The National Security Agency, the U.S. government organization tasked with gathering intelligence from adversaries’ communications and protecting domestic communications, has the capability to peer into far more Internet communications than previously thought, according to a report published on Sept. 6 and based on documents leaked by former NSA contractor Edward Snowden.
Using a variety of tactics—including coercing vendors to provide access to their products, compromising corporate network infrastructure, or hunting down and exploiting vulnerabilities—the secretive agency can access content that had previously been considered safely protected by encryption, a New York Times article stated.
While the leaked memos do not indicate a break in any specific encryption technology, the various strategies, collectively known under the code name “Bullrun,” have allowed the NSA to effectively circumvent much of the security protecting communications. Messages that could not be broken have been stored until the agency is able to decrypt them, the memos stated.
“For the past decade, NSA has led an aggressive, multi-pronged effort to break widely used Internet encryption technologies,” said a 2010 memo distributed among employees of England’s Government Communications Headquarters (GCHQ), the British counterpart to the NSA, according to the New York Times. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
The NSA’s Bullrun program allows the NSA to effectively target protected information and find ways to either collect the information before it’s encrypted or exploit vulnerabilities in the technology used to encrypt the data, including the browser encryption Security Sockets Layer (SSL), virtual private networks used by almost all companies and the security protecting smartphone communications, according to the memos leaked by Snowden. Such revelations will likely hurt U.S. companies abroad, according to recent studies.
The attacks are not thought to be a single capability, but a collection of tactics that allow the NSA to cobble together an effective decryption strategy on a case-by-case basis.
Many makers of security and networking products, for example, have a way for their support staff to get into a customer’s product to update the appliance or device. While not considered a backdoor, if the NSA is able to get access to that functionality, it could easily be used to access communications, says Chris Wysopal, chief technology officer for Veracode, an application security firm.
The document describing Bullrun discusses “implants” in vendor technology, but it is not clear whether the NSA has worked with vendors to access the technology or compromised the technology on its own, he said.
“It could be that they are putting an implant in on a network where they can then access things in the clear, or it could be putting an implant somewhere in the supply chain where they can get at keys or other parts of the technology—it’s vague,” Wysopal said. “If it’s at the vendor, then that’s pretty scary.”
The NSA’s apparent goal to store mass quantities of encrypted data from the Internet for later decryption is a laudable goal to combat terrorism, but worrisome for the average citizen, Pierluigi Stella, chief technology officer of managed security services provider Network Box USA, said in an email to eWEEK.
“The point here isn’t whether we should worry about consumers or not; we should consider this from the ‘citizens’ point of view,” he said. “The NSA can and will store everything we send on the internet, not only in clear text but also encrypted. … If we are to give away a bit of our freedom, it’d better be for very, very good reason, and in a very well controlled way, to ensure no one can ever abuse this collection of information.”