7

In recent news, CNET has reported requests for passwords, hashing and/or encryption algorithms and salts from U.S. government agencies:

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

While I'm only mildly worried that they can impersonate users at will, it strikes me as a major concern that enterprising private or non-U.S. APT-affiliated blackhats may attempt to impersonate U.S. government and get access to the data. Maybe I'm overthinking this...

Related:

Deer Hunter
  • 5,327
  • 5
  • 34
  • 50

1 Answers1

5

Impersonating law enforcement agents is an old trick used by criminals to fool honest people. This is a mechanism used in numerous movies, e.g. this one.

Though it has been revealed that the US government requested (and presumably obtained) some user password dumps from Internet companies, the exact details of the used protocols for that exchange are not known. We can imagine that it involved a face-to-face meeting with some government agents, probably in a discreet way (the whole operation was supposed to be secret, so no warrant or uniformed officers), but the responsible people at the target Internet companies were somehow convinced that they were talking to genuine US agents.

If I were in the position of the government agency officer trying to setup this interception, I would first invite the ISP CEO to meet me in a very official-looking building, say the Pentagon or the CIA headquarters at Langley. The guy would then see me and be convinced that I really am an official member of the hidden US forces, by virtue of me being able to secure an office in the main CIA building. Then, I could later meet the guy again, at his office, and he would recognize me and accept to hand me a fresh batch of passwords.

The important point in all this is that the vulnerability is not the US government; it is that ISP are apparently willing to hand passwords over to someone who could convince them that he operates under a direct mandate of the US government. The vulnerability would still be there even if the US government had never been involved at all !


Another attack vector is afterwards. Assume that a real government agent obtained the passwords. Then he will store them. Somewhere. Will they be well protected there ? US taxpayers certainly hope that expensive intelligence agencies are competent and won't store sensitive data on hackable servers. But can they be sure of that ?

Tom Leek
  • 170,038
  • 29
  • 342
  • 480