More info on NSA activities.

Exactly. If it turns out that CAs have been generating bogus certificates for the NSA for MITM attack purposes we can say bye bye to the whole SSL/TLS system.
 
I was recommended (i.e. this is not my work, and I am not promoting it for others) to take a look at Convergence.io not so long ago. I am still working my way through the documentation (such as it is), but it seems to have merits in these days of out-and-out spying.

"Convergence allows you to choose who you want to trust, rather than having someone else's decision forced on you. You can revise your trust decisions at any time, so that you're not locked in to trusting anyone for longer than you want."


Best wishes

Daniel
 
Crivens said:
Interesting that there is a turnkey ready device for this. Yes, I know that you need to do this in order to cache static parts of SSL websites, but one question: what happens if the end user does not trust the certificate you have?

If it is signed by one of the major CAs, what reason would the end user have for refusing it? His browser will check it out and trust it?

I'd say if it is POSSIBLE that the root CAs could issue bogus certs, then based on the strong-arm tactics used by the NSA and other federal organisations with regards to goings-on on the internet (e.g., Dotcom), we should assume that it has actually been going on for some time.

kpa said:
Exactly. If it turns out that CAs have been generating bogus certificates for the NSA for MITM attack purposes we can say bye bye to the whole SSL/TLS system.

Pretty much. I'd suggest that the only way to be properly secure is to use your own CA infrastructure (don't trust the root CAs) and exchange certificates/keys out of band somehow (disc/etc. via snail mail or in person).

Of course that relies on the fact that your endpoints aren't backdoored and send the contents of their certificate/key store to the NSA, and that the RNG used to generate the keys is sound. Which may or may not be the case.



edit:
Also pertinent (from 1999): http://www.heise.de/tp/artikel/5/5263/1.html

According to one leading US cryptographer, the IT world should be thankful that the subversion of Windows by NSA has come to light before the arrival of CPUs that handle encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next-generation CPUs with encrypted instruction sets already been deployed, we would have never found out about NSAKEY."
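The "own CA infrastructure, exchange the trust anchor out of band" approach suggested above, as an added example that is not code from anyone in this thread: a private CA is created, a server certificate is issued from it, and verification is pinned to that CA alone so that the system's public root store is never consulted. All subject names, file names and lifetimes are constructed for the example; the only thing that has to travel out of band is the CA certificate (or its SHA-256 fingerprint).

```shell
#!/bin/sh
# Added example, not from the thread. Builds a private CA with openssl, issues a
# server certificate from it, and verifies certificates against ONLY that CA.
# Subject names, paths and lifetimes below are made-up values.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the private CA: a self-signed certificate whose private key never
# leaves the signing machine. Constructed name and lifetime.
make_private_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a certificate for one host: generate a key and CSR, then have the
# private CA sign it. $1 is the host name (constructed for the example).
issue_server_cert() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$WORK/$host.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$host.pem" >/dev/null 2>&1
}

# Verify a certificate ($1) against the private CA only. -no-CAfile and
# -no-CApath stop openssl from loading the default public root store, so a
# certificate chaining to any public CA is rejected here. Exit status is 0 on
# success and non-zero on failure, so the function can be used in a condition.
verify_against_private_ca() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.pem" "$1" \
        >/dev/null 2>&1
}

# SHA-256 fingerprint of the CA certificate: the value to compare over the
# out-of-band channel (printed sheet, phone call, in person) before trusting
# a ca.pem that arrived by disc or mail.
ca_fingerprint() {
    openssl x509 -in "$WORK/ca.pem" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
```

The fingerprint check is the part that actually replaces the public CAs: a ca.pem received on a disc is only as trustworthy as the channel it came through, so the fingerprint is compared against a copy obtained separately before the file is installed as a trust anchor.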
 
I haven't been here in a while, missed this thread entirely! My answer to all this is, "if everyone is so upset over this NSA leak, then why is Google still rising in wealth and popularity?" Apparently it's not really the "big deal" everyone ranting about it claims that it is. I still use Gmail, how about you?
 
I never trusted Gmail. But I stopped using email at all. Since then I have saved a lot of money by not buying online anymore.
 
Goobie said:
I'm not saying stick your neck out and ask, I'm saying it's a pretty big building, you'd think they'd offer some explanation. Or, do you think people just didn't even bother thinking about it? I already know I'm screwed when it comes to a thought police future, but I also figured a lot of people were in the same boat.

Actually, the purpose of that building (put in very generalized terms) has been in the mainstream press for over a year!

Of course, nobody paid any attention to that news, as usual. There were never any comments after the articles. Now suddenly, it's important. We're just a bunch of nose ringers if you ask me ...
 
kpa said:
Exactly. If it turns out that CAs have been generating bogus certificates for the NSA for MITM attack purposes we can say bye bye to the whole SSL/TLS system.

And you're not smoking any twirly weed there, my man. Check out Bruce Schneier's blog for this issue. You'll probably stop using the internet.
 
RichardET said:
I haven't been here in a while, missed this thread entirely! My answer to all this is, "if everyone is so upset over this NSA leak, then why is Google still rising in wealth and popularity?" Apparently it's not really the "big deal" everyone ranting about it claims that it is. I still use Gmail, how about you?
Do you still add to the wealth of the Googles & Co.?

http://www.washingtonpost.com/world...166-11e3-8b74-d89d714ca4dd_story.html?hpid=z1

Really not a big deal, is it?
 
I think this (in the story above) covers the NSA / GCHQ attitude to their activities:

[attached image: GOOGLE-CLOUD-EXPLOITATION]
 
Crivens said:
Well, it turns out that things can be really interesting...

Backdoor your OS? Why bother...

Interesting article. Hardware is already a target, and I doubt it affects only the military. I thought the article was VERY interesting. There was a fictional novel written a few years back, that described a "world takeover". Offshore electronics giants had conspired to turn everything off on a certain day. All the chips stopped working, causing monumental turmoil, the collapse of world finance, and other things that comprised the action in the book. I never read it - only read the promos. Anybody remember the name?

Maybe after the dust settled in such a scenario, things would be better? Nah.
 
Crivens said:
Some nice side order to go with the backdooring of the hardware or "BadBios". Have fun.

OMH!!! Really, I had always figured on the likelihood that hard disks were compromisable with hacks utilizing the disk controller's on-board processor(s). But an ARM9!? Coupled with a hack to install a custom Linux kernel, triggered to run in the hard disk controller's ARM9 processor, and set about doing nefarious things! Amazing! Now I feel justified about my pocket full of bootable thumb drives ... ;)
 
Last year's CCC congress had a talk describing how to create a USB device which can detect the OS it is connected to, or if it is being duplicated by dd or something equivalent and then serve different content.

This means that you cannot check a memory stick for malware when it is connected to your (administrator) machine which is running something the hand-picked target for the malware does not use. Sysadmins would check the device before allowing the PHB to connect it to some company equipment. Paranoid sysadmins would make a copy, check the copy and the stick, but would still not find the content which is pushed into the file system when the device is connected to some Windows machine (or MacOS, or...). Even using some $TARGET_OS in a virtual machine might not work as the timings would most likely be different.
 
Crivens said:
Last year's CCC congress had a talk describing how to create a USB device which can detect the OS it is connected to, or if it is being duplicated by dd or something equivalent and then serve different content.

This means that you cannot check a memory stick for malware when it is connected to your (administrator) machine which is running something the hand-picked target for the malware does not use. Sysadmins would check the device before allowing the PHB to connect it to some company equipment. Paranoid sysadmins would make a copy, check the copy and the stick, but would still not find the content which is pushed into the file system when the device is connected to some Windows machine (or MacOS, or...). Even using some $TARGET_OS in a virtual machine might not work as the timings would most likely be different.

Sounds like the really paranoid sysadmins would make a complete copy onto hardware they trust, check that, and pass that along for use with the sensitive equipment. :)
 
Crivens said:
Last year's CCC congress had a talk describing how to create a USB device which can detect the OS it is connected to, or if it is being duplicated by dd or something equivalent and then serve different content.

This means that you cannot check a memory stick for malware when it is connected to your (administrator) machine which is running something the hand-picked target for the malware does not use. Sysadmins would check the device before allowing the PHB to connect it to some company equipment. Paranoid sysadmins would make a copy, check the copy and the stick, but would still not find the content which is pushed into the file system when the device is connected to some Windows machine (or MacOS, or...). Even using some $TARGET_OS in a virtual machine might not work as the timings would most likely be different.

Sounds interesting. Do you have any evidence to support this?
 
da1 said:
Sounds interesting. Do you have any evidence to support this?

In Crivens' link to the BadBIOS research, it more or less describes the scenario. The researcher has not yet revealed the data to many others, except for a BIOS dump, and so there is some skepticism. Regardless of skepticism, the news prompted me to look at USB storage in general. People (including myself) tend to look at new memory sticks as being benign. Yet typical sticks possess ARM9 processors running at about 180 MHz, and utilizing half a meg of various types of (system used) memory. When you plug your USB stick into your computer, you're really connecting a computer to a computer. Gives one pause, if one has always been of the ilk to gloss over any impact from the little things (guilty).

I went looking on the vendors' sites for software to reset the original state of the little critters, but such software seemed disappointingly missing from them. Yet, offers of such software can be found on "free software" sites unending, and kept in the repositories at (seemingly, to this casual observer) "malware look and feel" domains ...
 
da1 said:
Sounds interesting. Do you have any evidence to support this?

The 27C3 video feeds contain one entry about backdooring embedded controllers. This might be considered when thinking about the BadBIOS thing.

The 29C3 contains, for example, one talk about breaking the Cisco phones. So no surprise there, this is public knowledge. But the talk about the USB devices is also in the 29C3, here.

Sadly I don't have enough time to view it all, but one can try.
 
From: twitter/dragosr

"I've been going through about $300 in USB sticks a week isolating this. :-( they've become use once devices for me"

The author makes mention of a plane flight and something about "packing up forensics" - so maybe there will be some disclosure upcoming ...
 
Global Hacker Contest: Aaand the winner iiiis... [Daemons: please don't edit this!]
http://www.nrc.nl/nieuws/2013/11/23/nsa-infected-50000-computer-networks-with-malicious-software/

The Dutch hacker groups (with a range of IT skills), AIVD and MIVD, "have displayed interest in hacking". Ha! But their new boygroup is prohibited by law from performing the type of operations carried out by the NSA, as Dutch law does not allow this type of Internet searches. They should have known this, as my mom always said: "Boy! Do not hack! Hacking is illegal."
 
Wait a minute. Hardware back doors were supposed to be the area the Chinese were involved in. I don't think they're going to be happy if the NSA is in there, too. This could cause an international incident! Maybe the UN needs to get involved.
 