LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

A perf ABI fix

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

NSA surveillance and "foreigners"

By Jake Edge
July 17, 2013
Akademy 2013

A keynote that is not directly related to KDE and the work that it does is a tradition at Akademy. While that tradition was upheld again this year, Eva Galperin of the Electronic Frontier Foundation gave a talk that was both timely and applicable to everyone in the room: US National Security Agency (NSA) surveillance and what it means for non-US people. There was plenty of interest in her talk for the largely European audience, but the overview of the NSA "surveillance state" was useful to those from the US as well.

[Eva Galperin]

The US government, in conjunction with the telecommunications carriers and large internet companies like Facebook, Yahoo, Google, and Microsoft, has been carrying out "illegal surveillance" on internet and other communication for quite some time, Galperin said. We started hearing about it in 2005 from news reports that AT&T had allowed the NSA access to its network. The collection of records of phone calls was being done at an AT&T facility that is, coincidentally, just blocks from her house in San Francisco.

That led the EFF to file lawsuits against AT&T and, eventually, the NSA, over this warrantless wiretapping. The AT&T lawsuit was dismissed on national security grounds, but the other case EFF filed, Jewel v. NSA, is still ongoing. In fact, in the week prior to her talk, the courts rejected the US government request that the suit be dismissed because of national security issues. The Jewel case moving forward is "great news", she said.

The "rest of us"

But, "what about the rest of us?", she asked. For people outside of the US, whose data traverses the US or is stored there, what protections exist? The surveillance is governed by the US Foreign Intelligence Surveillance Act (FISA), which created a secret court (FIS Court, or FISC) to oversee the surveillance operations. Since it targets "foreign intelligence", FISA has "zero protections" for foreigner's data in the US. It contains "slim protections" for those in the US, but those outside are "out in the cold".

The recently released PRISM information (by way of Edward Snowden) shows that these agencies talk of the US "home field advantage" in that much of the internet's information passes through US facilities. The data stored by US cloud storage facilities as well as internet services, such as Twitter, Facebook, Skype, and those from Google, are all fair game for "extra-territorial" people.

It is not just the US that is doing this kind of surveillance, she said; "lots of countries" are doing it. There are various malware-based attacks that we know about, which have not been proved to be state-sponsored but are strongly suspected to be. She mentioned China, Libya, and Syria as countries suspected of targeting both citizens and foreigners. The German government is known to have an email-based malware attack that targets foreigners. Increasingly, domestic laws are allowing this kind of extra-territorial surveillance and those laws are increasing their reach.

FISA is cloaked in secrecy, such that internet companies like Google and Microsoft can't even report on the kinds of information they have been required to produce. Some of the most recent Snowden leaks (as of the time of Galperin's talk) have shown a great deal of cooperation between Microsoft and the NSA.

"Just" metadata

In addition, US phone carrier Verizon has reportedly turned over seven years worth of "metadata" on all calls that it handled which started or ended in the US. Metadata is defined "quite broadly" to include routing information, phone numbers, call durations, and so on, but not the actual contents of the calls. That it is "only metadata" is the justification used by the NSA, but it is no real protection, she said, noting that US Central Intelligence Agency chief David Petraeus resigned based on evidence gathered from metadata. As an example, Galperin said: "We know you called the phone sex line, and we know you talked for 30 minutes, but we don't know what you said."

The PRISM surveillance was initially suspected of being a "back door" for the NSA into various internet services. It still is not clear if any exist, but internet services do have to respond to FISA orders and may do so via these back door portals—possibly in realtime. Even without realtime access, PRISM targets email, online chats (text, audio, and video), files downloaded, and more. It only requires 51% confidence that the target is not a US citizen, which is quite a low standard.

The NSA is building a data center "the size of a small village" to analyze and store this information. In one recent month, it collected some 97 billion intelligence data items; 3 billion for US citizens, the rest is for people in the rest of the world. This data isn't only being used by US agencies, either. The UK GCHQ signals intelligence agency made 197 requests for PRISM data (that we know of). It's not clear that GCHQ is allowed to set up its own PRISM system, but it can access US PRISM data. And, as Galperin noted, it is not at all clear that the US can legally set up a system like PRISM.

