How The NSA Pulls Off Man-In-The-Middle Attacks: With Help From The Telcos

from the but-of-course dept

We already covered the latest Guardian report on the NSA and GCHQ’s attempts to compromise Tor. While those have failed to directly break Tor, they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users. Bruce Schneier has a more focused article on how those attacks worked, and as a part of that, detailed how the NSA and GCHQ are effectively able to do man-in-the-middle attacks on giant websites, something that is really only possible because of the major telcos letting the NSA put servers directly off the backbone. As we noted last month, buried in one of the earlier Snowden leaks was the news that the GCHQ and NSA were likely running man-in-the-middle attacks on Google. The latest leaks show why those work. As Schneier explains:

To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target’s browser to visit a Foxacid server.

In the academic literature, these are called “man-on-the-middle” attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of “man-on-the-side” attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a “race condition” between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to “degrade/deny/disrupt Tor access”.

Schneier also notes that this is basically the same technique the Chinese have used for their Great Firewall. In other words, the complicit nature of the telcos in basically giving the NSA and GCHQ incredibly privileged access to the backbone is part of what allows them to conduct those kinds of man-in-the-middle attacks. It still amazes me that there isn’t more outrage over the role of the major telcos in all of this.

The other interesting thing about the FoxAcid servers is that it’s basically a system that gives the NSA a rotating menu of ways to exploit a visitor who gets hooked on one of their servers. It also notes that the NSA is pretty careful about how it uses various exploits, such that “low-value exploits” are used against more technically sophisticated targets, recognizing that they’re more likely to be discovered, and thus burned. They save the “most valuable exploits” for less technically savvy targets, and also the most important targets. This is hardly surprising, but interesting to see the level with which they plan these things out.

Filed Under: , , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “How The NSA Pulls Off Man-In-The-Middle Attacks: With Help From The Telcos”

Subscribe: RSS Leave a comment
Ninja (profile) says:

They save the “most valuable exploits” for less technically savvy targets, and also the most important targets.

Let me emphasize:

less technically savvy targets

One would think that the real dangerous criminals and terrorists are aware and at least have tech-savvy members in their ranks. So who are they aiming then? The obvious answer is the average Joe. Do we have any doubts that this isn’t about terrorism but rather just plain blunt surveillance?

Anonymous Coward says:

Nice that all these articles are giving you hints as to what services you should not be using. Places you should never go to, like Google, Yahoo!, and Facebook. I am totally shocked these companies aren’t seeing the threat such info is revealing as seriously detrimental to their long term business potentials.

Was there ever a doubt Ninja, as to who the enemy was in the eyes of the government and security branches like the NSA?

DannyB (profile) says:

Re: Re:

If the NSA can get devices positioned at privileged locations in the backbone, do you suppose they could also coerce at least one CA (certificate authority) somewhere to give NSA a root signing certificate? That way, the NSA’s box could generate a new trusted certificate for a each website it is targeting and then instantly play MITM (man in the middle).

If NSA had a root signing cert from a CA, then the NSA’s certificate for would be as good as the one Google uses.

Anonymous Coward says:

Re: Re: Re:2 Re:

“the chains of trust set up by certificate authorities”

And that is the real issue here.

If the root CA is not trusted. You can’t trust any cert from that authority. No amount of checks or tracking “trust chains” can expose the root as being untrusted. It literally just gives a false sense of security.

And how many different CA’s are there. Even if the root is not compromised it isn’t possible to trust them as is.

One way validation is the problem.

We wouldn’t expect our bank to validate us by using a certificate.

Yet we are expected to validate them with such flaky methods.

