Feeds

Reports: NSA has compromised most internet encryption

There goes the neighborhood

SANS - Survey on application security programs

The NSA and the GCHQ have compromised much encryption used on the internet through a potent mix of technological theft, spycraft, and collaboration with major technology companies, according to new reports.

In a series of news articles that highlight how the code-breaking crypto-fiddling agencies NSA and GCHQ are doing their job, ProPublica, The New York Times, and The Guardian, disclosed on Thursday a wide-ranging campaign by the spies to smash internet crypto methods so to better slurp data from the world+dog.

The NSA "has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show," the NYT reports.

Though thin on specifics, the stories clearly outline that the agencies have developed a variety of methods to attack and gain access to data secured by either SSL, or inside a virtual private network (VPN). They also imply that they have put backdoors into crypto-systems and potentially widely used digital components, as well.

The spies have also worked with technology companies to gain a direct line to data stored in their servers, though the documents do not specify which companies in particular. Analysts can slurp away at the decrypted data through a highly classified program named "Bullrun".

"For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies. ... Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable," one memo from 2010 given to the spies at GCHQ, says.

New "groundbreaking capabilities" have also let the agencies inspect data that is intercepted from submarine cables, the reports state.

The gist of the reports is that the agencies have probably compromised SSL via gaining certificates and encryption keys to the point where they can perform man-in-the-middle attacks on widely used applications. GCHQ is alleged to have broken the security on some 30 VPN systems, and has plans to get into 300 by 2015.

Though mega-leaker Edward Snowden has previously claimed end-to-end encryption can protect users, the thorough ways in which the agencies have worked to compromise endpoints makes it unlikely that users on either end of a communication have access to clean hardware.

So it goes. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.