Information Security News mailing list archives

NSA’s Decade-Long Plan to Undermine Encryption Includes Backdoors, Stolen Keys, Manipulating Standards


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 6 Sep 2013 07:41:10 +0000 (UTC)

http://www.wired.com/threatlevel/2013/09/nsa-backdoored-and-stole-keys/

By Kim Zetter
Threat Level
Wired.com
09.05.13

It was only a matter of time before we learned that the NSA has managed to thwart much of the encryption that protects telephone and online communication, but new revelations show the extent to which the agency, and Britain’s GCHQ, have gone to systematically undermine encryption.

Without the ability to actually crack the strongest algorithms that protect data, the intelligence agencies have systematically worked to thwart or bypass encryption using a variety of underhanded methods, according to revelations published by the New York Times and Guardian newspapers and the journalism non-profit ProPublica, based on documents leaked by NSA whistleblower Edward Snowden.

These methods, part of a highly secret program codenamed Bullrun, have included pressuring vendors to install backdoors in their products to allow intelligence agencies to access data, and obtaining encryption keys by pressuring vendors to hand them over or hacking into systems and stealing them.

Most surprising, however, is the revelation that the agency has worked to covertly undermine the encryption standards developers rely upon to build secure products. Undermining standards and installing backdoors don’t just allow the government to spy on data but create fundamental insecurities in systems that would allow others to spy on the data as well.

“The encryption technologies that the NSA has exploited to enable its secret dragnet surveillance are the same technologies that protect our most sensitive information, including medical records, financial transactions, and commercial secrets,” Christopher Soghoian, principal technologist of the ACLU’s Speech, Privacy and Technology Project, said in a statement about the revelations. “Even as the NSA demands more powers to invade our privacy in the name of cybersecurity, it is making the internet less secure and exposing us to criminal hacking, foreign espionage, and unlawful surveillance. The NSA’s efforts to secretly defeat encryption are recklessly shortsighted and will further erode not only the United States’ reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.”

[...]
