Data Privacy Smoke and Mirrors

Data Privacy

As hardware and software manufacturers make public statements about hardening and protecting their services in the name of customer privacy, federal agencies speak out against it – let the smoke and mirrors game begin…

After Snowden revealed how deep tech company’s “data sharing” cooperation with the federal government has been, many of them are now making stands on protecting their customer’s data privacy. Google and Apple have announced that their latest operating systems will include encryption by default. According to the Washington Post, Apple has gone as far as stating that they will not be able to unlock an Apple device, even with a search warrant:

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data, so it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

As expected, government officials are coming out in protest of the tech giants move to protect data privacy. FBI Director James Comey recently told reporters that the move could hinder investigations and put lives at risk, “I’d hate to have people look at me and say, ‘Well how come you can’t save this kid?’ ‘How come you can’t do this thing?

In all honesty, this just appears to be a lot of smoke and mirrors. Manufacturers have worked hand-in-hand with law enforcement for a very long time, and most likely are not going to stop now, or anytime soon. Does anyone remember Cisco’s “Lawful Intercept?”

On Cisco’s website, Lawful Intercept is defined as:

… the process by which law enforcement agencies conduct electronic surveillance of circuit and packet-mode communications as authorized by judicial or administrative order. Countries throughout the world have adopted legislative and regulatory requirements for providers of public and private communication services (service providers) to design and implement their networks to support authorized electronic surveillance explicitly. International standards organizations have also developed standards to guide service providers and manufacturers in specific lawful intercept capabilities.”

Communication interception devices in use by the government (and apparently some law enforcement agencies) have the capability to intercept and analyze cell phone calls and other electronic signals, so having physical access to a device may not be as big as a priority as before. Even so, if someone can remotely access a device as the currently logged in user, certain data encryption is meaningless – the device will dutifully unencrypt the data for the remote user thinking it is in fact the legitimate user.

It would seem that this display of concern for data privacy is nothing more than a public display to regain consumer trust. As soon as access to a device is needed for a criminal case or terrorist incident, you better believe that a back door or other way to access needed data will be available.



Did Iran Recover Encrypted Data from the Downed Stealth Drone?

Iranian officials released claims yesterday that they have finished their reverse engineering of the downed US stealth drone and will begin to make a copy. They also claim they have recovered encrypted data from the UAV.

On Sunday, Iranian Brig. General Amir Ali Hajizadeh stated, “The Americans should be aware to what extent we have infiltrated the plane, our experts have full understanding of its components and programs.”

The Iranians released information they say was encrypted flight and maintenance data from internal databases:

“This drone was in California on October 16, 2010, for some technical work and was taken to Kandahar in Afghanistan on November 18, 2010. It conducted flights there but apparently faced problems and US experts were unable to fix it.”

They also claimed that the drone flew over Bin Laden’s compound two weeks before American Special Forces captured the  Al-Qaeda leader.

Though some reports are saying that what the Iranians have actually recovered is basically no more than the drone’s “Black Box”. Iranian Gen. Hajizadeh states, “Had we not accessed the plane’s software and hard discs, we wouldn’t have been able to achieve these facts”.

US officials are denying that Iran was able to recovered any encrypted data. Today, U.S. Defense Secretary Leon Panetta stated, “I don’t want to get into the particulars of that program, but I think I can tell you based on my experience that I would seriously question their ability to do what they say they have done.”

Because the stealth drone is a classified system, the public may never know the truth. Iran is most likely not working on reverse engineering the drone by itself, both China and Russia would love to get their hands on this state of the art drone.

If Iran did somehow recover encrypted data, one would have to ask, could they use the information gained to compromise another UAV? The US is using an ever increasing number of automated systems and especially drones as force multipliers.

Back in 2009, now retired USAF Lt. General Dave Deptula stated that during that year, the Air Force trained more drone pilots than fighter and bomber pilots combined. As robotic system usage increases, the US must be sure that the systems are protected against subversion and in the case of captured hardware, that the unit will not give away information that could be used to compromise other systems.

