
Certified Lies: Big Brother In Your Browser

You probably feel safe when you see the padlock on your browser window indicating secure communication with your bank or e-mail account. You probably think your users are safe if they are accessing your network over your SSL VPN. What if instead of worrying about man-in-the-middle attacks, it became government-spy-in-the-middle eavesdropping? Is Big Brother spying on you? Before I'm done showing you these surveillance products, you will probably be ticked for both security and privacy reasons.

Remote Control System V6 (RCS) is a premier, integrated, multi-OS platform for remotely attacking, infecting and controlling target computers and mobile phones. RCS FULLY SUPPORTS XP, Vista, 7, MacOS, iPhone and Symbian - It is INVISIBLE to most protection systems available in the market - It is a PROVEN technology: it is being used by Agencies worldwide since 2003 - Target monitoring includes Skype, chat, mail, web, removable media, encrypted communications, PGP, GSM-cell GEO-tracking, GPS GEO-tracking, voice calls, etc.

The Packet Forensics flyer

According to the Packet Forensics flyer: "Packet Forensics' devices are designed to be inserted-into and removed-from busy networks without causing any noticeable interruption [...] This allows you to conditionally intercept web, e-mail, VoIP and other traffic at-will, even while it remains protected inside an encrypted tunnel on the wire [...] To use our product in this scenario, [government] users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate 'look-alike' keys designed to give the subject a false sense of confidence in its authenticity [...] Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption [...] In under five minutes, they can be configured and installed [...] they're disposable -- that means less risk to [government] personnel."

Microsoft's documentation shows that it has adopted a more cautious approach in trusting CAs than its competitors; a fresh installation of Windows 7 will list 15 CAs in the operating system's Trusted Root Store. Sadly, however, this interface is terribly misleading as it doesn't reveal the fact that Microsoft has opted to trust 264 different CAs. This means any web browser that depends upon Microsoft's Trusted Root Store (such as Internet Explorer, Chrome and Safari for Windows) ultimately trusts 264 different CAs to issue certificates without warning. Firefox is the only major browser to maintain its own database of trusted CAs. Each of the 264 root CAs trusted by Microsoft, the 166 root CAs trusted by Apple, and the 144 root CAs trusted by Firefox is capable of issuing certificates for any website, in any country or top-level domain. You don't think the government will use their own CA, which could be traced back to them if discovered, do you?

To be fair, however, all encrypted streams that travel over the Internet are susceptible to government spying, not just those that use Microsoft technology.
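Because every trusted root can sign for any site, one client-side check is to remember which CA issued each host's certificate and flag a change of issuer even when the chain validates. The sketch below is an added example, not from the original article; the store layout, function names, host name and sample certificates are constructed, and the certificate dicts follow the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import hashlib

def _field(name, key):
    """Pull one attribute out of the nested-tuple name form getpeercert() uses."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def issuer_id(cert):
    """(country, organization) of the CA that signed this certificate."""
    issuer = cert.get("issuer", ())
    return (_field(issuer, "countryName"), _field(issuer, "organizationName"))

def check_observation(store, host, cert, der):
    """Compare an already-validated certificate with the last one seen for host.

    store: dict host -> {"issuer": (country, org), "sha256": hex digest}
    cert:  dict as returned by SSLSocket.getpeercert()
    der:   bytes as returned by SSLSocket.getpeercert(binary_form=True)
    """
    seen = {"issuer": issuer_id(cert), "sha256": hashlib.sha256(der).hexdigest()}
    prev = store.get(host)
    if prev is None:
        store[host] = seen
        return "first-seen"
    if prev["sha256"] == seen["sha256"]:
        return "unchanged"
    if prev["issuer"] == seen["issuer"]:
        store[host] = seen          # routine renewal under the same CA
        return "renewed-same-issuer"
    # Chain is valid but signed by a different CA: keep the old record for review.
    return "issuer-changed"

def _cert(country, org):
    """Constructed sample in getpeercert() dict form (not a real certificate)."""
    return {"subject": ((("commonName", "mail.example.test"),),),
            "issuer": ((("countryName", country),), (("organizationName", org),))}

def demo():
    store, host = {}, "mail.example.test"
    steps = [(_cert("US", "Example Trust CA"), b"leaf-1"),       # first visit
             (_cert("US", "Example Trust CA"), b"leaf-1"),       # same certificate
             (_cert("US", "Example Trust CA"), b"leaf-2"),       # renewal, same CA
             (_cert("ZZ", "Other Root Authority"), b"leaf-3")]   # different CA
    return [check_observation(store, host, c, d) for c, d in steps], store

if __name__ == "__main__":
    print(demo()[0])
```

A site that legitimately moves to a new CA produces the same `issuer-changed` verdict, so the result is a trigger for review rather than proof of interception.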

How does this affect you?

Many information-hungry governments routinely compel companies to assist them with surveillance. ISPs and telecommunications carriers are frequently required to violate their customers' privacy by providing the government with email communications, telephone calls, search engine records, financial transactions and geo-location information. A few examples of this electronic surveillance by law enforcement include: a consumer electronics company that was forced to remotely enable the microphones in a suspect's automobile dashboard GPS navigation unit in order to covertly record their conversations, as well as a secure email provider that was required to place a covert back door in its product in order to steal users' encryption keys. And who can forget the NSA's wiretapping?

According to Cisco, there are 35 billion devices connected to the Internet. How many of those are being eavesdropped upon? Next time you see the padlock on your browser, will you still feel like your important communications are secure? Do you feel like your privacy is truly private?

More information: Networkworld