RFID, GPS Technology and Electronic Surveillance
The Marketing of Internet Spying Boxes to the Feds
March 24, 2010Wired - That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think its means.
Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.
At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.
“If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.The company in question is known as Packet Forensics, which advertised its new man-in-the-middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington, D.C., wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.
According to the flyer:
“Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.”The product is recommended to government investigators, saying:
“IP communication dictates the need to examine encrypted traffic at will.” And, “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”Packet Forensics doesn’t advertise the product on its website, and when contacted by Wired.com, asked how we found out about it. Company spokesman Ray Saulino initially denied the product performed as advertised, or that anyone used it. But in a follow-up call the next day, Saulino changed his stance.
“The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it,” Saulino said. “Our target community is the law enforcement community.”Blaze described the vulnerability as an exploitation of the architecture of how SSL is used to encrypt web traffic, rather than an attack on the encryption itself. SSL, which is known to many as HTTPS, enables browsers to talk to servers using high-grade encryption, so that no one between the browser and a company’s server can eavesdrop on the data. Normal HTTP traffic can be read by anyone in between — your ISP, a wiretap at your ISP, or in the case of an unencrypted Wi-Fi connection, by anyone using a simple packet-sniffing tool.
In addition to encrypting the traffic, SSL authenticates that your browser is talking to the website you think it is. To that end, browser makers trust a large number of Certificate Authorities — companies that promise to check a website operator’s credentials and ownership before issuing a certificate. A basic certificate costs less than $50 today, and it sits on a website’s server, guaranteeing that the BankofAmerica.com website is actually owned by Bank of America. Browser makers have accredited more than 100 Certificate Authorities from around the world, so any certificate issued by any one of those companies is accepted as valid.
To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities — using money, blackmail or legal process — to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.
Technologists at the Electronic Frontier Foundation, who are working on a proposal to fix this whole problem, say hackers can use similar techniques to steal your money or your passwords. In that case, attackers are more likely to trick a Certificate Authority into issuing a certificate, a point driven home last year when two security researchers demonstrated how they could get certificates for any domain on the internet simply by using a special character in a domain name.
“It is not hard to do these attacks,” said Seth Schoen, an EFF staff technologist. “There is software that is being published for free among security enthusiasts and underground that automate this.”China, which is known for spying on dissidents and Tibetan activists, could use such an attack to go after users of supposedly secure services, including some Virtual Private Networks, which are commonly used to tunnel past China’s firewall censorship. All they’d need to do is convince a Certificate Authority to issue a fake certificate. When Mozilla added a Chinese company, China Internet Network Information Center, as a trusted Certificate Authority in Firefox this year, it set off a firestorm of debate, sparked by concerns that the Chinese government could convince the company to issue fake certificates to aid government surveillance.
In all, Mozilla’s Firefox has its own list of 144 root authorities. Other browsers rely on a list supplied by the operating system manufacturers, which comes to 264 for Microsoft and 166 for Apple. Those root authorities can also certify secondary authorities, who can certify still more — all of which are equally trusted by the browser.
The list of trusted root authorities includes the United Arab Emirates-based Etilisat, a company that was caught last summer secretly uploading spyware onto 100,000 customers’ BlackBerries.
Soghoian says fake certificates would be a perfect mechanism for countries hoping to steal intellectual property from visiting business travelers. The researcher published a paper on the risks (.pdf) Wednesday, and promises he will soon release a Firefox add-on to notify users when a site’s certificate is issued from an authority in a different country than the last certificate the user’s browser accepted from the site.
EFF’s Schoen, along with fellow staff technologist Peter Eckersley and security expert Chris Palmer, want to take the solution further, using information from around the net so browsers can eventually tell a user with certainty when they are being attacked by someone using a fake certificate. Currently, browsers warn users when they encounter a certificate that doesn’t belong to a site, but many people simply click through the multiple warnings.
“The basic point is that in the status quo there is no double check and no accountability,” Schoen said. “So if Certificate Authorities are doing things that they shouldn’t, no one would know, no one would observe it. We think at the very least there needs to be a double check.”EFF suggests a regime that relies on a second level of independent notaries to certify each certificate, or an automated mechanism to use anonymous Tor exit nodes to make sure the same certificate is being served from various locations on the internet — in case a user’s local ISP has been compromised, either by a criminal or a government agency using something like Packet Forensics’ appliance.
One of the most interesting questions raised by Packet Forensics’ product is how often do governments use such technology and do Certificate Authorities comply? Christine Jones, the general counsel for Go Daddy — one of the net’s largest issuers of SSL certificates — says her company has never gotten such a request from a government in her eight years at the company.
