GnuTLS, an open source SSL and TLS implementation used in hundreds of software packages including Red Hat desktop and server products and all Debian and Ubuntu Linux distributions, is the latest crypto package to improperly verify digital certificates as authentic. The vulnerability, discovered and reported yesterday by engineers at Red Hat, puts any site or application dependent on GnuTLS at risk for exploit.
“It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification,” Red Hat said in an advisory issued Monday. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”
The vulnerability has eerie similarities to a bug reported by Apple in its iOS mobile operating system and OS X for Mac computers. Now known as the goto fail bug, separate patches were issued for the vulnerability which removed SSL certificate checks from the respective operating systems.
“This really is as bad as it gets,” said Kenneth White, a security expert and principal scientist at Social & Scientific Systems in North Carolina. “An attacker can trivially forge any arbitrary domain and make it appear authoritative and trusted to the requestor. So, not only interception of sensitive channels, but [also] potentially subverting the trusted package signature process as well.”
White estimates there are more than 350 packages that rely on GnuTLS crypto libraries; in addition to popular Linux distributions, core crypto and mail libraries such as libcrypt and libmailutils, and cURL are affected.
“cURL (libcurl3-gnutls), in turn is used by the package updating system both for OpenPGP (gnupg2 and gnupg-curltransport), as well as the system package updater itself (apt-transport-https),” White said. “But what is especially difficult, is understanding the myriad downstream dependencies, such as XML parsers, etc. In general, Debian & Ubuntu have eschewed OpenSSL for license reasons, so there actually exist Nginx and Apache installs that use gnutls as well.”
GnuTLS issued an advisory, confirming the vulnerability and that it was discovered during an audit of GnuTLS for Red Hat. It urges users to upgrade to the latest GnuTLS version 3.2.12 or 3.1.22 or to apply a patch for GnuTLS 2.12x. Red Hat Enterprise Linux Desktop, HPC Node, Server and Workstation v 6, as well as Red Hat Enterprise Linux Server AUS and EUS v 6.5 are affected, Red Hat said in its advisory.
The recent Apple bug brought this issue to the forefront. Apple released a patch on Feb. 21 for iOS and days later for OS X. An attacker with man in the middle positioning on a network could present an invalid certificate that would pass checks normally designed to reject such a cert. The attacker would then be able to monitor communication and network traffic thought to be secure.
Critical infrastructure policymakers are advocating the foundation of a new entity, the Institute for Electric Grid Cybersecurity, along with a new set of guidelines, to better protect the North American electric grid from cyber-attacks and determine how to respond if the grid is ever compromised.
The initiative was described in a new report (.PDF) issued by the Bipartisan Policy Center. The report was authored by a handful of officials from across the industry, including former National Security Agency and C.I.A. Director Gen. Michael Hayden.
Hayden appeared on a panel last Friday to discuss the paper at the Bipartisan Policy Center in Washington, D.C. where the rest of the report’s authors discussed their recommendations. The group is largely encouraging government agencies and private entities to strengthen the system that’s in place before it’s inevitably attacked.
Calling it a domain that favors the attacker, Hayden called the threats “almost self-evident,” before going on to reference the adversaries who want to “degrade, disrupt, deny, destroy” networks and the hackers out there responsible for “recreational espionage.”
Hayden was joined by Curt Hébert, a partner at Mississippi law firm Brunini, Grantham, Grower & Hewes, Paul Stockton, a Managing Director at economic advisory firm Sonecon, and Scott Aaronson, the Senior Director of National Security Policy for the Edison Electric Institute.
Throughout Friday’s panel, the men made several references to the staggering $6 billion costs that were attributed to the 2003 Northeast blackout of August 2003. While that blackout was ultimately blamed on an errant tree branch, that idea, the concept of a multiday outage, is a spectre that still looms over the electrical grid.
