This week's seen all sorts of interesting revelations about how the US government seeks access to your computers, your data and anything else you may have that they deem of interest. Let's look at a few of them.
First, the NSA appears to have passed itself off as Google in so-called 'Man In The Middle' attacks on Internet users. CNET reports:
A technique commonly used by hackers, a MITM attack involves using a fake security certificate to pose as a legitimate Web service, bypass browser security settings, and then intercept data that an unsuspecting person is sending to that service. Hackers could, for example, pose as a banking Web site and steal passwords.
. . .
It's not clear if the supposed attack ... was handled by the NSA or by its UK counterpart, the Government Communications Headquarters (GCHQ). The article by the Brazilian news agency says, "In this case, data is rerouted to the NSA central, and then relayed to its destination, without either end noticing."
"There have been rumors of the NSA and others using those kinds of MITM attacks," Mike Masnick writes on Techdirt, "but to have it confirmed that they're doing them against the likes of Google... is a big deal -- and something I would imagine does not make [Google] particularly happy."
Google provided a short statement to Mother Jones reporter Josh Harkinson in response to his questions on the matter: "As for recent reports that the US government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring. We provide our user data to governments only in accordance with the law." (The company is also trying to win the right to provide more transparency regarding government requests for data on Google users.)
CNET got a "no comment" from the NSA in response to our request for more information.
As Techdirt suggests, an MITM attack on the part of the NSA or GCHQ would hardly be a complete shock. The New York Times reported last week that the NSA has sidestepped common Net encryption methods in a number of ways, including hacking into the servers of private companies to steal encryption keys, collaborating with tech companies to build in back doors, and covertly introducing weaknesses into encryption standards.
It wouldn't be much of a stretch to obtain a fake security certificate to foil the Secure Sockets Layer (SSL) cryptographic protocol that's designed to verify the authenticity of Web sites and ensure secure Net communications.
There's more at the link. Worthwhile reading.
Next, despite a ruling from the full bench of the 9th Circuit earlier this year, it appears that several security agencies are using US border controls to circumvent requirements for search warrants. NBC reports:
Newly disclosed U.S. government files provide an inside look at the Homeland Security Department's practice of seizing and searching electronic devices at the border without showing reasonable suspicion of a crime or getting a judge's approval.
The documents published Monday describe the case of David House, a young computer programmer in Boston who had befriended Army Pvt. Chelsea Manning, the soldier convicted of giving classified documents to WikiLeaks. U.S. agents quietly waited for months for House to leave the country then seized his laptop, thumb drive, digital camera and cellphone when he re-entered the United States. They held his laptop for weeks before returning it, acknowledging one year later that House had committed no crime and promising to destroy copies the government made of House's personal data.
The government turned over the federal records to House as part of a legal settlement agreement after a two-year court battle with the American Civil Liberties Union, which had sued the government on House's behalf. The ACLU said the records suggest that federal investigators are using border crossings to investigate U.S. citizens in ways that would otherwise violate the Fourth Amendment.
. . .
Catherine Crump, an ACLU lawyer who represented House, said she doesn't understand why Congress or the White House is leaving the debate up to the courts.
"Ultimately, the Supreme Court will need to address this question because unfortunately neither of the other two branches of government appear motivated to do so," said Crump.
Again, more at the link.
What's even more worrying is what payloads the security agency(ies) might be loading onto your hardware before they return it to you. In its latest 'Technology Investor' newsletter, Casey Research explains.
... when you're on the road and perhaps storing important documents on your laptop, tablet, or smartphone ... Your devices are subject to seizure on the flimsiest of pretexts, and any data they hold can be pirated.
. . .
An August 2008 exposé in the Washington Post revealed publicly for the first time that the US Department of Homeland Security had been exercising [such] powers in secret for quite a while. And its reach is even broader. The policies apply to anyone entering the country by any means, and they cover hard drives, flash drives, mobile phones, iPods, pagers, beepers, and video and audio tapes, as well as books, pamphlets, and other written materials. Moreover, anything confiscated may be held indefinitely. The courts have approved all of these actions.
. . .
... agents are allowed to share the contents of seized computers with other agencies and private entities for data decryption and "other reasons." Copies sent to non-federal organizations must be returned to the DHS, but there is no way to ensure against copies of copies being made and retained. There is also no limitation on authorities keeping notes or making extensive reports about the materials.
. . .
Security experts believe that, in addition to suspected terrorists and their sympathizers, there are plenty of other potential targets of domestic and foreign authorities alike, including: political activists of any stripe; journalists specializing in political stories; known hackers and data security specialists; academics involved in political research; corporate personnel connected to certain types of technology; business leaders charged with large-scale decision making; and probably any number of other focus groups that are less obvious.
If you are singled out, the first concern, of course, is data theft. You must assume that all stored information has been compromised... or at least looked at and probably copied for a more leisurely perusal later on. There is no defense against this. If you have to carry sensitive material, you're at risk. Encryption will only slow them down.
Best bet is not to have anything important on there in the first place. If you must transport critical info, make sure you have copies back home—they mean it when they say "indefinite holding." Plus, if you have a hard drive on which sensitive material was previously stored, you might want to wipe that clean. Simply erasing it isn't enough: you need to run a program that completely overwrites all of the data, making retrieval impossible.
But perhaps more insidious is that many government officials may, with impunity, "modify" your computer or phone. They can install hard- or software that gives them future access to your machine and anything you do on it.
For instance, they can add a keylogger that keeps track of all your keystrokes, stores them, and transmits them to a remote computer of their choice.
They can load a Trojan that will be all but impossible for you to detect. It'll just sit there until you do something that it's been programmed to watch for, at which time it will activate and broadcast the desired data. Or the Trojan's purpose may be to provide a back door for a remote controller to enter your computer system, take it over, and use it for any desired purpose. You can essentially be turned into a bot and even be added to a botnet.
Your phone can be turned into a listening and/or tracking device. It can be made to transmit not only your location, but also anything you do with the phone, including voice calls, texts, video, websites visited, app usage, files read, and so on to a designated receiver.
. . .
Remember, your phone, tablet, or laptop need only be out of your sight and in a skilled hacker's hands for a few minutes in order for the damage to be done. And at that point, there is virtually no way to know that your device is spying on you.
More at the link, including details of how your hardware can be modified to do this, and signs that may reveal it's been done to yours.
Basically, these stories reveal that our security establishment has turned into a loose cannon; a self-serving, out-of-control bureaucracy determined to do whatever it deems appropriate to do its job, whether or not the measures it uses will pass constitutional muster. In most cases, it does its utmost to prevent their constitutionality from being tested, so that it can't be forbidden to use them. It no longer gives a damn about the rights and privileges of citizens and residents. It's interested only in its own mission and its own self-perpetuation.
It's long past time to shut down these arrogant bastards. How we'll do it, I don't know . . . but unless we do, our constitutional Republic is doomed.