Latest in Bullrun

Image credit:

American and British spy agencies can thwart internet security and encryption

17 Shares
Share
Tweet
Share
Save

Sponsored Links

As reporters at the New York Times, the Guardian and ProPublica dig deeper into the documents leaked by Edward Snowden, new and disturbing revelations continue to be made. Two programs, dubbed Bullrun (NSA) and Edgehill (GCHQ), have just come to light, that focus on circumventing or breaking the security and encryption tools used across the internet. The effort dwarfs the $20 million Prism program that simply gobbled up data. Under the auspices of "Sigint (signals intelligence) enabling" in a recent budget request, the NSA was allocated roughly $255 million dollars this year alone to fund its anti-encryption program.

The agencies' efforts are multi-tiered, and start with a strong cracking tool. Not much detail about the methods or software are known, but a leaked memo indicates that the NSA successfully unlocked "vast amounts" of data in 2010. By then it was already collecting massive quantities of data from taps on internet pipelines, but much of it was safely protected by industry standard encryption protocols. Once that wall fell, what was once simply a torrent of scrambled ones and zeros, became a font of "exploitable" information. HTTPS, VoIP and SSL are all confirmed to have been compromised through Bullrun, though, it appears that some solutions to the NSA's "problem" are less elegant than others. In some cases a super computer and simple brute force are necessary to peel back the layers of encryption.

More alarming than work by the NSA and Government Communications Headquarters (GCHQ) to simply break popular encryption methods are its efforts to work with companies and standard-setting bodies to weaken protection schemes. Though no particular companies are named in the leaked documents, the NSA expects to gain access to a hub for a "major communications provider" and a "major internet peer-to-peer voice and text communications system" by the end of 2013. Some companies may have complied with the agency's requests willing, but it's clear from the documents that the NSA exerted pressure on many, forcing them to create backdoors in security and encryption tools. According to another memo, the NSA was even the primary editor of a set of security standards passed by the US National Institute of Standards and Technology in 2006.

The GCHQ for its part has been focusing heavily on email providers and VPN networks. In fact, Hotmail, Google, Yahoo and Facebook are singled out as targets that need to be cracked. Its efforts also go well beyond simple hacking and strong-arming: the documents also reveal that the British agency has covert operatives inside the telecommunications industry.

These capabilities do not mean that the NSA is actively intercepting and decrypting your most embarrassing Amazon purchases or reading your emails. The law still prevents the agency from targeting the communications of American citizens without a warrant. But, it does mean that almost none of your data is truly private or safe from prying eyes. And it may only be a matter of time before a criminal or terrorist organization discovers and exploits these same vulnerabilities theoretically left in place so the NSA could combat such adversaries.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
17 Shares
Share
Tweet
Share
Save

Popular on Engadget

The best consoles, games and accessories for students

The best consoles, games and accessories for students

View
'Dota 2' champions won more money than top Wimbledon players

'Dota 2' champions won more money than top Wimbledon players

View
Razer's largest store yet opens in Las Vegas on September 7th

Razer's largest store yet opens in Las Vegas on September 7th

View
Google search pays tribute to 'Wizard of Oz' with a dizzying Easter egg

Google search pays tribute to 'Wizard of Oz' with a dizzying Easter egg

View
FAA: Please don't weaponize your drone

FAA: Please don't weaponize your drone

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr