NSA has 'circumvented or cracked' internet encryption exposing banking systems, medical records and more

You really do have no privacy on the internet, even if you use encryption, due to secret NSA and GCHQ spying activities

Newly disclosed documents show how the US National Security Agency (NSA) is winning its "war" against encryption.

According to the latest documents released by whistleblower Edward Snowden and published in the New York Times newspaper, the security agency has "circumvented or cracked much of the encryption... that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the emails, web searches, internet chats and phone calls of Americans and others around the world".

The latest revelations show that spying on internet users and activity around the world by both the US NSA and the UK's GCHQ spying agency goes much further and deeper than originally suspected when Snowden first revealed the existence of the NSA's Prism programme.

The New York Times report continues: "The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents."

The programme commenced in 2000 in response to the proliferation of encryption tools and, in particular, the emergence of public key infrastructure (PKI) encryption at that time.

"The NSA invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own 'back door' in all encryption, it set out to accomplish the same goal by stealth," claims the New York Times.

The organisation has built its own supercomputers for the sole purpose of cracking encryption algorithms, and has worked with US technology companies to build "back doors" into their products - these might include security software applications, as well as networking hardware.

The NSA has also targeted servers to capture messages before they are encrypted. According to the New York Times, some companies were coerced into handing over master encryption keys or building in back doors.

"For the past decade, NSA has led an aggressive, multi-pronged effort to break widely used internet encryption technologies," reads a leaked 2010 memo describing a briefing about NSA activities prepared for counterparts at GCHQ. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted internet data, which have up till now been discarded, are now exploitable."

The New York Times reports that the GCHQ analysts briefed on the NSA encryption-breaking programme were "gobsmacked".

The NSA's efforts have, in particular, targeted secure sockets layer (SSL) and virtual private networking (VPN) technology, widely used by companies that need to keep their communications secure - especially from rivals and the threat of industrial espionage perpetrated either by other companies or by national governments.

4G telecoms networks have also been targeted, but the status of the Advanced Encryption Standard (AES) algorithm is unclear. However, it was devised in a contest overseen by a US government agency and may be considered tainted.

The latest western government spying revelations have drawn a sharp response from security expert Bruce Schneier, who has started working with the journalist who broke the story, Glenn Greenwald, after joining the board of the Electronic Frontier Foundation as the accusations mounted.

"Government and industry have betrayed the internet, and us," he wrote in an opinion article for The Guardian newspaper.

He continued: "By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards."

At the same time, however, Schneier has also offered some practical advice for maintaining security against such threats.

"The primary way the NSA eavesdrops on internet communications is in the network. That's where their capabilities best scale. They have invested in enormous programs to automatically collect and analyse network traffic."

Schneier identifies a number of weaknesses, including deliberate flaws in mass-market encryption products and poor endpoint security, and has five main pieces of advice for improving corporate and personal internet security:

1) Implement hidden services and use Tor to anonymise your internet activity. Although the NSA targets Tor users, it still creates extra work for them;

2) Encrypt communications. While the NSA targets encrypted connections and may have its own exploits that it can use against standard protocols and software packages, "you're much better protected than if you communicate in the clear";

3) If you have something really important, use an "air gap". Schneier used a new PC that has never been connected to the internet to do his work for the EFF, transferring files using an encrypted USB stick. The Russian government, meanwhile, reverted to typewriters early on when the first Snowden revelations emerged;

4) Be suspicious of commercial encryption software, especially from large vendors. "My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors."

Furthermore, adds Schneier, "closed-source software" is easier for the NSA to install backdoors in than open-source software, where the code is open to inspection. "Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means."

5) Use public-domain encryption compatible with other implementations. It is more difficult for the NSA to install a backdoor in software based on transport layer security (TLS) than BitLocker, a commercial security application, because one vendor's TLS has to be compatible with every other vendor's.

Schneier also recommends using Linux instead of Windows, and suggests that concerned internet users investigate secure email such as Silent Circle, encryption such as GPG and TrueCrypt, and live non-persistent operating systems such as Tails that leave no trace of their use on the machine on which they are used.
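Points 2 and 5 of the advice above come down, in practice, to using standard TLS with peer verification switched on and preferring cipher suites whose session keys do not hang off a single long-term key: the leaked memo's remark that discarded captures are "now exploitable" is exactly the risk when a static RSA key exchange lets a later key compromise unlock traffic recorded years earlier. The following Python example is added here to illustrate that check and is not from the article or from Schneier; it uses only the standard library's ssl module, and the cipher policy string, the `audit_context` helper and the permissive "contrast" context are this example's own choices.

```python
import ssl

# Cipher suites whose key exchange is ephemeral (ECDHE/DHE) give forward
# secrecy: a later compromise of the server's long-term private key does not
# let someone who recorded the traffic earlier decrypt it afterwards. With a
# static RSA key exchange (OpenSSL names with no ECDHE-/DHE- prefix) the
# session key is wrapped under that one long-term key, so archived captures
# stay at risk. Every TLS 1.3 suite (names prefixed "TLS_") is ephemeral.

def is_forward_secret(cipher_name: str) -> bool:
    """True if the OpenSSL-style cipher suite name implies ephemeral key exchange."""
    if cipher_name.startswith("TLS_"):          # TLS 1.3 suite
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))

# Cipher policy string chosen for this example (not a value from the article):
# ephemeral ECDHE key exchange only, AEAD ciphers only, no anonymous suites.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"

def make_strict_context() -> ssl.SSLContext:
    """Client context that verifies the peer and allows only forward-secret suites."""
    ctx = ssl.create_default_context()   # system trust store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRICT_CIPHERS)
    return ctx

def make_permissive_context() -> ssl.SSLContext:
    """The kind of context found in code that 'just wants the connection to work'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # accepts a certificate issued for any name
    ctx.verify_mode = ssl.CERT_NONE      # accepts any certificate at all
    return ctx

def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the properties a reviewer would check before trusting a TLS client."""
    suites = [c["name"] for c in ctx.get_ciphers()]
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls_1_2": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "all_suites_forward_secret": all(is_forward_secret(s) for s in suites),
    }

if __name__ == "__main__":
    for label, ctx in (("strict", make_strict_context()),
                       ("permissive", make_permissive_context())):
        print(label, audit_context(ctx))
```

Running the script prints the audit for both contexts; the strict one reports every property as true, while the permissive one shows the two verification flags off. Because it is built on the interoperable TLS standard rather than a single vendor's product, the same policy can be applied to any client that accepts an `SSLContext`, which is the interoperability argument behind point 5.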