Researchers Break Military Chip Encryption Keys using Nvidia Tesla GPUs

German IT Security researchers at Ruhr University have recently released a report documenting the ability to crack strong encryption used in programmable chips. These chips are used in Military and Aerospace embedded systems.

According to Government Computer News, the researchers were able to crack the encryption key and access data on two different model Field Programmable Gate Array (FPGA) chips using an attack called differential power analysis (DPA).

In the attack, power use is monitored during the power up sequence of the chip. As it is powered up, the chip accesses a key used to decrypt the configuration data file and data stream. By analyzing the power used, the team was able to decrypt the key:

“Side-channel analysis attacks follow a divide-and-conquer strategy,” they wrote. “That is, the key is recovered in small pieces.”

The keys were extracted in eight pieces of 32 bits each from the data gathered in a single power up for each chip. They analyzed the power consumption of 50,000 encrypted bitstream blocks for the Virtex 4 and 90,000 blocks for Virtex 5.

According to the report, a set of four nVidia Fermi Tesla C2070 GPU’s analyzing the data could obtain the key from a Virtex 4 device in about 6 hours, and a Virtex 5 device in about 9 hours.

But what could an attacker do if they obtained the key? An attacker could possibly reverse engineer the bitstream, modify the device configuration or implant a hardware trojan.

Defenses against this type of attack exist, but according to the research some new chips do not use the defense technology and some existing chips may also be vulnerable. Though at this time no known attacks using DPA exist,  that doesn’t mean that some nation states have not thought about using it in an attack. Paul Kocher, a developer of DPA and president of Cryptography Research, had this to say:

“If China gets a piece of military equipment and breaks the key in an FPGA, they wouldn’t talk about it, but if [the researchers] can do it, the presumption is that anyone else who wants to could.”

Counterfeit network gear intended for the US military has already been recovered by FBI agents. It is not a long stretch to think that FPGA chips could also be a target of foreign nations.

* Update – “Cracks in encryption security for embedded chips not fatal, company says” – GCN

SSL Issues: From Man-in-the-Middle Attacks to Foreign Hackers

Very good article yesterday on The Register that talks about the issues with SSL. We have been taught over the years that if the website you are visiting uses HTTPS (instead of the standard HTTP address) and you have a little lock icon show up in your browser, then your web frolicking is safe and encrypted.

But that may not necessarily be true.

Security researcher Moxie Marlinspike has shown time and again that SSL can be intercepted and the encryption bypassed. One would just have to look at his program SLLstrip to see this in action.

It works as a man-in-the-middle attack and takes your request for an HTTPS encrypted site, and basically steps in between the process, creating the encrypted link with the target system, but communicating to your system completely unencrypted.

I saw a presentation once by Moxie where he talked about running SSLstrip on a Tor exit node (Tor is a program used for surfing anonymously online). He then mentioned all the passwords, and credit card numbers that SSLstrip was able to pull from Tor users and save in plain text (You don’t shop using Tor do you?). He also talked about the inherent weaknesses of SLL, which was also the topic of The Register’s article.

According to the article, hacker attacks aside, there seems to be little verification checking before certificates are handed out. For example, in 2008 Mike Zusman from the security firm Intrepidus Group was able to purchase a certificate for Microsoft’s domain. In the same year a separate researcher was able to purchase a certificate for

But that is just a few that slipped by right? Not necessarily:

Last week, an analyst from the Electronic Frontier Foundation found that CAs have issued more than 37,000 SSL credentials for so-called unqualified domain names, such as “localhost,” “exchange,” and “exchange01.” These are the prefixes that many organizations append to their domains and use to designate Microsoft exchange servers and other internal resources.

When you add in reports of foreign hackers stealing certificates & creating fake certificates and also hardware devices that perform SSL man-in-the-middle attacks, it sounds like SSL is really in need of an overhaul.