New material leaked by Edward Snowden shows which Internet security protocols the NSA had beaten as of 2012 and which encryption tools were still stymying cyber spies.

Digital spies in the National Security Administration cracked Skype's encryption back in 2011 and can make quick work of the VPNs many businesses believe make their communications secure.

But more robust security protocols and encryption techniques may still be secure from prying NSA eyes, according to documents revealed by former NSA contractor Edward Snowden.

Der Spiegel has the rundown on the NSA's battle against what its training documents described as the "threat" of secure Internet communication. Snowden's documentation is several years old now, of course. Whether or not U.S. cyber spies have managed to crack some of the toughest nuts in the intervening years, like Tor network communications, isn't known.

First, the security layers that the NSA considered to be "trivial," "minor," or "moderate" challenges to get through as of 2012. These include such tasks as simply monitoring a document as it travels across the Internet, spying on Facebook chats, and decrypting mail.ru emails, according to the Snowden documents.

But there are others that NSA cryptologists have had a much tougher time defeating, Der Spiegel noted, as documented in their sorting of threats "into five levels corresponding to the degree of the difficulty of the attack and the outcome, ranging from 'trivial' to a 'catastrophic.'"

"Things first become troublesome at the fourth level," according to Der Spiegel, which culled its report from a specific NSA presentation on Internet security.

As of 2012, the agency was having "major problems in its attempts to decrypt messages sent through heavily encrypted email service providers like Zoho or in monitoring users of the Tor network," the newspaper reported. Other "major," or fourth-level challenges included open-source protocols like Truecrypt and OTR instant-messaging encryption.

"Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed," Der Spiegel noted.

The toughest method of Internet communication for the NSA to crack? It's not any one dark Internet tool but rather a bunch of them layered on top of each other, according to the Snowden documents.

See the original post:
NSA Docs Reveal Spy-Proof Encryption Tools

The NSA has been cracking encryption for years. Photo: Reuters

Australia's electronic espionage agency is a partner in a massive United States-led assault on internet security and privacy, according to top secret documents disclosed by former US intelligence contractor Edward Snowden.

The GermanDer Spiegelmagazine has published new disclosures of signals intelligence cooperation between the United States and its "5-eyes" partners the United Kingdom, Canada, Australia and New Zealand revealing that the secret agencies have broken most widely-used forms of internet encryption.

Many of the leaked documents are classified top secret, "COMINT" (communications intelligence) and releasable only to "5-eyes" agencies the US National Security Agency (NSA), the Australian Signals Directorate (ASD), the United Kingdom's Government Communications Headquarters, Canada's Communications Security Establishment and New Zealand's Government Communications Security Bureau.

Intensive efforts to overcome what is described as the "major threat" of "ubiquitous encryption" on the internet have been regularly discussed at top secret "SIGDEV" signals intelligence development conferences between the "5-eyes" agencies.

Advertisement

The leaked documents show the NSA and its allies routinely intercept supposedly secure Hypertext Transfer Protocol (Https) connections used for internet applications including banking and financial services, e-commerce or accessing webmail accounts. According to one top secret document, the NSA planned to crack 10 million intercepted https connections a day by late 2012 with a particular focus on "password based encryption systems".

Other priority intelligence targets are virtual private networks (VPN) which are used by companies and organisations operating from multiple offices and locations. NSA and its partners operate a large-scale VPN exploitation project to intercept the data exchanged inside VPNs. Examples of successful interception cited in the leaked documents include government networks in Afghanistan, Greece, Pakistan and Turkey as well as a Russian telecommunications company.

According to a 2013 NSA document leaked by Mr Snowden and previously revealed byThe New York Times, the ASD obtained nearly 1.8 million encrypted master keys, used to protect private communications, from the Telkomsel Mobile network in Indonesia, and developed a way to decrypt almost all of them.

Another supposedly secure system accessed by the NSA and its partners is Skype, which is widely used to conduct internet video chat. The newly leaked documents show Skype has been successfully intercepted since at least February 2011.

Read more here:
Revealed: the encryption tools spies can (and can't) crack

The NSA has been cracking encryption for years. Photo: Reuters

Australia's electronic espionage agency is a partner in a massive United States-led assault on internet security and privacy, according to top secret documents disclosed by former US intelligence contractor Edward Snowden.

The GermanDer Spiegelmagazine has published new disclosures of signals intelligence cooperation between the United States and its "5-eyes" partners the United Kingdom, Canada, Australia and New Zealand revealing that the secret agencies have broken most widely-used forms of internet encryption.

Many of the leaked documents are classified top secret, "COMINT" (communications intelligence) and releasable only to "5-eyes" agencies the US National Security Agency (NSA), the Australian Signals Directorate (ASD), the United Kingdom's Government Communications Headquarters, Canada's Communications Security Establishment and New Zealand's Government Communications Security Bureau.

Intensive efforts to overcome what is described as the "major threat" of "ubiquitous encryption" on the internet have been regularly discussed at top secret "SIGDEV" signals intelligence development conferences between the "5-eyes" agencies.

