Gogo Inflight Internet is intentionally issuing fake SSL certificates

In this case, performing a man-in-the-middle attack would require the attacker to attack the SSL certificate first before being able to snoop on someone’s traffic.

For whatever reason, however, Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users. Adrienne Porter Felt, an engineer that is a part of the Google Chrome security team, discovered while on a flight that she was being served SSL certificates from Gogo when she was requesting Google sites. Looking at the issuer of the certificate, rather than being issued by Google, it was being issued by Gogo.

via Gogo Inflight Internet is intentionally issuing fake SSL certificates – Neowin.

Issuing fake SSL certificates is clearly a deceptive practice that should be illegal for providers of wifi.  This article shows a good reminder that an attacker must get your permission from your system to grant the fake certificate and pop up windows explaining this on most systems are very clear.  Never click yes when this window pops up unless on a secure network with prior knowledge as to the purpose for the certificate issuance.

Past reports on Gogo from this blog here and here.

Apparently Gogo’s Terms of Service may claim hijacking SSL connections is an acceptable form of “filtering.”   Beware of any open wifi system that does this.  It’s bad enough with third party script kiddies hijacking your sessions let alone the provider of your network.

Acknowledgement of Filtering and Restriction of Access to Pornography or Other Offensive or Objectionable Material. You specifically acknowledge and agree that Gogo may, as a necessary incident of providing the Service, or as required or permitted by law, by law enforcement authorities or by the host airline, or as hereby expressly contemplated by this Agreement, use any advanced blocking technologies and other technical, administrative or logical means available to it, to identify, inspect, remove, block, filter, or restrict any uses, materials or information (including but not limited to emails) that we consider to be actual or potential violations of the restrictions on use set forth in this Agreement, including, but not limited to, those activities that may subject Gogo or its customers to liability or danger, or material that may be obscene, lewd, lascivious, filthy, excessively violent, pornographic, harassing, or otherwise objectionable.

A Close Look at the NSA’s Most Powerful Internet Attack Tool

Rather than go through the bureaucratic fight to move the attack logic into “system low” (and co-located on the wiretap), the NSA sought to work around it in the case of QUANTUMHAND. Instead of targeting just any web connection for exploitation, it targeted persistent “push” connections from Facebook, where a user’s browser would leave an idle connection open, waiting for a command from the server.

This way, even the slow, broken, classified architecture could exploit Facebook users. Sadly for NSA and GCHQ (and FSB, and DGSE, and every other spy agency), Facebook turned on encryption a few months ago, which should thwart this attack.

via A Close Look at the NSA’s Most Powerful Internet Attack Tool | Wired Opinion | Wired.com.

The biggest limitation on QUANTUM is location: The attacker must be able to see a request which identifies the target. Since the same techniques can work on a Wi-Fi network, a $50 Raspberry Pi, located in a Foggy Bottom Starbucks, can provide any country, big and small, with a little window of QUANTUM exploitation. A foreign government can perform the QUANTUM attack NSA-style wherever your traffic passes through their country.

No, I Don’t Trust You! — One of the Most Alarming Internet Proposals I’ve Ever Seen

The technical details get very complicated very quickly, but what it all amounts to is simple enough. The proposal expects Internet users to provide “informed consent” that they “trust” intermediate sites (e.g. Verizon, AT&T, etc.) to decode their encrypted data, process it in some manner for “presumably” innocent purposes, re-encrypt it, then pass the re-encrypted data along to its original destination.

via Lauren Weinstein’s Blog: No, I Don’t Trust You! — One of the Most Alarming Internet Proposals I’ve Ever Seen.

In essence it’s a kind of sucker bait. Average users could easily believe they were “kinda sorta” doing traditional SSL but they really wouldn’t be, ’cause the ISP would have access to their unencrypted data in the clear. And as the proposal itself suggests, it would take significant knowledge for users to understand the ramifications of this — and most users won’t have that knowledge.

This editorial illustrates that Man In The Middle (MITM) attacks cannot happen without user consent.  This blogger fears that ISPs will require consent for all SSL sessions  making all users’ end to end encryption vulnerable to a “trusted” proxy.  Here is a blurb in the draft.

