Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

The NSA's War on Internet Security

January 8, 2015

Keeping up with revelations about the prying eyes of the NSA isn't easy. Der Spiegel has done a great job, and its latest story is sobering. While I had been aware that the NSA had access to Skype communications, I had not realized that Microsoft, Skype's owner, has been under order from the secret U.S. Foreign Intelligence Surveillance Court (FISC) not only to supply information to the NSA but also to make itself accessible as a source of data for the agency.

As Snowden has said many times, strong encryption is still the best way of protecting data – and we know it drives the NSA crazy. In 2013, the NSA had a budget of more than $10 billion with $34.3 million allocated for the NSA's Cryptanalysis and Exploitation Services.

The article gives you a good sense of what the NSA can and cannot crack. I am happy to report that it appears that PGP (Pretty Good Privacy) is still a mystery to the NSA. In a supreme irony, the Five Eyes alliance sometimes uses PGP itself to protect its own data. That must give developer Phil Zimmermann a wry chuckle.

As the article points out, virtual private networks are not secure from the NSA – though most people think they are.

TLS and SSL connections are routinely intercepted by the NSA, according to the story. So much for the security of our financial services – among many others.

The NSA notoriously works to weaken cryptographic systems – which makes encrypted data easy to decrypt using supercomputers. The following information from the article is a nightmare for privacy:

"The NSA maintains a system called Longhaul, an 'end-to-end attack orchestration and key recovery service for Data Network Cipher and Data Network Session Cipher traffic.' Basically, Longhaul is the place where the NSA looks for ways to break encryption. According to an NSA document, it uses facilities at the Tordella Supercomputer Building at Fort Meade, Maryland, and Oak Ridge Data Center in Oak Ridge, Tennessee. It can pass decrypted data to systems such as Turmoil — a part of the secret network the NSA operates throughout the world, used to siphon off data. The cover term for the development of these capabilities is Valientsurf. A similar program called Gallantwave is meant to 'break tunnel and session ciphers.'

"In other cases, the spies use their infrastructure to steal cryptographic keys from the configuration files found on Internet routers. A repository called Discoroute contains 'router configuration data from passive and active collection,' one document states. Active here means hacking or otherwise infiltrating computers, passive refers to collecting data flowing through the Internet with secret NSA-operated computers.

"An important part of the Five Eyes' efforts to break encryption on the Internet is the gathering of vast amounts of data. For example, they collect so-called SSL handshakes — that is, the first exchanges between two computers beginning an SSL connection. A combination of metadata about the connections and metadata from the encryption protocols then help to break the keys which in turn allow reading or recording the now decrypted traffic.

"If all else fails, the NSA and its allies resort to brute force: They hack their target's computers or Internet routers to get to the secret encryption — or they intercept computers on the way to their targets, open them and insert spy gear before they even reach their destination, a process they call interdiction.

"The NSA is also tasked with providing the US National Institute of Standards and Technology (NIST) with 'technical guidelines in trusted technology' that may be 'used in cost-effective systems for protecting sensitive computer data.' One encryption standard NIST explicitly recommends is the Advanced Encryption Standard (AES). The standard is used for a large variety of tasks, from encrypting the PIN numbers of banking cards to hard disk encryption for computers. One NSA document shows that the NSA is actively looking for ways to break the very standard it recommends."

Nothing in this in-depth article is fun reading for privacy advocates. But it is a pretty comprehensive look at the threat to data security. Depressing, to say the least.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson