NSA & GCHQ Unlock Encryption Programs that EVERYONE uses to Email and Make Purchases on their Phones and Tablets
- The NSA and Britain's Government Communications Headquarters spent at least three years trying to crack into protected traffic of the most popular Internet companies: Google, Yahoo, Facebook and Microsoft’s Hotmail
- The intelligence agencies referred to these secret programs as 'Bullrun' and its British counterpart, 'Edgehill'
- The intelligence agencies have used a collection of methods to thwart what they see as the biggest threats to their ability to access large amounts of Internet traffic: 'the use of ubiquitous encryption across the Internet.'
Daily Mail UK, 7 September 2013
The latest round of leaks by National Security Administration whistleblower Edward Snowden reveal that U.S. and British intelligence agencies have cracked many of the online security encryptions that the general public - often unknowingly - relies on every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network.
Many of these security features - like Secure Sockets Layer and virtual private networks (VPNs) - are guaranteed by Internet providers as reassurance that they're online activities will not be compromised by criminals, or governments.
Britain's Government Communications Headquarters - likely in close collaboration with the NSA - spent at least three years trying to crack into protected traffic of the most popular Internet companies: Google, Yahoo, Facebook and Microsoft’s Hotmail. The intelligence agencies referred to these secret programs as 'Bullrun' and its British counterpart, 'Edgehill.'
Encryption: The NSA has successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect their private information online
According to leaked documents - obtained by multiple news outlets, including The Guardian and the New York Times - by 2012, GCHQ had developed 'new access opportunities' into Google’s systems.
The intelligence agencies, documents reveal, have used a collection of methods to thwart what they see as the biggest threats to their ability to access large amounts of Internet traffic: 'the use of ubiquitous encryption across the Internet.'
Some of the methods include 'covert measures' to guarantee that the NSA has control over setting international encryption standards and using supercomputers to crack encryption codes 'with brute force.' Additionally, the agencies are collaborating with tech companies and Internet providers - a practice the Guardian and the Times deems the agencies' 'most closely guarded secret of all.'
The collaborations allowed the intelligence agencies to install secret vulnerabilities - often referred to as backdoors or trap doors - to the companies' encryption programs.
Some of the previously secret information revealed in Snowden's latest leak is the existence of a program the NSA has been working on for 10 years, the goal of which was to crack encryption technologies that protected information. According to the documents, the agency had a breakthrough in 2010 that allowed for 'vast amounts' of data collection through 'exploitable' Internet cable taps.
Whistleblower: The new information was revealed in the latest round of documents leaked by former NSA analyst Edward Snowden
Documents also showed that the NSA spends roughly $250 million a year on a program designed to covertly influence tech companies' product designs.
In the documents, the NSA describes strong decryption programs as the 'price of admission for the US to maintain unrestricted access to and use of cyberspace.'
Additionally, the GCHQ has identified 'the big four' service providers as Hotmail, Google, Yahoo and Facebook, and has actively been looking for ways to get into the companies' encrypted traffic.
According to the agencies, however, the goal of such domestic spying programs is vital in counter-terrorism efforts and foreign intelligence gathering.
However, security experts say the agencies' programs aren't just part of foreign intelligence gathering, and are attacking the Internet as a whole, which effects the privacy of all users, not just criminals or terrorists.
'Cryptography forms the basis for trust online,' Bruce Schneier, an encryption specialist and fellow at Harvard's Berkman Center for Internet and Society, told the Guardian. 'By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet.'
Britain's GCHQ collaborated with the NSA on the best ways to crack online encryption programs
He went on to say that classified briefings between the agencies celebrate their success at 'defeating network security and privacy.'
'For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies,' a 2010 GCHQ document stated. 'Vast amounts of encrypted internet data which have up till now been discarded are now exploitable.'
According to the documents leaked by Snowden, the key component of the NSA's war on encryption is its collaboration with large tech companies - the budget for the collaborative effort with the 'big four' is $254.9 million this year. The program 'actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs,' the document states. 'These design changes make the systems in question exploitable through Sigint collection...with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact.'
The fact that the NSA had a relationship with several tech companies was first reported in August after another round of leaks from Snowden.
According to the leaked documents, the NSA reimbursed tech companies like Google, Yahoo, Facebook and Microsoft millions of dollars each year for their participation in the agency's clandestine Prism surveillance program.each of the companies an opportunity to explain the new documents, asking each one specific questions about the payments they received from the government for their participation in the program.
'Federal law requires the US government to reimburse providers for costs incurred to respond to compulsory legal process imposed by the government. We have requested reimbursement consistent with this law,' a Yahoo! spokeswoman told the paper.
Facebook said it had 'never received any compensation in connection with responding to a government data request.'
Google provided a statement, but refused to answer any specific questions.
'We await the US government's response to our petition to publish more national security request data, which will show that our compliance with American national security laws falls far short of the wild claims still being made in the press today,' the statement said.
Microsoft - which seeks reimbursements from the government on a case-by-case basis - initially declined an on-the-record comment, but later provided a statement.
'Microsoft only complies with court orders because it is legally ordered to, not because it is reimbursed for the work. We could have a more informed discussion of these issues if providers could share additional information, including aggregate statistics on the number of any national security orders they may receive,' the statement read.
According to the Guardian, intelligence officials asked the publications not to publish information found in the released documents, claiming that it 'might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read.'
However, the news outlets 'removed some specific facts but decided to publish the story because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of internet users in the US and worldwide.'
END
RELATED:
NSA Can Spy on VPN Traffic
Perhaps it doesn’t come as a complete surprise, but the NSA has found a way to listen into several types of secure communication. ProPublica, The New York Times and The Guardian report that, together with other intelligence agencies, the NSA has cracked several encryption technologies and put backdoors into security software.
The articles specifically mention VPNs, and the SSL and TLS protocols are also compromised allowing the intelligence agencies to monitor Google, Facebook, Microsoft and Yahoo traffic.
The reports don’t reveal which algorithms have been compromised and where the supposed backdoors are installed.
From a technical point of view it’s nearly impossible to break the most secure forms of VPN encryption in realtime. That said, older algorithms have been cracked in the past and the NSA never ceases to amaze.