CAT | Internet
Another from the “if the data exists, it will get compromised” file.
This article from the Washington Post talks about an interesting case of counter surveillance hacking.
In 2010, Google disclosed that Chinese hackers breached Google’s servers. What only recently came to light was that one of the things compromised was a database containing information about government requests for email records.
Former government officials speculate that they may have been looking for indications of which of their agents had been discovered. If there were records of US government requests for information on any of their agents, it would be evidence that those agents had been exposed. This would allow the Chinese to shut down operations to prevent further exposure and to get those agents out of the country before they could be picked up.
I had not thought about subpoenas and national security letters being a counter intelligence treasure trove, but it makes perfect sense.
Because Google / Gmail are so widely used, they present a huge and valuable target for attackers. Good information on almost any target is likely to live within their databases.
Wired reports on a move by the Japanese government to ask websites to block users who “abuse” TOR.
I assume that TOR is being used as an example, and it would apply to any secure privacy tool.
The interesting question is whether this is simply a foot in the door on the way to banning anonymity, or at least making its use evidence of evil intent.
Currently, public privacy services make little effort to hide themselves. Traffic from them is easily detected as being from an anonymity system. If blocking becomes common, many systems may start implementing more effective stealth systems, which would make filtering anonymity for security reasons even harder.
The Register has an article on Firefox black listing an SSL Certificate authority.
Certificates and certificate authorities are the underpinnings of our secure web infrastructure.
When you see the lock on your browser, it means that the session is encrypted and the site has presented a valid site certificate (so it is who it claims to be).
That site certificate is signed by one of many certificate authorities.
I see 86 certificate issuing authorities in my Firefox now.
Many of those certificate authorities have multiple signing certificates.
Additionally the certificate authorities can delegate to subordinate certificate authorities to sign site certificates.
Any certificate signed by any of these authorities or subordinate authorities is recognized as valid.
These entities are located all over the world, many under the control of oppressive governments (however you define that).
Certificate authorities can create certificates to enable man in the middle attacks, by signing keys purporting to be for a given website, but actually created and held by some other entity.
There are plugins like certificate patrol for Firefox that will tell you when a site you have visited before changes certificates or certificate authorities. Unfortunately this happens fairly frequently for legitimate reasons, such as when renewing certificates every year or few years.
Some certificate authorities are known or suspected to be working with various law enforcement entities to create false certificate for surveillance.
Here is how it works:
The government has certificate authority create a new certificate for a website.
The government then intercepts all sessions to that site with a server (at national level routers for example).
The server uses real site certificate to communicate with the real website securely.
The server uses the new fake certificate to communicate with user securely.
The server then has access to everything in the clear as it shuttles data between the two secure connections..
It can read and/or modify anything in the data stream.
Firefox is removing TeliaSonera’s certificate authority from the list in Firefox for this reason. Going forward no certificate issued by them will be recognized as valid. This will impact a large number of legitimate websites that have contracted with TeliaSonera, as well as preventing the fake certificates.
There is a lot of controversy about this. What is appropriate cooperation with law enforcement vs. supporting and enabling dictators.
In any case, this is a failure of the protocol. If the browser shows a certificate as valid when it has not come from the real website, then there has been a security failure.
The SSL key infrastructure is showing its age. It was “good enough” when there were only one or two certificate authorities and the certificates were not actually protecting anything of great importance. Now everyone relies heavily on the security of the web. Unfortunately, while it is broken, it is very hard to replace.
In the short term, installing a certificate checker like certificate patrol is probably a good idea, despite the number of false positives you will see.
In the longer term, there is a really hard problem to solve.
According to the Telegraph, the UK government is instituting a code of conduct for public WiFi which would require blocking of pornography to protect kids.
I see a couple of problems here.
1) Porn proliferates very quickly, so the blocking is likely to always be behind the curve, and kids are really good at getting around these kinds of blocks.
2) Some people will feel that things are allowed that should be blocked.
3) Inevitably legitimate websites will be blocked. A common example is breast feeding web sties, which frequently get caught in these kinds of nets.
4) Implementing this requires active monitoring of the activity on the WiFi which generally enables other kinds of surveillance.
Most home networks don’t have filtering on the whole network, so kids at home would be exposed to raw Internet. The standard is generally to filter at the end device. It seems to me that would be the best option here.
Parents could choose exactly the blocking technology and philosophy they want to have applied, and it does not impact anyone else.
Cnet reports that an internal DEA document reveals that the DEA are unable to intercept text messages sent over Apple’s iMessage protocol.
The protocol provides end to end encryption for messages between iOS and Mac OS X devices.
This is not to suggest that the encryption in iMessages is particularly good, but to contrast with standard text messages and voice calls which are completely unprotected within the phone company’s networks.
It appears that an active man in the middle attack would be able to thwart the encryption, but would be significantly more effort. The lack of any kind of out of band channel authentication suggests that such an attack should not be too difficult.
If you really need to protect your chat messages, I suggest using a tool like Silent Text. They take some steps that make man in the middle attacks almost impossible.