In Security the Key Phrase is Trust No One

Last month I posted a story about an interesting Windows security issue dealing with how the operating system handles SSL root certificates. After reading the linked research paper I've been digging through the sources it cites, and I must say the phrase "trust no one" comes through very clearly. The paper cites several stories of government entities coercing private companies into bypassing their own security measures to enable surveillance. Let's look at a few of them.

The first one relates to an online e-mail service called Hushmail. According to Hushmail’s own site:

Every day, people around the world send billions of emails. The vast majority of these are transmitted without using any form of encryption. When you send an email without encryption, it can be monitored, logged, analyzed and stored by your employer, your internet service provider, or worse – a hacker.
….
Hushmail keeps your emails private by encoding each message using encryption. Encryption is a way of transforming a message so that it is unreadable to anyone but the sender and its recipients. Hushmail makes encryption seamless and transparent – we encrypt your message automatically before it is sent, and then restore it back to its original form when the recipient reads it.

And from another section on their site:

In some countries, government sponsored projects have been set up to collect massive amounts of data from the Internet, including emails, and store them away for future analysis. This data collection is done without any search warrant, court order, or subpoena. One example of such a program was the FBI’s Carnivore project. By using Hushmail, you can be assured that your data will be protected from that kind of broad government surveillance.

You'll notice they chose their wording very carefully. They imply their service will prevent government surveillance, but only so long as that surveillance is warrantless. The same page also describes in detail that they will surrender information upon lawful request. Of course, there is a reason they disclose this now:

Zimmermann, who sits on Hushmail’s advisory board, spoke to THREAT LEVEL after we published a piece contrasting the site’s promises that it had no access to the contents of customers’ encrypted emails stored on their servers with a court case showing that the Canadian company turned over 12 CDs of readable emails to U.S. authorities.

At one point Hushmail advertised itself as being unable to access users' e-mails. Then it turned over 12 CDs' worth of customer e-mails and backtracked. Mr. Zimmermann makes a very good point that everybody should realize:

"If your threat model includes the government coming in with all of the force of the government and compelling a service provider to do things it wants them to do, then there are ways to obtain the plaintext of an email," Zimmermann said in a phone interview. "Just because encryption is involved, that doesn't give you a talisman against a prosecutor. They can compel a service provider to cooperate."

It should go without saying that if the company can get at the plaintext of the e-mails stored on its servers, then somebody else can as well: anyone who can compel the company, and anyone who compromises it. So even when an online service proclaims that it stores your data securely and cannot access it, that is usually not true. The only secure option is to encrypt the data while it's still on your machine, with a key that only you hold, and then send it out. For instance, I back up much of my data to an online storage service. Before the data leaves my system it's put into a TrueCrypt partition. Only I have the key to decrypt the partition, so even if a government entity forced my storage provider to hand over my data, there is no way for that provider or the government to decrypt it (obviously I mean before I die; they could brute force the key, but it would take practically a century and I doubt I'll still be alive when they find out my encrypted partition contained nothing important or incriminating).
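The principle above, encrypt locally under a key the provider never sees and upload only ciphertext, shown at the file level as an added example (this is not the author's TrueCrypt setup and not code from any of the services discussed). It uses AES-256-GCM from Go's standard library, a randomly generated key standing in for the volume key the author keeps, and a constructed sample document. The function names `NewKey`, `Seal`, `Open` and `Leaks` are my own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a 256-bit AES key on the client. The key never leaves the
// client; it plays the role of the TrueCrypt volume key in the post.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM under key and returns the blob
// nonce || ciphertext || tag. Only this blob is uploaded, so a provider
// compelled to hand it over can give away neither key nor plaintext.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per blob; reusing one under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce slice, so the blob carries
	// everything Open needs except the key.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. Any change to the blob (bit flip, truncation) or use of
// the wrong key fails the GCM tag check and returns an error, never garbage.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Leaks reports whether the uploaded blob still contains the plaintext in the
// clear, i.e. whether the provider could read the document without the key.
func Leaks(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, _ := NewKey()
	doc := []byte("tax returns 2009 (constructed sample document)")
	blob, _ := Seal(key, doc)
	fmt.Printf("uploaded %d bytes; plaintext visible to provider: %v\n", len(blob), Leaks(blob, doc))
	back, err := Open(key, blob)
	fmt.Printf("decrypted with own key: %q (err=%v)\n", back, err)
	blob[len(blob)-1] ^= 1 // simulate the provider or a court altering the stored copy
	_, err = Open(key, blob)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The design point is that the trust boundary is the key, not the provider's promises: whoever is handed the blob (the provider, a prosecutor, an intruder on the provider's network) gets nothing usable, and the authentication tag means a tampered copy is rejected rather than silently decrypted to something subtly wrong.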

So that's one example cited in the paper. The next one is even more insidious in my opinion, but has a happier ending. I'm sure everybody reading this is at least familiar with OnStar. It's an in-vehicle service provided with Government General Motors vehicles. It lets you call somebody at the press of a button or get help in an emergency, and it lets law enforcement track and find the vehicle should it get stolen. To provide these services it needs two things: a way to play audio, which the car's stereo system provides, and a microphone so you can communicate with OnStar employees.

People buying GM cars see these services as a convenience, but the government sees them as something else: a mechanism for spying on the citizenry.

The court did not reveal which brand of remote-assistance product was being used but did say it involved “luxury cars” and, in a footnote, mentioned Cadillac, which sells General Motors’ OnStar technology in all current models. After learning that the unnamed system could be remotely activated to eavesdrop on conversations after a car was reported stolen, the FBI realized it would be useful for “bugging” a vehicle, Judges Marsha Berzon and John Noonan said.

Yes, the FBI decided OnStar was a great service. You simply flip on the microphone remotely and you can monitor conversations taking place inside the vehicle. Great! Fortunately, the courts decided this was a no-no:

In a split 2-1 ruling, the majority wrote that "the company could not assist the FBI without disabling the system in the monitored car" and said a district judge was wrong to have granted the FBI its request for surreptitious monitoring.

But not for the reasons you’re thinking:

David Sobel, general counsel at the Electronic Privacy Information Center, called the court’s decision “a pyrrhic victory” for privacy.

“The problem (the court had) with the surveillance was not based on privacy grounds at all,” Sobel said. “It was more interfering with the contractual relationship between the service provider and the customer, to the point that the service was being interrupted. If the surveillance was done in a way that was seamless and undetectable, the court would have no problem with it.”

See, in order to activate the microphone remotely without the vehicle occupants knowing, the system's emergency functions had to be disabled. That interfered with the service OnStar was contractually providing to the vehicle owner:

Under current law, the court said, companies may only be ordered to comply with wiretaps when the order would cause a “minimum of interference.” After the system’s spy capabilities were activated, “pressing the emergency button and activation of the car’s airbags, instead of automatically contacting the company, would simply emit a tone over the already open phone line,” the majority said, concluding that a wiretap would create substantial interference.

Personally, I don't trust any system in my vehicle that can be remotely activated, and for good reason. A remotely activated microphone in your vehicle is just asking to be eavesdropped on. The same goes for cellular phones, but Tam pointed out a simple solution for that.

The final cited source I'm going to bring up from that paper (seriously, go read it [PDF]) deals with RIM's BlackBerry phones. In this case the problem wasn't with RIM but with a cellular carrier that sells their devices. I know the United Arab Emirates isn't known for its love of basic human rights, but getting a carrier to install spyware on phones to monitor every BlackBerry user is simply shitting all over privacy.

Details on the spyware application itself can be found here. Although the spyware did not appear to be actively monitoring people's communications by default, it could be remotely activated at any time. Of course the expected activation would be done by law enforcement personnel, but anything they can activate, a resourceful malicious hacker can activate as well. I do want to make it clear that RIM had no knowledge of this and released the following public statement:

In the statement, RIM told customers that “Etisalat appears to have distributed a telecommunications surveillance application… independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user’s smartphone”.

It adds that “independent sources have concluded that the Etisalat update is not designed to improve performance of your BlackBerry Handheld, but rather to send received messages back to a central server”.

This was a case of the UAE government getting a local carrier, Etisalat, to cooperate and install the spyware. The scariest thing here is that the software wouldn't even have been noticed if it hadn't been so poorly coded that it made the phones unstable. Needless to say, the phrase "trust no one" is relevant everywhere in the world.

These stories show that security is something you need to take into your own hands. You can't expect other people to do it, nor can you expect your government to do it. Nobody is going to protect your life, property, or privacy except you. That requires you to acquire pertinent knowledge about the technology you use. Take time to understand the technology and devices in your everyday life and try to come up with ways they could be used against you. Once you see how they can be used against you, you can develop countermeasures.