Advertisement

The leaked documents show the NSA and its allies routinely intercept supposedly secure Hypertext Transfer Protocol (Https) connections used for internet applications including banking and financial services, e-commerce or accessing webmail accounts. According to one top secret document, the NSA planned to crack 10 million intercepted https connections a day by late 2012 with a particular focus on "password based encryption systems".

Other priority intelligence targets are virtual private networks (VPN) which are used by companies and organisations operating from multiple offices and locations. NSA and its partners operate a large-scale VPN exploitation project to intercept the data exchanged inside VPNs. Examples of successful interception cited in the leaked documents include government networks in Afghanistan, Greece, Pakistan and Turkey as well as a Russian telecommunications company.

According to a 2013 NSA document leaked by Mr Snowden and previously revealed byThe New York Times, the ASD obtained nearly 1.8 million encrypted master keys, used to protect private communications, from the Telkomsel Mobile network in Indonesia, and developed a way to decrypt almost all of them.

Another supposedly secure system accessed by the NSA and its partners is Skype, which is widely used to conduct internet video chat. The newly leaked documents show Skype has been successfully intercepted since at least February 2011.

See the rest here:
Revealed: the encryption tools spies can't crack

Most of usat least the cynical onesassume that the NSA has probably beaten most of the encryption technologies out there. But a new report from Der Spiegel that draws on documents from Edward Snowden's archive shows that this simply isn't true. There are some tools that the NSA, as recently as two years ago, couldn't crack.

"[Some users] think the intelligence agency experts are already so many steps ahead of them that they can crack any encryption program," explains the report. "This isn't true." In fact, there are several encryption technologies that gave the NSA trouble. First of all, the documents show that the NSA had "major" issues trying to break the encryption on both Tor and Zoho, the email service. Truecrypt, the now-defunct freeware service for encrypting files on your computer, was another thorn in the NSA's side, along with Off-the-Record, which encrypts instant messages.

Another good tool mentioned is Pretty Good Privacy, which is shocking given that the protocol is two decades old, originally written in 1991. But there are also combinations of tools that the NSA describes as "catastrophic" when attempting to crack. Here's how Der Spiegel describes the special sauce:

Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a "near-total loss/lack of insight to target communications, presence," the NSA document states.

There are also plenty of seemingly secure services that the report shows are easy for the NSA to monitor, just as you might already assumeincluding VPNs and the HTTPS connections that many of us see on a daily basis when logging into banking sites and other supposedly "secure" websites. According to the report, the NSA intercepted 10 million of those https connections every day in 2012.

Then there are the details about how the NSA proactively fights encryption online, including attending meetings of groups that create the standards for encryption, like the Internet Engineering Task Force. This way, the NSA can influenceand water downthe internet-wide standards for privacy in a much longer-term way. In one of the more ironic sections of the new documents, we learn that while the NSA is responsible for recommending the best security standards to the US National Institute of Standards and Technology, at the same time it is looking for ways to break the tools it recommends.

It's a harrowing new look at the NSA's encryption-breaking prowess, but at the same time, a heartening glimpse of the freely available tools that still provide a modicum of privacy. More than anything, it's a reminder that the NSA is throwing all its weight into cracking these protocolsand none of us can ever assume that a single encryption tool is truly private. The entire report is well worth a read. [Der Spiegel]

The rest is here:
The Encryption Tools the NSA Still Can't Crack Revealed in New Leaks

A military no trespassing sign shown in front of Utah's NSA Data Center in Bluffdale, Utah.

Image: Rick Bowmer/Associated Press

By Rex Santus2014-12-29 21:13:57 UTC

A new report on documents leaked to the press by whistleblower Edward Snowden highlights some security tools the National Security Agency has cracked and those it hasn't in its widespread surveillance of digital communication.

The NSA had trouble breaking some forms of encryption, according to a report in the German newsmagazine Der Spiegel that listed seven coauthors, including Laura Poitras, who directed the Snowden documentary Citizenfour. The encryption and security-breaking problems the NSA encountered were ranked on a scale of 1 to 5, from "trivial" to "catastrophic." Facebook chat, for example, was considered "trivial."

The NSA had "major" problems (the fourth level) with Zoho, an encrypted email service, as well as Tor, the network and software that helps users browse the Internet anonymously. Tor sends information through a variety of a relay nodes, managed by volunteers, that make it difficult to tell who or where the web traffic originated from.

Government security specialists also had trouble with Truecrypt, a software program used for file encryption that was shuttered earlier this year. PGP, an early encryption program for email that was founded in 1991, still proved a formidable opponent to the NSA.

The situation only became "catastrophic" when a user constructed a sort of Frankenstein's monster of privacy protection: The Tor network atop other anonymizing services, certain instant messengers and phone encryption apps like RedPhone, for example.

Some combinations rendered a "near-total loss/lack of insight to target communications, presence," according to Der Spiegel's review of the NSA documents, which was also presented at Berlin-based hacking group Chaos Computer Club's annual conference this weekend in Germany.

Nothing is bulletproof, of course. The government has found its way into Tor before, and malicious hackers targeted the anonymity network just last week. Using a combination of privacy methods is the best way to avoid NSA surveillance.

Read more:
Snowden leaks reveal encryption programs that NSA couldn't break