Hébert, who formerly chaired the Federal Energy Regulatory Commission, at one point called electricity “the most critical of the infrastructures,” mentioning the blackout and the difficulties associated with restoring sectors like telecom and healthcare. Hébert insisted that the industry has to do a better job understanding the need for mandatory standards, adding that while the NERC has done a good job working with the federal regulatory commission, there are still risks that need to be mitigated.
Hébert described the new organization, claiming it would need to be independent and tackle security from a holistic angle to ensure that everything “from the burner tip all the way down to the point that the kilowatt is actually given to the consumer” is protected.
The industry organization, tentatively titled the Institute for Electric Grid Cybersecurity is only mentioned twice in the 76-page report but the group claims that it could be loosely modeled on the Institute of Nuclear Power Operations, a group started in the wake of the accident at Three Mile Island in 1979 and involve “power sector participants” from across North America.
Those participants would ideally include local distribution utilities – there are 3,200 nationwide that delivery electricity – large generators and state utility regulators.
Still though Hayden acknowledged that to get a change to come, everyone would have to assume responsibility, most importantly the government.
“This cannot be done with just good will and executive action; it’s going to require Congress to actually face these issues and make some decisions that provide some legislative structure in terms of protection and responsibility that makes this more possible than it is today,” Hayden said.
The case for congressional action is clearly laid out in the report with one part recommending the Department of Energy allocate funds “to fully evaluate and understand systemic cyber risks” and “help regulators better evaluate the potential impacts of cyber attacks and provide needed context for weighing the benefits of utility investments in cybersecurity.”
“What permeates the report is that you can’t win this just defending the perimeter, you can’t win this with just prevention and defense ,” Hayden said.
“It’s the concept of resilience, what happens after things start to go wrong?”
As Matthew Wald, an energy reporter with the New York Times who moderated Friday’s panel reminded the audience, that’s exactly whats happening.
Things are going wrong.
Wald noted in the panel’s introduction that of the 250+ incidents reported to the Department of Homeland Security last year, two-thirds of them targeted the energy sector and grid.
One of the bigger problems with the grid came last year when two engineers Adam Crain and Chris Sistrunk discovered a vulnerability in an electrical communication protocol that’s widely used across the country. That vulnerability opened the floodgates and later led to a 20-page report “replete with vulnerabilities in 16 different system vendors.” According to a New York Times article from an October briefing the vulnerabilities, they affect a number of supervisory control and data acquisition systems (SCADA) and if used at a single, unmanned power substation, the vulnerabilities could result in “a widespread power outage.”
A team of researchers has published a paper that explains a number of attacks against websites and Web-based applications running TLS. The researchers’ techniques do not exploit implementation errors, the most common attack vector against encryption securing online communication, instead focus on exploiting features of the protocol that include session resumption followed by client authentication during session renegotiation.
The paper, called “Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS,” describes in detail how an attacker can use a man-in-the-middle attack to successfully impersonate a TLS client in attacks against TLS renegotiations, wireless networks, challenge-response protocols and channel-bound cookies.
Written by Karthikeyan Bhargavan, Antoine Delignat-Lavaud and Alfredo Pironti of the Prosecco research team at INRIA Paris-Rocquencourt, C’edric Fournet at Microsoft Research, Cambridge, and Pierre-Yves Strub of the IMDEA Software Institute, the paper demonstrates how an attacker could force a client running TLS to connect to an attacker-controlled server with an authenticated credential. The attacker’s server will then be able to impersonate the client at another server accepting the same credential, via single sign-on, for example.
“Concretely, the malicious server performs a man-in-the-middle attack on three successive handshakes between the honest client and server, and succeeds in impersonating the client on the third handshake,” the researchers wrote.
The researchers said their attacks work against leading browsers, VPN applications, and HTTPS libraries; different takes on the attacks that do not rely on renegotiation, for example, can enable spoofing of other TLS authentication such as PEAP, SASL and Channel ID.
“Our attacks exploit a lack of cross-connection binding when TLS sessions are resumed on new connections,” the researchers wrote. “Moreover, our attacks do not require an active network adversary but can be mounted only with a malicious server or website.”
