STE WILLIAMS

That earth-shattering NSA crypto-cracking: Have spooks smashed RC4?


Analysis: Fresh revelations from whistleblower Edward Snowden suggest that the NSA can crack TLS/SSL connections, the widespread technology securing HTTPS websites and virtual private networks (VPNs).

Although reports from the New York Times and its allied publications held off on the specifics, it may all mean that US spooks can reliably crack RC4, a popular encryption cipher, security experts fear.


As reported last night, the NSA and GCHQ are able to foil basic safeguards that supposedly ensure privacy on the web, allowing spooks to peek inside the encrypted contents of VPN traffic, online banking and shopping, and more. No wonder Blighty’s intelligence agents shrugged off Brits attempting to hide their data in SSL.

The UK and US governments can probably compromise HTTPS connections by gaining access to certificates and encryption keys, by exploiting backdoors in equipment and algorithms, or by otherwise enabling the signals intelligence agencies to run man-in-the-middle attacks on encrypted traffic. GCHQ is alleged to have broken the security on some 30 VPN systems, and has plans to get into 300 by 2015.

The NSA’s highly classified Bullrun programme allows the agencies to inspect data sniffed from submarine cables, and might involve, at least in part, collaboration with unnamed technology companies.

Tough ciphers, such as 256-bit AES, remain unbroken by the g-men, it’s hoped. Snowden himself famously said “encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on”.

What the NSA appears to have done is circumvent or nobble the software and hardware that underpin widely used encryption systems, rather than all-out breaking the mathematical foundations of modern-day cryptography.

However, the agency’s unspecified “groundbreaking cryptanalytic capabilities” could include a practical attack on RC4.

“Most major SSL-enabled websites use RC4, which was designed in 1987. This NSA crypto story should be a wake up call for the tech industry,” said Christopher Soghoian, principal technologist and senior policy analyst at the ACLU in an update to his personal Twitter account.

Encryption guru Bruce Schneier concurred that an attack against RC4 was at least a plausible theory. “I don’t know one way or the other, but that’s a good speculation,” Schneier said in a blog post.

RC4 is an ageing but still widely used stream cipher that’s often used as a component of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols of HTTPS to protect sensitive web traffic from snooping. Security researchers have shown data encrypted by the algorithm can be carefully analysed to silently extract information, such as an authentication cookie used to log into a victim’s Gmail account.

An attack developed by security researchers at Royal Holloway, University of London and the University of Illinois at Chicago, and unveiled back in March, relies on statistical biases in the keystream generated by the RC4 algorithm. It depends on getting a victim to open a web page containing malicious JavaScript code that repeatedly makes requests to Google’s Gmail, for example, so that the same cookie is encrypted again and again under fresh keys. This gives an attacker the bulk of traffic needed to perform the cryptanalysis.

This particular attack requires at least 16,777,216 (2^24) captured sessions, but it’s easy to imagine that code breakers at the NSA and GCHQ are far further ahead of the game and have come up with a far more elegant, and therefore practical, attack.
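The keystream bias behind this class of attack can be shown with a few lines of code. The example below is added here and is not code from the article or from the Royal Holloway paper: it implements textbook RC4 and then demonstrates the best-known single-byte bias, identified by Mantin and Shamir, that the second keystream byte is zero with probability about 1/128 rather than 1/256. The Royal Holloway attack exploits many such biases across the first 256 keystream bytes; this demo uses only the largest one. When the same plaintext, such as a session cookie, is encrypted under many different keys, the most common ciphertext value at that position is, with high probability, the plaintext byte itself. The cookie string, the 16-byte key size, the session count and the RNG seed are all made up for the demonstration.

```python
"""Added example: RC4 and the Mantin-Shamir second-byte bias used by
broadcast (many-sessions) attacks on RC4 in TLS."""
import random
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                            # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: ciphertext is plaintext XOR keystream."""
    return bytes(p ^ k for p, k in zip(data, rc4_keystream(key, len(data))))


def ciphertext_histogram(plaintext: bytes, position: int, sessions: int,
                         seed: int = 1) -> Counter:
    """Encrypt `plaintext` under `sessions` fresh random 16-byte keys (one per
    session, which is what the malicious JavaScript forces the browser to do)
    and tally the ciphertext byte observed at `position`. Only the keystream
    up to that position is generated, since nothing else is needed."""
    rng = random.Random(seed)                     # seeded so the demo is repeatable
    hist = Counter()
    for _ in range(sessions):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key, position + 1)
        hist[plaintext[position] ^ ks[position]] += 1
    return hist


def recover_byte(plaintext: bytes, position: int, sessions: int, seed: int = 1):
    """Majority vote over sessions. Returns the most common ciphertext value at
    `position` and the fraction of sessions that produced it. With a uniform
    keystream every value would appear about 1/256 of the time; at position 1
    (the second byte) the true plaintext byte shows up at roughly 2/256 because
    the keystream byte there is zero with probability about 1/128."""
    hist = ciphertext_histogram(plaintext, position, sessions, seed)
    value, votes = hist.most_common(1)[0]
    return value, votes / sessions


if __name__ == "__main__":
    # Well-known RC4 test vector: key "Key", plaintext "Plaintext".
    assert rc4_encrypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    cookie = b"SID=s3cr3tc00k13"                  # constructed sample cookie
    byte, frac = recover_byte(cookie, 1, 16_000)
    print(f"position 1: recovered 0x{byte:02x} ({chr(byte)!r}) in {frac:.3%} "
          f"of sessions; uniform would be {1/256:.3%}")
```

Sixteen thousand sessions is enough to pick out the second byte reliably because its bias is the strongest in the keystream; the other positions the Royal Holloway team used have far smaller biases, which is why their attack needs on the order of 2^24 sessions or more to recover a whole cookie.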

RC4 was invented by Ron Rivest in 1987. Various attacks have been developed against RC4, allowing determined hackers to break the encryption, but the technology is still widely used – it’s also used in Wi-Fi WEP protection.

It’s understood about 50 per cent of all TLS traffic is protected using RC4, and its use is, if anything, growing after the discovery of various attacks (including BEAST and Lucky 13) against cipher block chaining (CBC), a mode of encryption used by TLS.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/

Tripwire Survey: 64% Of IT Profs Don’t Communicate Security Risks

PORTLAND, OREGON — September 5, 2013 — Tripwire, Inc., a leading global provider of risk-based security and compliance management solutions, today released results from an extensive study focused on the state of risk-based security management with the Ponemon Institute. The study examined the disconnect between an organization’s commitment to risk-based security management and its ability to develop the collaboration, communication styles and culture necessary for effective security programs across the organization.

The study respondents included 749 U.S. and 571 U.K. professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.

“Risk-based security is an extremely complex problem where predictability and outcomes are constantly changing,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “This means that even the most secure and sophisticated organizations experience risk because there are too many variables in play. Effective communication and collaboration across the organization are crucial in mitigating this risk.”

Key findings from the survey include:

64% said they don’t communicate security risk with senior executives or only communicate when a serious security risk is revealed.

47% said that collaboration between security risk management and business is poor, nonexistent or adversarial. 51% rated their communication of relevant security risks to executives as “not effective.”

When asked why communicating relevant security risks to executives was not effective:

68% of the respondents said communications are too siloed

61% said communication occurs at too low a level

61% said the information is too technical to be understood by non-technical management

59% said negative facts are filtered before being disclosed to senior executives and the CEO

“Risk provides the common language that enables a broader business conversation about cybersecurity risks, particularly when dealing with non-technical executives,” noted Dwayne Melancon, chief technology officer for Tripwire. “However, it’s clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals.”

For more information about this study please visit: http://www.tripwire.com/ponemon/2013/#collaboration

About the Ponemon Institute

The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations in a variety of industries.

About Tripwire

Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at www.tripwire.com or follow us @TripwireInc on Twitter.

Article source: http://www.darkreading.com/management/tripwire-survey-64-of-it-profs-dont-comm/240160886

Consumer Groups To FTC: Block Facebook’s New Privacy Changes

Facebook has privacy advocates up in arms again — this time in the wake of proposed changes to its data use policy.

A coalition made up of Consumer Watchdog, the Electronic Privacy Information Center (EPIC), the Center for Digital Democracy, Patient Privacy Rights, U.S. PIRG, and Privacy Rights Clearinghouse has asked the Federal Trade Commission to enforce a previous consent order with Facebook. The privacy advocates say Facebook’s newly proposed Statement of Rights and Responsibilities and Data Use Policy violate Facebook’s 2011 settlement with the FTC.

“The changes will allow Facebook to routinely use the images and names of Facebook users for commercial advertising without consent. The changes violate Facebook’s current policies and the 2011 Facebook settlement with the FTC. The Commission must act to enforce its Order,” the coalition said in a letter to the FTC.

“Facebook has long played fast and loose with users’ data and relied on complex privacy settings to confuse its users, but these proposed changes go well beyond that,” said John M. Simpson, privacy director for Consumer Watchdog. “Facebook’s overreach violates the FTC Consent Order that was put in place after the last major privacy violation; if the Commission is to retain any of its credibility, it must act immediately to enforce that order.”

The proposed changes by Facebook are especially detrimental to Facebook members who are minors, the group says.

Facebook’s new proposed policy says: “If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.”

That leaves the images and names of minors on Facebook vulnerable, according to the privacy advocates.

Under the proposed Data Use Policy, Facebook says it now can use any information it receives about members to serve more relevant advertising. “Facebook also makes the remarkable claim under the proposed new policies that ‘User names and User ID’s are the same thing.’ This reflects a profound misunderstanding of privacy protection – names are often ambiguous, User IDs are unique identifiers, and it is the misuse of User IDs that has contributed to many of the privacy problems on Facebook,” the privacy group wrote in its letter to the FTC (PDF).

“We urge you to act. The right of a person to control the use of their image for commercial purposes is the cornerstone of modern privacy law,” the coalition said. “Consumer privacy groups have worked diligently to preserve this right and to protect the interests of Facebook users. Now it is up to the FTC based on the Order that is already in place.”


Article source: http://www.darkreading.com/privacy/consumer-groups-to-ftc-block-facebooks-n/240160899

Facebook postpones privacy putsch: report


Facebook will wait a little while before adopting changes to its privacy policy flagged last month.

The Los Angeles Times reports that in response to hostile reaction from users The Social Network will hold off introducing new “features” that would have allowed it to use members’ faces in advertisements.


Users greatly dislike that plan, as can be discovered in a few minutes reading comments on the announcement of the new plan.

The Times quotes an email from Facebook to the effect that it is considering “whether further updates are necessary”. That consideration is expected to conclude next week.

The delay in implementation of the new privacy policy comes after half a dozen US privacy groups expressed concerns about the plan in a joint letter sent to the US Federal Trade Commission (FTC). The letter (PDF) suggests the new plan breaches the FTC’s 2011 order forcing Facebook to obtain consent before using users’ information. Just throwing the switch to new privacy settings may not be the same as getting consent.

It’s not clear if the FTC has unleashed the lawyers, or is considering the letter. That Facebook is moving slowly suggests some sort of negotiations may be under way. Either that or it’s adopting the time-honoured strategy of letting anger blow itself out before retreating to a “more reasonable” position that was actually what it wanted from the very start. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/06/facebook_postpones_privacy_putsch_report/

‘Unreliable, shambolic’ … a top CompSci prof slams Serco’s UK crim tag tech


The electronic tags used to keep tabs on criminals and suspects in the UK are “unreliable” – and the systems monitoring them are “shambolic”. That’s according to a dynamite report by Ross Anderson, a leading computer scientist.

The University of Cambridge professor said he compiled his findings after he was called in as an expert witness to defend a woman accused of tampering with a tag.


We’re told the court case against her was dropped after Prof Anderson’s devastating dossier [redacted PDF] highlighted the number of “false alarms” triggered by the tags’ anti-tampering sensors – and the equipment’s “unreliable back-end systems”.

His testimony concluded that there was reasonable doubt that the woman tried to prise off the tag: a technical fault may have been to blame, or the tag, “having become overly sensitive, perhaps through wear and tear, did not require the 35kg of force to register a tamper, but merely some innocuous activity”.

Each of the electronic gadgets is usually securely strapped to the ankle or wrist of a perp or someone released on bail, and it talks wirelessly to a monitoring unit typically installed in the wearer’s home. If the tag isn’t within range of this unit during the hours of evening curfew, the equipment alerts the firm contracted to provide the system.

Rather than put suspects behind bars, or keep crims in prison for their full sentences, people can be ordered to stick to a strict curfew and fitted with tags to keep them at home after dark. The technology first became available to courts in England and Wales in 1999.

‘The overall impression is of an unreliable technology’

Serco, one of the main private security firms running the scheme, was monitoring more than 9,000 people a day in August 2012, and was the contractor who brought the aforementioned woman to court for allegedly “tampering with the tag”, we’re told.

About 18,000 people are electronically tagged at any one time, according to the security engineering prof. Typically, those subject to curfew orders need to stay at home from 8pm to 8am.

He said he was asked to write up an expert report on the evidence presented by Serco for last month’s court case in London. According to his review, the tagging system relied too much on contractors and their partners, rather than independent parties, to investigate alleged breaches of the rules.

“[Serco’s] logs relating to my defendant’s case showed large numbers of false alarms; some of these had good explanations (such as power cuts) but many didn’t,” Prof Anderson explained in a blog post.

“The overall impression is of an unreliable technology surrounded by chaotic procedures.

“Of policy concern, too, is that the tagging contractor not only supplies the tags and the back-end systems, but the call centre and the interface to the court system. What’s more, if you break your curfew, it isn’t the Crown Prosecution Service that takes you before the magistrates, but the contractor – relying on expert evidence from one of its subcontractors. Such closed systems are notoriously vulnerable to groupthink.”

The academic asked for access not just to the tag at the heart of this particular case, but to Serco’s equipment for testing the electronics, plus system specifications, false-alarm statistics and audit reports. Serco demurred and decided to drop its prosecution, the prof said.

“If you’re designing systems on whose output someone may have to rely in court, you’d better think hard about how they’ll stand up to hostile review,” he concluded in a post on his university’s Light Blue Touchpaper blog here. The academic’s previous work includes an investigation into phantom money withdrawals, which led to the discovery of weaknesses in systems banks had insisted were foolproof.

We invited Serco to comment on Wednesday, but we have yet to hear back from the outsourcing giant. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/06/offender_tagging/

Has Facebook violated its 2011 Federal Trade Commission settlement?

The top six privacy organisations in the US – the Electronic Privacy Information Center, Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG, and the Privacy Rights Clearinghouse – sent a joint letter to politicians and regulators on Wednesday asking for some of Facebook’s proposed changes to its policies to be blocked.

The letter claims that Facebook’s proposed changes violate a 2011 privacy settlement with the FTC.

Last week Facebook issued proposed changes to its Data Use Policy and Statement of Rights and Responsibilities as part of an agreement that was made in settlement of a class-action lawsuit.

That settlement, covering the social giant’s routine use of users’ names and images for promoting its Sponsored Stories, saw around 614,000 users of the site receive $15 each in compensation for having their personal information used without their consent.

But the letter from the privacy groups argues that Facebook’s new policy wording is actually weaker than before.

The changes will allow Facebook to routinely use the images and names of Facebook users for commercial advertising without consent.

The old statement said users can use their privacy settings “to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us.”

Whereas the new copy says users, “permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you.”

The letter goes on to say that “the pending changes arise from a class action settlement in which the attorneys who purported to represent the interests of Facebook users granted the company a right that was contrary to the company’s policy at the time the litigation was initiated.”

Additionally, the group said that users of the social network who “reasonably believed” that their names and images could not be used for commercial purposes without their prior consent could later discover that “their images could even be used by Facebook to endorse products that the user does not like or even use.”

The Federal Trade Commission must act now to protect the interests of Facebook users and to ensure compliance with the 2011 Order. The Order requires that, “prior to any sharing of a user’s nonpublic user information by [Facebook] with any third party, which materially exceeds the restrictions imposed by a user’s privacy setting(s),” Facebook must make a “clear and prominent” disclosure and obtain the “affirmative express consent” of the user.

The members of the privacy group also took issue with the way that policy changes would impact on younger users of the site.

Under the proposed changes, minors signing up for Facebook will be deemed to have asserted that one of their parents or guardians has agreed to the use of their name, images and other content for commercial purposes.

This wording “eviscerates any meaningful limits over the commercial exploitation of the images and names of young Facebook users,” wrote the group who also commented “This is contrary to the Order and FTC’s recognition that teens are a sensitive group, owed extra privacy protections.”

The group ended their letter by asking the FTC to do something to help.

We urge you to act. The right of a person to control the use of their image for commercial purposes is the cornerstone of modern privacy law. Consumer privacy groups have worked diligently to preserve this right and to protect the interests of Facebook users. Now it is up to the FTC based on the Order that is already in place.

If you have concerns about Facebook’s new policies then you may wish to take a look at our Facebook tips which give some easy suggestions for improving your safety and privacy on the social network.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zqqQiG21OF0/

Know Thyself Through Data-Driven Security Q&A

over time, what’s the relationship of one system to another system?”

For their organization, to answer that contextual question, White and Collins say their team has had success leveraging NetFlow data coming off of its Cisco network infrastructure.

“That tells you in summary form who is talking to who and over what port,” White says. “We know, for example, one system that belongs to our ecommerce site, then based on that NetFlow data we can say, ‘OK, well, who does that system talk to? Well it talks to these two app servers and these two app servers talk to these systems and it looks like they’re talking this database language.”
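The relationship mapping White describes can be done with nothing more than flow summaries and a graph walk. The example below is added here; it is not the organisation’s tooling and not any vendor’s NetFlow export format. The flow records, IP addresses and port labels are constructed for the demonstration, and the record layout (source, destination, destination port, protocol) is an assumption. Starting from one known asset, it follows outbound flows to find the app servers and databases that asset depends on, and answers the reverse question of who initiates connections to a given system.

```python
"""Added example: walking NetFlow-style records outward from a seed asset to
discover its dependencies (web tier -> app servers -> databases)."""
from collections import defaultdict, deque

# Constructed flow summaries: (src_ip, dst_ip, dst_port, protocol).
FLOWS = [
    ("203.0.113.10", "10.0.1.5", 443, "tcp"),   # internet client -> web tier
    ("10.0.1.5", "10.0.2.11", 8080, "tcp"),     # web -> app server 1
    ("10.0.1.5", "10.0.2.12", 8080, "tcp"),     # web -> app server 2
    ("10.0.2.11", "10.0.3.20", 5432, "tcp"),    # app 1 -> PostgreSQL
    ("10.0.2.12", "10.0.3.20", 5432, "tcp"),    # app 2 -> PostgreSQL
    ("10.0.2.12", "10.0.3.21", 3306, "tcp"),    # app 2 -> MySQL
    ("10.0.2.11", "10.0.0.53", 53, "udp"),      # app 1 -> DNS
    ("10.0.9.9", "10.0.3.20", 5432, "tcp"),     # unrelated host -> PostgreSQL
]

# Assumed port-to-service labels ("they're talking this database language").
PORT_LABELS = {443: "https", 8080: "http-alt", 5432: "postgresql",
               3306: "mysql", 53: "dns"}


def build_graph(flows):
    """Map each source IP to the set of (dst_ip, dst_port, proto) it talks to."""
    graph = defaultdict(set)
    for src, dst, port, proto in flows:
        graph[src].add((dst, port, proto))
    return graph


def dependencies(flows, seed, max_depth=3):
    """Breadth-first walk from `seed`, following only outbound flows, so the
    result is the set of systems the seed relies on rather than everything
    that merely connects to it. Returns {ip: (hop_depth, {service labels})}."""
    graph = build_graph(flows)
    seen = {seed: (0, set())}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        depth = seen[cur][0]
        if depth >= max_depth:
            continue
        for dst, port, proto in graph.get(cur, ()):
            label = PORT_LABELS.get(port, f"{proto}/{port}")
            if dst not in seen:
                seen[dst] = (depth + 1, set())
                queue.append(dst)
            seen[dst][1].add(label)
    return seen


def who_talks_to(flows, target):
    """The reverse question: which hosts initiate flows to `target`?"""
    return sorted({src for src, dst, _, _ in flows if dst == target})


if __name__ == "__main__":
    deps = dependencies(FLOWS, "10.0.1.5")
    for ip, (depth, labels) in sorted(deps.items(), key=lambda kv: kv[1][0]):
        print(f"{'  ' * depth}{ip} {sorted(labels)}")
    print("inbound to 10.0.3.20:", who_talks_to(FLOWS, "10.0.3.20"))
```

Note that the unrelated host 10.0.9.9 never appears in the ecommerce site’s dependency tree even though it talks to the same database; the reverse lookup is what surfaces it, which is exactly the kind of unexpected relationship worth a second look.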

[Are you missing the downsides of big data security analysis? See 3 Inconvenient Truths About Big Data In Security Analysis.]

Putting it together for meaningful answers through metrics
So what does all that correlation and contextualization look like in the real world? According to Collins, it can mean the difference between handing a business unit a report that says it has x amount of vulnerabilities on a laundry list of assets and handing them an enterprise threat readiness report.

“Since we’ve taken in more data, we’ve asked more complicated security questions, we’ve correlated that data and we’ve added this rich context, we’re able to say, here’s the different vulnerabilities broken down by insider threat, outsider threat, by regulation, by each individual threat and also going across the columns by the business unit,” he says.

As for security QA, the probing questions are based on what the organization needs to know, not on what data is offered ready-made by a security tool.

For example, they say their organization has asked ‘Which users have the worst security behavior?’ and, by correlating system configuration information, web proxy events and malware events, learned that 90 percent of the problems come from 1 percent of the users.

“Which really sets us up to do targeted follow-up security awareness training,” White says.

What’s more, they took that a step further and asked ‘Which users are the riskiest users?’ and tied the answers from the previous question to its application risk catalog and user permissions to see how bad behavior looked across populations of users with access to the highest priority applications.
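The two questions above, the worst-behaved users and then the riskiest users, differ only in what the behaviour data is joined against. The example below is added here and is not the organisation’s own tooling: it counts problem events per user from proxy and anti-malware logs, measures how concentrated they are in the top one percent of users, and then weights each user’s count by the highest-risk application they can reach. Every event, user, application and risk weight is constructed for the demonstration.

```python
"""Added example: from 'who behaves worst' to 'who is riskiest' by joining
behaviour counts with an application risk catalogue and permissions."""
from collections import Counter

# Constructed web-proxy events: (user, URL category, action taken).
PROXY_EVENTS = [
    ("alice", "malware-site", "blocked"), ("alice", "phishing", "blocked"),
    ("alice", "malware-site", "blocked"), ("alice", "news", "allowed"),
    ("bob", "news", "allowed"), ("carol", "social", "allowed"),
    ("dave", "phishing", "blocked"), ("erin", "news", "allowed"),
    ("frank", "shopping", "allowed"), ("grace", "news", "allowed"),
]
# Constructed endpoint anti-malware detections: (user, detection name).
MALWARE_EVENTS = [("alice", "Trojan.Generic"), ("alice", "Adware.Bundle"),
                  ("dave", "Trojan.Generic")]
# Constructed application risk catalogue: 1 = low, 5 = critical.
APP_RISK = {"erp-finance": 5, "crm": 3, "wiki": 1}
# Constructed access permissions (what AD group membership would give you).
PERMISSIONS = {
    "alice": {"wiki"}, "bob": {"erp-finance", "crm"}, "carol": {"crm"},
    "dave": {"erp-finance", "wiki"}, "erin": {"wiki"}, "frank": {"crm"},
    "grace": {"wiki"}, "heidi": {"erp-finance"}, "ivan": {"wiki"},
    "judy": {"crm", "wiki"},
}
BAD_CATEGORIES = {"malware-site", "phishing"}


def problem_counts(proxy_events, malware_events):
    """Problem events per user: proxy hits on malicious categories plus
    anti-malware detections on that user's machine."""
    counts = Counter()
    for user, category, _action in proxy_events:
        if category in BAD_CATEGORIES:
            counts[user] += 1
    for user, _detection in malware_events:
        counts[user] += 1
    return counts


def concentration(counts, users, top_fraction=0.01):
    """Which users make up the top `top_fraction` (at least one user), and
    what share of all problem events they account for."""
    n_top = max(1, int(len(users) * top_fraction))
    ranked = counts.most_common()
    total = sum(counts.values())
    top_users = [user for user, _ in ranked[:n_top]]
    share = sum(n for _, n in ranked[:n_top]) / total if total else 0.0
    return top_users, share


def risk_ranking(counts, permissions, app_risk):
    """Score = problem events x risk of the most sensitive application the
    user can reach, so the same bad behaviour on an account with finance
    access outranks it on a wiki-only account. Sorted riskiest first."""
    scores = {}
    for user, apps in permissions.items():
        exposure = max((app_risk.get(app, 0) for app in apps), default=0)
        scores[user] = counts.get(user, 0) * exposure
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    counts = problem_counts(PROXY_EVENTS, MALWARE_EVENTS)
    top, share = concentration(counts, PERMISSIONS)
    print(f"worst behaved: {top}, {share:.0%} of problem events")
    print("riskiest:", risk_ranking(counts, PERMISSIONS, APP_RISK)[:3])
```

In the sample data alice generates most of the problem events but can only reach the wiki, while dave, with fewer events, has access to the finance system and therefore tops the risk ranking. That is the difference between the two questions.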

Like building up muscle through regular exercise, regularly asking and answering difficult security questions hones thought processes about data collection and correlation that can yield creative answers to some of the toughest metrics problems. For example, one of the most ‘intractable’ problems faced by White and plenty of others in the industry is understanding where sensitive data resides in unstructured data stores and who has access to those repositories.

In his organization’s case, answering that question meant deploying a Google search appliance, pointing it at the organization’s systems and configuring it to crawl and index unstructured data, so that his team could run regular expressions against the indexed content.

“You get the uniform resource locator and the filename and type of content found and the number of those records,” he says, explaining that by combining that with Active Directory information on user permissions for file shares or SharePoint, they can pinpoint who has access to the sensitive information.

As other organizations seek to engage in data-driven Q&A the way White and Collins’ organization did, Collins says a real key to the correlation and contextualization process is ensuring that there’s a common language for the data sets. It’s also important to understand who the owners are for every asset and every system.

“It’s great you collect this stuff,” he says, “but if you don’t have anyone you can communicate back to and have them act on it, it’s not really that valuable.”


Article source: http://www.darkreading.com/risk/know-thyself-through-data-driven-securit/240160924

Sophos honoured with Partnership Award by Queensland Police

If you’ve been reading Naked Security for a while, any or all of the following might ring a bell:

As quickly as I dare, let me run you through them.

Twelve years ago, QPS realised that cybercrime was costing Queensland alone, only the third most populous state in Australia with about 4.5 million inhabitants, many millions of Australian dollars a year.

Most of that money was leaving the Australian economy forever, often as cash transfers, stolen by crooks who had never set foot in Australia, and probably never would.

This was not a problem that QPS could solve without building partnerships with the computer security industry and with fellow cybercops overseas.

So they started up Project Synergy, a series of activities, including annual conferences.

Sophos has been an enthusiastic supporter of these events right from the start.

That’s because the events are intended not only to bring together practitioners from around the world who share an interest in helping to protect our economies from cybercrime, but also to agree on some activities for the year ahead that will actually do something about it.

Sophos’s Signature Luncheons, which have been running in the Asia Pacific region for about the last ten years, are our own sort of Project Synergy.

In the words of someone I know very well, these events are intended to:

bring together experts and thought leaders in IT security for frank and open debate about the future of computer security.

We use the Chatham House Rule, which means you can tell other people what was discussed, but without mentioning who said what.

This encourages openness and the sharing of information, since all of us, competitors though we might be in day to day business life, face a common enemy: the cybercrooks.

The Signature Luncheon series has helped us not only to keep track of the changing nature of security threats, but also to agree on some activities for the year ahead that will actually do something about it.

Anyway, to close the circle: earlier this week, at the Queensland Police Fraud and Corporate Crime Symposium 2013, Sophos was honoured with a Partnership Award from the QPS.

The things we did that QPS particularly liked were: providing educational material for community groups; hosting the Signature Luncheon events to explore current and emerging issues; and raising greater awareness in the government and business communities regarding fraud and cybercrime.

Thank you, QPS!

We appreciate the recognition; we salute your efforts in tackling cybercrooks head on; and we look forward to more Synergy in 2014.

PS. Let me say publicly what a great job Sophos Australia Marketing has done, all these years, to run the many Signature Luncheons we have held. They take a lot of organising – just getting IT security speakers lined up is like herding cats, and that’s before you arrange a venue, and an audience, and, of course, the luncheon itself. Thanks, guys.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LalD3QnS9_I/

FTC slaps TRENDnet with 20 years’ probation over webcam spying flaw


The Federal Trade Commission has reached a settlement with US wireless webcam manufacturer TRENDnet that will commit the firm to third-party security audits for the next 20 years, plus two years of free technical support for its customers.

The FTC began its investigation last year after a list of the IP addresses of over 700 TRENDnet customers was posted online, allowing anyone to take a remote peek through the webcams’ lenses. The company rushed out a security patch to fix the problem, but the FTC report says that TRENDnet failed at several of the most basic levels of secure software development, and needed to be punished.


“The Internet of Things holds great promise for innovative consumer products and services,” said FTC chairwoman Edith Ramirez in a statement. “But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet.”

The report found that in February 2010 the firm added a Direct Video Stream Authentication (DVSA) feature, which allowed users to make the camera feeds public. The DVSA had a flaw that allowed the feeds to be secretly set as public regardless of the owner’s settings, and the FTC noted that 20 models of the firm’s cameras, some of which were branded under the title “SecurView”, were vulnerable.

The FTC’s investigation found that since April 2010 TRENDnet had not taken “reasonable steps” to ensure that its webcam products were secure. There was no security review of the original code base, nor any penetration testing done before the code’s release. The FTC also notes that login names and passwords of the IP webcams were transmitted over the internet, and stored on PCs and mobile devices, in plain text, making them easy to slurp.
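The two failings the FTC describes, a feed that could be made public regardless of the owner’s setting and credentials sent in the clear, both come down to where the authorisation decision is taken and what it trusts. The example below is added here; it is not TRENDnet’s firmware, whose code is not on the page, but a hypothetical stream-access check in the shape of that flaw, with the weak version beside a corrected one. The request format, field names, PBKDF2 parameters and the idea of a client-supplied `public` flag are all assumptions for the demonstration.

```python
"""Added example: a hypothetical camera stream authorisation check, weak
version (trusts a client-supplied 'public' flag, accepts credentials over
cleartext) beside a fixed one (owner's stored setting only, credentials only
over TLS, password stored as a salted hash)."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000   # assumption for the demo; tune for the device's CPU


@dataclass
class Camera:
    camera_id: str
    owner: str
    salt: bytes
    password_hash: bytes   # PBKDF2 of the owner's password, never the plaintext
    public: bool           # the OWNER's own privacy setting, stored server-side


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_camera(camera_id: str, owner: str, password: str, public: bool) -> Camera:
    salt = os.urandom(16)
    return Camera(camera_id, owner, salt, hash_password(password, salt), public)


def basic_auth_header(user: str, password: str) -> dict:
    """What a client sends: HTTP Basic is only base64, not encryption, which
    is why it must never travel over a cleartext connection."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def credentials_ok(cam: Camera, request: dict) -> bool:
    """Parse the Basic Authorization header and verify against the stored hash."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return False
    user_ok = hmac.compare_digest(user.encode(), cam.owner.encode())
    pw_ok = hmac.compare_digest(cam.password_hash, hash_password(password, cam.salt))
    return user_ok and pw_ok


def stream_allowed_weak(cam: Camera, request: dict) -> bool:
    """Weak: a flag the CLIENT sends decides whether the feed is public, so
    anyone who adds public=1 to the request bypasses the owner's setting."""
    if request.get("query", {}).get("public") == "1":
        return True
    return credentials_ok(cam, request)


def stream_allowed_fixed(cam: Camera, request: dict) -> bool:
    """Fixed: only the owner's stored setting can make a feed public, and
    credentials are refused unless the connection is TLS-protected."""
    if cam.public:
        return True
    if not request.get("tls", False):
        return False
    return credentials_ok(cam, request)


if __name__ == "__main__":
    cam = make_camera("cam-1", "owner", "hunter2", public=False)
    sneaky = {"query": {"public": "1"}, "headers": {}, "tls": False}
    print("weak, anonymous with public=1:", stream_allowed_weak(cam, sneaky))
    print("fixed, same request:          ", stream_allowed_fixed(cam, sneaky))
    good = {"headers": basic_auth_header("owner", "hunter2"), "tls": True}
    print("fixed, owner over TLS:        ", stream_allowed_fixed(cam, good))
```

The check that matters is the one the device cannot be talked out of: the `public` decision reads the owner’s stored setting, never a request parameter, and the cleartext path returns before any credential is examined, so a password is never validated (and never useful) over an unencrypted connection.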

Under the terms of the settlement, the firm will face a security audit every two years for the next 20 years and is barred from “misrepresenting” the secure nature of its products. No direct financial penalty was made against the company, but TRENDnet has been instructed to contact customers about security issues, provide them with free technical support for the next two years, and appoint a chief security officer.

There is growing concern over the increasing attention software crackers are paying to flaws in devices such as webcams. Last month a Texas family found the webcam monitoring their two-year-old daughter had been hacked, and a British or European man was heard shouting obscenities at the child.

In that case, the cracker had exploited a flaw in the control software of the family’s Foscam webcam and given himself root access. The family is reportedly looking into pursuing a class-action suit against the Chinese vendor.

There is a vast pool of unsecured or insecure hardware out there. In March a researcher managed to temporarily hijack 420,000 IPv4 devices by finding those requiring admin/admin or root/root username-password login, or no password at all to get root access. Thankfully he just used it to map out the internet, but the study raised some serious security questions.

There’s no doubt that many manufacturers are now looking more seriously at the issue, but not quickly enough for the FTC. Searching on the vulnerability-scanning search engine Shodan still shows far too many vulnerable systems waiting to be cracked, and companies with an interest should check out their systems before the Feds take note. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/05/ftc_slaps_trendnet_with_20_years_probation_over_webcam_spying_flaw/

Reports: NSA has compromised most internet encryption


The NSA and the GCHQ have compromised much encryption used on the internet through a potent mix of technological heft, spycraft, and collaboration with major technology companies, according to new reports.

In a series of news articles that highlight how the code-breaking crypto-fiddling agencies NSA and GCHQ are doing their job, ProPublica, The New York Times, and The Guardian disclosed on Thursday a wide-ranging campaign by the spies to smash internet crypto methods so as to better slurp data from the world+dog.


The NSA “has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show,” the NYT reports.

Though thin on specifics, the stories clearly outline that the agencies have developed a variety of methods to attack and gain access to data secured by either SSL, or inside a virtual private network (VPN). They also imply that they have put backdoors into crypto-systems and potentially widely used digital components, as well.

The spies have also worked with technology companies to gain a direct line to data stored in their servers, though the documents do not specify which companies in particular. Analysts can slurp away at the decrypted data through a highly classified program named “Bullrun”.

“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies. … Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable,” one memo from 2010 given to the spies at GCHQ, says.

New “groundbreaking capabilities” have also let the agencies inspect data that is intercepted from submarine cables, the reports state.

The gist of the reports is that the agencies have probably compromised SSL via gaining certificates and encryption keys to the point where they can perform man-in-the-middle attacks on widely used applications. GCHQ is alleged to have broken the security on some 30 VPN systems, and has plans to get into 300 by 2015.

Though mega-leaker Edward Snowden has previously claimed end-to-end encryption can protect users, the thorough ways in which the agencies have worked to compromise endpoints makes it unlikely that users on either end of a communication have access to clean hardware.

So it goes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/05/nsa_gchq_ssl_reports/