In a recent post on Privacy Digest, and an article in the NYTimes, there is a discussion of some major and well known vulnerabilities in the global public key infrastructure (PKI) and some examples of exploitations of that vulnerability.

The issue is with the proliferation of certificate authorities on the Internet, and the low level of oversight on their policies.

Using the web as an example, here is how it works. Embedded in every browser is a list of “certificate authorities”. These are companies that are deemed trustworthy to issue and sign website certificates. Website certificates are what allows websites to be authenticated by your browser and enables SSL based secure connections (e.g. to your bank).

These certificate authorities may also be able to delegate their certificate signing authorities to other secondary certificate authority organizations. The list of primary certificate authorities in your browser is long (I count 43 in my copy of Firefox), and who knows how many secondary certificate authorities may be out there. These certificate authorities exist all over the world, and any of them can issue a certificate that your browser will accept as valid.

A malevolent certificate authority could issue certificates to allow them to impersonate any secure website.

The articles talk specifically about a secondary certificate authority called Etisalat, located in the UAE. They created a certificate which allowed them to sign code which would be accepted as valid and authorized by BlackBerry cell phones. They then created and distributed software to about 100,000 users which enabled government surveillance of the devices. RIM, the maker of BlackBerry, was able to detect and patch this introduced back door.

Etisalat could create certificates to allow the UAE to intercept and read all secure web traffic traveling over networks within that country.

It is likely that there are many other certificate authorities that are similarly willing to compromise the security of the PKI for various ends. To date, no action has been taken against Etisalat. The EFF is calling for Verizon to revoke Etisalat’s ability to issue certificates (Verizon is the primary authority that delegated to Etisalat as the secondary).

Read this post from IntelFusion. It makes a very strong case for why I worry about any privacy system run by operators you can’t really trust, investigate, and verify. In this case it is an investigation of Glype servers. They can be configured to do significant logging, and the author has been able to remotely retrieve the logs from many of the Glype servers. The results show many users from within sensitive US Government organizations and would provide the ability for an attacker to gather all kinds of useful intelligence to find soft targets to exploit.

On the personal privacy side, it is an easy way for attackers to intercept usernames, passwords, travel plans, personal information and more for use in, identity theft, burglary, and hacking among other things.

Video: Hacker war drives San Francisco cloning RFID passports – Engadget

The law of unintended consequences strikes again. In an attempt to improve national security, the U.S. Government has been pushing hard for the widespread adoption of RFID tags in passports around the world. They are already in U.S. passports. The problem is that they are easily scanned from a distance (as shown in the video), and can be cloned. If the RFID chip in the passport is trusted by the authorities, then the security situation is actually worse, not better. Getting real passport information from someone used to be hard. It generally involved actually stealing the passport. With the scanner, one could produce large numbers of clones while simply standing around the airport with the antenna in ones roller luggage (staying out side of security).

The long range readable RFID tags also make possible all kinds of other tracking and identification. The video talks about correlating personal information from RFID enabled credit cards with the passport number to produce even better fakes.

Distribution of such devices around a city would provide much better and more accurate and automated tracking of a population than cameras with their resolution, and facial recognition issues.

Before the Gunfire, Cyberattacks – NYTimes.com I held off a while before blogging about this to see a bit of the analysis come in after the initial flush of opinion. It seems clear that a cyber attack of some kind did take place against Georgia. It also seems clear that it was Russian in origin. It further seems clear that it was timed to coincide with the Russian land assault. It is an interesting characteristic of cyber warfare that it is almost impossible to determine if this was actually government controlled, directed, sponsored, or simply a independent sympathetic effort. It is hard to rule out a scenario like support from patriotic cyber criminal organizations. There is at least some evidence that such a scenario played at least some part in the attack. Because Georgia is such a minimally wired country, the actual impact of the attacks was negligible. I would assume there are few significant connections between Georgia and the rest of the Internet. If so, they should have been able to unplug from the rest of the net while deciding how to react. A country like the US or a nation in Europe or much of Asia would be much harder pressed  to disconnect because of the tremendous diversity of international interconnections. Such countries are also much more vulnerable because they rely on the Internet for many critical functions. Additionally, enormous economic damage would result from such an attack.

Bruce Schneier’s Security Matters: The Myth of the ‘Transparent Society’This is a nice little article arguing against the idea of Brin’s Transparent Society as a solution to the privacy problem. I suspect David Brin would object to the characterization of his work as presenting it as a panacea, but many do so argue.Bruce argues that the relative power disparity makes for un-equal results in the two direction of observation. From my perspective, the idea of enabling the public to watch the government surveillance apparatus is completely unrealistic. It would enable our enemies (and as a nation the US does have real enemies) to reverse engineer and avoid our surveillance. The best one can realistically hope for is very rigorous oversight (which has also seemed unrealistic of late).At the same time the spread of cameras, facial recognition, RFID, etc., is rapidly increasing the level of surveillance of the general population. The only place where observation and recording by the people seems to be really effective is in issues of corruption or abuse of power. Rodney King being an obvious (and ambiguous) example.