NSA Undermines Encrypted Communications
by Stephen Lendman
Unconstitutional spying is official US policy. Privacy no longer exists. Even encrypted communications are vulnerable.
On September 5, London's Guardian headlined "Revealed: how US and UK spy agencies defeat internet and privacy security."
They "successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden."
They show NSA and Britain's GCHQ compromised what online companies are sworn to protect. Virtually anything spy agencies want they can get. Financial, medical and other private information is obtained.
Snowden revealed "a battery of methods" used to do so. Encrypted information no longer is safe.
Covert measures "ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with 'brute force,' and - the most closely guarded secret of all - collaboration with technology companies and internet service providers themselves."
Covert business/spy agency partnerships insert "secret vulnerabilities" into commercial encryption software. They're called backdoors or trapdoors.
Information Snowden leaked reveals:
(1) In 2010, NSA's decade-long effort to breach encryption technology reached fruition. Doing so made "vast amounts" of Internet cable taps data "exploitable."
(2) NSA spends about $250 million annually working covertly with technology companies. It's done to influence their product designs.
(3) Encryption cracking capability is top secret. Analysts are warned: "Do not ask about or speculate on sources or methods."
(4) NSA calls its decryption initiative the "price of admission for the US to maintain unrestricted access to and use of cyberspace."
(5) GCHQ's involved in developing ways into encrypted "big four" service providers' traffic. Google, Yahoo, Facebook and Hotmail are targeted.
NSA and GCHQ say defeating encryption is vital for counterintelligence and foreign intelligence work. Security experts accuse them of attacking the Internet and personal privacy.
According to Harvard's Bruce Schneier:
"Cryptography forms the basis for trust online. By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet."
Classified briefings between both agencies reveal their successful "defeat(ing) (of) network security and privacy".
According to one GCHQ document:
"For the past decade, NSA (led) an aggressive, multi-pronged effort to break widely used internet encryption technologies."
"Vast amounts of encrypted internet data which have up till now been discarded are now exploitable."
An internal agency memo said of British analysts shown NSA's initiative: "Those not already briefed were gobsmacked!"
NSA's breakthrough wasn't explained in detail. Documents said it's able to monitor "large amounts" of decrypted world fiber-optic cable data.
It does it despite online companies claiming its decrypted data is secure. NSA's "Sigint (signals intelligence) enabling" capability is used.
Its funding dwarfs what's spent on Prism. Since 2011, over $800 million was budgeted. It's used to engage "US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs."
Companies involved aren't named. Their identity is protected by higher classification levels. NSA "insert(s) vulnerabilities into commercial encryption systems."
NSA alone knows what they are. Online customers are called "adversaries." NSA documents state:
"These design changes make the systems in question exploitable through Sigint collection with foreknowledge of the modification."
"To the consumer and other adversaries, however, the systems' security remains intact."
Documents say significant efforts are made to make encryption software "more tractable" to NSA penetration.
The agency wants the ability to crack the next generation of 4G phones.
NSA expects it'll be able to access "data flowing through a hub for a major communications provider."
It'll penetrate a "major internet peer-to-peer voice and text communications system."
Documents show NSA achieved another major goal. It influences international standards. Encryption systems rely on them.
According to the Guardian:
Independent security experts long ago "suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document."
"It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006."
"Eventually, NSA became the sole editor," document information states.
NSA's decryption program codeword is Bullrun. GCHQ's is called Edgehill. NSA's classification for employees and contractors states:
"Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies."
"Bullrun involves multiple sources, all of which are extremely sensitive."
NSA's able to penetrate widely used protocols. They include HTTPS, voice-over-IP and Secure Sockets Layer (SSL). It's used to protect online shopping and banking.
Documents show NSA's Commercial Solutions Center has a clandestine role. It's used to "leverage sensitive, co-operative relationships with specific industry partners."
It does so by inserting vulnerabilities into security products. Operatives were warned about keeping this information top secret.
A more general NSA classification guide reveals more information. It explains agency/business partnerships.
Complicity permits product modifications. Analysts are told two facts must remain top secret:
- NSA modifies commercial encryption software and devices; it does so "to make them exploitable;" and
- it "obtains cryptographic details of commercial cryptographic information security systems through industry relationships."
According to Snowden, not all encryption technologies have been penetrated. In June, he confirmed it to Guardian readers.
"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on," he said.
He warned about NSA's ability to crack weak computer security systems. It can do it on both communication ends.
GCHQ established its own strict guidelines. Analysts were told:
"Do not ask about or speculate on sources or methods underpinning Bullrun."
Even staff with access are warned: "There will be no 'need to know.' "
"Loss of confidence in our ability to adhere to confidentiality agreements would lead to loss of access to proprietary information that can save time when developing new capability," said GCHQ.
It calls decryption "particularly important." Its Tempora program was in danger of eroding. Decryption maintains its effectiveness.
GCHQ's Humint (human intelligence) Operations Team (HOT) refers to information gotten from undercover sources.
One document discussed GCHQ's team "responsible for identifying, recruiting and running covert agents in the global telecommunications industry."
"This enables GCHQ to tackle some of its most challenging targets."
ACLU principal technologist/senior policy analyst Christopher Soghoian calls "backdoors fundamentally in conflict with good security."
They "expose all users of a backdoored system, not just intelligence agency targets, to heightened risk of data compromise."
"This is because the insertion of backdoors in a software product, particularly those that can be used to obtain unencrypted user communications or data, significantly increases the difficulty of designing a secure product."
Former Justice Department prosecutor Stephanie Pell added:
"(An) encrypted communications system with a lawful interception back door is far more likely to result in the catastrophic loss of communications confidentiality than a system that never has access to the unencrypted communications of its users."
London's Guardian, The New York Times and ProPublica published the information discussed above.
The Guardian said intelligence officials asked them not to do so. Reasons given were spurious.
They were told it "might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read."
The Guardian concluded its article saying:
"The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of internet users in the US and worldwide."
A Final Comment
On September 5, the Electronic Frontier Foundation (EFF) headlined "Leaks Show NSA is Working to Undermine Encrypted Communications, Here's How You Can Fight Back."
NSA and GCHQ programs egregiously violate privacy. Communications of "billions of people risk being perpetually insecure…"
Doing so puts a lie to fundamental rule of law protections. Take these steps to fight back, said EFF:
"Sign the petition to stop NSA spying."
"Let Congress know that it's time for a full accounting of America's secret spying programs - and an end to unconstitutional surveillance."
"If you are not in the US, please take the time to sign our international petition."
"Call your elected representative. Use the call line 1-STOP-323-NSA (1-786-732-3672). Voice opposition."
"Use secure communications tools (read some useful tips by security expert Bruce Schneier)."
"Your communications are still significantly more protected if you are using encrypted communications tools such as messaging over OTR or browsing the web using HTTPS Everywhere than if you are sending your communications in the clear."
"(E)ngineers responsible for building our infrastructure can fight back by building and deploying more usable cryptosystems."
EFF issued a call to arms. Private communications are being lawlessly attacked. Every way possible must be used to fight back. At stake are fundamental freedoms. They're too important to lose.
Stephen Lendman lives in Chicago. He can be reached at email@example.com.
His new book is titled "Banker Occupation: Waging Financial War on Humanity."
Visit his blog site at sjlendman.blogspot.com.