
'FLYING PIG' Soars Over Internet Privacy Protections

If you've ever consoled yourself by saying that the government will compromise secure email and web servers "when pigs fly," take a deep breath: that day has arrived. The British government has devised a method, dubbed "FLYING PIG," to access encrypted Internet communications.

The National Security Agency (NSA) in the United States and the Government Communications Headquarters (GCHQ) in the United Kingdom have collaborated to gain unfettered access to citizens' private data. One of the few things standing in their way is encryption.

A very common form of encryption, SSL (Secure Sockets Layer), protects the connection between a user and a website that needs his or her information. If you send an email, the mail server needs to receive the message; if you buy something online, the vendor needs your credit card number. SSL encrypts this information so that it is unreadable in transit.

From a user's standpoint, if you access the HTTPS version of a website, the site is using the SSL or TLS protocol (TLS is SSL's successor and works the same way) to protect your data.


FLYING PIG bypasses SSL through what is known as a man-in-the-middle attack. By interposing itself between the user and the user's intended destination, GCHQ can impersonate that destination, presenting the user with a spoof site that is usually almost indistinguishable from the genuine article while the user's traffic passes through GCHQ's hands.

For example, a man-in-the-middle attack on an online store can capture a user's credit card number while making it appear that the order went through as planned.

FLYING PIG, in particular, exploits the way an SSL connection begins: with a "handshake" in which the server presents a security certificate proving its identity before any data is transmitted (the user's browser can present one too, but that is rare). If GCHQ can present a fake certificate that the user's browser accepts, the browser will encrypt the traffic to GCHQ instead of to the real site, and both the user and the server remain unaware that a third party has obtained the information.

Yahoo, Google and Hotmail all use SSL for their email services. Even the Tor network, often regarded as secure, relies on SSL certificates to protect its users' safety and privacy. According to leaked GCHQ documents, the U.K. agency has compromised connections to those three email providers as well as to the specialized Tor browser.

Man-in-the-middle attacks, especially sophisticated ones like those GCHQ employs, are hard to avoid: the average user cannot detect the subtle redirection, and if the fake certificate is signed by a certificate authority the browser already trusts, the browser itself sees nothing wrong.
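The two paragraphs above make a claim worth seeing in practice: a forged certificate only fools a client if the authority that signed it is in the client's trust store, and once it is, the ordinary chain check cannot tell the forgery from the real thing. The script below is an added example written for this page, not material from the article or from any GCHQ document. It uses the openssl command line to issue a genuine certificate for a hypothetical mail server (the hostname, the "Legit" and "Rogue" CA names and the file names are all made up), issues a second certificate for the same hostname from a rogue CA standing in for an interceptor, and runs both through a chain check and a pinned-fingerprint check.

```shell
#!/bin/sh
# Added example (not from the article): a forged certificate passes the
# client's chain check only if the client trusts the CA that signed it;
# a pinned fingerprint catches the forgery even then.
# Requires the openssl CLI. Hostnames, CA names and file names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="mail.example.test"   # hypothetical mail server the client wants to reach

# Issue a self-signed root CA and a leaf certificate for $HOST signed by it.
# $1 = file prefix for this CA, $2 = CA common name
make_ca_and_leaf() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" \
    -CAcreateserial -in "$WORK/$1-leaf.csr" -out "$WORK/$1-leaf.pem" 2>/dev/null
}

# Chain check, as a browser does it: does the leaf chain to a trusted CA?
# $1 = trust store (PEM bundle), $2 = leaf certificate. Prints the verdict.
chain_check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# SHA-256 fingerprint of the certificate's DER encoding: what a pinning
# client stores on first contact and compares on every later connection.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Pin check: $1 = pinned fingerprint, $2 = certificate presented now.
pin_check() {
  if [ "$1" = "$(fingerprint "$2")" ]; then echo pinned-ok; else echo pin-mismatch; fi
}

make_ca_and_leaf legit "Legit Root CA"   # the real site's CA
make_ca_and_leaf rogue "Rogue Root CA"   # the interceptor's CA, same hostname
# A trust store that also contains the rogue CA models a compromised or
# coerced authority that the browser vendor shipped as trusted.
cat "$WORK/legit-ca.pem" "$WORK/rogue-ca.pem" > "$WORK/both-ca.pem"
PIN="$(fingerprint "$WORK/legit-leaf.pem")"

echo "genuine cert, client trusts only Legit CA:  $(chain_check "$WORK/legit-ca.pem" "$WORK/legit-leaf.pem")"
echo "forged cert,  client trusts only Legit CA:  $(chain_check "$WORK/legit-ca.pem" "$WORK/rogue-leaf.pem")"
echo "forged cert,  Rogue CA also in trust store: $(chain_check "$WORK/both-ca.pem" "$WORK/rogue-leaf.pem")"
echo "forged cert,  pinned fingerprint check:     $(pin_check "$PIN" "$WORK/rogue-leaf.pem")"
```

The second line of output is the browser warning an ordinary user would see when the interceptor's CA is unknown; the third is the silent success the article describes, where nothing on screen distinguishes the forgery; the fourth shows why pinning a known certificate's fingerprint (or its public key, as browsers do for a handful of sites) is one of the few client-side defences that still works when a trusted authority has been subverted.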

Users have only limited recourse against such attacks, but changing a router's default password to something stronger is a start. Use an administrator account on your PC or Mac only to install and uninstall programs, and a limited-access user account for everyday computing. Install an Internet security suite, and make sure a firewall is active at all times. And never click past a browser's certificate warning: that warning is the one sign of a forged certificate an ordinary user gets to see.

Note that these steps will not stop GCHQ or the NSA from acquiring your data, especially if they have you, specifically, in their crosshairs. But these moves may make the average user more trouble than he or she is worth for the government to target.

Follow Marshall Honorof @marshallhonorof.

  • Sooooo, they're literally conning you in order to steal your data? Please remind me how this is legal.
  • MANOFKRYPTONAK
    People should read 1984.
  • a20052020
    This type of MITM attack only works if you control the certificates (you have to get the companies' certs or get a cert authority to give you ones; otherwise the users will know for sure that they are under attack). Companies do this regularly to monitor internet access (it is also very legal in most areas and has even been tested in court), as company workstations (their network, their hardware, their property, so it's pretty clear cut for corporate monitoring) can have root certificates installed that are required and trusted for network access as well as transparent http/https proxy monitoring.

    Companies even install keyloggers, video recorders, time tracking software, remote admin/wipe/lockdown... (It is quite surprising that the NSA didn't have that in their network)
  • Spooderman
    1984 here we come!
  • Shaun o
    They're banking on the fact people don't read 1984, to be honest.
    Until it is too late to see that fiction has become a fact.
  • ddpruitt
    Please check your articles for technical accuracy.

    This isn't an SSL attack, this is a spoofing attack; this isn't a problem with the SSL protocol. And this isn't used by the NSA or GCHQ, this is mostly a hacker tactic to gain access to financial information. The advice is good, but it applies to general hacking attacks. If the government wants your financials all they have to do is ask; very few banks will refuse this type of request. On top of that they already have access to most of this information; there are a number of companies that have made billions providing this type of information (think about it for a minute, will you?).
  • agnickolov
    The only way this type of attack can work for the general public is when a Certificate Authority company (like VeriSign as the best known of the lot) is compromised so a third party can generate a malicious certificate. This most famously happened a couple of years ago to a less known CA courtesy of the Iranian Revolutionary Guard's cyber division and was used to target Iranian dissidents. Of course in the case of NSA they could very well control a few of the Certificate Authority companies directly, considering the biggest ones are American-based...
  • fixxxer113
    @athulajp

    Yeah, it's nice to see governments will even resort to using criminal methods in order to "protect us"... I feel so safe now, don't you??
  • Someone Somewhere
    Yep. Certificates are a guarantee that the other end is who you think they are. If the CAs hand out spoof certificates to the spies, it's all over.
  • freddyk1
    What if you keep your data in an encrypted storage like SaluSafe?