Eva Galperin and Yan Zhu
Electronic Frontier Foundation
The NSA has seen the future of mass surveillance, and it appears they believe that the future lies in malware. Earlier this week, The Intercept reported on a series of slides and memos leaked by Edward Snowden describing the NSA’s “more aggressive” approach to signals intelligence, which circumvents encryption, such as web browsing over HTTPS and email protected with PGP, by installing spyware directly onto targets’ computers.
The NSA’s Tailored Access Operations Unit, which develops and deploys malware tools, has been described in a Der Spiegel report as “a squad of plumbers that can be called in when normal access to a target is blocked”, implying that they are a last resort for use when other methods of surveillance fail, but new slides reveal the explosive growth of TAO’s data collection via malware “implants” and plans to scale the number of infected computers from the tens of thousands potentially into the millions using a system called TURBINE.
Furthermore, evidence suggesting that NSA exploits Internet chokepoints for man-in-the-middle attacks and develops software to manage millions of “Computer Network Attack” implants at once demonstrates that their intent is to compromise computer security on a massive scale, rather than a tailored approach. With the help of TURBINE, the NSA’s spyware network has grown from a few hundred implants in 2004, to somewhere between 85,000 and 100,000 implants around the world. Even if you believe that there may be a few hundred key systems with information vital to national security that the NSA cannot reach in any other way—even if you believe there are up to 100,000 such systems—pushing that number up into the millions stretches credulity to the breaking point. It appears that TURBINE is neither necessary for nor proportionate to the government’s aims and that the NSA intends to recapitulate their mass surveillance program by installing spyware on every computer they can get their hands on.
Not only are implants a gross privacy violation, industrial-scale exploitation makes everyone on the Internet less safe. As security researcher Matt Blaze points out in The Intercept’s report, “How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?”
Even Mark Zuckerberg is concerned, to the extent of calling President Obama on the phone to complain. Zuckerberg is right to be angry at NSA for undermining the security that users expect from his company: according to The Intercept, NSA has set up fake Facebook servers and uses Facebook’s cookies and other identifying data to associate a target’s identity with the target’s active device for malware delivery. “When our engineers work tirelessly to improve security,” writes Zuckerberg, “we imagine we’re protecting you against criminals, not our own government.” In this context, the distinction between governments and criminals has become meaningless: an attacker is an attacker, and every website that wants to protect the privacy and security of its users ought to take note.
Slides reveal that a man-in-the-middle capability called SECONDDATE quietly redirects web browsers from the site they think they’re visiting to NSA malware servers called FOXACID. The Intercept reports that “SECONDDATE is tailored not only for ‘surgical’ surveillance attacks on individual suspects. It can also be used to launch bulk malware attacks against computers.”
EFF has the following recommendations for website operators who wish to protect their users from this kind of man-in-the-middle attack:
- Deploy HTTPS by default and set the HTTP Strict Transport Security header to reduce the risk of a man-in-the-middle or man-on-the-side attack. Users can also download HTTPS Everywhere to force HTTPS connections on thousands of sites that don’t yet support it by default.
- Set the “secure” flag on all HTTP cookies to prevent them from being sent in plaintext, since we know that unique cookie strings are used as selectors for TURBINE. HTTPS Everywhere can also set this automatically on the user side if a server fails to do so.
- If possible, support Certificate Transparency for your SSL certificates so that man-in-the-middle attacks using fake certificates for your domain can be publicly logged. (Google has announced plans to enforce Certificate Transparency for all Extended Validation certificates sometime in the near future.)
- Prefer TLS/SSL ciphersuites that support Forward Secrecy so that compromised private keys cannot decrypt past communications.
- Deploy StartTLS for encryption on email servers.
- Use Public Key Pinning to ensure that users only accept SSL certificate chains that you’ve approved. In the absence of pinning, any Certificate Authority can issue a malicious certificate for your domain that will be trusted by browsers; in fact, we’ve seen circumstantial evidence of governments ordering CAs to do so. Unfortunately, the HTTP Public Key Pinning specification is young and has only been implemented in Chrome 18+ at this time, with Mozilla actively working on it for Firefox as well.
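The first two recommendations above (HSTS and the “secure” cookie flag) are both visible in a site’s HTTP response headers, so an operator can audit them without any special tooling. The following script is an added example, not code from EFF or from any project mentioned in this post: it parses a set of response headers, reports a missing or too-short Strict-Transport-Security policy, and reports every Set-Cookie header that lacks the Secure attribute. The sample headers are constructed for illustration, and the minimum max-age threshold is a local policy choice rather than a value from the post.

```python
"""Audit HTTP response headers for HSTS and Secure cookie flags.

Added example, not EFF's code. The header samples below are constructed;
MIN_HSTS_MAX_AGE is an assumed local policy threshold (one day).
"""
from typing import List, Optional, Set, Tuple

Header = Tuple[str, str]

# Assumed policy: an HSTS max-age shorter than this is treated as ineffective.
MIN_HSTS_MAX_AGE = 86400

# Constructed sample: a site that serves cookies without Secure and sets no HSTS.
INSECURE_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "tracking=xyz; Path=/; HttpOnly"),
]

# Constructed sample: the same site after applying the two recommendations.
HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "tracking=xyz; Path=/; Secure; HttpOnly"),
]


def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Return (max_age, include_subdomains) from an HSTS header value.

    max_age is None when the directive is absent or not an integer.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None, include_subdomains
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def cookie_attributes(value: str) -> Tuple[str, Set[str]]:
    """Return (cookie_name, lowercase attribute names) for a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(headers: List[Header],
                  min_max_age: int = MIN_HSTS_MAX_AGE) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings: List[str] = []

    hsts_values = [v for k, v in headers
                   if k.lower() == "strict-transport-security"]
    if not hsts_values:
        findings.append("missing Strict-Transport-Security header")
    else:
        # Browsers honour the first HSTS header they see; audit that one.
        max_age, _ = parse_hsts(hsts_values[0])
        if max_age is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif max_age < min_max_age:
            findings.append(
                f"Strict-Transport-Security max-age {max_age} is below "
                f"the policy minimum of {min_max_age}")

    # A cookie without Secure will be sent over plain HTTP, where a
    # man-in-the-middle can read it and use it as a selector.
    for k, v in headers:
        if k.lower() == "set-cookie":
            name, attrs = cookie_attributes(v)
            if "secure" not in attrs:
                findings.append(f"cookie {name!r} lacks Secure flag")
    return findings


if __name__ == "__main__":
    for label, sample in (("insecure", INSECURE_RESPONSE),
                          ("hardened", HARDENED_RESPONSE)):
        result = audit_headers(sample)
        print(f"{label}: {result if result else 'no findings'}")
```

To audit a live server, feed `audit_headers` the header list from an HTTPS response (for example `resp.getheaders()` from `http.client`); the checks only make sense on the HTTPS response, since HSTS is ignored by browsers when received over plain HTTP.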
NSA has issued a confused press statement that dodged the issues and denied claims never made in The Intercept’s article, adding that it keeps its “foreign intelligence operations . . . as tailored as possible” and that it never targets “any user of global Internet services without appropriate legal authority.” EFF is skeptical, and users and website operators should be as well.