Covert data gathering seems to be the talk of the town, and secret government programmes keep popping up to add fuel to the fire. A new report by Mother Jones now says that the NSA and/or its affiliated agencies may have posed as Google and other major Internet sites to gather data on people.
The first mention of this came from Brazilian website Fantastico, which obtained and published a document leaked by whistleblower Edward Snowden detailing how a “man in the middle (MITM)” attack involving Google was allegedly carried out. The document in question has now been removed, though.
This attack, a common tactic among hackers, uses a fake security certificate to impersonate a legitimate one. The attack essentially bypasses browser security settings and intercepts data from an unsuspecting victim. The technique is particularly vicious because hackers can use the information they receive this way on the real websites and act as a “man in the middle”. They receive requests from the user, pass them on to the real site and return the requested information, all the while collecting data for themselves without anyone knowing about it.
The NSA may have impersonated Google to secretly gather data from users
The leaked document mentioned a till-now unknown GCHQ spy programme called 'Flying Pig' in what appears to be a slide taken from an NSA presentation. The document details how NSA employees log in to a router, most likely one used by an Internet service provider. Once logged in, the agency redirects the target's traffic to an “MITM”, basically a site that acts as a middle man, collecting communication and data before sending it on to the intended destination.
The worrisome bit is that browsers are designed to stop these attacks cold. They are supposed to interact with partners known as certificate authorities, who keep huge databases of “public keys” or digital signatures of websites. Browsers, in turn, will be warned by the latter about any site that can’t be legitimately certified. But that is where the loopholes begin to surface. The original report says agencies with enough funding can actually buy their own signing keys, i.e. the signature needed to certify websites. With this in hand, agencies like the NSA can easily create a fake certificate for any site on the Internet. With close to 200 certificate authorities currently functional, buying this is a relatively easy task.
MITM attacks can be risky, though, according to the source. Google Chrome, for example, keeps a separate list of the public keys used for Google's sites, and the browser will alert Google if it detects any attempt to forge these sites. But that's only if someone was looking for a warning sign. It could also be that the NSA's system did not set off any alarm bells at all.
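The difference between the ordinary certificate-authority check and the separate key list described above can be shown in a few lines. This is an added example, not code from Chrome or from the report: certificates are modelled as plain records, signature verification is left out, and all host names, CA names and key bytes are constructed for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str  # name the certificate claims (host or CA)
    issuer: str   # name of the CA that signed it
    spki: bytes   # stand-in for the DER SubjectPublicKeyInfo bytes

def spki_pin(spki: bytes) -> str:
    """Base64 of SHA-256 over the public key bytes, the usual pin encoding."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

# Constructed sample data; signature verification is omitted (assumption).
TRUSTED_CAS = {"Example Root CA", "Other Trusted CA"}
SITE_KEY, ROOT_KEY = b"constructed-site-key", b"constructed-root-key"
PINS = {"www.example.test": {spki_pin(SITE_KEY), spki_pin(ROOT_KEY)}}

def ca_check(host, chain):
    """Ordinary validation: leaf names the host and chains to ANY trusted CA."""
    linked = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return (bool(chain) and chain[0].subject == host and linked
            and chain[-1].subject in TRUSTED_CAS)

def evaluate(host, chain):
    """Return (verdict, report); report is set only for a pin mismatch."""
    if not ca_check(host, chain):
        return "reject-untrusted", None
    pins = PINS.get(host)
    if pins is None:
        return "accept", None  # unpinned host: the CA check is the only defence
    seen = [spki_pin(c.spki) for c in chain]
    if pins.intersection(seen):
        return "accept", None
    # CA-valid but unexpected key: block it and keep evidence for reporting.
    return "reject-pin-mismatch", {"host": host, "issuer": chain[0].issuer,
                                   "seen_pins": seen}

def other_ca_chain(host):
    """A chain for `host` issued by a different, still trusted, CA."""
    return [Cert(host, "Other Trusted CA", b"constructed-other-leaf"),
            Cert("Other Trusted CA", "Other Trusted CA", b"constructed-other-ca")]

GENUINE = [Cert("www.example.test", "Example Root CA", SITE_KEY),
           Cert("Example Root CA", "Example Root CA", ROOT_KEY)]
```

The same chain from the second trusted CA is accepted for a host with no pins and rejected, with a report, for the pinned host, which is why a pin list turns a silent substitution into a detectable event.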
The MITM attacks were reportedly discovered by journalist Glenn Greenwald among the thousands of documents leaked by Snowden in June. The documents reportedly revealed the NSA's use of MITM attacks against Brazil's state-owned oil company, Petrobras, and also stated that information was intercepted in the same way from Google’s servers.
The source states that the search giant has been increasing its efforts to stop such clandestine data gathering from the NSA. In a statement, Google has said, "As for recent reports that the US government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring. We provide our user data to governments only in accordance with the law."
Published Date: Sep 13, 2013 04:33 pm | Updated Date: Sep 13, 2013 04:33 pm