was that the NSA and GCHQ are running "man-in-the-middle" (MITM) attacks against Google -- that is, impersonating the company's machines so as to snoop on encrypted traffic to them. They are able to do that through the use of secret servers, codenamed Quantum, placed at key places on the Internet backbone, which therefore require the complicity of the telecom companies. Of course, in countries like China, arranging for Internet streams to be intercepted in this way is even easier, so perhaps the following story on greatfire.org should come as no surprise:

From August 28, 2014 reports appeared on Weibo and Google Plus that users in China trying to access google.com and google.com.hk via CERNET, the country's education network, were receiving warning messages about invalid SSL certificates. The evidence, which we include later in this post, indicates that this was caused by a man-in-the-middle attack.

Greatfire.org's analysis of why China is using MITM attacks against Google on the education network, rather than simply blocking access completely, is particularly interesting. The problem for the Chinese authorities is that Google has now implemented HTTPS by default:

Google enforced HTTPS by default on March 12, 2014 in China and elsewhere. That means that all communication between a user and Google is encrypted by default. Only the end user and the Google server know what information is being searched and returned. The Great Firewall, through which all outgoing traffic from China passes, only knows that a user is accessing data on Google’s servers -- not what that data is. This in turn means that the authorities cannot block individual searches on Google -- all they can do is block the website altogether. This is what has happened on the public internet in China but has not happened on CERNET.

The reason is that access to Google is simply too important for the research community in China. Blocking Google entirely would therefore be counterproductive for the country's future:

The authorities know that if China is to make advances in research and development, if China is to innovate, then there must be access to the wealth of information that is accessible via Google. CERNET has long been considered hands off when it comes to censorship, for this very reason.

The MITM approach offers the perfect solution: it allows researchers to get most of the benefit of Google's huge Internet index, but can be used to block selective search queries or results when people try to access sites or information that Chinese authorities want to censor. As the Greatfire.org post suggests, the increasing use of encrypted connections for online services means that MITM attacks are likely to become much more common -- and not just in China.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: attacks, blocking, censorship, china, man in the middle, mitm

DOJ Describes Its Use Of Malware As 'Augmenting Content' As It Pushes For Great Ability To Hack Computers

from the augment-that-content dept

Over at the Wall Street Journal, there's a good article about the DOJ's push for greater powers to use malware and to hack into computers in pursuit of criminals. The key issue, as the DOJ sees it, is that it normally needs a warrant from a local judge in order to make use of a malware exploit -- and when you're talking about networked computers, it's not always clear what's local. Thus, at least one warrant request for installing malware has been rejected over privacy concerns when the physical location of a computer was unknown (other courts, however, have approved such warrants). Given that, the DOJ is seeking to expand the rules making it easier to use malware (and to use it across multiple computers, rather than just a single computer per warrant).

The article points to a massive 402 page document to the rule making body of the courts, in which it explains how it has used malware to find criminal suspects. Of course, this is the DOJ that we're talking about, so it's not going to come right out and say "hey, here's the malware we used and how we use it." Instead, as noted by the ACLU's Christopher Soghoian, the DOJ hides its description of malware on page 201 (smack dab in the middle of such a giant document) in a single paragraph using some rather incredible language:

In the normal course of operation, websites send content to visitors. A user's computer downloads that content and uses it to display web pages on the user's computer. Under the NIT authorized by this warrant, the website would augment that content with some additional computer instructions. When a computer successfully downloads those instructions from Website A, the instructions are designed to cause the "activating" computer to deliver certain information to a computer controlled by or known to the government. That information is described with particularity on the warrant (in Attachment B of this affidavit), and the warrant authorizes obtaining no other information. The NIT will not deny the user of the "activating" computer access to any data or functionality of that computer.

As Soghoian notes, if you blink, you might miss it. The DOJ calls its malware insertion man-in-the-middle attack by describing it as "augmenting" the content sought by the user "with some additional computer instructions." That's certainly one way to look at it, but you have to assume that less than technologically savvy judges aren't likely to understand what this means at all.

Filed Under: augmenting content, doj, legal authority, malware, man in the middle, warrants

NSA Aiming To Infect 'Millions' Of Computers Worldwide With Its Malware; Targets Telco/ISP Systems Administrators

from the so,-telco-sys-admins-are-now-'national-security-threats'-or-did-I-miss-t dept

The NSA is still working hard to make the world's computer usage less safe. The latest leak published by The Intercept shows the agency plans to infect "millions" of computers worldwide with malware, making it easier for the NSA to harvest data and communications from these compromised machines.

The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.

The methods detailed include the agency masquerading as a Facebook server and sending out laced spam emails in order to subvert users' computers and give the NSA access to local files as well as control of webcams and microphones. Not only does the agency actively work to delay bug fixes in order to exploit systems, but its ongoing malware mission ensures that using a computer and/or accessing the web will always be more dangerous than it should be.

Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm F-Secure, calls the revelations “disturbing.” The NSA’s surveillance techniques, he warns, could inadvertently be undermining the security of the Internet.