The researchers dug into four TLS weaknesses, starting with a problem in the RSA handshake that enables impersonation via an unknown key-share attack, as well as another weakness in the Diffie-Hellman Exchange handshake where an attacker can use a man-in-the-middle attack between the client and server to steal sessions sharing the same keys, a different take on the same unknown key-share attack.
Session resumption on a new connection exhibits another weak link exploiting the fact that it uses an abbreviated handshake that can be forwarded between connections and accepted because it does not re-authenticate the client and server identities.
The fourth TLS issue happens during renegotiation, the researchers said, where the server and client certificates can change and applications are not properly instructed how to deal with changes and may not implement the best cert for the situation.
The researchers disclosed the vulnerabilities to a number of vendors, including the major browser vendors Apple, Google, Microsoft and Mozilla, all of which implemented a patch or some mitigation. OpenSSL, GnuTLS and GNU SASL said mitigations are pending.
Google has fixed 19 security flaws in its Chrome browser, including more than a dozen high-risk bugs. The company paid out $3,500 in rewards to security researchers who reported flaws.
Two of the high-risk vulnerabilities fixed in Chrome 33 are use-after-free flaws, one in SVG images and the other in speech recognition. There’s also a heap buffer overflow in the software rendering. The full list of flaws that earned rewards from Google:
[$1000] High CVE-2013-6663: Use-after-free in svg images. Credit to Atte Kettunen of OUSPG.
[$500] High CVE-2013-6664: Use-after-free in speech recognition. Credit to Khalil Zhani.
[$2000] High CVE-2013-6665: Heap buffer overflow in software rendering. Credit to cloudfuzzer.
 Medium CVE-2013-6666: Chrome allows requests in flash header request. Credit to netfuzzerr.
In addition to the bugs found by external researchers, Google’s internal security team also found a large number of bugs that were fixed in this release. Google’s researchers found 11 high-risk bugs and four medium-risk vulnerabilities.
Verizon updated its transparency report yesterday, breaking down National Security Letter and Foreign Intelligence Surveillance Act (FISA) orders for the first and second halves of 2013.
The telecommunications giant released its first transparency report in late January, responding to pressure from privacy advocates to publish law enforcement and government requests for data in the wake of the Snowden leaks. AT&T has also published its first transparency report, though both AT&T and Verizon lag behind Internet companies such as Google, Facebook and Twitter that have been sharing data for more than a year.
Verizon’s update doesn’t radically stray from the numbers it shared in January; during the first six months of 2013, the telecom received between 0-999 National Security Letters and 0-999 FISA Orders for content and customer information. The same range of requests was true for the period between July 1 and Dec. 31, the company said.
This is the first time Verizon reported on FISA orders since a Department of Justice ruling eased a gag order on companies that prevented publishing of such data. The ruling was a concession after months of lobbying and lawsuits from Internet companies requesting greater transparency and to dispel the notion that they were complicit with government snooping on users by providing intelligence agencies and law enforcement direct access to company servers.
Now companies are allowed two reporting options, in ranges of 0-999 or specific numbers up to 250 requests and then in ranges of 250 thereafter. The DOJ also requires a six-month quiet period on FISA order requests.
“We welcome greater transparency in this area by telecommunications and internet companies, in the absence of broader information by the government collecting the data,” said Verizon general counsel Randal Milch. “We once again call on all governments to make public the number of demands they make for customer data from such companies, because that is the only way to provide the public with an accurate data set.”
Verizon also reported that between 4,000 and 4,999 customer selectors were targeted by National Security Letters and FISA Orders for content and user information. Selectors, Verizon said, are customer identifiers used by the company and that identifier is generally a phone number.
“The number of selectors is generally greater than the number of customer accounts,” Verizon said in a statement. “An NSL might ask for the names associated with two different telephone numbers; even if both phone numbers were assigned to the same customer account, we would count them as two selectors.”