FISA basics

FISA was enacted in the late 1970s in reaction to a US Supreme Court ruling in 1972 that required a warrant to do surveillance even for national security reasons. The "Church committee" of the US Senate had found widespread abuse of surveillance within the US. It illegally targeted journalists, activists, and others during the 1960s and 1970s. Initially, there were fairly strong provisions against domestic surveillance, but these have been weakened by amendments to FISA over the years.

There are two main powers granted to agencies under FISA: the "business records" and "general acquisition" powers. The business records power allows the government to compel production of any records held by a business as long as it is in furtherance of "foreign intelligence". That has been secretly decided to cover metadata. The general acquisition power allows the government to request (and compels anyone to produce) "any tangible thing" for foreign intelligence purposes.

One of the biggest problems is the secretive way that these laws and powers are interpreted. Because there is a non-adversarial interpretation process (i.e. no one is empowered to argue against the government's interpretation) the most favorable reading is adopted. The request must be "reasonably believed" to be related to foreign intelligence, which has been interpreted to mean a 51% likelihood, for example. Beyond that, the restrictions (such as they are) only apply to US citizens. The safeguards are few and it is unlikely that a foreigner could even take advantage of any that apply.

FISC is required to minimize the gathering and retention of data on US citizens, but the government "self-certifies" that any data is foreign-intelligence-oriented. The general acquisition power allows the government to request "just about anything" with low standards for "reasonable grounds" and "relevance". To challenge any of this surveillance, one must show that they have been actively targeted. With these low standards, the requests made to FISC are rarely turned down; of the 31,000 requests over the last 30 years, eleven have been declined, Galperin said.

The "tl;dr" of her talk is that there is a broad definition of intelligence, and the laws apply to foreigners differently than to US citizens. The fourth amendment to the US Constitution (which covers searches and warrants) may not apply to foreigners, for example. The congressional oversight of FISA is weak and the executive branch (US President and agencies) handles it all secretly so the US people (and everyone else) are in the dark about what is being done. Galperin mentioned a US congresswoman who recently said that everything that has been leaked so far is only "the tip of the iceberg" in terms of these surveillance activities.

What can be done?

A group of foreign non-profits has gathered together to ask the US Congress to protect foreign internet users. They also expressed "grave concern" over sharing the intelligence gathered with other governments including the Netherlands, UK, and others. Human rights include the right to privacy, Galperin said, and standing up for that right is now more important than ever. The US government was caught spying in the 1960s and 1970s, so Congress had a committee look into it and curb some of the abuses; that needs to happen again, she said.

For individuals, "use end-to-end encryption", she said. It is rare that she speaks to a group where she doesn't have to explain that term, but Akademy is one of those audiences. Encryption "does not guarantee privacy", but it makes the NSA's job much harder.

The most useful thing that people in the audience could do is to make tools that are secure—make encryption standard. The EFF is making the same pitch to Silicon Valley companies, but it is counting on free software: "Help us free software, you are our last and only hope". Please build new products, and "save us", she concluded.

[Thanks to KDE e.V. for travel assistance to Bilbao for Akademy.]

Comments (29 posted)

Brief items

Security quotes of the week

And in the meantime, my distrust of Intel's crypto has moved from "standard professional paranoia" to "actual legitimate concern".
Matt Mackall

And while you're lying awake at night worrying whether the Men in Black have backdoored the CPU in your laptop, you're missing the fact that the software that's using the random numbers has 36 different buffer overflows, of which 27 are remote-exploitable, and the crypto uses an RSA exponent of 1 and AES-CTR with a fixed IV.
Peter Gutmann

But it would be naive for anyone -- for any of us -- to assume that Russia would not attempt to leverage a situation like this for their own purposes of Internet control. Whether or not they succeed is a wholly different question, and all of us will have a say in that, one way or another.

Yes, planned or not, incidental or not, actions do have consequences, and it would be ironic indeed if Edward Snowden's stated quest to promote the cause of freedom around the world, had the unintentional effect of helping to crush Internet freedoms at the hands of his benefactors of the moment.

Lauren Weinstein

Comments (2 posted)

An overview of Linux security features (Linux.com)

Kernel security subsystem maintainer James Morris has posted an overview of Linux security features on the Linux.com site. "A simpler approach to integrity management is the dm-verity module. This is a device mapper target which manages file integrity at the block level. It's intended to be used as part of a verified boot process, where an appropriately authorized caller brings a device online, say, a trusted partition containing kernel modules to be loaded later."