From the IETF draft:  Explicit Trusted Proxy in HTTP/2.0 draft-loreto-httpbis-trusted-proxy20-01

This document describes two alternative methods for an user-agent to automatically discover and for an user to provide consent for a Trusted Proxy to be securely involved when he or she is requesting an HTTP URI resource over HTTP2 with TLS. The consent is supposed to be per network access. The draft also describes the role of the Trusted Proxy in helping the user to fetch HTTP URIs resource when the user has provided consent to the Trusted Proxy to be involved.

The consent is supposed to be on a per network (or destination) basis which means there may be a reason the user agent will want to use a trusted proxy — perhaps they do not trust the destination network.  The blogger implies ISPs will want blanket consent over all destinations which 1) they could implement now without this standard and 2) this would not make for a good PR move because it would not go unnoticed.

Setting up a man-in-the-middle device with Raspberry Pi, Part 1

The regular install on a Raspberry Pi is NOOBS (new out-of-box software) and contains several pre-packaged operating systems. However for the purpose of our MITM device we’ll be using a different Linux distro for our Pi: PwnPi. PwnPi is a distribution of the Raspbian OS that contains many pre-installed packages for security and penetration testing which is naturally right up our alley. So, go ahead and download PwnPi. Once it’s downloaded we’ll need to load it onto our SD card. First, format your SD card using the SD card formatter from the SD association. If the “size” value shown in the formatter is less than the size of your card, be sure to choose “format size adjustment” in the card.

via Setting up a man-in-the-middle device with Raspberry Pi, Part 1 | jeffq, published.

Targeted Internet Traffic Misdirection

In practical terms, this means that Man-In-the-Middle BGP route hijacking has now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real. Everyone on the Internet — certainly the largest global carriers, certainly any bank or credit card processing company or government agency — should now be monitoring the global routing of their advertised IP prefixes.

This kind of attack should not happen. You cannot carry out this kind of hijacking without leaving permanent, visible footprints in global routing that point right back to the point of interception. We believe that people are still attempting this because they believe (correctly, in most cases) that nobody is looking.

via The New Threat: Targeted Internet Traffic Misdirection – Renesys.

Sslstrip Tutorial

Description: SSLstrip was released by Moxie to demonstrate the vulnerabilities he spoke about at Blackhat 2009. In this video we will look at how to get started with SSLstrip. We setup 2 vmware machines, one running Widnows XP (victim) and the other Backtrack 3 (Attacker). Before we actually begin hacking using SSLstrip, we need to setup the entire Man in the Middle Mechanism and packet redirection / forwarding mechanism. We do this by using the following commands in sequence:

via Sslstrip Tutorial.

This tool assumes a man in the middle setup and that http traffic (port 80) gets redirected to a port sslstrip listens to on the attacker’s machine (port 10000 in this video).  Sslstrip then intercepts https traffic and returns to the victim http traffic.  The victim thinking his traffic is encrypted is  transmitting in plain text while sslstrip manages the ssl session with the victim’s destination (i.e. bank).  Since this attack is using http the victim does not need to validate an ssl certificate thus it’s transparent.  Detecting this attack is simple because the browser returns http in the displayed url instead of https so an alert victim should know.  But not everyone may notice this.

Nokia’s MITM on HTTPS traffic from their phone

From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.

via Nokia’s MITM on HTTPS traffic from their phone « Treasure Hunt.

Flaws allow 3G devices to be tracked

Two attacks were conducted using off-the-shelf kit and a rooted — or modified — femtocell unit which broadcasted a 3G signal. The attacks were made by intercepting, altering and injecting 3G Layer-3 messages into communication between the base station and mobile phones in both directions.

via Flaws allow 3G devices to be tracked – Networks – SC Magazine Australia – Secure Business Intelligence.

The researchers wrote that the attacks could be used to track staff movements within a building.

“[The employer] would first use the femtocell to sniff a valid authentication request. This could happen in a different area than the monitored one. Then the employer would position the device near the entrance of the building. Movements inside the building could be tracked as well by placing additional devices to cover different areas of the building,” they wrote.