Tuesday 10 September 2013

NSA Undermines Encrypted Communications

Unconstitutional spying is official US policy. Privacy no longer exists.
Even encrypted communications are vulnerable.
On September 5, London's Guardian headlined "Revealed: how US and
UK spy agencies defeat internet and privacy security."
They "successfully cracked much of the online encryption relied upon
by hundreds of millions of people to protect the privacy of their
personal data, online transactions and emails, according to
top-secret documents revealed by former contractor Edward Snowden."
They show NSA and Britain's GCHQ compromised what online
companies are sworn to protect. Virtually anything spy agencies want
they can get. Financial, medical and other private information is
gotten.
Snowden revealed "a battery of methods" used to do so. Encrypted
information no longer is safe.
Covert measures "ensure NSA control over setting of international
encryption standards, the use of supercomputers to break encryption
with 'brute force,' and - the most closely guarded secret of all -
collaboration with technology companies and internet service
providers themselves."
Covert business/spy agency partnerships insert "secret vulnerabilities"
into commercial encryption software. They're called backdoors or
trapdoors.
Information Snowden leaked reveals:
(1) In 2010, NSA's decade-long effort to breach encryption technology
reached fruition. Doing so made "vast amounts" of Internet cable taps
data "exploitable."
(2) NSA spends about $250 million annually working covertly with
technology companies. It's done to influence their product designs.
(3) Encryption cracking capability is top secret. Analysts are warned:
"Do not ask about or speculate on sources or methods."
(4) NSA calls its decryption initiative the "price of admission for the
US to maintain unrestricted access to and use of cyberspace."
(5) GCHQ's involved in developing ways into encrypted "big four"
service providers' traffic. Google, Yahoo, Facebook and Hotmail are
targeted.
NSA and GCHQ say defeating encryption is vital for counterintelligence
and foreign intelligence work. Security experts accuse them of
attacking the Internet and personal privacy.
According to Harvard's Bruce Schneier:
"Cryptography forms the basis for trust online. By deliberately
undermining online security in a short-sighted effort to eavesdrop, the
NSA is undermining the very fabric of the internet."
Classified briefings between both agencies reveal their successful
"defeat(ing) (of) network security and privacy."
According to one GCHQ document:
"For the past decade, NSA (led) an aggressive, multi-pronged effort to
break widely used internet encryption technologies."
"Vast amounts of encrypted internet data which have up till now been
discarded are now exploitable."
An internal agency memo described British analysts being shown NSA's
initiative, saying: "Those not already briefed were gobsmacked!"
NSA's breakthrough wasn't explained in detail. Documents said it's
able to monitor "large amounts" of decrypted world fiber-optic cable
data.
It does it despite online companies claiming its decrypted data is
secure. NSA's "Sigint (signals intelligence) enabling" capability is
used.
Its funding dwarfs what's spent on Prism. Since 2011, over $800
million was budgeted. It's used to engage "US and foreign IT
industries to covertly influence and/or overtly leverage their
commercial products' designs."
Companies involved aren't named. Their identity is protected by
higher classification levels. NSA "insert(s) vulnerabilities into
commercial encryption systems."
NSA alone knows what they are. Online customers are called
"adversaries." NSA documents state:
"These design changes make the systems in question exploitable
through Sigint collection with foreknowledge of the modification."
"To the consumer and other adversaries, however, the systems'
security remains intact."
Documents say significant efforts are made to make encryption
software "more tractable" to NSA penetration.
The agency wants the ability to crack the next generation of 4G
phones.
NSA expects it'll be able to access "data flowing through a hub for a
major communications provider."
It'll penetrate a "major internet peer-to-peer voice and text
communications system."
Documents show NSA achieved another major goal. It influences
international standards. Encryption systems rely on them.
According to the Guardian:
Independent security experts long ago "suspected that the NSA has
been introducing weaknesses into security standards, a fact confirmed
for the first time by another secret document."
"It shows the agency worked covertly to get its own version of a draft
security standard issued by the US National Institute of Standards
and Technology approved for worldwide use in 2006."
"Eventually, NSA became the sole editor," document information
states.
NSA's decryption program codeword is Bullrun. GCHQ's is called
Edgehill. NSA's classification for employees and contractors states:
"Project Bullrun deals with NSA's abilities to defeat the encryption
used in specific network communication technologies."