Comments (3 posted)

New vulnerabilities

ansible: man in the middle attack

Package(s):ansible CVE #(s):CVE-2013-2233
Created:July 15, 2013 Updated:July 17, 2013
Description: From the Red Hat bugzilla:

A security flaw was found in the way Ansible, a SSH-based configuration management, deployment, and task execution system, performed remote server's SSH host key management (previously ability to store known SSH server's host keys to local cache was not supported). A remote attacker could use this flaw to conduct man-in-the-middle (MiTM) attacks against the Ansible task execution system user.

Alerts:
Fedora FEDORA-2013-12389 2013-07-15
Fedora FEDORA-2013-12400 2013-07-15
Fedora FEDORA-2013-12394 2013-07-15

Comments (none posted)

apache: denial of service

Package(s):apache2 CVE #(s):CVE-2013-1896
Created:July 15, 2013 Updated:August 14, 2013
Description: From the CVE entry:

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.

Alerts:
Ubuntu USN-1903-1 2013-07-15
Mandriva MDVSA-2013:193 2013-07-11
Slackware SSA:2013-218-02 2013-08-06
Fedora FEDORA-2013-13994 2013-08-09
Red Hat RHSA-2013:1156-01 2013-08-13
CentOS CESA-2013:1156 2013-08-13
CentOS CESA-2013:1156 2013-08-13
openSUSE openSUSE-SU-2013:1337-1 2013-08-14
openSUSE openSUSE-SU-2013:1340-1 2013-08-14
openSUSE openSUSE-SU-2013:1341-1 2013-08-14
Oracle ELSA-2013-1156 2013-08-13
Oracle ELSA-2013-1156 2013-08-13
Scientific Linux SLSA-2013:1156-1 2013-08-13
Fedora FEDORA-2013-13922 2013-08-16
Gentoo 201309-12 2013-09-23

Comments (none posted)

file-roller: path traversal

Package(s):file-roller CVE #(s):CVE-2013-4668
Created:July 16, 2013 Updated:July 31, 2013
Description: From the Fedora advisory:

The File Roller archive manager for the GNOME desktop suffers from a path traversal vulnerability caused by insufficient path sanitization.

A specially crafted archive file can be used to trigger creation of arbitrary files in any location, writable by the user executing the extraction, outside the current working directory. This behaviour is triggered when the option 'Keep directory structure' is selected from the application 'Extract' dialog.

Alerts:
Fedora FEDORA-2013-12667 2013-07-16
Ubuntu USN-1906-1 2013-07-16
Fedora FEDORA-2013-12653 2013-07-24
openSUSE openSUSE-SU-2013:1281-1 2013-07-31

Comments (none posted)

gallery3: information disclosure

Package(s):gallery3 CVE #(s):CVE-2013-2240 CVE-2013-2241
Created:July 16, 2013 Updated:July 17, 2013
Description: From the Fedora advisory:

A security flaw was found in the way flowplayer SWF file handling functionality of Gallery version 3, an open source project with the goal to develop and support leading photo sharing web application solutions, processed certain URL fragments passed to this file (certain URL fragments were not stripped properly when these files were called via direct URL request(s)). A remote attacker could use this flaw to conduct replay attacks.

Multiple information exposure flaws were found in the way data rest core module of Gallery version 3, an open source project with the goal to develop and support leading photo sharing web application solutions, used to previously restrict access to certain items of the photo album. A remote attacker, valid Gallery 3 user, could use this flaw to possibly obtain sensitive information (file, resize or thumb path of the item in question).

Alerts:
Fedora FEDORA-2013-12384 2013-07-16
Fedora FEDORA-2013-12424 2013-07-16
Fedora FEDORA-2013-12441 2013-07-16

Comments (none posted)

libxml2: denial of service

Package(s):libxml2 CVE #(s):CVE-2013-2877
Created:July 15, 2013 Updated:July 24, 2013
Description: From the CVE entry:

parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.