Jan (profile) says:

Re: Re:

Well probably they control a CA authority and can issue certificates at leasure. They seem to mimic completely the real site, or the Quantum Insert is a proxy server. Anyway once it get’s to the client or proxy the information is in cleartext, so can be modified as much as they want and sent trough to the end client computers. There were big articles in the Belgian press today explaining how they hacked the Belgacom network. They created a Quantum Insert on Linkedin and infected the computers of 3 Belgacom staff members. Once they had control over the 3 staff member computers (2011 – probably still Windows xp in this government agency) they received the login information to the servers and network switches easily by spying telnet and ftp traffic – the staff members directly telnetted to critical components of the Belgacom core network. From there on they could upload their own code in the network switches and control everything including eavesdropping on mobile communications of any mobile number within Europe transiting trough the Belgacom network.

out_of_the_blue says:

Unverified and leaves out Microsoft / Apple / Google's backdoors.

“While those have failed to directly break Tor,” — Unverified if not unverifiable opinion.

“they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users.” — Umm, yeah, Mike, cause compared to bullet-proof Internet Explorer from totally not-in-cahoots-with-NSA Microsoft, Firefox is like leaving keys and signed-over title in your car.

Anonymous Coward says:

Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.

Wow… that stick up your ass really is way up there.

Way to take stuff out of context
“While those have failed to directly break Tor,” — Unverified if not unverifiable opinion.

the context was….

While those(reported attempts at “de-anonymizing” tor) have (reportedly) failed to directly break Tor.

Way to create an argument that didn’t even exist
“they were more successful effectively exploiting vulnerabilities in Firefox to target certain Tor users.” — Umm, yeah, Mike, cause compared to bullet-proof Internet Explorer from totally not-in-cahoots-with-NSA Microsoft, Firefox is like leaving keys and signed-over title in your car.

Mentioning Firefox being exploited is nothing to do with endorsing IE.

You are failing hard at trolling M8
You used to at least have a clear tactic…. now you are just another troll designated to the retard pile. You fucked up your own trolling with “trying too hard”.
Lrn2Troll noob

Anonymous Coward says:

Re: Re: Re: Unverified and leaves out Microsoft / Apple / Google's backdoors.

He is trying to get everyone to hate the message…. just because he said it.

Hate him = obviously disagree with everything he says.
It’s a really good tactic that works against some.

That’s why he makes good points and wraps them up in bullshit…. just so you hate his voice and partly his message. Trolls/shills are getting smarter. This dude is just a noob trying too hard. I would dock his wages if I was his boss.

Anonymous Coward says:

Jesus, that was a lot of reading and links…
Don’t know if you guys caught this one:
“Further afield, the NSA has apparently targeted the computer networks of Saudi Arabia?s Riyad Bank and Chinese technology company Huawei for surveillance, the documents show.” link from the Guardian.

So I guess we were worried not about the Chinese spying on us, but all the damn backdoors that the NSA already put in place.

Arthur Moore (profile) says:

Re: Re:

Hacking Huawei isn’t much of a surprise. Especially if Huawei uses their own equipment.

Huawei, Cisco, HP, and other manufacturers are a good jumping off point for the NSA to hack other networks. Something the US specifically authorizes them to do. Plus, Huawei has so many bugs that their OS is a giant backdoor.

The thing everyone has a problem with is the over reach of the NSA. Targeted attacks, even to third parties, to obtain specific intel aren’t really something that most people worry about here in the US. It’s making sure that there’s a proper legal channel to get a warrant through an adversarial proceeding that annoys me personally.

Anonymous Coward says:

Unintended consequences

So, the NSA is deliberately compromising end-user systems that use the TBB.

The TBB is used by human rights activists all over the world, including those who are paid by the United States Government and who work in places where local knowledge of their activities could result in grave harm to them.

Most (if not all) such countries don’t have the capability to breach the security afforded by the TBB…but luckily for them, the NSA is trying to do so and when they succeed, will no doubt leave the hole open — since it took some effort to acquire and since they’ll want to use it again.

Great. Just great.