"Bullrun involves multiple sources, all of which are extremely
sensitive."
NSA's able to penetrate widely used protocols. They include HTTPS,
voice-over-IP and Secure Sockets Layer (SSL). It's used to protect
online shopping and banking.
Documents show NSA's Commercial Solutions Center has a
clandestine role. It's used to "leverage sensitive, co-operative
relationships with specific industry partners."
It does so by inserting vulnerabilities into security products.
Operatives were warned about keeping this information top secret.
A more general NSA classification guide reveals more information. It
explains agency/business partnerships.
Complicity permits product modifications. Analysts are told two facts
must remain top secret:
NSA modifies commercial encryption software and devices; it
does so "to make them exploitable;" and
it "obtains cryptographic details of commercial cryptographic
information security systems through industry relationships."
According to Snowden, not all encryption technologies have been
penetrated. In June, he confirmed it to Guardian readers.
"Encryption works. Properly implemented strong crypto systems are
one of the few things that you can rely on," he said.
He warned about NSA's ability to crack weak computer security
systems. It can do it on both communication ends.
GCHQ established its own strict guidelines. Analysts were told:
"Do not ask about or speculate on sources or methods underpinning
Bullrun."
Even staff with access are warned: "There will be no 'need to know.' "
"Loss of confidence in our ability to adhere to confidentiality
agreements would lead to loss of access to proprietary information
that can save time when developing new capability," said GCHQ.
It calls decryption "particularly important." Its Tempora program was
in danger of eroding. Decryption maintains its effectiveness.
GCHQ's Humint (human intelligence) Operations Team (HOT) refers to
information gotten from undercover sources.
One document discussed GCHQ's team "responsible for identifying,
recruiting and running covert agents in the global
telecommunications industry."
"This enables GCHQ to tackle some of its most challenging targets."
ACLU principal technologist/senior policy analyst Christopher
Soghoian calls "backdoors fundamentally in conflict with good
security."
They "expose all users of a backdoored system, not just intelligence
agency targets, to heightened risk of data compromise."
"This is because the insertion of backdoors in a software product,
particularly those that can be used to obtain unencrypted user
communications or data, significantly increases the difficulty of
designing a secure product."
Former Justice Department prosecutor Stephanie Pell added:
"(An) encrypted communications system with a lawful interception
back door is far more likely to result in the catastrophic loss of
communications confidentiality than a system that never has access
to the unencrypted communications of its users."
London's Guardian, The New York Times and ProPublica published
the information discussed above.
The Guardian said intelligence officials asked them not to do so.
Reasons given were spurious.
They were told it "might prompt foreign targets to switch to new forms
of encryption or communications that would be harder to collect or
read."
The Guardian concluded its article saying:
"The three organisations removed some specific facts but decided to
publish the story because of the value of a public debate about
government actions that weaken the most powerful tools for
protecting the privacy of internet users in the US and worldwide."
A Final Comment
On September 5, the Electronic Frontier Foundation (EFF) headlined
"Leaks Show NSA is Working to Undermine Encrypted
Communications, Here's How You Can Fight Back."
NSA and GCHQ programs egregiously violate privacy.
Communications of "billions of people risk being perpetually insecure…"
Doing so puts a lie to fundamental rule of law protections. Take these
steps to fight back, said EFF:
"Sign the petition to stop NSA spying."
"Let Congress know that it's time for a full accounting of America's
secret spying programs - and an end to unconstitutional
surveillance."
"If you are not in the US, please take the time to sign our
international petition."
"Call your elected representative. Use the call line 1-STOP-323-NSA
(1-786-732-3672). Voice opposition."
"Use secure communications tools (read some useful tips by security
expert Bruce Schneier)."
"Your communications are still significantly more protected if you are
using encrypted communications tools such as messaging over OTR
or browsing the web using HTTPS Everywhere than if you are sending
your communications in the clear."
"(E)ngineers responsible for building our infrastructure can fight back
by building and deploying more usable cryptosystems."
EFF issued a call to arms. Private communications are being
lawlessly attacked. Every way possible must be used to fight back. At
stake are fundamental freedoms. They're too important to lose.
Stephen Lendman lives in Chicago. He can be reached at
lendmanstephen@sbcglobal.net.
