With the upcoming draconian Digital Surveillance Bill in the UK, that has been described as ‘worse than scary’ by the UN’s Privacy Chief, I’ve again resorted to sending all of my web traffic over VPN.
The VPN I use is Private Internet Access (PIA), for their stance on user privacy. I was curious to see what they had to say about the new Bill, so dropped them an e-mail. I got two separate responses, one from their tech support, and one from their legal team. They’re worth reproducing publicly.
Here they are. First off, the more general position from their tech team:
Thank you for contacting us. It is our current interpretation that the EU Data Retention Directive 2006/24/EG is not applicable to private VPN services such as ours and instead applies to larger public communications networks. The law requires that telephone and internet providers temporarily store data about a user such as assigned Internet Protocol (“IP”) addresses, timestamps, and more to assist law enforcement and investigations. Private VPN providers do not fall within the purview of the European definition of a public communications network, so it is our position that the EU Data Retention Directive 2006/24/EG does not apply to our business organization.
PIA absolutely does not keep any logs, of any kind, period. While this does make things harder in some cases, specifically dealing with outbound mail, advanced techniques to handle abuse issues, and things of that nature, this provides a high level of security and privacy to all of our users. Logs are never written to the hard-drives of any of our machines and are specifically written to the null device, which simply acts if the data never existed.
The Mandatory Data Retention logs in the EU and many areas applies to Telecommunications and Internet Service Providers as they are a “Public Communications Network”. This is not applicable to our VPN service as we are a private network.
Due to this, we’re unable to provide information on our customers usage of our service under any circumstance, including subpoenas and court orders, which are extremely closely reviewed before we make any response by our experienced legal team.
PrivateInternetAccess.com is a business that strives to protect privacy and the privacy rights of our clients. Although we will comply with all valid subpoena requests, our legal team scrutinizes each and every legal request that we receive for compliance with both the “spirit” and letter of the law. For invalid or overly broad subpoenas, we will often question or attempt to narrow the scope of any subject matter sought.
Moreover, when it is possible and a valid option we will provide the user an opportunity to object to any requested disclosures. We cannot provide information that we do not have. PrivateInternetAccess.com will not participate with any request that is unconstitutional.
and secondly, the more direct answer from the legal team:
Thanks for the email. We are aware of this proposed law pending in the UK. First, the law has to actually go into effect first before we will consider making any changes. We are paying close attention to this proposed law and we will make any adjustments as necessary to maintain the privacy of our users. Second, PIA will not maintain logs because we do not believe that we will be classified as an ISP under the new law. The log keeping requirements are specific to ISPs and we do not fall under that definition. We hope that helps answer your questions.
Help fight back against the Bill with the Open Rights Group:
If we ever share a WiFi network, chances are I can intercept what you’re doing.
‘Man in the middle’ attacks have been around for about as long as the Internet itself, and so those familiar with network security will already be well aware of the threat posed by ‘ARP spoofing’ or ‘poisoning’. The thing is, most people aren’t familiar with the basics of protecting their communications online, and even those who are don’t always take the precautions that they know in theory they should be.
The protection of private information, and ensuring data integrity has recently been thrown into the spotlight more than ever before, thanks to the ongoing revelations that show the mass interception of data by organisations such as the NSA. On top of that, the massive proliferation of devices that we carry around everywhere that are able to access the Internet has meant that we now have a whole new dizzying array of ways for others to access our data without our knowledge or consent. Arguably, these mobile devices are even more at risk of security vulnerabilities because of their tendency to default to insecure, public wireless networks. Specialists at the computer security conference DefCon recently warned that we could be yet to see the worst, or most sophisticated of these attacks, but the fact is that there are simple, and well known tools freely available on the Internet that allow anybody with basic technical knowledge to interfere with your connection whilst on wireless networks. It’s worth having a look again at what we can do to guard against this happening
What is a ‘man in the middle’ attack?
Without going into the technical details of how these attacks actually work, a ‘man in the middle’ attack essentially stick their hand up first when your device is looking for an appropriate router to connect to, and pretends to be where you actually want to gain access to.
Essentially, instead of connecting to the network through the route you might expect (like a wireless router) you get redirected via another device first. This means that all of your traffic is flowing through an additional step before getting onto the Internet, and allows anybody in control of that piece of equipment access to it.
This is incredibly easy to do, there are many real world examples of this in the field. One of the more infamous comes in the decidedly fruity shape of the ‘WiFi’ pineapple… a rogue device that convinces network traffic to connect to it rather than the intended, legitimate source. However, even this is bulky in comparison to the possibilities that are now on offer through mobile phone apps… which are harder to find or identify if they are ever detected.
What are the dangers?
It should hopefully be pretty obvious why you wouldn’t want wee Davey sitting in the corner of Starbucks intercepting everything that you’re doing online, but even if you’re not all that concerned about anybody knowing which websites you visit and when, there are other, more potent dangers that the man in the middle poses.
Denial of Service
Finding Internet speeds too slow on a shared network connection? Not a problem for the man in the middle! As their device is acting as an intermediary checkpoint between yourself and the glorious open highways of the Internet, then they can simply… refuse to let you go any further. After convincing all of the devices on a network to use it as a gateway, those making use of this tactic can deny every single one of them access, and make use of the entire bandwidth available on that connection themselves. In effect, the man in the middle has a master switch to your use of any network you both are trying to make use of.
URL Redirection/DNS Spoofing
Really like NyanCat? What about 80s pop sensations? Probably just as well, as redirecting every page you try to visit to these websites is a particularly favourite past-time of the mischievous man in the middle. Oh those tricksters!
This might sound harmless enough, but is actually just a tame example of what is actually possible with this sort of technology. Imagine that instead of checking out the BBC News website, you were actually logging in to your online banking account, and were instead nefariously redirected to an identical looking page that was actually run by the attacker – completely unbeknownst to you….
