The Brazilian television show “Fantastico” exposed an NSA training presentation that discusses how the agency runs man-in-the-middle attacks on the Internet. The point of the story was that the NSA engages in economic espionage against Petrobras, the Brazilian giant oil company, but I’m more interested in the tactical details.
The video on the webpage is long, and includes what I assume is a dramatization of an NSA classroom, but a few screen shots are important. The pages from the training presentation describe how the NSA’s MITM attack works:
However, in some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route — on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.
Documents from GCHQ’s “network exploitation” unit show that it operates a program called “FLYING PIG” that was started up in response to an increasing use of SSL encryption by email providers like Yahoo, Google, and Hotmail. The FLYING PIG system appears to allow it to identify information related to use of the anonymity browser Tor (it has the option to query “Tor events“) and also allows spies to collect information about specific SSL encryption certificates.
It’s that first link — also here — that shows the MITM attack against Google and its users.
Another screenshot implies is that the 2011 DigiNotar hack was either the work of the NSA, or exploited by the NSA.
Here’s another story on this.
Posted on September 13, 2013 at 6:23 AM •
Assume it’s really true that the NSA has no idea what documents Snowden took, and that they wouldn’t even know he’d taken anything if he hadn’t gone public. The fact that abuses of their systems by NSA officers were largely discovered through self-reporting substantiates that belief.
Given that, why should anyone believe that Snowden is the first person to walk out the NSA’s door with multiple gigabytes of classified documents? He might be the first to release documents to the public, but it’s a reasonable assumption that the previous leakers were working for Russia, or China, or elsewhere.
Posted on August 29, 2013 at 1:13 PM •
Really good article by Susan Landau on the Snowden documents and what they mean.
Posted on August 22, 2013 at 6:54 AM •
Former NSA director Michael Hayden lists three effects of the Snowden documents:
- “…the undeniable operational effect of informing adversaries of American intelligence’s tactics, techniques and procedures.”
- “…the undeniable economic punishment that will be inflicted on American businesses for simply complying with American law.”
- “…the erosion of confidence in the ability of the United States to do anything discreetly or keep anything secret.”
It’s an interesting list, and one that you’d expect from a NSA person. Actually, the whole essay is about what you’d expect from a former NSA person.
- This, I agree, is actual damage. From what I can tell, Snowden has done his best to minimize it. And both the Guardian and the Washington Post refused to publish materials he provided, out of concern for US national security. Hayden believes that both the Chinese and the Russians have Snowden’s entire trove of documents, but I’m less convinced. Everyone is acting under the assumption that the NSA has compromised everything, which is probably a good assumption.
- Hayden has it backwards — this is good. I hope that companies that have cooperated with the NSA are penalized in the market. If we are to expect the market to solve any of this, we need the cost of cooperating to be greater than the cost of fighting. If we as consumers punish companies that have complied with the NSA, they’ll be less likely to roll over next time.
- In the long run, this might turn out to be a good thing, too. In the Internet age, secrecy is a lot harder to maintain. The countries that figure this out first will be the countries that do well in the coming decades.
And, of course, Hayden lists his “costs” without discussing the benefits. Exposing secret government overreach, a secret agency gone rogue, and a secret court that’s failing in its duties are enormously beneficial. Snowden has blown a whistle that long needed blowing — it’s the only way can ever hope to fix this. And Hayden completely ignores the very real question as to whether these enormous NSA data-collection programs provide any real benefits.
I’m also tired of this argument:
But it takes a special kind of arrogance for this young man to believe that his moral judgment on the dilemma suddenly trumps that of two (incredibly different) presidents, both houses of the U.S. Congress, both political parties, the U.S. court system and more than 30,000 of his co-workers.
It’s like President Obama claiming that the NSA programs are “transparent” because they were cleared by a secret court that only ever sees one side of the argument, or that Congress has provided oversight because a few legislators were allowed to know some of what was going on but forbidden from talking to anyone about it.
Posted on July 24, 2013 at 2:52 PM •
Edward Snowden has set up a dead man’s switch. He’s distributed encrypted copies of his document trove to various people, and has set up some sort of automatic system to distribute the key, should something happen to him.
Dead man’s switches have a long history, both for safety (the machinery automatically stops if the operator’s hand goes slack) and security reasons. WikiLeaks did the same thing with the State Department cables.
“It’s not just a matter of, if he dies, things get released, it’s more nuanced than that,” he said. “It’s really just a way to protect himself against extremely rogue behavior on the part of the United States, by which I mean violent actions toward him, designed to end his life, and it’s just a way to ensure that nobody feels incentivized to do that.”
I’m not sure he’s thought this through, though. I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released. Any real-world situation involves multiple adversaries, and it’s important to keep all of them in mind when designing a security system.
Posted on July 18, 2013 at 8:37 AM •
Good article on the longstanding practice of secretly tapping undersea cables.
This is news right now because of a new Snowden document.
Posted on July 17, 2013 at 12:03 PM •
This study concludes that there is a benefit to forcing companies to undergo privacy audits: “The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading.”
Posted on July 9, 2013 at 12:17 PM •
“Empirical Analysis of Data Breach Litigation,” Sasha Romanosky, David Hoffman, and Alessandro Acquisti:
Abstract: In recent years, a large number of data breaches have resulted in lawsuits in which individuals seek redress for alleged harm resulting from an organization losing or compromising their personal information. Currently, however, very little is known about those lawsuits. Which types of breaches are litigated, which are not? Which lawsuits settle, or are dismissed? Using a unique database of manually-collected lawsuits from PACER, we analyze the court dockets of over 230 federal data breach lawsuits from 2000 to 2010. We use binary outcome regressions to investigate two research questions: Which data breaches are being litigated in federal court? Which data breach lawsuits are settling? Our results suggest that the odds of a firm being sued in federal court are 3.5 times greater when individuals suffer financial harm, but over 6 times lower when the firm provides free credit monitoring following the breach. We also find that defendants settle 30% more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit. While the compromise of financial information appears to lead to more federal litigation, it does not seem to increase a plaintiff’s chance of a settlement. Instead, compromise of medical information is more strongly correlated with settlement.
The full paper is available by using the one-click download button.
Posted on March 27, 2012 at 6:46 AM •
Reuters discovered the information:
The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published.
The company, unsurprisingly, is saying nothing.
VeriSign declined multiple interview requests, and senior employees said privately that they had not been given any more details than were in the filing. One said it was impossible to tell if the breach was the result of a concerted effort by a national power, though that was a possibility. “It’s an ugly, slim sliver of facts. It’s not enough,” he said.
The problem for all of us, naturally, is if the certificate system was hacked, allowing the bad guys to forge certificates. (This has, of course, happened before.)
Are we finally ready to accept that the certificate system is completely broken?
Posted on February 3, 2012 at 10:49 AM •
Sidebar photo of Bruce Schneier by Joe MacInnis.