Here’s one of the latest tidbits on the NSA surveillance scandal (which seems to be generating nearly as many blog items as there are phone numbers in the spy agency’s data banks).
Earlier this week, Techdirt picked up on a passing mention in a Brazilian news story and a Slate article to point out that the US National Security Agency had apparently impersonated Google on at least one occasion to gather data on people. (Mother Jones subsequently pointed outTechdirt’s point-out.)
Brazilian site Fantastico obtained and published a document leaked by Edward Snowden, which diagrams how a “man in the middle attack” involving Google was apparently carried out.
A technique commonly used by hackers, a MITM attack involves using a fake security certificate to pose as a legitimate Web service, bypass browser security settings, and then intercept data that an unsuspecting person is sending to that service. Hackers could, for example, pose as a banking Web site and steal passwords.
The technique is particularly sly because the hackers then use the password to log in to the real banking site and then serve as a “man in the middle,” receiving requests from the banking customer, passing them on to the bank site, and then returning requested info to the customer — all the while collecting data for themselves, with neither the customer nor the bank realizing what’s happening. Such attacks can be used against e-mail providers too.
It’s not clear if the supposed attack in the Fantastico document was handled by the NSA or by its UK counterpart, the Government Communications Headquarters (GCHQ). The article by the Brazilian news agency says, “In this case, data is rerouted to the NSA central, and then relayed to its destination, without either end noticing.”
“There have been rumors of the NSA and others using those kinds of MITM attacks,” Mike Masnick writes on Techdirt, “but to have it confirmed that they’re doing them against the likes of Google… is a big deal — and something I would imagine does not make [Google] particularly happy.”
Google provided a short statement to Mother Jones reporter Josh Harkinson in response to his questions on the matter: “As for recent reports that the US government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring. We provide our user data to governments only in accordance with the law.” (The company is also trying to win the right toprovide more transparency regarding government requests for data on Google users.)
CNET got a “no comment” from the NSA in response to our request for more information.
As TechDirt suggests, an MITM attack on the part of the NSA or GCHQ would hardly be a complete shock. The New York Times reported last week that the NSA has sidestepped common Net encryption methods in a number of ways, including hacking into the servers of private companies to steal encryption keys, collaborating with tech companies to build in back doors, and covertly introducing weaknesses into encryption standards.
It wouldn’t be much of a stretch to obtain a fake security certificate to foil the Secure Sockets Layer (SSL) cryptographic protocol that’s designed to verify the authenticity of Web sites and ensure secure Net communications.
Indeed, such attacks have been aimed at Google before, including in 2011, when a hacker broke into the systems of DigiNotar — a Dutch company that issued Web security certificates — and created more than 500 SSL certificates used to authenticate Web sites.
In any case, the purported NSA/GCHG impersonation of Google inspired a rather clever graphic by Mother Jones, one that might even impress the rather clever Doodlers at Google: