The principle I established when I set up this website was to promote Cyber Security and Personal Privacy and how individuals as well as companies (large and small) can ensure their cyber security and privacy. This is an ever-changing landscape and I feel I will never be out of a job, especially if what I heard today on the Security Now podcast is anything to go by.
So, what did the venerable Steve Gibson talk about as one of his headline topics?
Kazakhstan and their Certificate Authority
Kazakhstan are repeating an effort they first tried in 2016: establishing a root certificate issued by their own certificate authority, which would have to be installed in any web browser used to access the Internet from within the country.
A root certificate is a public key certificate that identifies a root certificate authority (CA). Any website served over https needs a certificate that chains up to a trusted root (usually via one or more intermediate CA certificates) so that the browser can verify its authenticity. If you want the technical detail I suggest you look at this Wikipedia page.
By installing such a root certificate, anything signed under it is automatically trusted by your web browser, unless that certificate authority has been blacklisted (which is the case with a few I have come across, such as DarkMatter). The cryptography involved is quite complex, so I am not going to go into the details here; there are many good references on the internet if you want them. It looks like Kazakhstan are also issuing certificates for popular websites (like Facebook) under their own certificate authority, which, as you can imagine, these services are not at all happy about.
Because the state holds the private key of that root, it can issue a certificate for any website it likes, sit in the middle of any https connection from a browser that trusts the root, and decrypt the traffic before passing it on. All the reputable certificate authorities (e.g. DigiCert, Entrust, GlobalSign) undertake to issue certificates only to the verified owner of a domain and to keep their private keys just that: private. The Kazakhstan certificate authority does not necessarily give that undertaking, and so the state is able to decrypt any https traffic originating within the country.
The Kazakhstan population (including anyone visiting the country) could be asked to install the certificate (and therefore lose all privacy on the web), or go without the Internet.
It should be noted that at the time of writing (27 July 2019) this has not been made mandatory, and quite rightly the internet community at large is up in arms about it.
However, there are plenty of other instances of nation states imposing rules on how the internet may be accessed:
- Russia is doing its best to stop western VPNs from operating in the country unless they agree to install back-doors so that the cyber police can decrypt any traffic passing through them
- VPNs are outlawed in Saudi Arabia; while there are some exceptions for companies, these have to be registered and permitted by the authorities
- China also has strict rules around VPNs and encrypted messenger apps, as in fact do Russia and other countries
- Foreigners crossing certain Chinese borders into the Xinjiang region are being forced to install an app that allows the authorities to eavesdrop on their phone or device, as part of a massive campaign of surveillance and oppression against the local Muslim population (more details here)
- US border officials are taking mobile devices and imaging them to search for illegal activity, but have recently been found to be retaining the images of your device beyond a reasonable time period
- The UK government wants developers of encrypted messaging apps (e.g. Facebook Messenger, WhatsApp, Telegram) to install back-doors so that law enforcement can eavesdrop on these encrypted conversations (see my blog Encrypted Messaging and the “Ghost Protocol” for more details).
These are just a few of the reports I have seen over the past year. Needless to say, if you are visiting some countries you really need to understand their cyber laws and what is and is not permitted. A good source is the UK Government's Foreign Office Travel Advice website. There will be a similar resource in your home country.
If I were visiting China, Russia, etc. I would take a burner phone which I would destroy on exiting the country. I would simply not take my regular phone, or for that matter any device I would not be happy destroying on exit.
What is happening in the UK?
Currently we do not have any laws similar to the Kazakhstan case in the UK, but we do have the ‘Investigatory Powers Act 2016’ (often called the ‘Snoopers’ Charter’), which has provisions to force ISPs to retain browsing histories and other information about your activity through them. Under court order, law enforcement and intelligence agencies can request this information, but the ISPs have to record and retain it for a number of years even if they are never asked to disclose it. You can read more about this in my blog entitled ‘Going Dark – The Problem with Full Encryption’.
In my opinion it isn’t beyond the scope of this law for the government to require a root certificate to be installed in all web browsers in the UK, giving the same access as in the Kazakhstan case. However, to the best of my knowledge this is not currently the case. They are, however, already using this law to limit access to adult websites (see my blog ‘Privacy & Cyber Security Concerns around Changes to Adult Site Age Verification in the UK’ for more details).
The UK government is also unhappy about the rising use of secure DNS, which defeats a lot of the surveillance activities employed by ISPs and the government (see my blog ‘Encrypted Website Lookup’ for details).
I also saw a tweet this week about how the Russian government is trying to de-anonymise the Tor network (be aware that this article also goes into a lot more). For those who don’t know what the Tor network is, I suggest you look at the dedicated website for the Tor Project (I have been meaning to write a blog about this for some time).
I am all for controlled access to encrypted messaging and websites under the controls offered by the courts (namely court orders). However, laws requiring citizens to give up their privacy, either at the border or simply by virtue of being citizens, are totally unacceptable in an enlightened world (IMHO).
In my opinion, with the rising fervour of nationalism in the world (specifically in the US and the UK around the very divisive subject of Brexit), the Kazakhstan case is on the radar, as are stricter laws around VPNs and encrypted messaging. In the US there is the constitution, together with a number of amendments, that sort of safeguards US citizens. In the UK we have a number of privacy laws, as do other countries in the EU and elsewhere. However, it is not beyond the realm of possibility that this sort of invasion of privacy could be enacted in the west in the name of safeguarding a country’s citizens.
I for one will be monitoring these events and will report anything I find via this blog.
I also urge everyone to do your homework when visiting other countries (whether for business or pleasure) to ensure you don’t fall foul of the local cyber laws. A simple internet search along the lines of ‘VPN Saudi Arabia’, for example, will bring back a trove of information. I also recommend looking at the UK Government's Foreign Office Travel Advice website. There will be a similar resource in your home country.
If your device ever leaves your possession at a country border (most of the time phones are not put through X-ray scanners at airports), then treat this with suspicion, especially if a member of the border staff inspects the device, requires login details or passcodes, or attaches anything to it. If it is a company device, hand it in to your company’s security team and keep it switched off. If it is your own device, at least do a factory reset when you get it back, although this may not totally remove any implants, since they could have installed a new version of the OS while it was in their possession. In that case the phone would need to be totally reset by the manufacturer, or you simply destroy the device.
With Windows you can always re-install the OS from a protected backup or using installation media. However, this does not fully protect you if something has been installed into the BIOS (or UEFI firmware), or in particular into the Trusted Platform Module (TPM), or if they have installed a rootkit (a form of malware that hides itself from the OS). You can often re-flash the BIOS in your PC, clear the TPM and scan for rootkits using Internet Security software (e.g. Windows Defender, the default on Windows).
A lot to take in, but as the holiday season is starting in the UK, hopefully some food for thought as we travel with our ever-present devices.