NSA & GCHQ Covertly Took Over Security Standards, Recruited Telco Employees To Insert Backdoors

from the not-so-secure dept

And the latest report on the Ed Snowden leak documents has come out and it's yet another big one: the NSA and GCHQ have basically gotten backdoors into various key security offerings used online, in part by controlling the standards efforts, and in part by sometimes covertly introducing security vulnerabilities into various products. They haven't "cracked" encryption standards, but rather just found a different way in. The full report is worth reading, but a few key points are worth highlighting.

First, the NSA spends $250 million per year to "covertly" influence tech product designs. The report suggests two ways this is happening. First, by infiltrating standards bodies:

Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.

"Eventually, NSA became the sole editor," the document states.

That's disturbing enough, but it gets worse. While the Guardian report suggests that unnamed tech companies are "collaborating" in inserting these kinds of backdoors, that's not entirely clear, because later in the document, they suggest that the NSA is recruiting covert operatives within telco firms to insert vulnerabilities:

To help secure an insider advantage, GCHQ also established a Humint Operations Team (HOT). Humint, short for "human intelligence" refers to information gleaned directly from sources or undercover agents.

This GCHQ team was, according to an internal document, "responsible for identifying, recruiting and running covert agents in the global telecommunications industry."

"This enables GCHQ to tackle some of its most challenging targets," the report said. The efforts made by the NSA and GCHQ against encryption technologies may have negative consequences for all internet users, experts warn.

Did you get that? Rather than recruiting spies from, say, governments, the NSA and GCHQ are recruiting employees at telcos to help them suck up and access all your data.

All of this activity has apparently led to some major breakthroughs, allowing them to access plenty of data they didn't have access to previously. Just last week we'd written about major successes by the NSA having to do with encryption, and this report reveals more details:

"For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies," stated a 2010 GCHQ document. "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable."

An internal agency memo noted that among British analysts shown a presentation on the NSA's progress: "Those not already briefed were gobsmacked!" The breakthrough, which was not described in detail in the documents, meant the intelligence agencies were able to monitor "large amounts" of data flowing through the world's fibre-optic cables and break its encryption, despite assurances from internet company executives that this data was beyond the reach of government.

Once again, we're seeing rather extreme behavior on the part of the NSA and GCHQ as they try to basically be able to dig into every possible communication.

Reader Comments

  1. DannyB, 6 Sep 2013 @ 6:32am

    Open Source software is a different issue than choice of encryption algorithm.

    The book Applied Cryptography discusses this and many other subjects.

    I'll try to summarize several important points.

    To design a good algorithm requires talent, a background of attacking encryption algorithms, and scrutiny of other people with similar talent and background. (The background of attacking algorithms is probably the single most important prerequisite.) Anyone can design an algorithm they themselves cannot break, but that doesn't mean someone else cannot break it.

    In the early days of digital cryptography national governments had the only large enough pool of talented people to design great algorithms. (I'll call them the "secret group".) Eventually the "open group" of everyone else got large enough to design good algorithms.

    In order for an algorithm to get good scrutiny the algorithm must be known to everyone. There should not be any secrets -- including even magic numbers used in the algorithm with no explanation of why and how they were chosen. The openness is important only so that enough people can scrutinize the algorithm and see that it withstands analysis over a period of time.

    If an algorithm is kept secret, this doesn't mean it isn't secure, it may simply be 'open' to the "secret group" of people who scrutinize and analyze it. If that pool is large enough, then it really is 'open' in some sense and had sustained analysis over a period of time -- just in secret.

    If the NSA publishes an algorithm, and it contains no secrets, and has been studied for years by the open community, then it is probably safe to use.

    Remember the NSA has a dual mission.
    1. To spy on foreign bad guys
    2. To protect domestic "good" guys from being spied on

    Giving us good encryption algorithms, and giving us source code such as the SELinux patches, falls under number 2. Giving banks good encryption, for example, is in the national interest. Making sure ATMs can securely communicate with the bank is important. But it's always wise to remember the number 1 part of their mission. They may give us encryption that is just 'good enough' so that nobody but themselves (and possibly other major national efforts) can crack or even merely attack it.