Verizon reported on Jan. 22 that it also received 36,000 warrants requesting location information or stored content data from its landline, Internet and wireless services; the court-ordered location data requests, Verizon said, are growing in frequency every year.
“Verizon only produces location information in response to a warrant or order; we do not produce location information in response to a subpoena,” Verizon said in a statement at the time. Of the 35,000 requests, 24,000 were through court orders and the rest through warrants. It also received about 3,200 warrants or court orders for “cell tower dumps” where under a warrant or court order Verizon was compelled to identify the phone numbers of all phones that connected to a specific cell tower during a given period of time.
As seemingly every new gadget and electronic device is coming retrofitted with an Internet connection these days – appliances, cars and medical devices a few chief examples, the floodgates have opened ever wider for an alarming number of new attack vectors.
The burgeoning evolution of “Internet of Things,” (IoT) as the concept has colloquially become known over the last few years, has prompted Cisco Systems to issue a challenge to programmers to address these security issues before they go on to become bigger problems.
In what its dubbed the Internet of Things Security Grand Challenge the company is offering up to $300,000 in prize money to members of the global security community who propose the best practical security solutions “across the markets being impacted daily by the IoT.”
Cisco Security Group Senior VP Chris Young explains the contest of sorts on the company’s main blog, writing that $50,000 to $75,000 will be awarded to up to six recipients. According to the challenge’s site, the deadline for submissions will be June 17 and the winners will be announced at the company’s second annual Internet of Things World Forum in Barcelona, Spain later this year.
Young notes that proposals will be based on four criteria:
- Feasibility, scalability, performance and ease-of-use
- Applicability to address multiple IoT verticals (manufacturing, mass transportation, healthcare, oil and gas, smart grid, etc.
- Technical maturity/viability of proposed approach
- Proposers’ expertise and ability to feasibly create a successful outcome
“As our connected lives grow and become more richer, the need for a new security model becomes even more critical,” Young wrote.
The security instabilities of cars and medical devices have been made clear over the past several years. In 2013 researchers Chris Valasek and Charlie Miller published a thorough paper describing how they were able to hack some Ford and Toyota brand cars to control the steering, braking and other functions while they were driving. Meanwhile the Food and Drug Administration urged medical device manufacturers to take security more seriously last year, handing down a series of suggestions intended on shoring up often vulnerable devices like insulin pumps, pacemakers, and defibrillators.
More than 300,000 small office and home office routers, most in Europe and Asia, were compromised in a campaign that started in mid-December, continuing a rash of security incidents involving home and small business networking equipment.
Researchers at Team Cymru published a report today on the pharming attacks. The attackers are overwriting DNS settings on the devices and redirecting DNS requests to attacker-controlled sites via extensive man-in-the-middle attacks.
Routers from a number of manufacturers, including TP-Link, D-Link, Micronet, Tenda, and others, are involved and victims are concentrated in Vietnam, India, Italy and Thailand. Team Cymru said it notified the affected vendors, none of which responded to its outreach. In addition, the researchers said they had notified law enforcement.
The researchers identified the IP addresses involved: 5[.]45[.]75[.]11 and 5[.]45[.]75[.]36. Since the routers’ primary DNS IP addresses are overwritten in the attacks, the victims are susceptible to denial of service if the attackers’ servers are taken down, Team Cymru said.
The attacks were detected in January on several TP-Link routers redirecting victims to the two IP addresses; the TP-Link routers were not accessible via default passwords, Team Cymru said. Instead, the hackers exploited a cross-site request forgery vulnerability on the devices and a version of the ZyXEL ZynOS firmware that was vulnerable to attacks where a hacker would be able to download a saved configuration file that included admin credentials from a URL in the web interface that did not require authentication.
Team Cymru said it observed more than 300,000 unique IP addresses sending DNS requests to the attack servers, which were acting as open resolvers, thus responding to any external request.
