A “man-in-the-middle” (MITM) attack is a tool elite hackers use to read supposedly secure online communications. In other words, it is the method organizations like the National Security Agency use to eavesdrop online.
The thousands of documents former NSA contractor Edward Snowden leaked to Guardian journalist Glenn Greenwald earlier this year first documented the agency’s use of MITM attacks, and Sunday’s edition of Brazilian TV news program Fantastico shone a brighter light on how NSA employees utilize MITM attacks to spy, impersonating Google (NASDAQ:GOOG) and possibly other heavily trafficked sites to intercept and read data.
Among the documents leaked to Greenwald and then obtained by Fantastico was an NSA presentation in which the agency described “how the attack was done” on “target” Google users. The May 2012 presentation was used to train new agents using a simple flow chart: an NSA employee logs onto an Internet router — likely one used by an Internet Service Provider or a backbone network — and the “target traffic” is then redirected to the MITM, an intermediary site that harvests the needed information before the data is forwarded to its intended destination.
What the document did not make clear is whether NSA logs onto the Internet routers with the permission of or even knowledge of the router’s owner.
This practice drew particular concern from the Brazilian government because the leaked files showed the NSA allegedly targeted the country’s state-run oil company, Petrobras (NYSE:PBR). Now, Brazilian officials are planning to speak with Snowden in Russia as part of their investigation into the alleged spying. “Without a doubt, Petrobras does not represent a threat to any country,” Brazilian President Dilma Rousseff said in an official note seen by the Los Angeles Times. “But it does represent one of the world’s largest oil assets and the property of the Brazilian people.”
“It’s a question of national sovereignty,” added Congressman Ivan Valente, who sponsored the proposed meeting with Snowden. “It’s much more than just that the United States is acting against terrorism. With Petrobras, economic, industrial and commercial interests are now at play,” he told the Times.
“The [Department of Defense] does ***not*** engage in economic espionage in any domain, including cyber,” read a statement emailed to The Washington Post from an NSA spokesman, whose agency is part of the Defense Department. However, the statement did reveal that the department “does engage” in computer network exploitation. Computer Network Exploitation, or CNE, is defined as enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target automated information systems or networks.
What makes an MITM attack so effective is that it defeats encryption without having to crack any code. Browsers were designed to automatically foil MITM attacks, Johns Hopkins cryptography expert Matthew Green told Mother Jones’s Josh Harkinson. Browsers trade information with entities known as certificate authorities, which store Internet sites’ “public keys,” or digital signatures. These certificate authorities alert browsers about sites that they cannot certify as legitimate, meaning they may be an impersonation.
According to Green, the problem is that not all certificate authorities are trustworthy. “If you are big enough and spend enough money,” Green told Mother Jones, “you can actually get them to give you your own signing key.” With a signing key, a fake certificate for any site on the Internet can be created, which is likely what the NSA did when it impersonated Google, said Green. Because there are between 100 and 200 certificate authorities, that process is relatively easy, according to him.
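The weakness Green describes is that any trusted certificate authority can sign a certificate for any site, so a forged certificate from a cooperating CA passes the browser’s normal check. The following toy model (an added example, not code from the article or from any browser; certificate parsing and signing are simulated with HMAC, and the CA names, keys and site are constructed) shows that check accepting a forged certificate, and shows how key pinning, which compares the site’s public key against a known value, rejects it:

```python
import hashlib
import hmac

# Toy model of the trust decision the article describes (constructed, not
# real X.509 parsing): a certificate is a dict with a subject, an issuer,
# the SHA-256 of its public key (its "SPKI pin") and a signature. Signing is
# modelled as HMAC with the issuer's private key so that the chain check
# resembles the real one without needing a crypto library.
CA_KEYS = {  # constructed private keys of two CAs the browser trusts
    "Legit CA": b"legit-ca-private-key",
    "Coerced CA": b"coerced-ca-private-key",
}
TRUSTED_ROOTS = set(CA_KEYS)


def _sign(issuer, subject, pin):
    return hmac.new(CA_KEYS[issuer], f"{subject}|{pin}".encode(), "sha256").hexdigest()


def issue(issuer, subject, spki):
    """Issue a leaf certificate: any trusted CA can sign for any subject."""
    pin = hashlib.sha256(spki).hexdigest()
    return {"subject": subject, "issuer": issuer, "spki_sha256": pin,
            "sig": _sign(issuer, subject, pin)}


def chains_to_trusted_root(cert):
    """Standard browser check: signed by any CA in the trust store."""
    if cert["issuer"] not in TRUSTED_ROOTS:
        return False
    expected = _sign(cert["issuer"], cert["subject"], cert["spki_sha256"])
    return hmac.compare_digest(expected, cert["sig"])


def pin_ok(cert, pins):
    """Key pinning: the public key must be one the site is known to use,
    no matter which trusted CA signed the certificate."""
    return cert["spki_sha256"] in pins.get(cert["subject"], set())


def accept(cert, pins):
    return chains_to_trusted_root(cert) and pin_ok(cert, pins)


# Constructed sample: the genuine site key and a forged certificate for the
# same hostname issued by a second, equally trusted CA.
REAL_KEY = b"real-site-public-key-bytes"
FORGED_KEY = b"interceptor-public-key-bytes"
PINS = {"www.example.com": {hashlib.sha256(REAL_KEY).hexdigest()}}

genuine = issue("Legit CA", "www.example.com", REAL_KEY)
forged = issue("Coerced CA", "www.example.com", FORGED_KEY)
```

Both certificates satisfy `chains_to_trusted_root`, which is the point Green makes; only the pin check tells them apart.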
An article published by The New York Times on September 5 gave further details on how the NSA is able to circumvent basic privacy safeguards on the Internet. According to an intelligence budget document leaked by Snowden, the NSA spends approximately $250 million annually on the Sigint Enabling Project, a program that “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.”
Sigint is the abbreviation for signals intelligence, the technical term for electronic eavesdropping. In fact, the NSA’s successful interception of everyday Internet communications depends on voluntary cooperation from Internet companies. When voluntary cooperation failed, documents show that the security agency forced the companies to help through court orders, stole encryption keys, or altered their software or hardware, the Times reported.
In response to questions from Mother Jones, Google issued a short statement. “As for recent reports that the US government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring,” said spokesman Jay Nancarrow. “We provide our user data to governments only in accordance with the law.” As The Washington Post reported earlier this month, Google is encrypting the data the NSA is harvesting from its data centers to make spying more difficult.
“This is just a point of personal honor,” Eric Grosse, Google’s vice president for security engineering, told the Post. “It will not happen here.” Whether the company’s efforts will thwart MITM attacks is not clear.
Follow Meghan on Twitter @MFoley_WSCS