Thursday, March 25, 2010

PacketForensics - Something Smells Funny...

No doubt by now you've seen the story on Wired's "Threat Level" segment on Packet Forensics titled "Law Enforcement Appliance Subverts SSL"? I won't reiterate what was written in the story (you can read it yourself), but this is what captured my interest:

"At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania."
Of course, I wanted to know more.  I wanted to talk to those Packet Forensics folks myself!  Well, apparently that's a lot tougher than you'd think.

First off, I tried calling their Tempe, AZ office several times during business hours and got a "Press 1 for sales, 2 for technical support" menu. When I pressed 1 for "sales" I got a message system asking me to leave a message and someone would call me back. Pressing 2 for "support" got me a live support person who was kind enough to tell me that if I wasn't a current customer I'd need to buzz off. Hrmm...

Also, apparently their system doesn't think my email address (which is my real email address) is real ...

So ... Packet Forensics folks ... I swear my email address is real.  Will someone reply either privately or here on the blog?  I have many, many questions!

Here are some of those questions...
  1. Are Packet Forensics products using an exploit to perform their duties, or are the devices using legitimately purchased (but cloned) certificates of real sites?
  2. Are these devices being used on commercial carrier networks (ISPs) here in the US?
As you can guess there are many more questions, but I can't even see the products on their page without a login name and password ...geeze!

1 comment:

Scott said...

I can't imagine that they'd go through the effort to get the actual cert used by the org they're spoofing. It's far easier to have a trusted CA in the box that generates whatever cert it needs on the fly.

Remember, SSL certs don't guarantee who you're talking to - only that someone "vouched" that they are who they said they are, and that it's encrypted. The trust in SSL comes from the CA, not the cert holder.
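Scott's point, and the Wired description of the box, come down to one fact: ordinary chain validation accepts any certificate for a hostname that any trusted CA vouched for, so a certificate obtained from a different trusted CA is indistinguishable from the site's own. The Go program below is an added example of mine (not code from Packet Forensics, Wired or this blog): it constructs two throwaway CAs and two certificates for one hostname and shows that chain validation accepts both, while a pin on the SHA-256 of the site's public key rejects the substitute. The CA names, the hostname and the `SPKIPin` helper are assumptions for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a throwaway certificate (constructed test data, not any real CA or site):
// a self-signed CA when parent is nil, otherwise a server cert for name signed by parent.
func makeCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo that a client records on a known-good visit.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Scenario models the article: the client trusts caA and caB; the site's real cert is from caA and
// the box presents one for the same host from caB. Chain validation (all a browser does) accepts
// any trusted root vouching for host; the pin compares the public key actually seen before.
func Scenario(host string) (genuineOK, forgedOK, pinOK bool) {
	caA, keyA := makeCert("Honest CA", nil, nil)
	caB, keyB := makeCert("Other Trusted CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caA)
	roots.AddCert(caB)
	genuine, _ := makeCert(host, caA, keyA)
	forged, _ := makeCert(host, caB, keyB)
	_, errGenuine := genuine.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	_, errForged := forged.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return errGenuine == nil, errForged == nil, SPKIPin(forged) == SPKIPin(genuine)
}
func main() { fmt.Println(Scenario("example.com")) } // prints "true true false"
```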