How The NSA Pulls Off Man-In-The-Middle Attacks: With Help From The Telcos

from the but-of-course dept

We already covered the latest Guardian report on the NSA and GCHQ's attempts to compromise Tor. While those have failed to directly break Tor, they were more successful at exploiting vulnerabilities in Firefox to target certain Tor users. Bruce Schneier has a more focused article on how those attacks worked, and as part of that he details how the NSA and GCHQ are able to run man-in-the-middle attacks against giant websites, something that is really only possible because the major telcos let the NSA put servers directly on the backbone. As we noted last month, buried in one of the earlier Snowden leaks was the news that the GCHQ and NSA were likely running man-in-the-middle attacks on Google. The latest leaks show why those attacks work. As Schneier explains:

To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.

In the academic literature, these are called "man-in-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA-developed attack technology named QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".

Schneier also notes that this is basically the same technique the Chinese have used for their Great Firewall. In other words, the telcos' complicity in giving the NSA and GCHQ such privileged access to the backbone is a large part of what lets them conduct these man-in-the-middle attacks. It still amazes me that there isn't more outrage over the role of the major telcos in all of this.

The other interesting thing about the FoxAcid servers is that they are essentially a system that gives the NSA a rotating menu of ways to exploit a visitor who gets hooked by one of them. Schneier's article also notes that the NSA is pretty careful about how it uses its exploits: "low-value exploits" go to more technically sophisticated targets, on the reasoning that those exploits are more likely to be discovered and thus burned, while the "most valuable exploits" are saved for less technically savvy targets and for the most important targets. This is hardly surprising, but it is interesting to see how carefully they plan these things out.
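The race described above has a footprint a defender can look for. A man-on-the-side injector cannot suppress the real server's reply; it can only try to arrive first, so a passive sensor near the client sees two payload-bearing segments on the same flow that claim the same TCP sequence number but disagree on their bytes, typically a few milliseconds apart and often with different IP TTLs, since the injector sits at a different hop distance than the origin. The following is an added example, my own code and not from the Techdirt article, Schneier's post, or the leaked documents: a small detector that applies that heuristic. It assumes a simplified `Segment` record in place of a real pcap parser, and the sample capture (RFC 5737 documentation addresses, invented hostnames, invented timings) is constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A flow is identified by the sender and receiver endpoints of the segment.
Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a passive sensor sees it (the fields a pcap parser would fill in)."""
    ts: float        # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int         # sequence number of the first payload byte
    ttl: int         # IP TTL on arrival
    payload: bytes


@dataclass(frozen=True)
class Alert:
    flow: Flow
    seq: int
    first: Segment   # segment that won the race
    second: Segment  # later segment with the same seq but different bytes
    dt_ms: float     # gap between the two arrivals
    ttl_delta: int   # |TTL difference|; non-zero suggests two different origins


def same_prefix(a: bytes, b: bytes) -> bool:
    """True if the two payloads agree on every byte they both cover.

    A genuine retransmission may be shorter or longer than the original
    (segmentation can change), so only the overlapping bytes are compared.
    """
    n = min(len(a), len(b))
    return n > 0 and a[:n] == b[:n]


class RaceDetector:
    """Flags a flow that delivers two contradictory payloads for one sequence number."""

    def __init__(self, window_s: float = 2.0) -> None:
        self.window_s = window_s
        # flow -> seq -> segments whose payloads disagree with each other
        self._seen: Dict[Flow, Dict[int, List[Segment]]] = {}

    def feed(self, seg: Segment) -> Optional[Alert]:
        if not seg.payload:                  # pure ACKs carry nothing to race on
            return None
        flow: Flow = (seg.src, seg.sport, seg.dst, seg.dport)
        variants = self._seen.setdefault(flow, {}).setdefault(seg.seq, [])
        if any(same_prefix(v.payload, seg.payload) for v in variants):
            return None                      # retransmission of bytes already seen
        variants.append(seg)
        if len(variants) == 1:
            return None                      # first time this seq is seen
        first = variants[0]
        dt = seg.ts - first.ts
        if dt > self.window_s:
            return None                      # too far apart to be a race
        return Alert(flow, seg.seq, first, seg, dt * 1000.0, abs(first.ttl - seg.ttl))


def scan(segments: List[Segment], window_s: float = 2.0) -> List[Alert]:
    """Run the detector over a capture in arrival order and collect alerts."""
    det = RaceDetector(window_s)
    alerts: List[Alert] = []
    for seg in sorted(segments, key=lambda s: s.ts):
        alert = det.feed(seg)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample capture (RFC 5737 documentation addresses, invented hostnames and timings).
SERVER, CLIENT = "198.51.100.10", "192.0.2.5"


def _reply(ts: float, seq: int, ttl: int, payload: bytes) -> Segment:
    return Segment(ts, SERVER, 80, CLIENT, 49152, seq, ttl, payload)


SAMPLE_SEGMENTS = [
    Segment(0.0000, CLIENT, 49152, SERVER, 80, 5000, 64,
            b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    # Injected reply: arrives first and from fewer hops away (higher TTL).
    _reply(0.0290, 1001, 61,
           b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\nContent-Length: 0\r\n\r\n"),
    # The origin's real reply, same sequence number, 2.2 ms later.
    _reply(0.0312, 1001, 52, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    # Next data segment on the same flow: new seq, nothing to compare against.
    _reply(0.0400, 1044, 52, b"more"),
    # An ordinary retransmission of the real reply: must not alert.
    _reply(0.2500, 1001, 52, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]


if __name__ == "__main__":
    for a in scan(SAMPLE_SEGMENTS):
        print(f"race on {a.flow} seq={a.seq}: {a.dt_ms:.1f} ms apart, TTL delta {a.ttl_delta}")
        print(f"  won : {a.first.payload[:20]!r} (ttl {a.first.ttl})")
        print(f"  lost: {a.second.payload[:20]!r} (ttl {a.second.ttl})")
```

Two design points matter in practice. Payloads are compared only on the bytes they both cover, because a legitimate retransmission can be re-segmented to a different length and must not trip the detector, while an injected redirect still differs from the real response within the first few bytes of the status line. And the heuristic only applies to plaintext protocols: once a connection is inside TLS, a forged application-data record from a party without the session keys fails the integrity check and is discarded, which is why plain HTTP is where this kind of injection is cheap.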


Reader Comments

  1. Ninja (profile), Oct 4th, 2013 @ 12:05pm

    They save the "most valuable exploits" for less technically savvy targets, and also the most important targets.

    Let me emphasize:

    less technically savvy targets

    One would think that the really dangerous criminals and terrorists are aware and at least have tech-savvy members in their ranks. So who are they aiming at then? The obvious answer is the average Joe. Do we have any doubts that this isn't about terrorism but rather just plain blunt surveillance?

  2. Anonymous Coward, Oct 4th, 2013 @ 12:13pm

    Nice that all these articles are giving you hints as to what services you should not be using. Places you should never go to, like Google, Yahoo!, and Facebook. I am totally shocked these companies aren't seeing the threat such info is revealing as seriously detrimental to their long term business potentials.

    Was there ever a doubt Ninja, as to who the enemy was in the eyes of the government and security branches like the NSA?

  3. Anonymous Coward, Oct 4th, 2013 @ 12:17pm

    Does it mean that they have Google's private key? Otherwise man in the middle attacks won't work on SSL. Or they have managed to obtain another certificate issued for Google.com from a CA authority.

  4. out_of_the_blue, Oct 4th, 2013 @ 12:20pm

    Unverified and leaves out Microsoft / Apple / Google's backdoors.

    "While those have failed to directly break Tor," -- Unverified if not unverifiable opinion.

    "they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users." -- Umm, yeah, Mike, cause compared to bullet-proof Internet Explorer from totally not-in-cahoots-with-NSA Microsoft, Firefox is like leaving keys and signed-over title in your car.

  5. Anonymous Coward, Oct 4th, 2013 @ 12:28pm

    Jesus, that was a lot of reading and links...
    Don't know if you guys caught this one:
    "Further afield, the NSA has apparently targeted the computer networks of Saudi Arabia’s Riyad Bank and Chinese technology company Huawei for surveillance, the documents show." link from the Guardian.

    So I guess we were worried not about the Chinese spying on us, but all the damn backdoors that the NSA already put in place.

  6. Anonymous Coward, Oct 4th, 2013 @ 12:37pm

    Kinky

  7. Anonymous Coward, Oct 4th, 2013 @ 12:39pm

    "bullet-proof Internet Explorer"

    Like you really need another foot in your mouth, ootb. M$ long ago sold out. Again a rant with absolutely nothing to back it up but stupid statements pulled from your butt.

    Have another report vote.

  8. Anonymous Coward, Oct 4th, 2013 @ 12:41pm

    Unintended consequences

    So, the NSA is deliberately compromising end-user systems that use the TBB.

    The TBB is used by human rights activists all over the world, including those who are paid by the United States Government and who work in places where local knowledge of their activities could result in grave harm to them.

    Most (if not all) such countries don't have the capability to breach the security afforded by the TBB...but luckily for them, the NSA is trying to do so and when they succeed, will no doubt leave the hole open -- since it took some effort to acquire and since they'll want to use it again.

    Great. Just great.

  9. Anonymous Coward, Oct 4th, 2013 @ 12:48pm

    Re:

    Google did not always use SSL/TLS, so no need for any kind of private key.

    Which is why every web server should move to HTTPS. Makes these kinds of attacks harder.

  10. Anonymous Coward, Oct 4th, 2013 @ 12:51pm

    Re: Unintended consequences

    Did you notice the sample "tag" in the article?

    It is http. Not https.

    Which means that anyone who is watching will be able to see the contents of the request.

  11. Anonymous Coward, Oct 4th, 2013 @ 12:53pm

    Every 5 minutes it seems like, Google are being blamed for something else. They get accused of anything and everything that the various, paid under the table, politicians can dream up. Even as we speak there is another ridiculous discussion going on over how Google sorts out search results. I find it quite strange that the companies complaining are mostly those that don't want to do f**k all themselves to improve their lot, relying, yet again, on some or other complaint to yet another politician.
    Considering what Google does and what it keeps getting blamed for, how come the NSA, which is doing things 100 times worse, doesn't get any politicians going after it for manipulating search results? Yes, it is getting a lot of well deserved flack over other things but why leave this particular nasty off the list? Google should have stuck up for itself much more, much sooner and much stronger from the start. If it had kicked off at its treatment and Congress or whoever had carried on, it only had to tell them to screw themselves, we're off! and there would have been a different scenario. Similarly, had the entertainment industries been told to fuck off instead of everyone doing whatever to pacify it, I wonder how much further we would have advanced in various developments concerned with movie and music technology?

  12. Anonymous Coward, Oct 4th, 2013 @ 1:01pm

    Re:

    There are powerful interests who feel threatened by Google, and are behind a lot of the complaints about Google.

    For instance, IIRC Microsoft was found out to be behind some of these complaints.

    Other complaints come from less knowledgeable persons parroting the talking points seeded by these powerful interests.

    And of course, there are those with legitimate reasons to complain about Google. They also complain about the NSA, for the same reasons. But they are not the loudest ones.

  13. Anonymous Coward, Oct 4th, 2013 @ 1:04pm

    Re:

    How do they determine how technically savvy a target is?

  14. DannyB (profile), Oct 4th, 2013 @ 1:09pm

    Re:

    If the NSA can get devices positioned at privileged locations in the backbone, do you suppose they could also coerce at least one CA (certificate authority) somewhere to give NSA a root signing certificate? That way, the NSA's box could generate a new trusted certificate for each website it is targeting and then instantly play MITM (man in the middle).

    If NSA had a root signing cert from a CA, then the NSA's certificate for google.com would be as good as the one Google uses.

  15. Anonymous Coward, Oct 4th, 2013 @ 1:24pm

    Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.

    Wow... that stick up your ass really is way up there.

    Way to take stuff out of context
    "While those have failed to directly break Tor," -- Unverified if not unverifiable opinion.

    the context was....

    While those (reported attempts at "de-anonymizing" Tor) have (reportedly) failed to directly break Tor.

    Way to create an argument that didn't even exist
    "they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users." -- Umm, yeah, Mike, cause compared to bullet-proof Internet Explorer from totally not-in-cahoots-with-NSA Microsoft, Firefox is like leaving keys and signed-over title in your car.

    Mentioning Firefox being exploited has nothing to do with endorsing IE.

    You are failing hard at trolling M8
    You used to at least have a clear tactic.... now you are just another troll designated to the retard pile. You fucked up your own trolling with "trying too hard".
    Lrn2Troll noob

  16. PRMan, Oct 4th, 2013 @ 1:25pm

    Re: Re:

    Google hasn't traditionally played nice with the MAFIAA. Therefore, Google is mentioned on all news sources (owned by the MAFIAA) as being the ringleader against SOPA and also as the number one name in helping the NSA, when in fact they have spent more to fight the NSA than anyone else.

  17. Anonymous Coward, Oct 4th, 2013 @ 1:45pm

    Re: Re:

    Certificate patrol makes this more difficult as it detects and shows changes in certificates.

  18. John Fenderson (profile), Oct 4th, 2013 @ 1:49pm

    Re: Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.

    You have to understand that Blue apparently believes that if you aren't loudly denouncing something specifically every time you speak, whether or not it's relevant to the topic at hand, then you must be in favor of it.

  19. Anonymous Coward, Oct 4th, 2013 @ 1:54pm

    Re: Re: Re:

    It does until you get tired of the false positives and start clicking the "Yeah, whatever" button every time.

    There is another initiative to make this much harder: Certificate Transparency.

  20. Arthur Moore (profile), Oct 4th, 2013 @ 2:03pm

    Re:

    Hacking Huawei isn't much of a surprise. Especially if Huawei uses their own equipment.

    http://www.youtube.com/watch?v=ugdpbPW_k3g&feature=player_detailpage#t=1936

    Huawei, Cisco, HP, and other manufacturers are a good jumping-off point for the NSA to hack other networks. Something the US specifically authorizes them to do. Plus, Huawei has so many bugs that their OS is a giant backdoor.

    The thing everyone has a problem with is the overreach of the NSA. Targeted attacks, even against third parties, to obtain specific intel aren't really something that most people worry about here in the US. It's making sure that there's a proper legal channel to get a warrant through an adversarial proceeding that annoys me personally.

    http://en.wikipedia.org/wiki/Writ_of_assistance

  21. John Fenderson (profile), Oct 4th, 2013 @ 2:11pm

    Re: Re: Re:

    "Google hasn't traditionally played nice with the MAFIAA"

    Really? From where I sit, it looks like they've traditionally bent over backwards for them.

    "as being the ringleader against SOPA"

    Which still makes me laugh every time someone makes that claim.

  22. That One Guy (profile), Oct 4th, 2013 @ 2:22pm

    Re: Re: Re: Re:

    "Really? From where I sit, it looks like they've traditionally bent over backwards for them."

    From your perspective yes, but from the *AA's perspective, anything less than complete and total compliance, and doing everything they say, is seen as actively working against the *AA's.

  23. Anonymous Coward, Oct 4th, 2013 @ 3:05pm

    Re: Re: Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.

    He is trying to get everyone to hate the message.... just because he said it.

    Hate him = obviously disagree with everything he says.
    It's a really good tactic that works against some.

    That's why he makes good points and wraps them up in bullshit.... just so you hate his voice and partly his message. Trolls/shills are getting smarter. This dude is just a noob trying too hard. I would dock his wages if I was his boss.

  24. Anonymous Coward, Oct 4th, 2013 @ 3:24pm

    Re: Re: Re: Re:

    "the chains of trust set up by certificate authorities"

    And that is the real issue here.

    If the root CA is not trusted, you can't trust any cert from that authority. No amount of checks or tracking of "trust chains" can expose the root as being untrusted. It literally just gives a false sense of security.

    And how many different CAs are there? Even if the root is not compromised, it isn't possible to trust them as is.

    One-way validation is the problem.

    We wouldn't expect our bank to validate us by using a certificate.

    Yet we are expected to validate them with such flaky methods.

  25. Anonymous Coward, Oct 4th, 2013 @ 6:45pm

    Here I thought I was being overly paranoid by disabling cookies, javascript, flash, and iframes. Turns out I wasn't being paranoid enough!

    Time to set up a Raspberry Pi Tor proxy, and run my web browser inside a virtual machine that gets wiped clean after every reboot.

    Safely surfing the world wide web is turning into a big chore these days.

    We won't forget the treasonous actions taken against law-abiding Americans, NSA! Stop logging the entire lives of red blooded Americans in secret databases. We won't stand for it.

    The NSA is worse than East Germany's Stasi! The NSA's current mission and tactics, are incompatible with freedom and democracy. The NSA is simply un-American. They've betrayed their own people. The very people funding this freedom killing abomination.

  26. Anonymous, Oct 4th, 2013 @ 6:48pm

    Re:

    Man-in-the-middle, man-on-the-side, sounds rather queer to me.

  27. Postulator (profile), Oct 4th, 2013 @ 9:17pm

    Protect businesses

    One thing is very clear from all of this, and I am saying this as a fan of big government. Business must not be in a position of relying upon government largesse. The NSA is clearly blackmailing companies. In the case of telecoms, "if you do this for us, you'll get that spectrum you want to buy". In the case of other companies, presumably applying a range of various arm-twisting using all the resources a government can apply.

    This is not right. Government decisions are supposed to be open and transparent - this is anything but. Government decisions are supposed to be based upon the facts at hand and upon what is best for the citizens - the NSA has seemingly inserted itself into decision-making processes and corrupted them. Large-scale corruption like this warrants a large-scale judicial review, and heads should be rolling. Instead, it appears that judges and politicians are too frightened to act, while the third arm of government is just totally involved in the problem and so cannot.

    Too many secrets.

  28. Anonymous Coward, Feb 5th, 2014 @ 2:44pm

    Response to: Anonymous Coward on Oct 4th, 2013 @ 12:17pm

    Or... the NSA could also be in the middle of your connection with the CA, providing you with a manufactured certificate for Google.com whose private key they own.
