Security
NSA surveillance and "foreigners"
A keynote that is not directly related to KDE and the work that it does is a tradition at Akademy. While that tradition was upheld again this year, Eva Galperin of the Electronic Frontier Foundation gave a talk that was both timely and applicable to everyone in the room: US National Security Agency (NSA) surveillance and what it means for non-US people. There was plenty of interest in her talk for the largely European audience, but the overview of the NSA "surveillance state" was useful to those from the US as well.
![Eva Galperin](https://static.lwn.net/images/2013/akad-galperin-sm.jpg)
The US government, in conjunction with the telecommunications carriers and large internet companies like Facebook, Yahoo, Google, and Microsoft, has been carrying out "illegal surveillance" on internet and other communication for quite some time, Galperin said. We started hearing about it in 2005 from news reports that AT&T had allowed the NSA access to its network. The collection of records of phone calls was being done at an AT&T facility that is, coincidentally, just blocks from her house in San Francisco.
That led the EFF to file lawsuits against AT&T and, eventually, the NSA, over this warrantless wiretapping. The AT&T lawsuit was dismissed on national security grounds, but the other case EFF filed, Jewel v. NSA, is still ongoing. In fact, in the week prior to her talk, the courts rejected the US government request that the suit be dismissed because of national security issues. The Jewel case moving forward is "great news", she said.
The "rest of us"
But, "what about the rest of us?", she asked. For people outside of the US, whose data traverses the US or is stored there, what protections exist? The surveillance is governed by the US Foreign Intelligence Surveillance Act (FISA), which created a secret court (the FIS Court, or FISC) to oversee the surveillance operations. Since it targets "foreign intelligence", FISA has "zero protections" for foreigners' data in the US. It contains "slim protections" for those in the US, but those outside are "out in the cold".
The recently released PRISM information (by way of Edward Snowden) shows that these agencies talk of the US "home field advantage" in that much of the internet's information passes through US facilities. The data stored by US cloud storage facilities as well as internet services, such as Twitter, Facebook, Skype, and those from Google, are all fair game for "extra-territorial" people.
It is not just the US that is doing this kind of surveillance, she said; "lots of countries" are doing it. There are various malware-based attacks that we know about, which have not been proved to be state-sponsored but are strongly suspected to be. She mentioned China, Libya, and Syria as countries suspected of targeting both citizens and foreigners. The German government is known to have an email-based malware attack that targets foreigners. Increasingly, domestic laws are allowing this kind of extra-territorial surveillance and those laws are increasing their reach.
FISA is cloaked in secrecy, such that internet companies like Google and Microsoft can't even report on the kinds of information they have been required to produce. Some of the most recent Snowden leaks (as of the time of Galperin's talk) have shown a great deal of cooperation between Microsoft and the NSA.
"Just" metadata
In addition, US phone carrier Verizon has reportedly turned over seven years' worth of "metadata" on all calls that it handled which started or ended in the US. Metadata is defined "quite broadly" to include routing information, phone numbers, call durations, and so on, but not the actual contents of the calls. That it is "only metadata" is the justification used by the NSA, but it is no real protection, she said, noting that US Central Intelligence Agency chief David Petraeus resigned based on evidence gathered from metadata. As an example, Galperin said: "We know you called the phone sex line, and we know you talked for 30 minutes, but we don't know what you said."
The PRISM surveillance was initially suspected of being a "back door" for the NSA into various internet services. It still is not clear if any exist, but internet services do have to respond to FISA orders and may do so via these back door portals—possibly in real time. Even without real-time access, PRISM targets email, online chats (text, audio, and video), files downloaded, and more. It only requires 51% confidence that the target is not a US citizen, which is quite a low standard.
The NSA is building a data center "the size of a small village" to analyze and store this information. In one recent month, it collected some 97 billion intelligence data items; 3 billion of those concerned US citizens, and the rest concerned people elsewhere in the world. This data isn't only being used by US agencies, either. The UK GCHQ signals intelligence agency made 197 requests for PRISM data (that we know of). It's not clear that GCHQ is allowed to set up its own PRISM system, but it can access US PRISM data. And, as Galperin noted, it is not at all clear that the US can legally set up a system like PRISM.
FISA basics
FISA was enacted in the late 1970s in reaction to a US Supreme Court ruling in 1972 that required a warrant to do surveillance even for national security reasons. The "Church committee" of the US Senate had found widespread abuse of surveillance within the US. It illegally targeted journalists, activists, and others during the 1960s and 1970s. Initially, there were fairly strong provisions against domestic surveillance, but these have been weakened by amendments to FISA over the years.
There are two main powers granted to agencies under FISA: the "business records" and "general acquisition" powers. The business records power allows the government to compel production of any records held by a business as long as it is in furtherance of "foreign intelligence". That has been secretly decided to cover metadata. The general acquisition power allows the government to request (and compels anyone to produce) "any tangible thing" for foreign intelligence purposes.
One of the biggest problems is the secretive way that these laws and powers are interpreted. Because there is a non-adversarial interpretation process (i.e. no one is empowered to argue against the government's interpretation), the most favorable reading is adopted. The request must be "reasonably believed" to be related to foreign intelligence, which has been interpreted to mean a 51% likelihood, for example. Beyond that, the restrictions (such as they are) only apply to US citizens. The safeguards are few, and it is unlikely that a foreigner could even take advantage of any that apply.
FISC is required to minimize the gathering and retention of data on US citizens, but the government "self-certifies" that any data is foreign-intelligence-oriented. The general acquisition power allows the government to request "just about anything" with low standards for "reasonable grounds" and "relevance". To challenge any of this surveillance, one must show that they have been actively targeted. With these low standards, the requests made to FISC are rarely turned down; of the 31,000 requests over the last 30 years, eleven have been declined, Galperin said.
The "tl;dr" of her talk is that there is a broad definition of intelligence, and the laws apply to foreigners differently than to US citizens. The Fourth Amendment to the US Constitution (which covers searches and warrants) may not apply to foreigners, for example. The congressional oversight of FISA is weak and the executive branch (US President and agencies) handles it all secretly, so the US people (and everyone else) are in the dark about what is being done. Galperin mentioned a US congresswoman who recently said that everything that has been leaked so far is only "the tip of the iceberg" in terms of these surveillance activities.
What can be done?
A group of foreign non-profits has gathered together to ask the US Congress to protect foreign internet users. They also expressed "grave concern" over sharing the intelligence gathered with other governments including the Netherlands, UK, and others. Human rights include the right to privacy, Galperin said, and standing up for that right is now more important than ever. The US government was caught spying in the 1960s and 1970s, so Congress had a committee look into it and curb some of the abuses; that needs to happen again, she said.
For individuals, "use end-to-end encryption", she said. It is rare that she speaks to a group where she doesn't have to explain that term, but Akademy is one of those audiences. Encryption "does not guarantee privacy", but it makes the NSA's job much harder.
The most useful thing that people in the audience could do is to make tools that are secure—make encryption standard. The EFF is making the same pitch to Silicon Valley companies, but it is counting on free software: "Help us, free software, you are our last and only hope". Please build new products, and "save us", she concluded.
[Thanks to KDE e.V. for travel assistance to Bilbao for Akademy.]
Brief items
Security quotes of the week
Yes, planned or not, incidental or not, actions do have consequences, and it would be ironic indeed if Edward Snowden's stated quest to promote the cause of freedom around the world, had the unintentional effect of helping to crush Internet freedoms at the hands of his benefactors of the moment.
An overview of Linux security features (Linux.com)
Kernel security subsystem maintainer James Morris has posted an overview of Linux security features on the Linux.com site. "A simpler approach to integrity management is the dm-verity module. This is a device mapper target which manages file integrity at the block level. It's intended to be used as part of a verified boot process, where an appropriately authorized caller brings a device online, say, a trusted partition containing kernel modules to be loaded later."
New vulnerabilities
ansible: man in the middle attack
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| ansible | CVE-2013-2233 | July 15, 2013 | July 17, 2013 |

Description (from the Red Hat bugzilla):

A security flaw was found in the way Ansible, an SSH-based configuration management, deployment, and task execution system, performed remote servers' SSH host key management (previously, the ability to store known SSH servers' host keys in a local cache was not supported). A remote attacker could use this flaw to conduct man-in-the-middle (MiTM) attacks against the Ansible task execution system user.
apache: denial of service
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| apache2 | CVE-2013-1896 | July 15, 2013 | August 14, 2013 |

Description (from the CVE entry):

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
file-roller: path traversal
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| file-roller | CVE-2013-4668 | July 16, 2013 | July 31, 2013 |

Description (from the Fedora advisory):

The File Roller archive manager for the GNOME desktop suffers from a path traversal vulnerability caused by insufficient path sanitization. A specially crafted archive file can be used to trigger creation of arbitrary files in any location, writable by the user executing the extraction, outside the current working directory. This behaviour is triggered when the option 'Keep directory structure' is selected from the application 'Extract' dialog.
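The File Roller advisory above describes the general archive-extraction mistake: trusting entry names from the archive when building the destination path. The following is an added example (not File Roller's code, nor from the advisory) of the check an extractor should apply before writing anything; it uses a constructed in-memory tar archive as sample input, and the destination directory name is an arbitrary placeholder. It goes a little beyond the advisory by also refusing link entries, since a link that points outside the destination can be used by a later entry to escape even when every entry name looks harmless.

```python
import io
import os
import tarfile


def safe_target(dest_dir, member_name):
    """Return the absolute path an archive entry would be written to, or
    None if that path would fall outside dest_dir (path traversal)."""
    dest_dir = os.path.realpath(dest_dir)
    # os.path.join() discards dest_dir entirely when the entry name is
    # absolute, so absolute names are rejected before joining.
    if os.path.isabs(member_name):
        return None
    target = os.path.realpath(os.path.join(dest_dir, member_name))
    # After normalising "..", the result must still sit under dest_dir.
    if os.path.commonpath([dest_dir, target]) != dest_dir:
        return None
    return target


def check_archive(tar, dest_dir):
    """Classify every member of an open TarFile as 'ok' or 'rejected'
    without extracting anything. Symlinks and hardlinks are rejected
    outright: a link to a directory outside dest_dir, followed by an
    entry written through that link, escapes the destination."""
    verdicts = {}
    for member in tar.getmembers():
        if member.issym() or member.islnk():
            verdicts[member.name] = "rejected"
        elif safe_target(dest_dir, member.name) is None:
            verdicts[member.name] = "rejected"
        else:
            verdicts[member.name] = "ok"
    return verdicts


def build_demo_archive():
    """Constructed sample input (not a real malicious archive): one benign
    entry, a '..' entry, an absolute-path entry and a symlink entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("photos/a.txt", "../../outside.txt", "/etc/evil.txt"):
            data = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("photos/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../"
        tar.addfile(link)
    buf.seek(0)
    return buf


def demo(dest_dir="/tmp/extract-here"):
    """Run the check over the constructed archive; dest_dir is a placeholder."""
    with tarfile.open(fileobj=build_demo_archive(), mode="r") as tar:
        return check_archive(tar, dest_dir)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name}")
```

The check is done on the fully resolved path rather than by looking for a `..` substring, because `a/../../b` and symlinks already present in the destination both defeat a textual filter. Python 3.12 and later ship a similar policy as `tarfile`'s `filter="data"` extraction filter; the function above shows what such a filter has to decide.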
gallery3: information disclosure
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| gallery3 | CVE-2013-2240, CVE-2013-2241 | July 16, 2013 | July 17, 2013 |

Description (from the Fedora advisory):

A security flaw was found in the way the flowplayer SWF file handling functionality of Gallery version 3, an open source project with the goal to develop and support leading photo sharing web application solutions, processed certain URL fragments passed to this file (certain URL fragments were not stripped properly when these files were called via direct URL request(s)). A remote attacker could use this flaw to conduct replay attacks.

Multiple information exposure flaws were found in the way the data rest core module of Gallery version 3, an open source project with the goal to develop and support leading photo sharing web application solutions, was used to previously restrict access to certain items of the photo album. A remote attacker, a valid Gallery 3 user, could use this flaw to possibly obtain sensitive information (file, resize or thumb path of the item in question).
libxml2: denial of service
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| libxml2 | CVE-2013-2877 | July 15, 2013 | October 14, 2013 |

Description (from the CVE entry):

parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
libzrtpcpp: multiple vulnerabilities
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| libzrtpcpp | CVE-2013-2221, CVE-2013-2222, CVE-2013-2223 | July 16, 2013 | October 29, 2013 |

Description (from the Red Hat bugzilla [1, 2, 3]):

A heap-based buffer overflow flaw was found in the way libzrtpcpp, a ZRTP support library for the GNU ccRTP stack, processed certain ZRTP packets (overly-large ZRTP packets of several types). A remote attacker could provide a specially-crafted ZRTP packet that, when processed in an application linked against libzrtpcpp, would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running that application. (CVE-2013-2221)

Multiple stack-based buffer overflows were found in the way libzrtpcpp, a ZRTP support library for the GNU ccRTP stack, processed certain ZRTP Hello packets (ZRTP Hello packets with an overly-large value in certain fields, including the count of public keys). A remote attacker could provide a specially-crafted ZRTP packet that, when processed in an application linked against libzrtpcpp, would lead to that application crashing. (CVE-2013-2222)

Multiple information (heap memory content) exposure flaws were found in the way libzrtpcpp, a ZRTP support library for the GNU ccRTP stack, processed truncated ZRTP Ping packets. A remote attacker could provide a specially-crafted ZRTP Ping packet that, when processed in an application linked against libzrtpcpp, would potentially reveal sensitive information stored on the heap. (CVE-2013-2223)
java: information disclosure
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| java-1.6.0-ibm | CVE-2013-3743 | July 16, 2013 | July 26, 2013 |

Description (from the CVE entry):

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 45 and earlier and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT.
kernel: denial of service
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| kernel | CVE-2013-2128 | July 17, 2013 | July 18, 2013 |

Description (from the CVE entry):

The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket.
nagstamon: information disclosure
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| nagstamon | CVE-2013-4114 | July 16, 2013 | January 7, 2014 |

Description (from the Red Hat bugzilla):

A user details information exposure flaw was found in the way Nagstamon, a Nagios status monitor for the desktop, performed automated requests to get information about available updates. A remote attacker could use this flaw to obtain user credentials for the server monitored by the desktop status monitor due to their improper (base64 encoding based) encoding in the HTTP request, when the HTTP Basic authentication scheme was used.
php: code execution
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| php | CVE-2013-4113 | July 15, 2013 | July 23, 2013 |

Description (from the Red Hat advisory):

A buffer overflow flaw was found in the way PHP parsed deeply nested XML documents. If a PHP application used the xml_parse_into_struct() function to parse untrusted XML content, an attacker able to supply specially-crafted XML could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the PHP interpreter.
php5: denial of service
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| php5 | CVE-2013-4635 | July 16, 2013 | July 17, 2013 |

Description (from the CVE entry):

Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function.
python-suds: symbolic link attack
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| python-suds | CVE-2013-2217 | July 17, 2013 | October 13, 2016 |

Description (from the bug report):

An insecure temporary directory use flaw was found in the way python-suds, a Python SOAP web services client library, performed initialization of its internal file-based URL cache (a predictable location was used for the directory storing the cached files). A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability to, for example, alter the SOAP .wsdl metadata to redirect queries to a different host than originally intended.
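The python-suds entry above is the classic predictable-temporary-directory problem: a cache created at a fixed path under a shared `/tmp` can be pre-created, or replaced with a symlink, by another local user before the library gets there. The following is an added example (not python-suds's code or fix) of how a client library can validate a cache directory it did not just create and fall back to an unpredictable one. The `wsdl-cache-` prefix and the `demo()` scenario are constructed for illustration; the checks assume a POSIX system, since they rely on `os.getuid()` and file ownership.

```python
import os
import stat
import tempfile


def is_safe_cache_dir(path):
    """Refuse a cache directory that another local user could have
    prepared. lstat() is used so that a symlink planted at the expected
    path is seen as a link instead of being followed to its target."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    # A directory owned by someone else can be renamed or re-populated
    # by them at any time, so ownership must match the running user.
    if st.st_uid != os.getuid():
        return False
    # Group- or world-writable directories let others replace entries
    # (for example a cached .wsdl) between our check and our use.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def open_cache_dir(preferred=None):
    """Return a usable cache directory: the preferred location when it
    passes the checks above, otherwise a fresh directory from mkdtemp(),
    which is created atomically with mode 0700 and an unpredictable name."""
    if preferred is not None and is_safe_cache_dir(preferred):
        return preferred
    return tempfile.mkdtemp(prefix="wsdl-cache-")


def demo():
    """Constructed scenario (sample data, not a real attack): a directory
    we created ourselves passes, a symlink at a cache-like path is
    refused, a missing path is refused, and the fallback is safe."""
    base = tempfile.mkdtemp(prefix="demo-")
    good = os.path.join(base, "cache")
    os.mkdir(good, 0o700)
    link = os.path.join(base, "cache-link")
    os.symlink("/", link)  # stands in for a link planted by another user
    return {
        "own 0700 dir": is_safe_cache_dir(good),
        "symlink": is_safe_cache_dir(link),
        "missing": is_safe_cache_dir(os.path.join(base, "nope")),
        "fallback is safe": is_safe_cache_dir(open_cache_dir(link)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} {'ok' if verdict else 'refused'}")
```

The ordering matters: the check and the subsequent use are still two separate steps, so the fallback to `mkdtemp()` (which the kernel creates atomically with `O_EXCL` semantics on the directory) is what actually removes the race; the validation only decides whether an existing, user-controlled path is acceptable to reuse.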
qpid: SSL certificate spoofing
| Package(s) | CVE #(s) | Created | Updated |
|---|---|---|---|
| qpid | CVE-2013-1909 | July 12, 2013 | July 17, 2013 |

Description (from the Red Hat advisory):

It was discovered that the Qpid Python client library for AMQP did not properly perform TLS/SSL certificate validation of the remote server's certificate, even when the 'ssl_trustfile' connection option was specified. A rogue server could use this flaw to conduct man-in-the-middle attacks, possibly leading to the disclosure of sensitive information.
Page editor: Jake Edge