My friend Jeff has alerted me to a large hole in the SSL encryption problem: that of the compelled certificate creation attack.

Here’s how it works: your web browser comes pre-programmed to trust a number of certificate authorities. A certificate authority is an organization which vouches for an SSL-certificate being presented by a website. An SSL-certificate is designed to positively identify that a website you’re connecting to is who it says it is.

A national government intent on spying could compel one of these certificate authorities (call it ABC Certificates) to create an imposter SSL certificate (for, say, bankofamerica.com) and bless it with ABC Certificates’s stamp of approval. Because your browser trusts ABC Certificates, it will happily trust this fake certificate from bankofamerica.com. The evil national government could then surreptitiously intercept all traffic bound for the real bankofamerica.com and point it to its fake website so as to collect information. Or, it could surreptitiously insert a proxy into the SSL data stream and capture packets, with you or your browser being none the wiser.

You can read the findings of the two Indiana University researchers, Christopher Soghoian and Sid Stamm, here [PDF] on Cryptome.Org. You can also read the discussion of the vulnerability here (scroll to lower 2/3rds of the transcript).

Yesterday I received a strange email sent to a neighborhood list by a neighbor. The subject was “Modesty Marquita” (which sounds like a stripper name, actually) and all that was in the body of the message was a URL to a webserver in Brazil. I searched the web for any references to either of these items and didn’t turn up anything unusual, so I wrote it off.

This evening made me change my mind, however. Another friend (Let’s call her Anne) sent out four similar emails. Same M.O.: a random person’s name in the subject line and a web URL in the body. That’s when I figured out something is not right in Gmail land.

The kicker was this message below (I’ve changed account data). This message was sent from one Gmail account to another one: in other words it never left Google’s network:
Continue reading →

This morning’s paper told of a massive cyber-espionage network being uncovered, with most of it leading back to China. The report, called Shadows in the Cloud: An investigation into cyber espionage 2.0 is quite revealing:

Complex cyber espionage network – Documented evidence of a cyber espionage network that compromised government, business, and academic computer systems in India, the Office of the Dalai Lama, and the United Nations. Numerous other institutions, including the Embassy of Pakistan in the United States, were also compromised. Some of these institutions can be positively identified, while others cannot.

Theft of classified and sensitive documents – Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”.

Evidence of Collateral Compromise – A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan.

Command-and-control infrastructure that leverages cloud-based social media services – Documentation of a complex and tiered command and control infrastructure, designed to maintain persistence. The infrastructure made use of freely available social media systems that include Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail.

Links to Chinese hacking community – Evidence of links between the Shadow network and two individuals living in Chengdu, PRC to the underground hacking community in the PRC.

Read more of the report here.