Saturday, September 07, 2013

NSA and British counterpart cracking Internet codes


The Guardian, in partnership with The New York Times and ProPublica.org,reports on how the National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ) have successfully cracked much of the code that people rely on to guard security across the Internet.   The NSA has been working for 10 years, concentrating on eliminating encryption algorithms as a possible source of security risks to the country.  In 2010, they made a breakthrough with allowed them to "exploit" vast amounts of Internet traffic which previously was inaccessible.  And now, both the NSA and the GCHQ are working in some collaboration with Yahoo, Google, Hotmail and Facebook to build "backdoors" to these systems and insert exploitable vulnerabilities into their encrypted traffic. From the Guardian article:

The agencies insist that the ability to defeat encryption is vital to their core missions of counter-terrorism and foreign intelligence gathering.

But security experts accused them of attacking the internet itself and the privacy of all users. "Cryptography forms the basis for trust online," said Bruce Schneier, an encryption specialist and fellow at Harvard's Berkman Center for Internet and Society. "By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet." Classified briefings between the agencies celebrate their success at "defeating network security and privacy".

Chillingly, the documents from the NSA refer to the regular customers of the commercial systems such as Google or Facebook as "adversaries" and seeks to make the exploitable vulnerabilities in the system invisible to such persons. The NSA lists a number of goals in the document, several of which it has achieved. For instance, it has successfully introduced major weaknesses into international standards for encryption systems. The NSA continues to "shape" the worldwide marketplace, and attempts to make commercial encryption software 'more tractable" to NSA attacks.  They continue to try to break the encryption for 4G phones. The funding for the program, more than $250 million, dwarfs Prism, which looks like a bargain at $20 million. They have not yet cracked all encryption, and have not yet subverted all of the Internet.

The other danger is that by building in backdoors, the NSA and GCHQ are opening the door to others who may gain entrance besides themselves.  From the Guardian article:

"Backdoors are fundamentally in conflict with good security," said Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union. "Backdoors expose all users of a backdoored system, not just intelligence agency targets, to heightened risk of data compromise." This is because the insertion of backdoors in a software product, particularly those that can be used to obtain unencrypted user communications or data, significantly increases the difficulty of designing a secure product."

Read the 3 articles in depth.  They overlap a good deal, but are somewhat different from each other.


No comments: