A recent piece by Der Spiegel, released several new pdf documents, revealing information about NSA and its status on cracking various internet security measures. Although the leaked documents are two or more years old, it does provide some insight into which measures were causing the most trouble, and where the NSA was focusing its efforts.
One of the major goals of the NSA is to crack the TOR network, and documents show potential techniques to remove anonymity from TOR users. However in spite of these techniques the documents indicate that intelligence agencies are still having major problems monitoring users on the TOR network.
Another security measure that has posed a serious problem for the NSA is a tool called TrueCrypt, an open source tool for encrypting files. However development on TrueCrypt ended in May of this year, leading to speculation of government pressure to cease development. OTR, a protocol for encrypting instant messages, has also given the NSA some major problems, and they had no way of decrypting OTR messages, at the time these documents were created.
Another major target for intelligence agencies are VPNs. The NSA is conducting massive operations to intercept data being sent through VPNs. Several large VPNs around the world are compromised, and it seems that the underlying protocols used by the VPNs posed little difficulty in cracking. The most widely used protocols, PPTP and Ipsec, have both been defeated by the NSA.
Other casualties of the NSA war on security include SSL/TLS a common protocol for communicating securely across the internet, and is used in a wide variety of services including email and text messaging. SSH, another protocol for secure communication, has also been cracked by the NSA.
One of the most disturbing things, is that the NSA may be having such great success in cracking security measures because it is deliberately undermining cryptographic standards. The NSA takes part in meetings with the Internet Engineering Task Force, an international organization to develop such standards. While the NSA is certainly learning about the standards to better combat them, there is evidence that they are even influencing the standards to make them less secure.
The NSA is also responsible for developing guidelines and security standards for US National Institute of Standards and Technology. The NSA is recommending standards that it is actively working to undermine, which poses a clear conflict of interest. The NSA having any influence on security standards represents a clear threat to internet security and privacy.
Do you think the NSA has cracked TOR in the two years since these documents were created? Leave your thoughts below.