Alerts:
Ubuntu USN-1904-1 2013-07-15
Ubuntu USN-1904-2 2013-07-17
Debian DSA-2724-1 2013-07-18
openSUSE openSUSE-SU-2013:1221-1 2013-07-19
Mageia MGASA-2013-0218 2013-07-21
Mandriva MDVSA-2013:198 2013-07-24
openSUSE openSUSE-SU-2013:1246-1 2013-07-24
Gentoo 201309-16 2013-09-24

Comments (none posted)

libzrtpcpp: multiple vulnerabilities

Package(s):libzrtpcpp CVE #(s):CVE-2013-2221 CVE-2013-2222 CVE-2013-2223
Created:July 16, 2013 Updated:September 25, 2013
Description: From the Red Hat bugzilla [1, 2, 3]:

A heap-based buffer overflow flaw was found in the way libzrtpcpp, a ZRTP support library for the GNU ccRTP stack, processed certain ZRTP packets (overly-large ZRTP packets of several types). A remote attacker could provide a specially-crafted ZRTP packet that, when processed in an application linked against libzrtpcpp would lead to that application crash or, potentially, arbitrary code execution with the privileges of the user running that application. (CVE-2013-2221)

Multiple stack-based buffer overflows were found in the way libzrtpcpp, a ZRTP support library for the GNU ccRTP stack, processed certain ZRTP Hello packets (ZRTP Hello packets with an overly-large value in certain fields, including the count of public keys). A remote attacker could provide a specially-crafted ZRTP packet that, when processed in an application linked against libzrtpcpp would lead to that application crash. (CVE-2013-2222)

Multiple information (heap memory content) exposure flaws were found in the way libzrtpcpp, a ZRTP support library for the GNU ccRTP stack, processed truncated ZRTP Ping packets. A remote attacker could provide a specially-crafted ZRTP Ping packet that, when processed in an application linked against libzrtpcpp would potentially reveal sensitive information stored on the heap. (CVE-2013-2223)

Alerts:
Fedora FEDORA-2013-12479 2013-07-16
Fedora FEDORA-2013-13019 2013-07-24
Fedora FEDORA-2013-13018 2013-07-24
Fedora FEDORA-2013-13019 2013-07-24
Fedora FEDORA-2013-13018 2013-07-24
Fedora FEDORA-2013-13019 2013-07-24
Fedora FEDORA-2013-13018 2013-07-24
Gentoo 201309-13 2013-09-24

Comments (none posted)

java: information disclosure

Package(s):java-1.6.0-ibm CVE #(s):CVE-2013-3743
Created:July 16, 2013 Updated:July 26, 2013
Description: From the CVE entry:

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 45 and earlier and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT.

Alerts:
Red Hat RHSA-2013:1059-01 2013-07-15
Red Hat RHSA-2013:1081-01 2013-07-16
Ubuntu USN-1908-1 2013-07-23
SUSE SUSE-SU-2013:1255-1 2013-07-25
SUSE SUSE-SU-2013:1256-1 2013-07-25
SUSE SUSE-SU-2013:1257-1 2013-07-25
SUSE SUSE-SU-2013:1263-1 2013-07-27
SUSE SUSE-SU-2013:1255-2 2013-07-27
SUSE SUSE-SU-2013:1263-2 2013-07-30
SUSE SUSE-SU-2013:1255-3 2013-07-30
SUSE SUSE-SU-2013:1293-1 2013-08-02
SUSE SUSE-SU-2013:1305-1 2013-08-06

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2013-2128
Created:July 17, 2013 Updated:July 18, 2013
Description: From the CVE entry:

The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket.

Alerts:
Red Hat RHSA-2013:1051-01 2013-07-16
Red Hat RHSA-2013:1080-01 2013-07-16
CentOS CESA-2013:1051 2013-07-17
Oracle ELSA-2013-1051 2013-07-16
Scientific Linux SL-kern-20130717 2013-07-17

Comments (none posted)

nagstamon: information disclosure

Package(s):nagstamon CVE #(s):CVE-2013-4114
Created:July 16, 2013 Updated:September 3, 2013
Description: From the Red Hat bugzilla:

An user details information exposure flaw was found in the way Nagstamon, Nagios status monitor for desktop, performed automated requests to get information about available updates. Remote attacker could use this flaw to obtain user credentials for server monitored by the desktop status monitor due to their improper (base64 encoding based) encoding in the HTTP request, when the HTTP Basic authentication scheme was used.