“I’ve read studies and heard speeches in academic circles that theorize that concept, but we never would issue a ‘fake’ SSL certificate,” Jones said, arguing that would violate the SSL auditing standards and put them at risk of losing their certification.VeriSign, the net’s largest Certiicate Authority, echoes GoDaddy.
“Theoretically it would work, but the thing is we get requests from law enforcement every day, and in entire time we have been doing this, we have never had a single instance where law enforcement asked us to do something inappropriate.”
“Verisign has never issued a fake SSL certificate, and to do so would be against our policies,” said vice president Tim Callan.Matt Blaze notes that domestic law enforcement can get many records, such as a person’s Amazon purchases, with a simple subpoena, while getting a fake SSL certificate would certainly involve a much higher burden of proof and technical hassles for the same data.
Intelligence agencies would find fake certificates more useful, he adds. If the NSA got a fake certificate for Gmail — which now uses SSL as the default for e-mail sessions in their entirety (not just their logins) — they could install one of Packet Forensics’ boxes surreptitiously at an ISP in, for example, Afghanistan, in order to read all the customer’s Gmail messages. Such an attack, though, could be detected with a little digging, and the NSA would never know if they’d been found out.
Despite the vulnerabilities, experts are pushing more sites to join Gmail in wrapping their entire sessions in SSL.
“I still lock my doors even though I know how to pick the lock,” Blaze said.
Undercover Feds on Social Networking Sites Raise Questions
March 16, 2010Wired - The next time someone tries to “friend” you on Facebook, it may turn out to be an undercover fed looking to examine your private messages and photos, or surveil your friends and family. The Electronic Frontier Foundation has obtained an internal Justice Department document that describes what law enforcement is doing on social networking sites.
The 33-page document shows that law enforcement agents from local police to the FBI and Secret Service have been logging on to MySpace and other sites undercover to communicate with suspects, read private postings and view photos and videos that are restricted to a user’s friends.
The document also describes techniques for verifying alibis — such as checking messages posted by a suspect on Twitter disclosing his whereabouts at the time a crime was committed — and uncovering information that might point to illegal activity, such as photos depicting a suspect with expensive jewelry, a new car or even a weapon.
The document says evidence from social networking sites can:
· Reveal personal communications
· Establish motives and personal relationships
· Provide location information
· Prove and disprove alibis
· Establish crime or criminal enterprise
The investigative techniques were part of a slide presentation titled “Obtaining and Using Evidence from Social Networking Sites” (.pdf) given last year by John Lynch, deputy chief of the Justice Department’s Computer Crime and Intellectual Property division to describe how valuable social networking sites can be to give law enforcement access to non-public information. The cops can also map social relationships and networks, among other things. The document does not include guidance or cautionary notes on how to conduct an investigation responsibly using these services, though it acknowledges the problematic nature of using an assumed identity to open an account with a social networking site.
“Can failure to follow [terms of service] render access unauthorized?” the document asks. “If agents violate terms of service, is that ‘otherwise illegal activity’?”Agents who create fake accounts to communicate with suspects under an assumed identity could create a conundrum for the Justice Department, which prosecuted Lori Drew in 2008 for essentially doing the same thing. Drew was charged with computer fraud and abuse for violating MySpace’s terms of service when she conspired with two others to create a fake MySpace account under the identity of a teenage boy in order to communicate with a teenage girl named Megan Meyer.
The account was used to bully Meyer, who then committed suicide. Drew was found guilty of three misdemeanors by a Los Angeles jury, but the judge eventually overturned the convictions on grounds that the federal law was constitutionally vague.
Facebook’s terms of service prohibit users from providing false personal information to the site, as does MySpace.
In the offline world, agents involved in an investigation can’t impersonate a suspect’s spouse, child, parent or best friend, the Associated Press notes. But online they can.
“This new situation presents a need for careful oversight so that law enforcement does not use social networking to intrude on some of our most personal relationships,” said Marc Zwillinger, a former federal prosecutor told the news outlet.The document also discusses the value to prosecutors of using social networking sites to obtain information on the background of defense witnesses, though it cautions that the same sites could be “potential pitfalls” in that defense attorneys could also use them to background prosecution witnesses.
Another document obtained by EFF is a syllabus for a training course for employees of the Internal Revenue Service describing the use of social networking sites and Google Street View to investigate taxpayers (.pdf). The syllabus notes, however, that IRS employees are prohibited from using deception or fake online accounts to obtain information about taxpayers and generally limits employees to using publicly available information.
“In civil matters, employees cannot misrepresent their identities, even on the Internet,” the document states. “You cannot obtain information from websites by registering using fictitious identities.”
No comments:
Post a Comment