Friday, 6 September 2013

US and UK intelligence services cracked encryption standards for spying efforts

nsa
US and British intelligence services have reportedly cracked some of the most widely used encryption methods used to secure the web, according to leaked intelligence revealed by NSA whistleblower Edward Snowden.
The information, published in The Guardian and The New York Times, alleges that protocols including HTTPS and SSL – both widely used to protect user data when making secure transactions on the web – have been compromised.
Perhaps more worryingly, the documents state that the NSA "actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" in a bid to insert vulnerabilities into commercial encryption systems to bypass encryption entirely.
However, the businesses involved were not revealed, creating a further atmosphere of distrust in an already paranoid industry.
A separate document also alleges the NSA had been introducing weaknesses into the security standards themselves, with the agency having its own modified version of a security standard approved for worldwide use in 2006 by the US National Institute of Standards and Technology.
Hotmail, Google, Yahoo and Facebook are all mentioned, with the UK's GCHQ agency tasked with accessing the encrypted traffic of these "big four" service providers.
The encryption-busting tactics used by the NSA reportedly receive in excess of $250m funding per year, with a decade-long programme of brute force supercomputer-based hacking making a major decryption breakthrough in 2010.
Another program codenamed "Operation Cheesy Name" was aimed at discovering vulnerable security certificates, which could then be exploited further.
The latest revelations will both vindicate the companies first implicated in the PRISM scandal – including Microsoft and Google – which repeatedly claimed that they had not been working with the security services to insert back-door code into their servers.
However, the news will in all likelihood raise big questions about which IT service providers and equipment manufacturers can be truly trusted with confidential data.
Vice president of the European Commission, Neelie Kroes, repeated the sentiment in July, saying previous revelations would damage parts of the US IT industry.
"If European cloud customers cannot trust the United States government, then maybe they won't trust US cloud providers either. If I were an American cloud provider, I would be quite frustrated with my government right now," she said.
The publications that broke the story also stated that they had removed some of the information about specific compromised security standards at the request of intelligence officials who were concerned that foreign targets would change their encryption methods.

No comments:

Post a Comment