NSA Shown to Operate a MITM Hack in Brazil

The majority of Edward Snowden's leaked documents have been aired by the Guardian in the UK, The Washington Post in the US, and Spiegel in Germany. But Glenn Greenwald, the journalist entrusted by Snowden, lives in Brazil, and a few Brazil-centric leaks have been released there first.

This happened last weekend, when a Brazilian television company broadcast details from new documents and followed up with an online report in Fantastico. It has taken some time for the full import of these reports to be felt in America and Europe, but three elements are particularly noteworthy.

The first is that the documents make it clear that the Brazilian oil company Petrobras has been a major surveillance target. At the end of last month the Washington Post reported, “The Department of Defense does engage” in computer network exploitation, according to an e-mailed statement from an NSA spokesman, whose agency is part of the Defense Department. “The department does ***not*** engage in economic espionage in any domain, including cyber.”

These latest leaks appear to contradict this, and indicate that the NSA does engage in economic espionage.

The second is that the spy agency appears to have set up a man-in-the-middle attack against Google, or more precisely against specific Google users. One particular slide, purportedly from the NSA documents, has been made available by TechDirt. If correct, it shows targeted users' traffic being redirected from a router to a server labeled 'MITM', and only after that to the 'Legitimate Google Server'.

The router could either sit at an ISP that is collaborating with the NSA, willingly or under legal coercion, or be a compromised router on the target's own network. MITM is an NSA server used to harvest the Google credentials of those being targeted, and the legitimate server is Google proper. If this system actually exists, it means that targeted users are likely to hand their Google account details to the NSA without ever realizing it.

This methodology would require the use of fake certificates, but that is not thought to be an obstacle for an organization with the NSA's resources. In an additional twist, Bruce Schneier commented this morning, "Another screenshot implies that the 2011 DigiNotar hack was either the work of the NSA, or exploited by the NSA."

The third revelation undermines the world's banking system. Fantastico reports, "Other targets include French diplomats – with access to the private network of the Ministry of Foreign Affairs of France – and the SWIFT network, the cooperative that unites over ten thousand banks in 212 countries and provides communications that enable international financial transactions. All transfers of money between banks across national borders go through SWIFT."

This led Cecilia Malmström, EU Commissioner for Home Affairs, to tweet yesterday, "Spoke to US counterparts last night and conveyed strong concerns about alleged NSA tapping. Following up with a letter today, requesting consultation under the TFTP agreement. We need clear, satisfactory answers. /CM"

In theory, reports Reuters, "In the absence of such satisfactory answers, the EU could revoke an agreement that allows the United States to access information under its Terror Finance Tracking Programme (TFTP)."
