NSA disguised itself as Google to spy, say reports CNET Article

[chrisj1968]

Story  link: http://news.cnet.com/8301-13578_3-57602701-38/nsa-disguised-itself-as-google-to-spy-say-reports/

 

If a recently leaked document is any indication, the US National Security Agency -- or its UK counterpart -- appears to have put on a Google suit to gather intelligence.

 

 

Here's one of the latest tidbits on the NSA surveillance scandal (which seems to be generating nearly as many blog items as there are phone numbers in the spy agency's data banks).

Earlier this week, Techdirt picked up on a passing mention in a Brazilian news story and a Slate article to point out that the US National Security Agency had apparently impersonated Google on at least one occasion to gather data on people. (Mother Jones subsequently pointed outTechdirt's point-out.)

Brazilian site Fantastico obtained and published a document leaked by Edward Snowden, which diagrams how a "man in the middle attack" involving Google was apparently carried out.

A technique commonly used by hackers, a MITM attack involves using a fake security certificate to pose as a legitimate Web service, bypass browser security settings, and then intercept data that an unsuspecting person is sending to that service. Hackers could, for example, pose as a banking Web site and steal passwords.

The article by Brazil's Fantastico mentions a hitherto unknown GCHQ spy program called "Flying Pig." This prompted a Twitter quip from Electronic Frontier Foundation attorney Kurt Opsahl: "PRISM, Flying Pig. Someone in the surveillance state has a thing for Pink Floyd album covers."

(Credit: Pig: Musiclipse.com; prism: Harvest, Capitol.)

The technique is particularly sly because the hackers then use the password to log in to the real banking site and then serve as a "man in the middle," receiving requests from the banking customer, passing them on to the bank site, and then returning requested info to the customer -- all the while collecting data for themselves, with neither the customer nor the bank realizing what's happening. Such attacks can be used against e-mail providers too.

It's not clear if the supposed attack in the Fantastico document was handled by the NSA or by its UK counterpart, the Government Communications Headquarters (GCHQ). The article by the Brazilian news agency says, "In this case, data is rerouted to the NSA central, and then relayed to its destination, without either end noticing."

"There have been rumors of the NSA and others using those kinds of MITM attacks," Mike Masnick writes on Techdirt, "but to have it confirmed that they're doing them against the likes of Google... is a big deal -- and something I would imagine does not make [Google] particularly happy."

Google provided a short statement to Mother Jones reporter Josh Harkinson in response to his questions on the matter: "As for recent reports that the US government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring. We provide our user data to governments only in accordance with the law." (The company is also trying to win the right toprovide more transparency regarding government requests for data on Google users.)

CNET got a "no comment" from the NSA in response to our request for more information.

As TechDirt suggests, an MITM attack on the part of the NSA or GCHQ would hardly be a complete shock. The New York Times reported last week that the NSA has sidestepped common Net encryption methods in a number of ways, including hacking into the servers of private companies to steal encryption keys, collaborating with tech companies to build in back doors, and covertly introducing weaknesses into encryption standards.

It wouldn't be much of a stretch to obtain a fake security certificate to foil the Secure Sockets Layer (SSL) cryptographic protocol that's designed to verify the authenticity of Web sites and ensure secure Net communications.

Indeed, such attacks have been aimed at Google before, including in 2011, when a hacker broke into the systems of DigiNotar -- a Dutch company that issued Web security certificates -- and created more than 500 SSL certificates used to authenticate Web sites.

In any case, the purported NSA/GCHG impersonation of Google inspired a rather clever graphic by Mother Jones, one that might even impress the rather clever Doodlers at Google:

 

 

 

[COKid]

And yet I still don't care. But you get an "A" for your fud errorts. :)

[vcfan]

NSA:  "No one will suspect a thing"

[freak180]

And yet I still don't care. But you get an "A" for your fud errorts. :)

Such a childish attitude 

[+Warwagon MVC]

And yet I still don't care. But you get an "A" for your fud errorts. :)

 

I really wish the NSA would target you for no apparent reason.

[theyarecomingforyou]

If you want an insight into the insanity that pervades intelligence services in the US then check out this interview on the Colbert Report:

 

http://www.youtube.com/watch?v=nF6Ajwjq2So&feature=youtu.be&t=14m21s

 

They are run by angry little men who think they know better than everybody else. Truly scary. :no:

[DocM]

There was a recent article in Foreign Policy Magazine (paywall) reporting that NSA Chief Keith Alexander had what amounted to their Situation Room decorated by Hollywood types to look like the command deck of the Enterprise D from ST:TNG, including a leather Captain's Chair. All computerized with a full-wall screen and ops-crew consoles.

Every Congress-critter that passed through got the tour and time in The Chair, and NSA almost always got what they wanted.

EDIT: one of several reports on the FP article -

http://www.businessinsider.com/nsa-chief-keith-alexander-and-star-trek-2013-9

[123456789A]

Oh, I thought Google was the NSA.

[Growled Member]

The NSA has gone way too far and it's time why were reined back in. 

[Anibal P]

The NSA has gone way too far and it's time why were reined back in. 

 

The sheep in the country won't vote someone in who will actually do the right thing, they rather vote for the one who promises the most freebies 

[Anibal P]

i dunno, Republicans promised as usual, tax cuts and incentives to the rich (freebies), and it didnt help them any.

The so called right thing you say, ruined the country.

 

Those tax cuts helped me out and I'm nowhere close to being considered rich by any definition, don't let propaganda get in the way of reality  

[AsherGZ]

No matter who the ruling party is, your president is just a puppet. The main people running your country from behind the scenes are defence contractors and organizations who never want America to be at peace. Organizations like NSA are nothing more than a lame effort to scare the people into good behavior and ensure they never stand up to the system that thrives on war and send your soldiers to die in the name of freedom because they have access to all your secrets. I mean how many times has the all knowing NSA prevented a terrorist attack. Your government is perfectly fine with letting the people believe whatever new hoohah your media claims the NSA is capable of. After all that's how your government controls you: using fear tactics.