People who care about crypto should read CDT’s new post, What the heck is going on with NIST’s cryptographic standard, SHA-3?
Category Archives: Cryptography
You rarely see a MITM attack in real life, but the Miami Heat (that’s 2-time champion basketball for the foreign readers) big man Chris Andersen, known as ‘Birdman’ for his Mohawk and many tattoos, appears to have been the victim of one:
Andersen’s lawyer and agent, Mark Bryant, said his client was duped by a woman in Canada who sought a relationship and gifts and who threatened a female acquaintance of Andersen’s in California while impersonating the tattoo-covered fan favorite known as “Birdman.”
Bryant said neither Andersen nor his acquaintance realized they weren’t communicating with each other online or via cellphone texts but rather were communicating with the woman in Canada, who impersonated one to the other.
The article at Huffington isn’t clear about all the messy details; more oddly it calls the scam a “Catfishing Hoax” but that doesn’t seem appropriate because (as I understand it) in a Catfishing scenario the other person doesn’t exist. Here, it sounds like both parties existed but an intermediary was able to insert herself into their communications. The Man in the Middle (MITM) attack is one of the things that security professionals worry about a great deal when assessing purportedly secure communications mechanisms.
Please feel free to correct me in comments if I misunderstood something.
Update: Much clearer article at ESPN.com, Heat’s Chris Andersen cleared:
“We were always confident that Chris was innocent but we just couldn’t figure out what had happened,” Andersen’s lawyer, Mark Bryant, told ESPN.com. “It turned out that it was a Manti Te’o situation. It was Manti Te’o on steroids.”
Te’o, the former Notre Dame football star, was caught up in a scheme last year when several individuals created a fake person and started a relationship with Te’o over the Internet, something known as “catfishing.”
In Andersen’s case, a woman in the middle used social media to dupe two people without their knowledge, according to police.
The woman, identified by the Denver Post as Shelly Lynn Chartier of Easterville, Manitoba, posed as Andersen in electronic conversations with a woman in California. Then she posed as the California woman in electronic conversations with Andersen.
Along the way, police told Andersen, she made threats pretending to be Andersen and attempted extortion pretending to be the woman from California. Chartier was arrested by Canadian authorities in January.
“When they searched Chris’ house they were basically looking for an I.P. address,” Bryant said. “But it wasn’t there. They kept investigating but it took time because it ended up involving two countries.”
More than a year after sheriffs from Douglas Country, Colo., searched Andersen’s home, they asked for a meeting with him. ….
… Using charts and slowly explaining their case, the authorities informed Andersen what had happened to him.
“It was right out of CSI with all the charts,” Bryant said. “When we walked in there both pretty hostile, it had been 15 months since this happened and we were cooperating but we hadn’t heard anything. Chris had a pretty good scowl.”
As the police started showing him what took place, Andersen unfolded his arms and then moved closer to the table. He and Bryant just looked at each other, stunned by what they were being told had taken place.
Basically, you can tamper with a logic gate to be either stuck-on or stuck-off by changing the doping of one transistor. This sort of sabotage is undetectable by functional testing or optical inspection. And it can be done at mask generation — very late in the design process — since it does not require adding circuits, changing the circuit layout, or anything else. All this makes it really hard to detect.
The paper talks about several uses for this type of sabotage, but the most interesting — and devastating — is to modify a chip’s random number generator.
Which means that the crypto is sabotaged.
Neither Bruce nor I is willing to say the NSA isn’t doing this.
CNET News, NSA disguised itself as Google to spy, say reports. It seems they are talking about a man-in-the-middle attack, based on a fake cryptographic certificate, which isn’t when you think about it so surprising. But when I read the headline, I imagined they’d run around with fake business cards impersonating Google staff.
And then there’s this one: Former Intelligence Analyst: Obama Was Wiretapped By NSA In 2004. I’d have marked this as ‘tinfoil’ a month ago. I still want to as the details seem pretty skimpy. But anything seems possible now.
Alexander was fond of building charts that showed how a suspected terrorist was connected to a much broader network of people via his communications or the contacts in his phone or email account.
“He had all these diagrams showing how this guy was connected to that guy and to that guy,” says a former NSA official who heard Alexander give briefings on the floor of the Information Dominance Center. “Some of my colleagues and I were skeptical. Later, we had a chance to review the information. It turns out that all [that] those guys were connected to were pizza shops.”
A retired military officer who worked with Alexander also describes a “massive network chart” that was purportedly about al Qaeda and its connections in Afghanistan. Upon closer examination, the retired officer says, “We found there was no data behind the links. No verifiable sources. We later found out that a quarter of the guys named on the chart had already been killed in Afghanistan.”
Those network charts have become more massive now that Alexander is running the NSA. When analysts try to determine if a particular person is engaged in terrorist activity, they may look at the communications of people who are as many as three steps, or “hops,” removed from the original target. This means that even when the NSA is focused on just one individual, the number of people who are being caught up in the agency’s electronic nets could easily be in the tens of millions.
We could debate that “barely legal” part. But then again, like the Daily Show said way back at the beginning of this long strange trip, the biggest scandal might be that all this spying is in fact legal.
Bruce Schneier, explaining to Financial Times why US tech companies will get hurt by news that NSA got some of them to put back doors into their products while others complied with the FISA court orders — even setting up automated systems transfer the data:
“How would it be if your doctor put rat poison in your medicine? Highly damaging,” said Bruce Schneier, a US computer security expert.
Might make you shop around a just a little bit. When the dust settles though, it’s not clear what other country’s tech providers will seem more trustworthy. China? Korea? UK? France? Unlikely all. Not Switzerland. Certainly not Russia. Who then? Can Iceland grow a big enough tech sector?