NSA And GCHQ ‘Covertly Plant Vulnerabilities In Internet Encryption’

security vulnerability Shutterstock - © Andy Dean Photography

Intelligence agencies working inside tech companies to insert flaws in modern encryption, according to more of Snowden’s leaks

The latest leaks from Edward Snowden have hinted US and UK intelligence have covertly implanted zero-day flaws in widely used security software and broken encryption used by the most popular websites and online services.

A 10-year NSA programme called Bullrun has involved “an aggressive, multi-pronged effort” to break Internet encryption, including SSL, which many companies like Google, Facebook and Twitter use to protect users’ communications with HTTPS. Banks and most e-commerce sites also use SSL, a method of encryption proven to have been flawed numerous times in the past.

GCHQ doughnutThanks to a breakthrough in 2010, “vast amounts of encrypted internet data which have up till now been discarded are now exploitable,” a GCHQ document read.

Cracking modern web encryption

The NSA also “actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs”, whilst inserting “vulnerabilities into commercial encryption systems”, according to leaks to the Guardian.

The intelligence agencies are able to “leverage sensitive, cooperative relationships with specific industry partners” to sneak backdoors into software.

GCHQ, as part of its Edgehill programme, is hoping to have broken encryption used by 15 major Internet companies and 300 VPNs by 2015, the leaks suggested.

One internal document also suggested GCHQ was “responsible for identifying, recruiting and running covert agents in the global telecommunications industry”.

The fact that NSA and GCHQ are breaking encryption should come as no surprise. It has been the aim of intelligence agencies to do just that for years, the most famous operation being that of the Enigma during World War Two. They have also created encryption methods. GCHQ created what is now known as public key cryptography.

But targeting technology that businesses claim provides total security for the general public is a new paradigm, one that threatens the security and trust in the Internet.

“It has a long history, from Crypto AG (a Swiss crypto company that non-aligned countries used to source their government comsec kit) which turned out in the early 1990s to have been covertly owned by the NSA for forty years; to the attempts to declare all crypto research “born classified”; to the Clipper chip and key escrow; to tussles over export control,” Professor Ross Anderson, cryptography expert from the University of Cambridge, told TechWeekEurope.

“We thought we’d won the crypto wars, but they just went underground.

“The response to this can be partly an engineering one (creating hard-to-subvert tools, scrutinising standards more carefully) but it must be largely political. In the end it will have to involve something like a peace treaty. Killing people is easy, now we have drones and missiles and atom bombs and stuff, so we have agreements that governments and others don’t do it.

“Hacking computers is similarly easy and it’s not sensible to expect everyone to run military-grade defences any more than it’s reasonable for me to have to mount anti-aircraft missiles on the roof of my house.”

Shhh! Do our whistleblowers quiz, but keep it quiet…