“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”

The NSA has argued previously that its malware targets are strictly national security threats. But the evidence provided here undermines this defense of NSA malware deployment.

In one secret post on an internal message board, an operative from the NSA’s Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator’s computer, the agency can gain covert access to communications that are processed by his company. “Sys admins are a means to an end,” the NSA operative writes.

The internal post – titled “I hunt sys admins” – makes clear that terrorists aren’t the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any “government official that happens to be using the network some admin takes care of.”

The Intercept's report notes that the GCHQ has deployed similar tactics, hacking into computers owned by Belgacom system engineers. The malware attacks go far beyond end user computers, targeting routers and setting the agency up for man-in-the-middle attacks (something that has become far more necessary as fewer and fewer people actually open, much less click links in spam email). The NSA may view this all as fair game -- a means to an end -- but the ugly truth is that the agency's malware/hacking attempts are not limited to threats, but rather any person/service it believes can offer access to even more communications and data. At this point, the only thing slowing the agency down is the audacious size of its undertaking.

“One of the greatest challenges for active SIGINT/attack is scale,” explains the top-secret presentation from 2009. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).”

The program -- utilizing the previously discussed TURBINE (part of the agency's TAO - Tailored Access Operations), as well as several other NSA tools like SECONDDATE and WILLOWVIXEN -- is aimed at "Owning the Internet" according to the leaked documents. This internet "ownership" ultimately belongs to the American public, whether they want it or not -- the price tag (according to the leaked Black Budget) was $67.6 million last year. As the scope continues to broaden, the budget will expand as well. The end result is the US public funding the weakening of security standards and encryption worldwide, all in the name of "national security."

At this point, neither agency named (GCHQ, NSA) has offered anything more than canned "in accordance with policy/applicable laws" text in response to the latest leaks. (Only the GCHQ has responded so far.) The NSA may try pass these efforts off as "targeting" foreign subjects, deliberately ignoring the facts that the internet has no real borders, and that undermining the security of users worldwide -- no matter what the stated "goal" -- makes the computing world less safe for everyone involved, including domestic end users.

Filed Under: attacks, gchq, infections, malware, man in the middle, nsa, own the web, privacy, seconddate, turbine, willowvixen
Companies: facebook

GCHQ Used Fake Slashdot Page To Install Malware To Hack Internet Exchange

from the is-nothing-sacred? dept

Back in September, it was reported that the UK's equivalent of the NSA, GCHQ, had gleefully hacked Belgacom, the Belgian telco, using a "quantum insert" to plant malware on the computers of key engineers at the company. At the time, it was described as follows:

According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides.

Over the weekend it appears that Der Spiegel published a further report by Laura Poitras on this hacking, which revealed that the spoofed websites used to install this malware were none other than Slashdot and Linkedin. Interesting choices. So, it sounds like they did a man-in-the-middle attack, redirecting very specific visitors from those two sites to sites that planted malware instead. I wonder if LinkedIn (which is already involved in a lawsuit over the NSA stuff) and Slashdot have any legal basis to go after the government for effectively attacking their servers?

Update: Nicholas Weaver explains what happened in much more detail. It's not a fake page, but a packet injection attack.

Filed Under: gchq, malware, man in the middle, quantum insert, slashdot, surveillance
Companies: belgacom

How The NSA Pulls Off Man-In-The-Middle Attacks: With Help From The Telcos

from the but-of-course dept

We already covered the latest Guardian report on the NSA and GCHQ's attempts to compromise Tor. While those have failed to directly break Tor, they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users. Bruce Schneier has a more focused article on how those attacks worked, and as a part of that, detailed how the NSA and GCHQ are effectively able to do man-in-the-middle attacks on giant websites, something that is really only possible because of the major telcos letting the NSA put servers directly off the backbone. As we noted last month, buried in one of the earlier Snowden leaks was the news that the GCHQ and NSA were likely running man-in-the-middle attacks on Google. The latest leaks show why those work. As Schneier explains:

To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.

In the academic literature, these are called "man-on-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".

Schneier also notes that this is basically the same technique the Chinese have used for their Great Firewall. In other words, the complicit nature of the telcos in basically giving the NSA and GCHQ incredibly privileged access to the backbone is part of what allows them to conduct those kinds of man-in-the-middle attacks. It still amazes me that there isn't more outrage over the role of the major telcos in all of this. The other interesting thing about the FoxAcid servers is that it's basically a system that gives the NSA a rotating menu of ways to exploit a visitor who gets hooked on one of their servers. It also notes that the NSA is pretty careful about how it uses various exploits, such that "low-value exploits" are used against more technically sophisticated targets, recognizing that they're more likely to be discovered, and thus burned. They save the "most valuable exploits" for less technically savvy targets, and also the most important targets. This is hardly surprising, but interesting to see the level with which they plan these things out.

Filed Under: exploits, foxacid, gchq, man in the middle, nsa, nsa surveillance, quantum, surveillance, telcos, tor