Alerts:
Fedora FEDORA-2013-12526 2013-07-16
Fedora FEDORA-2013-12541 2013-07-16
openSUSE openSUSE-SU-2013:1235-1 2013-07-23
Mageia MGASA-2013-0262 2013-08-30

Comments (none posted)

php: code execution

Package(s):php CVE #(s):CVE-2013-4113
Created:July 15, 2013 Updated:July 23, 2013
Description: From the Red Hat advisory:

A buffer overflow flaw was found in the way PHP parsed deeply nested XML documents. If a PHP application used the xml_parse_into_struct() function to parse untrusted XML content, an attacker able to supply specially-crafted XML could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the PHP interpreter.

Alerts:
Red Hat RHSA-2013:1049-01 2013-07-12
Red Hat RHSA-2013:1050-01 2013-07-12
CentOS CESA-2013:1049 2013-07-12
CentOS CESA-2013:1049 2013-07-12
CentOS CESA-2013:1050 2013-07-12
Mandriva MDVSA-2013:195 2013-07-15
Oracle ELSA-2013-1049 2013-07-12
Oracle ELSA-2013-1049 2013-07-13
Oracle ELSA-2013-1050 2013-07-13
Scientific Linux SL-php-20130712 2013-07-12
Scientific Linux SL-php5-20130712 2013-07-12
Red Hat RHSA-2013:1061-01 2013-07-15
Red Hat RHSA-2013:1063-01 2013-07-15
Red Hat RHSA-2013:1062-01 2013-07-15
Ubuntu USN-1905-1 2013-07-16
Slackware SSA:2013-197-01 2013-07-16
Debian DSA-2723-1 2013-07-17
Fedora FEDORA-2013-12977 2013-07-18
Mageia MGASA-2013-0216 2013-07-18
Fedora FEDORA-2013-12315 2013-07-23
Fedora FEDORA-2013-12354 2013-07-23
Oracle ELSA-2013-1063 2013-07-22
openSUSE openSUSE-SU-2013:1249-1 2013-07-24
SUSE SUSE-SU-2013:1285-1 2013-08-01
SUSE SUSE-SU-2013:1315-1 2013-08-09
SUSE SUSE-SU-2013:1316-1 2013-08-09
SUSE SUSE-SU-2013:1285-2 2013-08-09
SUSE SUSE-SU-2013:1317-1 2013-08-09
SUSE SUSE-SU-2013:1351-1 2013-08-16

Comments (none posted)

php5: denial of service

Package(s):php5 CVE #(s):CVE-2013-4635
Created:July 16, 2013 Updated:July 17, 2013
Description: From the CVE entry:

Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function.

Alerts:
Ubuntu USN-1905-1 2013-07-16
openSUSE openSUSE-SU-2013:1249-1 2013-07-24
SUSE SUSE-SU-2013:1285-1 2013-08-01
SUSE SUSE-SU-2013:1315-1 2013-08-09
SUSE SUSE-SU-2013:1316-1 2013-08-09
SUSE SUSE-SU-2013:1285-2 2013-08-09
SUSE SUSE-SU-2013:1317-1 2013-08-09
SUSE SUSE-SU-2013:1351-1 2013-08-16

Comments (none posted)

python-suds: symbolic link attack

Package(s):python-suds CVE #(s):CVE-2013-2217
Created:July 17, 2013 Updated:July 22, 2013
Description: From the bug report:

An insecure temporary directory use flaw was found in the way python-suds, a Python SOAP web services client library, performed initialization of its internal file-based URL cache (predictable location was used for directory to store the cached files). A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability for example the SOAP .wsdl metadata to redirect queries to a different host, than originally intended.

Alerts:
openSUSE openSUSE-SU-2013:1208-1 2013-07-17
Mageia MGASA-2013-0224 2013-07-21

Comments (none posted)

qpid: SSL certificate spoofing

Package(s):qpid CVE #(s):CVE-2013-1909
Created:July 12, 2013 Updated:July 17, 2013
Description:

From the Red Hat advisory:

It was discovered that the Qpid Python client library for AMQP did not properly perform TLS/SSL certificate validation of the remote server's certificate, even when the 'ssl_trustfile' connection option was specified. A rogue server could use this flaw to conduct man-in-the-middle attacks, possibly leading to the disclosure of sensitive information.

Alerts:
Red Hat RHSA-2013:1024-01 2013-07-11

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds