NSA Docs Reveal Spy-Proof Encryption Tools

New material leaked by Edward Snowden shows which Internet security protocols the NSA had beaten as of 2012 and which encryption tools were still stymying cyber spies.

Digital spies in the National Security Administration cracked Skype's encryption back in 2011 and can make quick work of the VPNs many businesses believe make their communications secure.

But more robust security protocols and encryption techniques may still be secure from prying NSA eyes, according to documents revealed by former NSA contractor Edward Snowden.

Der Spiegel has the rundown on the NSA's battle against what its training documents described as the "threat" of secure Internet communication. Snowden's documentation is several years old now, of course. Whether or not U.S. cyber spies have managed to crack some of the toughest nuts in the intervening years, like Tor network communications, isn't known.

First, the security layers that the NSA considered to be "trivial," "minor," or "moderate" challenges to get through as of 2012. These include such tasks as simply monitoring a document as it travels across the Internet, spying on Facebook chats, and decrypting mail.ru emails, according to the Snowden documents.

But there are others that NSA cryptologists have had a much tougher time defeating, Der Spiegel noted, as documented in their sorting of threats "into five levels corresponding to the degree of the difficulty of the attack and the outcome, ranging from 'trivial' to a 'catastrophic.'"

"Things first become troublesome at the fourth level," according to Der Spiegel, which culled its report from a specific NSA presentation on Internet security.

As of 2012, the agency was having "major problems in its attempts to decrypt messages sent through heavily encrypted email service providers like Zoho or in monitoring users of the Tor network," the newspaper reported. Other "major," or fourth-level challenges included open-source protocols like Truecrypt and OTR instant-messaging encryption.

"Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed," Der Spiegel noted.

The toughest method of Internet communication for the NSA to crack? It's not any one dark Internet tool but rather a bunch of them layered on top of each other, according to the Snowden documents.


Revealed: the encryption tools spies can (and can’t) crack

Australia's electronic espionage agency is a partner in a massive United States-led assault on internet security and privacy, according to top secret documents disclosed by former US intelligence contractor Edward Snowden.

The German Der Spiegel magazine has published new disclosures of signals intelligence cooperation between the United States and its "5-eyes" partners the United Kingdom, Canada, Australia and New Zealand, revealing that the secret agencies have broken most widely used forms of internet encryption.

Many of the leaked documents are classified top secret, "COMINT" (communications intelligence) and releasable only to "5-eyes" agencies the US National Security Agency (NSA), the Australian Signals Directorate (ASD), the United Kingdom's Government Communications Headquarters, Canada's Communications Security Establishment and New Zealand's Government Communications Security Bureau.

Intensive efforts to overcome what is described as the "major threat" of "ubiquitous encryption" on the internet have been regularly discussed at top secret "SIGDEV" signals intelligence development conferences between the "5-eyes" agencies.

The leaked documents show the NSA and its allies routinely intercept supposedly secure Hypertext Transfer Protocol (Https) connections used for internet applications including banking and financial services, e-commerce or accessing webmail accounts. According to one top secret document, the NSA planned to crack 10 million intercepted https connections a day by late 2012 with a particular focus on "password based encryption systems".

Other priority intelligence targets are virtual private networks (VPN) which are used by companies and organisations operating from multiple offices and locations. NSA and its partners operate a large-scale VPN exploitation project to intercept the data exchanged inside VPNs. Examples of successful interception cited in the leaked documents include government networks in Afghanistan, Greece, Pakistan and Turkey as well as a Russian telecommunications company.

According to a 2013 NSA document leaked by Mr Snowden and previously revealed by The New York Times, the ASD obtained nearly 1.8 million encrypted master keys, used to protect private communications, from the Telkomsel Mobile network in Indonesia, and developed a way to decrypt almost all of them.

Another supposedly secure system accessed by the NSA and its partners is Skype, which is widely used to conduct internet video chat. The newly leaked documents show Skype has been successfully intercepted since at least February 2011.

The Encryption Tools the NSA Still Can’t Crack Revealed in New Leaks

Most of us, at least the cynical ones, assume that the NSA has probably beaten most of the encryption technologies out there. But a new report from Der Spiegel that draws on documents from Edward Snowden's archive shows that this simply isn't true. There are some tools that the NSA, as recently as two years ago, couldn't crack.

"[Some users] think the intelligence agency experts are already so many steps ahead of them that they can crack any encryption program," explains the report. "This isn't true." In fact, there are several encryption technologies that gave the NSA trouble. First of all, the documents show that the NSA had "major" issues trying to break the encryption on both Tor and Zoho, the email service. Truecrypt, the now-defunct freeware service for encrypting files on your computer, was another thorn in the NSA's side, along with Off-the-Record, which encrypts instant messages.

Another good tool mentioned is Pretty Good Privacy, which is shocking given that the protocol is two decades old, originally written in 1991. But there are also combinations of tools that the NSA describes as "catastrophic" when attempting to crack. Here's how Der Spiegel describes the special sauce:

Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a "near-total loss/lack of insight to target communications, presence," the NSA document states.

There are also plenty of seemingly secure services that the report shows are easy for the NSA to monitor, just as you might already assume, including VPNs and the HTTPS connections that many of us see on a daily basis when logging into banking sites and other supposedly "secure" websites. According to the report, the NSA intercepted 10 million of those HTTPS connections every day in 2012.

Then there are the details about how the NSA proactively fights encryption online, including attending meetings of groups that create the standards for encryption, like the Internet Engineering Task Force. This way, the NSA can influence, and water down, the internet-wide standards for privacy in a much longer-term way. In one of the more ironic sections of the new documents, we learn that while the NSA is responsible for recommending the best security standards to the US National Institute of Standards and Technology, at the same time it is looking for ways to break the tools it recommends.

It's a harrowing new look at the NSA's encryption-breaking prowess, but at the same time, a heartening glimpse of the freely available tools that still provide a modicum of privacy. More than anything, it's a reminder that the NSA is throwing all its weight into cracking these protocols, and none of us can ever assume that a single encryption tool is truly private. The entire report is well worth a read. [Der Spiegel]


Snowden leaks reveal encryption programs that NSA couldn’t break

By Rex Santus, 2014-12-29 21:13:57 UTC

A new report on documents leaked to the press by whistleblower Edward Snowden highlights some security tools the National Security Agency has cracked and those it hasn't in its widespread surveillance of digital communication.

The NSA had trouble breaking some forms of encryption, according to a report in the German newsmagazine Der Spiegel that listed seven coauthors, including Laura Poitras, who directed the Snowden documentary Citizenfour. The encryption and security-breaking problems the NSA encountered were ranked on a scale of 1 to 5, from "trivial" to "catastrophic." Facebook chat, for example, was considered "trivial."

The NSA had "major" problems (the fourth level) with Zoho, an encrypted email service, as well as Tor, the network and software that helps users browse the Internet anonymously. Tor sends information through a variety of relay nodes, managed by volunteers, that make it difficult to tell who or where the web traffic originated from.

Government security specialists also had trouble with Truecrypt, a software program used for file encryption that was shuttered earlier this year. PGP, an early encryption program for email that was founded in 1991, still proved a formidable opponent to the NSA.

The situation only became "catastrophic" when a user constructed a sort of Frankenstein's monster of privacy protection: The Tor network atop other anonymizing services, certain instant messengers and phone encryption apps like RedPhone, for example.

Some combinations rendered a "near-total loss/lack of insight to target communications, presence," according to Der Spiegel's review of the NSA documents, which was also presented at Berlin-based hacking group Chaos Computer Club's annual conference this weekend in Germany.

Nothing is bulletproof, of course. The government has found its way into Tor before, and malicious hackers targeted the anonymity network just last week. Using a combination of privacy methods is the best way to avoid NSA surveillance.


Encryption can help ramp up your IT security

Ken Colburn, Special for The Republic | azcentral.com, 10:03 p.m. MST December 26, 2014

Question: One of the things I keep hearing about because of the Sony hack is encryption. How exactly do I get it set up for my business?

Answer: There isn't enough space in this column to cover all the lessons that can be learned from what continues to come out of the Sony Pictures massive hacking event.

The use of encryption is a big one because it can provide an excellent level of security even if cyberthieves make off with thousands of sensitive files via a compromised computer.

Anytime everyone has access to everything on a business network without any real security, hackers need only compromise one user to wreak havoc for everyone (the likely scenario in the Sony hack).

Encryption acts as another security barrier that will generally cause the hackers to move on because of the time that it will take to break the encryption.

Encryption technology is built into most operating systems; Windows has BitLocker for workstations and servers (http://goo.gl/N0vPuy). Mac OS X has FileVault (http://goo.gl/4SpCBe). Or you can use encryption programs from many third-party companies.

Before you make any decisions to start encrypting your data, you should review all of the options, pros, cons, security and backup measures to make sure you don't inadvertently lock yourself out of your own data.

Encryption strategy needs to be thought through, so make sure you consult your IT support group before you get started.


The Future of Data Encryption in Insurance

Inadequate data encryption is making insurers across the industry vulnerable to security breaches.

The insurance industry has a reputation for stability, expertise, and thoroughness. These strengths are the product of time. Longevity has its purpose in insurance, which has a history punctuated by economic calamity, war, and social and political upheaval. The great insurers of yesteryear remain the great insurers of today.

The institutional integrity of many of our most recognizable insurers is solid. Individual agents provide steady reassurance, thorough marketing, advertising and professionalism that are assets to the industry and provide a favorable impression to policyholders.

However, despite this sense of security, policies cannot just be protected by thick stainless steel doors and stacked certificates of indemnification, alphabetized and aligned in symmetrical rows. Beyond the physically dense climate-controlled bunkers and vaults, where room temperature prevents the yellowing of these documents and insurers protect against fires and floods, the cleverest thieves -- armed with the most valuable intelligence -- can destroy an insurance company in a few minutes or hours. This is where all the standard operating procedures of the insurance industry collapse.

I refer, specifically, to the inadequate encryption that makes every insurer vulnerable to massive data breaches. Please note that I issue this statement based on experience, not exaggeration or an appetite for sensationalism. In my role as founder of Impervio E-IRM System (Enhanced Information Rights Management), I seek to empower insurers against these threats. Impervio is a testament to this commitment because it is, by the strictest definition of the word, impenetrable.

While insurers do a commendable job of trying to educate the public about security, they do not have the encryption necessary to win the battle against hackers and cyber criminals. Put a different way, the existing form of encryption -- the system that governs so many industries -- relies on the false assertion that it would take someone 3,000 years to break this code.

This presumption is seriously inaccurate because, in reality, the trained eye can spot gaping holes and points of weakness within this theory. Sophisticated thieves already know when and how to exploit these security vulnerabilities, which act as gateways to confidential client data, electronic medical records, intra-office communications, personal checking account codes and credit card numbers.

To better appreciate the gravity of this situation, think of current forms of encryption as four massive walls that surround a vital piece of intellectual property. From a distance, like its physical corollary between East and West Berlin, or its even lengthier cousin known as the Maginot Line, this wall looks impressive -- and imposing -- until you see all the cracks and barren sections previously covered by concrete now exposed with a thin pane of asbestos and chicken wire.

The cyber equivalent to these frayed walls and abandoned outposts is the model of encryption insurers continue to use. Indeed, the best example of the need for a superior method of encryption involves what we see and hear every day, particularly advertisements from security experts who claim they have the latest patch (for a patch, on top of another patch) to fix a breach.


Data Doctors: Lessons for all from the Sony hack

Q: One of the things I keep hearing about because of the Sony hack is encryption, but how exactly do I get it set up for my business?

A: There isn't enough space in this column to cover all the lessons that can be learned from what continues to come out of the Sony Pictures massive hacking event.

The use of encryption is a big one because it can provide an excellent level of security even if cyber thieves make off with thousands of sensitive files via a compromised computer.

Anytime everyone has access to everything on a business network without any real security, hackers need only compromise one user to wreak havoc for everyone (the likely scenario in the Sony hack).

Encryption acts as another security barrier that will generally cause the hackers to move on because of the time that it will take to break the encryption.

Encryption technology is built into most operating systems; Windows has BitLocker for workstations and servers, while Mac OS X has FileVault, or you can use encryption programs from many third-party companies.

But before you make any decisions to start encrypting your data, you really should review all of the options, pros, cons, security and backup measures to make sure you don't inadvertently lock yourself out of your own data.

Encryption strategy needs to be thought through, so make sure you consult your IT support group before you get started.

Another simple step that Sony could have taken to protect data was to create individual passwords for sensitive data files.

Just about every type of business program you use has an option to password protect the individual files.


Pirate Bay publishes mysterious ‘encryption’ key

Renegade torrent site The Pirate Bay has added a digital clock and a line of scrambled text, which may be an encryption key, to its website at thepiratebay.se.

On Monday the site, shut down by Swedish police on December 9, showed the first signs of a potential resurrection when it added a looping video of a black pirate flag.

Now a digital clock has been added, showing roughly the amount of time the site has not been available to search for pirated files: 14 days and counting.

Another addition is a line of jumbled characters at the bottom of the screen: "JyO7wNzc8xht47QKWohfDVj6Sc2qH+X5tBCT+uetocIJcjQnp/2f1ViEBR+ty0Cz".

Exactly what it means (if anything), or what it's doing there, is anyone's guess.

The URL of the image of the text is "http://thepiratebay.se/aes.png", which may be a reference to Advanced Encryption Standard (AES).

AES is an internationally agreed-upon standard for encrypting transactions, and is widely used by secure websites such as online banking services, among other things.

If this is an AES key, one theory is that it could be a way for people involved with The Pirate Bay to communicate with each other, or send data including pirated material privately.