The researchers said in the report that the campaigns are similar to the attacks against a number of banks in Poland recently, but are likely being conducted by separate hacker groups. Poland’s mBank was targeted by similar DNS redirection attacks, which attackers used to steal credentials for online accounts. In those attacks, SMS messages were sent to victims, enticing them to approve transfers to the attackers’ accounts. The IP addresses involved in the mBank attacks were 95[.]211[.]241[.]94 and 95[.]211[.]205[.]5. Unlike the latest router attacks, only 80 or so were observed by Team Cymru.
“The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability. The more manually-intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group,” the report said.
Attackers have been targeting home networking gear with relative success for a bit of time now. The most recent incident was the so-called Moon worm identified by the SANS Institute. Moon spread over Linksys home and SMB routers, exploiting a CGI script vulnerability that allowed it to spread over the HNAP protocol used in Cisco devices. It was unclear at the time whether there was a malicious payload, or what kind of command-and-control communication was happening.
“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide),” said SANS CTO Johannes Ullrich said. “We are still working on analysis what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm “It may have a ‘call-home’ feature that will report back when it infected new hosts.”
Schneider Electric Mitigates Vulnerabilities in OPC Factory Server and Floating License Manager Products
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) last week issued advisories warning of serious vulnerabilities in Schneider Electric SCADA gear.
Schneider Electric is a supplier of energy management control products that are used in a number of critical industries in North America, including energy, water and wastewater, food, agriculture, and transportation systems.
The company reported two vulnerabilities that could allow attackers to execute malicious code. Product upgrades have been developed by Schneider Electric that mitigate the vulnerabilities.
The first affects the Schneider Electric OPC Factory Server, which provides an interface for client applications that require access to production data in real time. Versions TLXCDSUOFS33 – V3.35, TLXCDSTOFS33 – V3.35, TLXCDLUOFS33 – V3.35, TLXCDLTOFS33 – V3.35, and TLXCDLFOFS33 – V3.35 contain a buffer overflow vulnerability when a malicious configuration file is sampled, the ICS-CERT advisory said.
“When a malformed configuration file is parsed by the demonstration client, it may cause a buffer overflow allowing the configuration file to start malicious programs or execute code on the PC,” the advisory said.
The vulnerability is not remotely exploitable, keeping its severity score down.
“The exploit is only triggered when the demonstration client opens a specially modified sample client configuration file to execute malicious programs or execute code on the PC,” the advisory said.
The second vulnerability, an unquoted service path vulnerability, was found in the Schneider Electric Floating License Manager; it too cannot be exploited remotely, the ICS-CERT advisory said. Versions V1.0.0 through V1.4.0 which is used in five products from the company: Power Monitoring Expert; Struxurware process Expert; Struxureware process Expert libraries; Vijeo Citect (SCADA); and Vijeo Citect Historian.
“This vulnerability could allow attackers to start malicious programs as Windows services,” the advisory said. “When the executable path of a service contains blanks, attackers can exploit this to execute malicious programs.”
The advisory said the exploit is triggered only when a local user runs the vulnerable application and the path contains blanks; to mitigate, service paths in the registry must be surrounded with quotes, ICS-CERT said.
Schneider Electric products using the vulnerable license manager are automatically updated via the company’s update system.
Apple rarely offers anyone a glimpse inside its walled-off security garden. The last time it did was in the spring of 2012 when it released a detailed paper on the security of its iOS operating system for iPhones and iPads. The company also presented a much-anticipated if not anticlimactic presentation at the Black Hat Briefings that summer summarizing the high points of the paper.
Now, scant days after the revelation that a stunningly simple coding mistake led to emergency updates for iOS and OS X in order to close a cavernous SSL certificate-validation vulnerability, Apple has released an updated iOS security guide.
The 33-page document explains in a helpful degree of detail the inner workings of iOS system security, encryption and data protection capabilities, network security, device controls, application security and security around its Internet services such as iCloud, iCloud Keychain, iMessage and more.
