Cyberwar: “Do as I say, not as I do” shall be the whole of the law.

Summary: Much of the hoopla about the possible involvement of foreign intelligence in digital certificate-forging is probably foreign governments wishing they had the level of access to citizen data that ours does (and we won’t share). The second in a series by guest author Marcus J. Ranum discussing cyberwar — perhaps one of the major forms of war in the 21st century.


  1. Introduction
  2. About Digital Certificates
  3. Hacking by the governments of China and Iran
  4. Conclusion
  5. About the author, including links to other posts in this series
  6. For more information

(1)  Introduction

Today’s scary story, a two-fer about Iran and cyberwar: “Cyber-attack in Europe highlights Internet risks”, Los Angeles Times, 9 September 2011 — “The assault, apparently launched from Iran, focused on the digital security systems used to authenticate websites for banking, email and e-commerce around the world.” At the end are more articles about this.

The cyber-attack (allegedly from Iran) illustrates only two interesting things:

  1. The digital certificate system used in browsers is weaker than most users realize.
  2. Governments will go to great lengths in order to see what “their” people are doing.

(2)  About Digital Certificates


  • Digital Certificate (aka public key certificate): an electronic document using a digital signature to bind a public key with an identity (e.g., a person, organization, an address).
  • Secure Sockets Layer (SSL): a cryptographic protocol that provides communication security over the Internet. It encrypts the network connections above the Transport Layer, using asymmetric cryptography for privacy and a keyed message authentication code for message reliability.

The certificate capability in SSL (Secure Sockets Layer) was not actually designed to solve a security problem; it was designed to solve RSA Data Security’s (RSADSI) problem, which was “how to capitalize on our patents on public key encryption?” What RSADSI did was allow free use of public key cryptography in browsers and web servers in return for getting the initial monopoly on selling certificates. This was done by spinning Verisign off from RSA and making them instantly the go-to place for certificates.  Verisign’s authentication business was eventually purchased by Symantec for $1.2 billion, so — yes — that strategy worked.

Security cognoscenti have always been skeptical of SSL; particularly noteworthy is that SSL in its normal operation doesn’t check revocation of certificates and doesn’t fully check the hierarchy. Possibly this was done to make it easier to deploy a web certificate hierarchy, but there would have been tacit approval from Ft. Meade (NSA) of SSL’s weakness to “man in the middle” attacks. When SSL was initially developed, cryptographic export controls were still in place and there was a moment of fear that NSA would put the kibosh on any international standard that arose; strangely, they didn’t. Perhaps it was because they saw SSL as weak in places that were convenient to them?


Additionally, SSL lacks a property known as “forward secrecy” which is highly desirable for ephemeral communications – namely, that a temporary key is used, which cannot be reconstructed by an attacker at a later time. It’s possible that, given the certificate on the server side, the key can be reconstructed out of an encrypted session – exactly the kind of thing a good encryption system would not permit!
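The difference described above, as a toy model (an added example, not code from the original article): an RSA key-transport session and an ephemeral Diffie-Hellman session are each recorded by a passive tap, and `recover_later` shows what the recording yields once the server's long-term private key is disclosed. All parameters and function names are constructed for illustration and are far too small for real use.

```python
import hashlib
import secrets

# Toy parameters constructed for this illustration; far too small for real use.
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1          # two Mersenne primes
N, E = RSA_P * RSA_Q, 65537                  # server's long-term public key
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))    # server's long-term private key
DH_P, DH_G = 2**127 - 1, 3                   # toy Diffie-Hellman group


def kdf(secret: int) -> bytes:
    """Derive a session key from a shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_transport_session():
    """Client picks the secret and sends it encrypted to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    transcript = {"enc_premaster": pow(premaster, E, N)}  # what a tap records
    return kdf(premaster), transcript


def ephemeral_dh_session():
    """Both sides use throwaway exponents; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 3) + 2      # client ephemeral, discarded
    b = secrets.randbelow(DH_P - 3) + 2      # server ephemeral, discarded
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = hashlib.sha256(f"{ga}|{gb}".encode()).digest()
    sig = pow(int.from_bytes(digest, "big") % N, D, N)
    transcript = {"ga": ga, "gb": gb, "sig": sig}         # what a tap records
    return kdf(pow(gb, a, DH_P)), transcript


def recover_later(transcript: dict, private_key: int):
    """What a recorded session yields once the long-term key is disclosed."""
    if "enc_premaster" in transcript:
        return kdf(pow(transcript["enc_premaster"], private_key, N))
    # The long-term key only made a signature; g^(ab) needs a or b, both gone.
    return None


if __name__ == "__main__":
    for name, session in (("RSA transport", rsa_transport_session),
                          ("ephemeral DH", ephemeral_dh_session)):
        key, recorded = session()
        print(name, "recoverable later:", recover_later(recorded, D) == key)
```

In the ephemeral case a disclosed long-term key still allows impersonating the server in future sessions, which is a separate problem from decrypting past ones.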

SSL has a bewildering number of options and versions and some versions offer very poor security, indeed. Users generally don’t care – they just look for the little “lock logo” on their browser and feel secure. The whole system was intended to accomplish nothing more than letting the user feel secure enough.

“Secure enough,” of course, is a matter of what you’re doing and who you’re doing it with. For virtually all the ‘usual’ purposes on the internet, it’s good enough; a cybercriminal or hacker will go after the security of the end-point rather than the security of the encryption, because their objective is to become involved in your system — an organization devoted to traffic monitoring and analysis, with the ability to subpoena or “ask nicely” for certificates, might take a different route.

Depending on whether or not you’re a member of the “tin foil hat brigade” it’s suspicious that Verisign did such tremendously good business with federal agencies as well as the private sector and was headquartered relatively near the CIA. If you really want to engage your inner conspiracy nut, you should research the evolution of Network Solutions, Inc., formerly owned by SAIC, which later became a subsidiary of Verisign. Unlike the Iranians or pretty much anyone else, the US intelligence community or FBI doesn’t have very far to drive if they want to present a subpoena or national security letter/request. They’ve already put in place all the legal frameworks to ensure that if they ask, they’ll get it. Besides, they’re a good customer.

(3)  Hacking by the governments of China and Iran

To the second point, above, perhaps the Iranian government was behind this, and perhaps they weren’t. Even accepting for a moment that they were, all they were attempting to achieve was a level of access to their citizens’ traffic that the US government already has. The US government just does not share. That’s why the (alleged) attacks against Google’s gmail service by (allegedly) the Chinese government, attempting to learn about the activities of (alleged) dissidents, are so ironic to me.

If those dissidents were US-based members of Anonymous or Wikileaks, the US government would have only had to ask politely, to get the same information, probably including transaction logs and IP addresses as well. Recall that the US government has already required that service providers backdoor their systems, has re-interpreted constitutional protections against “search and seizure” to not include electronic “business records” — and the Office Of The Inspector General has identified “egregious breakdown” in oversight of FBI’s failure to follow its own guidelines regarding fishing expeditions and access to citizen information under the guise of counter-terrorism. For example, during 2006-2009 information extracted under the PATRIOT act was used for 15 terrorism investigations compared to 1618 drug investigations.

(4)  Conclusion

In other words, because the US “invented the internet” our government has been neatly positioned to trapdoor and spy on it to its heart’s content. All other nations with intelligence services are – no doubt – jealous. Nations like Iran and China, that are not part of the UK/USA/Canada/Australia intelligence-sharing circle cannot get this information by asking nicely and feel that they have to commit the occasional “smash and grab.” Many of the cell phone providers have turned responding to FBI requests into a profit center; perhaps the US Government should open up to China, Iran, Russia, and other dictatorships and sell them data on “their” citizens – it’s what any self-respecting capitalist would do, right?

(5)  About the author

See the About the Authors page for information about Marcus J. Ranum

Other publications:

The series Cyberwar: a Whole New Quagmire, by Marcus J. Ranum:

  1. The Pentagon Cyberstrategy, 2 September 2011
  2. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  3. Conflating Threats, 14 September 2011
  4. About Stuxnet, the next generation of warfare?, 29 September 2011
  5. When the Drones Come To Roost, 8 October 2011
  6. About Attribution (identifying your attacker), 21 October 2011

(6)  For more information about cyberwar

(a)  About this incident:

  1. DigiNotar Certificate Authority breach “Operation Black Tulip”, Interim Report by FOX-IT, 5 September 2011 — FOX-IT are security consultants hired to investigate this incident.
  2. “Fake DigiNotar web certificate risk to Iranians”, BBC, 5 September 2011
  3. “Dutch Government Struggles to Deal With DigiNotar Hack”, PC World, 7 September 2011
  4. “SSL Certificate Authority Recall Grows”, eSecurity Planet, 7 September 2011 — “Mozilla issues yet another Firefox update for SSL issues as certificate authority risks mount beyond DigiNotar.”
  5. “DigiNotar Certificate Authority Breach Crashes e-Government in the Netherlands”, IEEE Spectrum, 9 September 2011

(b)  About cyber-snooping by the US government:

  1. “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL”, Christopher Soghoian (Indiana U – Bloomington) and Sid Stamm, working paper posted at SSRN, 16 April 2010
  2. Article about VeriSign (“Trust is the Foundation of Every Human Relationship”):  “VeriSign sells digital certification services and runs the Internet registry, thus is well prepared to sell private information on its all-too-trusting customers and to assist ISPs and wireless providers in the business of betrayal, though it is hardly alone in spying boomtime.”
  3. Facebook Subpoena / Search Warrant Guidelines
  4. “Patriot Act – The kitchen-sink approach to national security”, Benjamin Wallace-Wells, New York, 27 August 2011
  5. A Review of the FBI’s Use of Exigent Letters and Other Informal Requests for Telephone Records, Office of the Inspector General of the US Department of Justice, January 2010
  6. A thread for the tinfoil hatters: “Beware Verisign has a security breach”, DN Forum, 2003




2 thoughts on “Cyberwar: “Do as I say, not as I do” shall be the whole of the law.

  1. “Air traffic system vulnerable to cyber attack”, New Scientist, 12 September 2011 — “A next-generation global air traffic control system is vulnerable to malicious hacks that could cause catastrophe.” Opening:

    AN ALARM blares in the cockpit mid flight, warning the pilot of an imminent collision. The pilot checks his tracking display, sees an incoming aircraft and sends the plane into a dive. That only takes it into another crowded air lane, however, where it collides with a different plane. Investigators later discover that the pilot was running from a “ghost” – a phantom aircraft created by a hacker intent on wreaking havoc in the skies.

    It’s a fictional scenario, but US air force analysts warn that it could be played out if hackers exploit security holes in an increasingly common air traffic control technology.

    At issue is a technology called Automatic Dependent Surveillance – Broadcast (ADS-B), which the International Civil Aviation Organisation certified for use in 2002. Gradually being deployed worldwide, ADS-B improves upon the radar-based systems that air traffic controllers and pilots rely on to find out the location and velocity of aircraft in their vicinity. …


    1. The problem with the article is that it doesn’t show any kind of sensible understanding of security. Which makes me (always) suspicious. They are worried that someone could degrade the signals with a jammer near the tower? Sure, but you could also degrade the signals with a .22 rifle by just shooting a few holes in the cables leading to the antenna. Virtually all of our infrastructure is vulnerable to simple and effective rifle-based attacks and – because of how the infrastructure is distributed, it’s impossible to protect it. (Imagine how much damage 3 guys in 3 pickup trucks with 3 .300 win/mag rifles and scopes could do to a local power grid if they simply drove around shooting holes in transformers?) Yeah… and (unlike in a “cyber” attack, the damage would be costly to repair and there’s always the question of a lurking rifle-man…)

      Also, the stuff about the communications being in the clear is – interesting but sort of bogus. The problem with crypto is that it only solves a fairly limited set of problems and they aren’t the kind of problems that an air traffic control system has. For an ATC system you need to be able to allow a “complete stranger” to participate in the communications, without having to exchange complex crypto keys, first. Otherwise, there is hardly any point in having one! So you could build a digital certificate system and “sign” the outbound messages but then the receivers would have to be pre-introduced into the system OR they would have the same problem as SSL, that they trusted anything that came in with a specific certificate, etc, ad nauseam.

      This stuff is _hard_ and when I read a scary scary article that treats it as if it’s easy, I immediately smell a rat or a hidden agenda. There are a lot of “security researchers” that like to point out holes in stuff as a lead-in to getting fat consultant $$ fixing the holes. This article makes my spider-senses tingle.

