Report: NSA, GCHQ hugely successful at subverting encrypted Internet traffic
The National Security Agency and Government Communications Headquarters have been increasingly successful in undermining tools such as SSL and VPN that are used to protect everyday communications, according to new reports published simultaneously by the New York Times, ProPublica and The Guardian.
Key tactics adopted by the spy agencies include the use of supercomputers, technical trickery, court orders and simple behind-the-scenes persuasion for voluntary cooperation. Specific details and names of companies that cooperated were redacted, but the sheer breadth and scope that were revealed have chilling ramifications for secure Internet communications for both users and businesses.
Of particular concern is the insertion of secret backdoors into commercial encryption software, as well as attempts to weaken important cryptography technologies by directly influencing the standards and specifications process.
Another trick is to attack weak encryption technologies, or attack an end-point directly.
"The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs," writes Bruce Schneier at The Guardian. He went on to offer tips on how to evade the NSA here.
The Fierce Take: Without additional details, there's not much that enterprises can do to improve their security posture at the moment. Where U.S.-based companies are concerned, the biggest worry likely revolves around the potential for state-sponsored hackers and black hats to exploit the planted backdoors and vulnerabilities. Ironically, the fact that the NSA has diverted resources specifically to break into traffic from the "big four" communications providers, which include Google, represents another poke in the eye for security-conscious businesses looking to deploy Google Apps.