The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

Archive for January 2013

It appears that China recently launched a poorly executed Man in the Middle (MITM) attack on GitHub.

Greatfire.org has all the details.

In short:

GitHub.com is an https only website, so the only way to monitor it is to use a MITM attack to decrypt the contents of the communications. There is evidence that GitHub is widely used in China for code sharing, so the backlash from blocking it completely was too large, and it was unblocked a few days later.

The attack happened on January 26. It was poorly executed in that the faked certificate did not match the real one in any of the meta-data and it was not signed by a recognized certificate authority. This caused most browsers to report a security error. The MITM attack only lasted about an hour.

Based on reports it only impacted users in China, which strongly suggests that it was government backed at some level. My work in censorship circumvention over the years has shown that China is far from monolithic. This could have been the work of a local government or regional ISP. I have not seen an analysis showing if this was country wide or not. It seems very ham fisted for the central government.

The speculated reason for the attack is to monitor access to a list of people who have been involved in creating the Great Firewall of China, which is hosted on GitHub, and is connected to a petition on Whitehouse.gov proposing that those people be denied entry to the US.

· · · ·

For years I have been telling people to be especially careful when they venture into the dark back alleys of the Internet. My thinking was that these more “wild west” areas would be home to most of the malware and other attacks.

Dark Reading analyzes a Cisco report which says that online shopping sites and search engines are over 20 times more likely to deliver malware than counterfeit software sites. Advertisers are 182 times more dangerous than pornography sites.

So, I guess I need to change my tune. Be careful when you are going about your daily business, and have fun in those dark alleys!

· ·

A Guest Post by Robin Wilton of the Internet Society

 

We are the raw material of the new economy. Data about all of us is being prospected for, mined, refined, and traded…

 

. . . and most of us don’t even know about it.

 

Every time we go online, we add to a personal digital footprint that’s interconnected across multiple service providers, and enrich massive caches of personal data that identify us, whether we have explicitly authenticated or not.

 

That may make you feel somewhat uneasy. It’s pretty hard to manage your digital footprint if you can’t even see it.

 

Although none of us can control everything that’s known about us online, there are steps we can take to understand and regain some level of control over our online identities, and the Internet Society has developed three interactive tutorials to help educate and inform users who would like to find out more.

 

We set out to answer some basic questions about personal data and privacy:

 

  1. Who’s interested in our online identity? From advertisers to corporations, our online footprint is what many sales driven companies say helps them make more informed decisions about not only the products and services they provide – but also who to target, when and why.

 

  1. What’s the real bargain we enter into when we sign up? The websites we visit may seem free – but there are always costs. More often than not, we pay by giving up information about ourselves – information that we have been encouraged to think has no value.

 

  1. What risk does this bargain involve? Often, the information in our digital footprint directly changes our online experience. This can range from the advertising we see right down to paying higher prices or being denied services altogether based on some piece of data about us that we may never even have seen. We need to improve our awareness of the risks associated with our digital footprint.

 

  1. The best thing we can do to protect our identity online is to learn more about it.

 

The aim of the three tutorials is to help everyone learn more about how data about us is collected and used. They also suggest things you need to look out for in order to make informed choices about what you share and when.

 

Each lasts about 5 minutes and will help empower all of us to not only about what we want to keep private, but also about what we want to share.

 

After all, if we are the raw material others are mining to make money in the information economy, don’t we deserve a say in how it happens?

 

Find out more about the Internet Society’s work on Privacy and Identity by visiting its website.

 

* Robin Wilton oversees technical outreach for Identity and Privacy at the Internet Society.

No tags

Play

Welcome to first podcast of 2013. In honor of Data Privacy Day, which falls on January 28th, I’ll be discussing current data privacy and security issues facing both consumers and businesses by taking you through the pros and cons of privacy legislation, privacy in the context of social media, and corporate data security at the human level.

Hope you enjoy January’s episode of The Privacy Blog Podcast. Please leave any feedback or questions you have in the comments section below.

· · · · · · · ·

The latest Java exploit has given another view into the workings of the cybercrime economy. Although I should not be, I am always startled at just how open and robustly capitalistic the whole enterprise has become. The business is conducted more or less in the open.

Krebs on Security has a nice piece on an auction selling source code to the Java exploit. You can see that there is a high level of service provided, and some warnings about now to ensure that the exploit you paid for stays valuable.

· ·

I did not post on the recent Java vulnerability because the fixes came out so quickly, however, it looks like I relaxed too soon.

Apparently there was a second vulnerability that did not get fixed. At this point, you should probably just disable Java in your browser. Gizmodo has a short article on how to do that for the various browsers.

Very few websites actually require Java any more. If you absolutely need to visit one of them, I suggest enabling Java on just one of your browsers and using that browser exclusively for visiting that trusted site with Java.

· ·

Gigaom reports on a major security issue at Nokia, first announced in the “Treasure Hunt” blog.

Their Asha and Lumia phones come with something they call the “Xpress Browser”. To improve the browser experience, the web traffic is proxies and cached. That is a fairly common and accepted practice.

Where Nokia has stepped into questionable territory is when it does this for secure web traffic (URLs starting with HTTPS://). Ordinarily it is impossible to cache secure web pages because the encryption key is unique and used only for a single session, and is negotiated directly between the browser and the target website. If it was cached no one would be able to read the cached data.

Nokia is doing a “man in the middle attack” on the user’s secure browser traffic. Nokia does this by having all web traffic sent to their proxy servers. The proxy then impersonate the intended website to the phone, and set up a new secure connection between the proxy and the real website.

Ordinarily this would generate security alerts because the proxy would not have the real website’s cryptographic Certificate. Nokia gets around this by creating new certificates which are signed by a certificate authority they control and which is pre-installed and automatically trusted by the phone.

So, you try to go to Gmail. The proxy intercepts that connection, and gives you a fake Gmail certificate signed by the Nokia certificate authority. Your phone trusts that so everything goes smoothly. The proxy then securely connects to Gmail using the real certificate. Nokia can cache the data, and the user gets a faster experience.

All good right?

The fly in the ointment is that Nokia now has access to all of your secure browser traffic in the clear, including email, banking, etc.

They claim that they don’t look at this information, and I think that is probably true. The problem is that you can’t really rely on that. What if Nokia gets a subpoena? What about hackers? What about accidental storage or logging?

This is a significant breaking of the HTTPS security model without any warning to end users.

· · · · ·