Government Communications Encryption Privacy United States

Snowden Documents Show How Well NSA Codebreakers Can Pry

Der Spiegel has published today an excellent summary of what some of Edward Snowden's revelations show about the difficulty (or, generally, ease) with which the NSA and collaborating intelligence services can track, decrypt, and correlate different means of online communication. An interesting slice:

The NSA and its allies routinely intercept [HTTPS] connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month. For its part, Britain's GCHQ collects information about encryption using the TLS and SSL protocols -- the protocols https connections are encrypted with -- in a database called "FLYING PIG." The British spies produce weekly "trends reports" to catalog which services use the most SSL connections and save details about those connections. Sites like Facebook, Twitter, Hotmail, Yahoo and Apple's iCloud service top the charts, and the number of catalogued SSL connections for one week is in the many billions -- for the top 40 sites alone. ...

The NSA also has a program with which it claims it can sometimes decrypt the Secure Shell protocol (SSH). This is typically used by systems administrators to log into employees' computers remotely, largely for use in the infrastructure of businesses, core Internet routers and other similarly important systems. The NSA combines the data collected in this manner with other information to leverage access to important systems of interest.
  • this is disgusting (Score:5, Insightful)

    by Anonymous Coward on Sunday December 28, 2014 @04:01PM (#48685843)

    this is truly disgusting

  • Hysteria (Score:4, Insightful)

    by MightyMartian ( 840721 ) on Sunday December 28, 2014 @04:07PM (#48685879) Journal

    Before we all get too hysterical, from the article itself:

    The digitization of society in the past several decades has been accompanied by the broad deployment of cryptography, which is no longer the exclusive realm of secret agents. Whether a person is conducting online banking, Internet shopping or making a phone call, almost every Internet connection today is encrypted in some way. The entire realm of cloud computing -- that is of outsourcing computing tasks to data centers somewhere else, possibly even on the other side of the globe -- relies heavily on cryptographic security systems. Internet activists even hold crypto parties where they teach people who are interested in communicating securely and privately how to encrypt their data.

    In other words, the NSA, GCHQ and other intelligence services are probably only able to crack badly configured or unpatched and badly out of date systems. That doesn't stop them from using out of band vulnerabilities like hacking into someone's PC or forcing some online service to open up the decrypted data, but it seems likely that if you have a well-managed cert chain and your systems are kept up to date and patched, the odds of anyone, government or otherwise, busting into your encrypted data seem pretty low.

    My big fear out of all this isn't the unlikely hacking of mainstream encryption schemes, but rather that those that do use encryption may end up being targets of other methods, like malware, to get at their critical data.

    • Re:Hysteria (Score:5, Interesting)

      by phantomfive ( 622387 ) on Sunday December 28, 2014 @04:38PM (#48686015) Journal
      The article is merely listing tools. I expect that if we have a spy agency, they will use the tools available to spy. That is what a spy agency does. If you're outraged that a spy agency actually does spy, then you're probably addicted to outrage or something.

      The problem with the NSA isn't that they are spying, it isn't that they know how to decrypt SSL or mount a MITM attack; the problem with the NSA is they are spying on everybody. Limit the spying to only enemies of the US, and only the paranoid will be outraged.
      • by fnj ( 64210 )

        Limit the spying to only enemies of the US

        Well, anyone with a functioning brain stem who has not been brainwashed is opposed to the shithole that the US rulers have turned the US into. And it's only an easy step for tyrants and their dogs to turn "opposed to the entrenched shadow regime and its sickening views and practices" into "enemy of the state". So I don't get quite such a rosy feeling from "spying on the enemies of the US" as you seem to.

        • Well, anyone with a functioning brain stem who has not been brainwashed is opposed to the shithole that the US rulers have turned the US into

          What a purely coherent basis and sound philosophical foundation from which to make decisions. I'll bet you're a whole bundle of good ideas.

  • by DMJC ( 682799 ) on Sunday December 28, 2014 @04:12PM (#48685905)
    It's time to stop sending keys using dumb methods. Time to start generating keys and physically swapping/installing them.
  • by phantomfive ( 622387 ) on Sunday December 28, 2014 @04:23PM (#48685957) Journal
    If you ever get the warning:

    The authenticity of host '...' can't be established. RSA key fingerprint is .... Are you sure you want to continue connecting (yes/no)?

    That's ssh letting you know that a man-in-the-middle attack could be successfully launched at you, and decrypt all your communication.

    • by AmiMoJo ( 196126 ) *

      This attack looks like something else though, judging by the numbers they are attacking. I speculate:

      - They have fake certificates from trusted authorities for some major sites, and use MITM attacks to serve up fake pages with them. We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them. We can also potentially defend against this by using more certificate pinning and warnings which certificates change unexpectedly, a

      • by phantomfive ( 622387 ) on Sunday December 28, 2014 @04:54PM (#48686067) Journal

        They have fake certificates from trusted authorities for some major sites, and use MITM attacks to serve up fake pages with them. We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them. We can also potentially defend against this by using more certificate pinning and warnings which certificates change unexpectedly, as well as distributed certificate checks (to make sure the one you get is the same one everyone else gets).

        I don't think so because not many people use trusted authorities with SSH. (In fact I've never heard of anyone doing that, but surely there are people who do). Most likely the NSA just sits there sniffing traffic that goes by, waiting until there's an SSH to a new box (which actually happens a lot, every time you reinstall or something), then begin sniffing. After that they have the password and everything, so the attack can expand.

        • by fnj ( 64210 )

          Most likely the NSA just sits there sniffing traffic that goes by, waiting until there's an SSH to a new box (which actually happens a lot, every time you reinstall or something), then begin sniffing. After that they have the password and everything, so the attack can expand.

          Do you have the slightest idea how ssh logon works?

          • Do you have the slightest idea how ssh logon works?

            Why yes, yes I do.

        • by Uecker ( 1842596 )

          I doubt this. There are people who verify the fingerprints. And even if you do this only sometimes this is useful. So a large scale MITM attack on ssh would be very obvious. Also if you do a MITM on ssh you would not be able to obtain the password, because it is not transmitted. So to expand the attack they would need to MITM the ssh connections and then use this to install a backdoor. I would say this is far too intrusive to do on a large scale.

          • It doesn't say they are doing SSH attacks on a large scale. It says sometimes they can do it.
    • That's ssh letting you know that a man-in-the-middle attack could be successfully launched at you, and decrypt all your communication.

      ssh issues that message for other reasons, too, such as when you install a new network adapter. In that case, there is nothing wrong.

      • The message is there when you install a new network adapter. SSH is telling you that when you install a new network adapter like that, it has no way of detecting if the NSA is doing a MITM attack. You're on your own in that case.
    • Protecting SSH communications for your organization is fairly straightforward if you do some work. You need to use multiple layers. Here is our guide to protecting SSH:

      https://it.wiki.usu.edu/ssh_de... [usu.edu]

      We try to use multiple overlapping security layers to protect SSH:

      • If possible, use firewalls to limit the vulnerable scope of SSH to a few trusted hosts.
      • Configure firewalls to limit credential guessing by rate-limiting connections to the SSH port.
      • If possible, treat the SSH Port as a shared
      • by elgaard ( 81259 )

        * SSH users should verify the identity of their systems when they first connect. ...
        * We have SSH Honeypots that help us track, understand and respond to SSH attack.

        You should have user honeypots. Once in a while present a fake certificate. If the user ignores the wrong fingerprint and types in the correct password, reset the account password.
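
Added example, not part of any comment above and not OpenSSH's own code: the first-connect fingerprint check that this sub-thread discusses (the "authenticity of host can't be established" prompt, and the guide's advice to verify a system's identity on first connection). It recomputes the SHA256 fingerprint from a host key line and compares it with a value obtained out of band. The host name, key bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def make_line(host, key_type, raw_key):
    """Build a constructed 'host keytype base64' line in ssh-keyscan's output format."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"

def fingerprint(line):
    """Return the SHA256 fingerprint OpenSSH would display for one host key line."""
    _host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The blob names its own key type; reject a line whose label disagrees with it.
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def verify_host_key(line, trusted_fp):
    """True only if the offered key matches the fingerprint obtained out of band."""
    return hmac.compare_digest(fingerprint(line), trusted_fp)

# Constructed sample data (hypothetical host name, not real keys).
SERVER_LINE = make_line("host.example", "ssh-ed25519", bytes(range(32)))
OTHER_LINE = make_line("host.example", "ssh-ed25519", bytes(range(1, 33)))
# Stands in for the value an admin reads from the server console or a signed page.
TRUSTED_FP = fingerprint(SERVER_LINE)

if __name__ == "__main__":
    for name, line in (("expected key", SERVER_LINE), ("different key", OTHER_LINE)):
        verdict = "accept" if verify_host_key(line, TRUSTED_FP) else "REJECT, do not type a password"
        print(f"{name}: {fingerprint(line)} -> {verdict}")
```

The check only helps if the trusted fingerprint reaches the user over a channel other than the SSH connection being verified.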

  • by account_deleted ( 4530225 ) on Sunday December 28, 2014 @05:26PM (#48686173)
    Comment removed based on user account deletion
    • by Bengie ( 1121981 )
      Nope, you're at more risk because of the common password changes. I think it's 3-6 months. Should be using 2 factor.
  • by Anonymous Coward on Sunday December 28, 2014 @05:31PM (#48686191)

    those protocols or programs have a major rating (major according to the article means impossible unless someone made a mistake or malware was used)
    OTR
    TrueCrypt

    those protocols have a catastrophic rating (catastrophic for the NSA is a win for US)
    ZRTP
    PGP

    about the SSH thing, it all depends on the cipher used, if you use ssh with a MD2-DES cypher expect it to be decrypted
    if you use something like twofish or salsa20 you're probably quite secure

  • by mrflash818 ( 226638 ) on Sunday December 28, 2014 @07:38PM (#48686737) Homepage Journal

    The article mentions:

    Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed.

  • Say, I further "encrypt" my https sessions using ROT13. If NSA is on to me specifically, they will have no problem figuring it out. But if they opportunistically monitor main internet pipes for vulnerable traffic, I should be safe. What if web browsers encrypted data with one of hundreds of algorithms independently developed by smart people worldwide *before* standard https? At least some of them will prove resistant to cryptanalysis and even vulnerable ones will consume some of NSA's computing power and em
