How the NSA broke trillions of encrypted connections

As technology has become more interconnected as we have advanced over the years security has become a major issue and many people have pushed companies and developers into ensuring and using encryption and other techniques to guarantee people’s data is safe and secure and only accessible by the people that own it. Diffie-Hellman Key Exchange is a method of generating a shared private key with which two computers can use to secure a previous insecure channel. The Diffie-Hellman Key Exchange method is used by many different protocols to encrypt the traffic like VPN, SSH, HTTPS. To break a key for something like this, which is normally 1024 bits, it can take up to a year and cost millions of dollars, the NSA doesn’t have the money or time to continually crack these keys instead they have just enough time to crack only two. The flaw in the Diffie-Hellman encryption that the NSA discovered that there are two commonly used primes that are used to calculate the 1024-bit key. NSA cracked one key and was able to decrypt two thirds of VPN connections and a quarter of all SSH server globally. The other key they generate allowed them the eavesdrop on about 18% of the top million HTTPS websites. The attack is effective only on IPsec and a fair amount of SSH but not all, PGP and iMessage are immune to this attack. There is also other information backing up this theory of the NSA cracking the two keys, in the files that Edward Snowden leaked there was claims that showed the agency being able to monitor encrypted VPN connections. The research team that discovered this recommend that websites move to 2048-bit Diffie-Hellman keys, but 3072-bit would be needed to be really impervious to this attack and SSH users upgrade to the latest OpenSSH which uses Elliptic-Curve Diffie-Hellman Key Exchange.

Source:

http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/

http://www.techworm.net/2015/10/nsa-break-encrypted-web-vpn-connections-cryptographic-mistake.html

http://thehackernews.com/2015/10/nsa-crack-encryption.html

https://www.lawfareblog.com/nsa-and-weak-dh

By Peter Carenzo

Man Buys Google.com for $12?

Last week at around 1:20 AM on Tuesday, perhaps not all that strangely for someone surfing the web so late, Sanmay Ved found something rather interesting. Ved, an ex-Google Display Specialist and Account Strategist, found listed on Google Domains, Google.com.

Google Domains is still in beta, but it’s googles attempt at domain registration service. One of the first things you see when vistting the site is “From 12$ a year”, and that’s exactly what Ved found google.com listed for.

While Ved’s ownership may have been brief, he said that his credit card was charged and that google.com showed up in his order history. His ownership was basically confirmed when he was flooded with emails concerning the change of ownership from other sites tied to Google.

Luckily for Google, they noticed almost immediately and, because they owned the site where he purchased the domain, were able to cancel the sale in just about 1 minuet. Ved may have missed out on owning Google.com, but he was refunded his full $12 and got 15 minuets of fame so all’s well that ends well.

Ved got in contact with Google’s security team who acknowledged the incident. A spokesperson for Google reportedly told Business Insider that they are investigating what caused this to happen but still haven’t found anything out of the ordinary yet.

 Google. Image courtesy of antb/Shutterstock.

 

https://nakedsecurity.sophos.com/2015/10/02/how-one-man-bought-google-com-for-just-12/

Proxyham and its Disappearance

There are many different technologies to provide anonymous internet access.  While having a private access to the internet is good for many people, it can be critical for journalists and activists.  Tor, using onion routing, and VPNs providing encrypted tunnels for data, just to name a few.  But all these solutions have weaknesses.  With Tor you never know who is running the exit node you use.  There may also be defects in how legitimate exit nodes handle data.  VPN providers may keep logs that they must provide to the government under a court order.  The issue with all these technologies it that they are fully virtual.  There is still a direct network link, however well obfuscated, that leads directly to you.

DSCN0363

Photo Courtesy of Ben Caudill and Wired

Benjamin Caudill, the founder of Rhino Security Labs, came up with a solution.  It is called Proxyham.  He calls it a physical proxy, to be used as a compliment to traditional tools such as Tor.  Proxyham is a small device based on a raspberry pi, that contains a tradition 2.4Ghz or 5Ghz wifi radio, as well as a long range 900 Mhz transmitter.  The device can be left near a public hotspot.  It will then forward the wifi connection over 900Mhz, up to 2.5 miles to the real user.  The genius of this solution, is that even if a trace does manage to get through whatever other obfuscation methods you use, investigators will only find the ip address and location of the Proxyham.    “You can have it all the way across town, and worst case scenario the police go barge into the library across town,” Caudill said.  … The internet signal travelling back to the user is at such low frequency, Caudill added, that it’s really hard for anyone to track it down. At that frequency, “the spectrum is crowded with other devices,” such as baby monitors, walkie talkies, and cordless phones. – Wired

Caudill had planned to present at this year’s DefCon next month.  But last Friday, the Twitter feed of Rhino Security Labs posted that the presentation was no longer taking place.  DefCon has also confirmed that Caudill informed them that he was not going to present. Not only is he not presenting at DefCon, the entire project has been canceled, all prototypes destroyed, and research halted.  In a call from Wired, Caudill said he couldn’t say why he canceled the project. He is CEO of his own company, so it wasn’t his employer.  There was speculation that the FCC found fault with how the device used 900 MHz radio, but Caudill refuted this claim, stating that the device transmitted at under the 1 Watt limit.  So far the only explanation that makes any sense is that he is under a gag order by… somebody.  When asked if he had a run in with law enforcement he replied,”No comment.”

As stated by Wired,”Online anonymity tools certainly aren’t illegal. Tools like VPNs have allowed users to obscure their IP addresses for years. The anonymity software Tor is even funded by the U.S. government. But it’s possible that secretly planting a ProxyHam on someone else’s network might be interpreted as unauthorized access under America’s draconian and vague Computer Fraud and Abuse Act.”

So is the government now cracking down on the development of security technology they can’t crack?  Look at what is happening to Apple in relation to iMessage and full device encryption.  They are being punished for using this kind of security.  If it was simply a matter of conforming to the Computer Fraud and Abuse Act, why all the secrecy?

This blog was based on two articles, one by Wired, detailing the disappearance of the project: http://www.wired.com/2015/07/online-anonymity-project-proxyham-mysteriously-vanishes/

And another by Motherboard cited in the Wired post with a more detailed explanation of the initial proposal by Rhino Security Labs:

http://motherboard.vice.com/read/with-this-device-you-can-connect-anonymously-to-wi-fi-25-miles-away

Edit:  Interesting speculation by hackaday:

Let’s Speculate Why The ProxyHam Talk Was Cancelled

It’s July. In a few weeks, the BlackHat security conference will commence in Las Vegas. A week after that, DEFCON will begin. This is the prime time for ‘security experts’ to sell themselves, tip off some tech reporters, exploit the Arab Spring, and make a name for themselves. It happens every single year.

The idea the ProxyHam was cancelled because of a National Security Letter is beyond absurd. This build uses off the shelf components in the manner they were designed. It is a violation of the Computer Fraud & Abuse Act, and using encryption over radio violates FCC regulations. That’s illegal, it will get you a few federal charges, but so will blowing up a mailbox with some firecrackers.

If you believe the FBI and other malevolent government forces are incompetent enough to take action against [Ben Caudill] and the ProxyHam, you need not worry about government surveillance. What you’re seeing is just the annual network security circus and it’s nothing but a show.

The ProxyHam is this year’s BlackHat and DEFCON pre-game. A marginally interesting security exploit is served up to the tech media and devoured. This becomes a bullet point on the researcher’s CV, and if the cards land right, they’re able to charge more per hour. There is an incentive for researchers to have the most newsworthy talk at DEFCON, which means some speakers aren’t playing the security game, they’re playing the PR game.

In all likelihood, [Ben Caudill] only figured out a way to guarantee he has the most talked-about researcher at DEFCON. All you need to do is cancel the talk and allow tech journos to speculate about National Security Letters and objections to the publication of ProxyHam from the highest echelons of government.

If you think about it, it’s actually somewhat impressive. [Ben Caudill] used some routers and a Raspberry Pi to hack the media. If that doesn’t deserve respect, nothing does.

Author- Mark White

http://hackaday.com/2015/07/14/how-to-build-a-proxyham-despite-a-cancelled-defcon-talk/

Defense spending unable to keep up with growing cybersecurity threats.

The government lack of care when it comes to cybersecurity is slowly catching up with them. With the rapid growth of technology and hacking culture, the need to protect government and military systems is more important than ever. The only thing that is holding back the military from spending on the latest software is because of rules set by the General Services Administration, they require that the software must be on the market for at least two years. By the time they get the software it is already very outdated.

Another issue with inferior software is that with every year more things are connected through networks. We’re in a time when everything is connected that includes our weapon systems, ships, tanks, and planes as stated by Defense Secretary Ash Carter. It’s sad to see that the Navy is still using Windows XP as there operating system. They have recently entered a contract with Microsoft, for them to provide security patches for the outdated software. If an attacker were able to get into some of these systems it would be a catastrophe no matter what the outcome is. Examples of such catastrophes would be, sensitive information being leaked, blueprints for new weapon designs/ systems, or absolute worst case scenario would be them gaining access to military equipment and causing them to fire.

The government is working on making it easier for agencies and the military to get new software. The National Defense Authorization Act, which is being debated in Congress, this will lead to major reform on how agencies can obtain newer software and be able to bring cybersecurity to a more secured standard. So far it has passed the House back in late May, and was passed in the Senate in mid-June. According to congress.gov it says that it is currently on the stage of “Resolving Differences”, as to when the President will sign it, there is no set date.

Sources

http://www.usnews.com/news/articles/2015/08/17/defense-spending-red-tape-endangers-cybersecurity

http://thehill.com/policy/cybersecurity/242235-house-passed-defense-budget-fully-funds-cyber

https://www.congress.gov/bill/114th-congress/house-bill/1735/text

Anti-iPhone WiFi

A new zero day vulnerability in iOS gives anyone with a router the ability to shutdown any iOS powered device.  Security researchers have just recently discovered this bug in Apple’s SSL library which can apparently crash all applications on the device and even trigger an endless reboot cycle to render the device inoperable.  This bug could also be coupled with another bug uncovered two years ago that forces iOS devices to connect to WiFi hotspots as soon as they get into range.  In this way, an iOS user would be unable to use their device when within the radius of any WiFi hotspot configured in this manner.

The good news about this – if there is any – is that the researchers at Skycure that discovered this vulnerability haven’t released the details on exactly how to do it in the hopes that Apple will solve the issues before anyone takes advantage of this issue in the wild.

– Keegan Parrotte

Sources

http://appleinsider.com/articles/15/04/22/researchers-leverage-ssl-bug-to-crash-apple-devices-over-wi-fi-in-no-ios-zone-attack

http://arstechnica.com/security/2015/04/22/ios-bug-sends-iphones-into-endless-crash-cycle-when-exposed-to-rogue-wi-fi/

http://www.theregister.co.uk/2015/04/22/apple_no_ios_zone_bug/