You can see the problem here.
‘Psht, so what?’, I hear you cry! ‘I always use SSL when I’m logging in anyway.’
Sorry, but in practice, this alone doesn’t make a whole lot of difference when it comes to man in the middle attacks.
For those not familiar with what SSL (or Secure Socket Layer) means, it is essentially what the little padlock displayed by the browser when you’re online (usually making a payment) represents. This means that all of the traffic between you and that website, at that point, is encrypted. Even if somebody is monitoring what you’re doing remotely, then they can’t see any of what you submit.
So… problem solved?
Whilst SSL is widely used for financial transactions (such as over PayPal), in practice, it’s far from perfect. Many websites still do not offer SSL connections by default, requiring you instead to specifically turn them on. Many simply require encryption for the login process, and not anything afterwards (which we’ll get to in the next section). Even those that do default to a secure connection, often still run the insecure service as well. It wasn’t too long ago that Facebook were operating precisely in this fashion.
Since most people take this for granted, it is fairly easy to redirect a computer under the spell of this sort of poisoning attack to the non-SSL version of a website, without it ever occurring to the user to check.
Ahhh, session hijacking. That old favourite!
Ever left your Facebook profile logged in on a friend’s computer, only to return home and find some oh-so-hilarious status update that they’ve chosen to ‘frape’ you with?
Imagine this, but with people you don’t know, and without ever logging onto their computer… and you’ve got the gist of session hijacking.
When you login to a website, it remembers who you are for the duration of that ‘session’. This can be for varying lengths of time, depending on whether you decide to have them ‘keep you logged in’ or not, and can use different mechanisms for doing so, but the details are largely unimportant. What matters is, when these sessions are not secured, anybody with access to the flow of traffic can reach in, and pick up where you left off. Logged into Youtube recently? Nice… So has the man in the middle! At the time of writing, Youtube does not default to SSL connections, and so dropping in to read your messages (or worse) is as easy as walking through an open door.
How can I protect myself?
Without a doubt, these attacks are something that everybody should be aware of, but most people aren’t – partly because of the technical nature of the problem. However, there are some simple things you can do to avoid this type of attack.
HTTPS Everywhere is a plugin for Google Chrome and Firefox which automatically forces the browsers to go to the secure version of a website where available, and send all of the traffic over SSL. No need to fiddle about with the settings of individual settings on different services, or working out where offers SSL and where doesn’t. HTTPSEverywhere does the work for you.
Use an encryption service
There are various different services that you can use to route all of your network traffic through that will prevent the man in the middle from being able to simply intercept your data like in the above explanation. If configured correctly, it won’t matter whether a website has SSL enabled or not, the attacker using this method won’t see anything but scrambled information.
The ‘Tor’ service is free, and will effectively anonymise your activity online – but can have a significant effect on the speed of your connection. Whole academic papers can (and have been) written on what Tor is, and how it works, so see here for a good introduction.
A good quality VPN service will encrypt all of your network traffic when configured correctly, with no meaningful impact on your connection speed. It’s also a quick and easy way to bypass local network restrictions, such as the upcoming proposed UK Internet filter. Premium services aren’t free, but there are alternatives available. I’ve written in more detail about VPN in the past, so check out this blog post for more information.
Both Tor, and VPN services can be used on your laptop, desktop, or mobile devices.
Further Securing against the man in the middle
Using an encryption services will keep the data you transmit over a network secure, which is the primary concern of man in the middle attacks. However, they won’t necessarily stop the denial of service attack that was explained above. Whilst there isn’t many, there are a few utilities that Android, Windows, and Mac users can make use of to kill off an attempt completely, or at least be notified of it happening. If anybody is aware of any other effective utilities – especially for Windows/the iPhone – please get in touch!
One of the highest rated is for Android phones is: WiFi Protector. As well as blocking against common man in the middle attacks such as session hijacking, it appears to manage to also protect against attempts at denial of service. At the time of writing, this is only available for users who are familiar with the technical side of phones (e.g. those who have their device rooted), and can be found at the XDA-Developer forum.
Again for Android, DroidSheep Guard is a free app that alerts of possible man in the middle attacks, and is available in Google Play. This is one of the easiest to use, with one of the nicest interfaces that I’ve come across. Always a bonus!
Mocha is a small tool for Mac users that will run in the background and alert you to any changes to the network configuration that may suggest a man in the middle attack. If you are connected to a WiFi hotspot and the physical address (MAC address) changes, it is possible that someone is attempting to redirect your traffic via their device. (Note that this will not work if you connect to a new hotspot which is already subject to ARP spoofing). It can be found via MacUpdate here.
CUTe ARP Protector is a tool for the more technically minded, and is available for Windows on their own website. Another useful Windows tool that has both free and premium versions is XArp, or ARP AntiSpoof (Windows/Linux).
There is no single way to completely prevent man in the middle attacks from impacting your network connectivity. Most of the advice that is given from people who skim the surface of this topic boils down to “don’t use open wireless networks”. Uhh, right. Nice idea pal, but not a practical reality. As we rely more and more on disparate WiFi networks, we all need to be aware of the dangers of insecure communications, and take steps to reduce the risks. These aren’t limited solely to open networks, but any that are shared – such as in a workplace or University. Just because they are secured with a keyphrase, doesn’t mean they are any more secure than a public hotspot in an Internet cafe. Some types of wireless network are more secure than others, but it’s up to you to ensure the integrity of your own data.
If you only do one thing after reading this blog, then sign up for a VPN service and start using it on shared networks. Make sure you check that you’re connected to websites in SSL when you expect to be, and if something doesn’t seem right, disconnect and login somewhere else. It’s a first step towards keeping your personal information safe.