The application security and Internet services sections are new additions to the paper. The services, in particular, are key hubs for iOS users’ data, not only as it’s shared via messaging applications and services, but at rest in storage services such as iCloud.
Rich Mogull, founder of consultancy Securosis, wrote in an analysis of the paper that this is the first time Apple has shared any level of noteworthy detail on iCloud and said the mechanisms deployed by Apple would make it difficult for intelligence agencies to intercept data such as iCloud Keychain passwords. Keychain allows users to sync passwords between devices running iOS and computers running OS X.
Apple said in the paper that iCloud Keychain and Keychain Recovery services are designed so that passwords are protected regardless if an account has been compromised, whether iCloud is compromised, or third parties have access to user accounts.
The paper describes an elaborate encryption scheme used by iCloud Keychain involving asymmetric cryptography in which the private key signs the public key, yet never leaves the user’s device.
“Each keychain item is sent only to each device that needs it, the item is encrypted so only that device can read it, and only one item at a time passes through iCloud,” Mogull wrote. “To read it, an attacker would need to compromise both the key of the receiving device and your iCloud password. Or re-architect the entire process without the user knowing. Even a malicious Apple employee would need to compromise the fundamental architecture of iCloud in multiple locations to access your keychain items surreptitiously.”
Apple also uses a secure infrastructure for keychain escrow allowing only authorized users and devices to recover a keychain. The escrow records are protected by clusters of hardware security modules, Apple said. Again, another complex series of events, protect the escrow record and ultimately keychain recovery.
The timing of the paper keeps the security of Apple devices in the news a bit longer. Apple’s release on iOS 7.06 late on the afternoon of Friday Feb. 21 corrected a coding mistake that removed SSL certificate checks from iOS—and later it was revealed to affect OS X as well. Attackers who successfully had pulled off a man-in-the-middle attack on the victim’s wireless network could intercept and read communication in clear text because of the goto fail bug as it has come to be known.
In an analysis of the vulnerability, Google expert Adam Langley said a server could send a valid certificate chain to the client and not have to sign the handshake. Langley summarized:
“This signature verification is checking the signature in a ServerKeyExchange message. This is used in DHE and ECDHE ciphersuites to communicate the ephemeral key for the connection. The server is saying ‘here’s the ephemeral key and here’s a signature, from my certificate, so you know that it’s from me’,” Langley wrote in his analysis. “Now, if the link between the ephemeral key and the certificate chain is broken, then everything falls apart. It’s possible to send a correct certificate chain to the client, but sign the handshake with the wrong private key, or not sign it at all! There’s no proof that the server possesses the private key matching the public key in its certificate.”
Oracle’s Demantra, part of the company’s Value Chain Planning suite of software, is fraught with vulnerabilities according to several bug disclosures issued over the weekend.
Researchers at the London-based computer security firm Portcullis claim the application is plagued by a four vulnerabilities that could allow an attacker to extract sensitive information, carry out phishing attacks, and modify content within the application, among other attacks.
The first problem, a local file vulnerability (CVE: 2013-5877) in the app could let an attacker harvest useful information from the web.xml configuration file or “download the whole web application source code,” according to a warning published Saturday.
A SQL injection vulnerability (CVE: 2014-0372) in Demantra could allow an attacker to extract authentication credentials and personal details from the app, along with the ability to modify content. From there, if an attacker added malicious code, they could deliver malware or target other exploits in client browsers. The security firm claims modifying content might be a bit more difficult because the attacker would have to execute a “blind” SQL injection attack and request many pages to get it to work, but still says it “does not prevent exploitation.”
A cross site scripting vulnerability (CVE: 2014-0379) in the app’s TaskSender could let an attacker execute script code in an authenticated user’s browser, which could lead to session hijacking.
This might be the most troublesome of all the bugs because it can open up a whole can of worms on top of the session hijacking.