Anonymous Coward says:

every 5 minutes it seems like, Google are being blamed for something else. they get accused of anything and everything that the various, paid under the table, politicians can dream up. even as we speak there is another ridiculous discussion going on over how Google sorts out search results. i find it quite strange that the companies complaining are mostly those that dont want to do f**k all themselves to improve their lot, relying, yet again, on some or other complaint to yet another politician.
considering what Google does and what it keeps getting blamed for, how come the NSA, which is doing things 100 times worse, dont get any politicians going after it for manipulating search results? yes, it is getting a lot of well deserved flack over other things but why leave this particular nasty off the list? Google should have stuck up for itself much more, much sooner and much stronger from the start. if it had kicked off at it’s treatment and Congress or whoever had carried on, it only had to tell them to screw themselves, we’re off! and there would have been a different scenario. similarly, had the entertainment industries been told to fuck off instead of everyone doing whatever to pacify it, i wonder how much further we would have advanced in various developments concerned with movie and music technology??

Anonymous Coward says:

Re: Re:

There are powerful interests who feel threatened by Google, and are behind a lot of the complaints about Google.

For instance, IIRC Microsoft was found out to be behind some of these complaints.

Other complaints come from less knowledgeable persons parroting the talking points seeded by these powerful interests.

And of course, there are those with legitimate reasons to complain about Google. They also complain about the NSA, for the same reasons. But they are not the loudest ones.

Anonymous Coward says:

Here I thought I was being overly paranoid by disabling cookies, javascript, flash, and iframes. Turns out I wasn’t being paranoid enough!

Time to setup a Raspberry Pi Tor proxy, and run my web browser inside a virtual machine that get’s wiped clean after every reboot.

Safely surfing the world wide web is turning into a big chore these days.

We won’t forget the treasonous actions taken against law-abiding Americans, NSA! Stop logging the entire lives of red blooded Americans in secret databases. We won’t stand for it.

The NSA is worse than East Germany’s Stasi! The NSA’s current mission and tactics, are incompatible with freedom and democracy. The NSA is simply un-American. They’ve betrayed their own people. The very people funding this freedom killing abomination.

Postulator (profile) says:

Protect businesses

One thing is very clear from all of this, and I am saying this as a fan of big government. Business must not be in a position of relying upon government largesse. The NSA is clearly blackmailing companies. In the case of telecoms, “if you do this for us, you’ll get that spectrum you want to buy”. In the case of other companies, presumably applying a range of various arm-twisting using all the resources a government can apply.

This is not right. Government decisions are supposed to be open and transparent – this is anything but. Government decisions are supposed to be based upon the facts at hand and upon what is best for the citizens – the NSA has seemingly inserted itself into decision-making processes and corrupted them. Large-scale corruption like this warrants a large-scale judicial review, and heads should be rolling. Instead, it appears that judges and politicians are too frightened to act, while the third arm of government is just totally involved in the problem and so cannot.

Too many secrets.

Postulator says:

The reason the gov. is out of sync with the populous is because it is controlled by the plutocracy (the rich and powerful) through facism (global organisation dictating terms), there are some wealthy families high up in the socio-economic ladder that wants it this way. – The answer is not to do away with government but to take control over it by holding politicians accountable – that menas YOU start with YOUR regional politicians. Without actually taking action things wont change.
People in Sweden are turning on the FRA (Gotland – an island that the swedish gov. thought it was time to give a military force all on its own) – FRA is the military section that is breaking common Swedish people’s encryption (if u don’t account for the NSA mitm attacks and most of the larger operators, not all, as in this article bending over backwards). The name means Försvarets (the defensive) radio (radio!) anstalt (institution), they sell information through Kontoret för särskild inhämtning (the office for particular aquisition).
I got a 10mbit line and I can barely load a page without it taking ages (wo hardware/software bottlenecks) – at points i did tracerts and found Telia servers was redirecting my routes over to USA, these days the routes show up allmost clear (sometimes a jump is hidden * * * alltogether in cmd, no not the classical desition is out of reach etc as the final destination is reached) or fully clear – while the connection is clearly bogged down as f**k.

So yeah NSA is doing wrong, so is many of the ISP’s and so is definitively the gov.’s – look at the wealth and power distirbution today, IF you can swap to a healthy ISP – if there is none see if you got access to an alternative net (internet isn’t the only net out there).

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...