With those credentials an attacker could then access the site as that user and perform actions as them, such as viewing and changing personal data and making transactions. The vulnerability can also be leveraged in a phishing attack in which an attacker can create a fake log-in page and get a genuine user to log in without knowing the site had been compromised.
Portcullis notes that in a worst-case scenario the attacker could even gain full control of a user’s computer if they used the XSS vulnerability to exploit any further vulnerabilities in browsers.
The last big vulnerability, a problem with the app’s backend is something the firm calls a Database Credentials Disclosure vulnerability (CVE: 2013-5795) and can let anyone retrieve the database instance name and corresponding credentials. This means that they could combine this issue with some of the others to steal database credentials.
Oliver Gruskovnjak, the chief technical officer at Portcullis pointed out all the vulnerabilities on Saturday on the company’s site and via seclists.org’s Full Disclosure mailing lists.
All issues are present in version 12.2.1 of Demantra, an analytical engine that Oracle produces that allows its users to keep track of demand management, trade planning and sales/operation planning.
Oracle just patched Demantra in January as part of its quarterly Critical Patch Update (CPU), fixing six bugs in the app, four of which were remotely exploitable without authentication. While Oracle didn’t immediately respond to a request on Monday it’s probably safe to say the company is busy working on patching these issues for its next CPU scheduled for release on April 15.
CloudFlare claims government requests for user data are affecting fewer than .017 percent of their two million global customers
The Web performance and security company yesterday issued the report in accordance with the Department of Justice’s new regulations for publishing information pertaining to law enforcement requests for user data. While the figure is necessarily a bit off – given that current law bars companies from including specific figures regarding domains affected by National Security Letters (NSLs) – the report suggests that the government has sought information on perhaps as many as 3400 of CloudFlare’s clients.
Their data reflect all requests as of December 31, 2013.
The company says it received 18 subpoenas last year, complying with only one of those requests. Another one request is still in process. The requests pertained to 17 separate domains but only affected one customer account.
CloudFlare says it pushed back on 16 subpoenas, all of which were rescinded. In some instances, the company claims court orders were issued in lieu of the original subpoena. In other cases, CloudFlare was simply not able to provide any information.
The company says it received 28 court orders, complying with 25 such orders. Two of the government requests remain in process. In total, court orders affected 227 domains under 38 customer accounts. For one of these court orders, CloudFlare was incapable of providing any information.
The company says it received three search warrant requests, one of which was eventually rescinded. They only ended up complying with one of the orders, though a second remains in process. The warrants affected four domains under one user account.
“In the rare instances where law enforcement has sought content such as abuse complaints or support communications, CloudFlare has insisted on a warrant for those electronic communications,” the company says. “To date, we have received no such warrants.”
The company received and complied with just one request for a pen register/trap and trace order that affected only one domain under one customer account.
In both 2012 and 2013, CloudFlare claims it received between 0-249 NSLs.
“Even assuming the high end of the range at 249 accounts affected,” the company wrote in its transparency report, “such national security orders would affect fewer than 0.02% of CloudFlare customer accounts.”
Under the new Justice Department rules, companies are allowed to report the reception of NSLs in batches of 250, starting with 0-249. In other words, no company is permitted to say that they received zero NSLs.
The company notes that the new rules are an improvement on the old ones, but “still consider[s] these new regulations to be an undue prior restraint on the freedom of speech.”
CloudFlare is also clear that has never turned over its SSL keys or its customers’ SSL keys to anyone; it’s never installed any law enforcement software or equipment anywhere on its network; it’s never terminated a customer or taken down content due to political pressure; nor has it ever provided any law enforcement organization a feed of its customers’ content transiting its network.
“If CloudFlare were asked to do any of the above,” the company claims, “we would exhaust all legal remedies, in order to protect its customers from what we believe are illegal or unconstitutional requests.”
CloudFlare’s report follows similar ones by AT&T, which received more than 2,000 NSLs, as well as Twitter, and various of the other tech giants, all of which seem to indicate that government requests for user data are on the rise.