There have been many shocking revelations by Edward Snowden, including Friday’s disclosure of some of the details of how the NSA (US) and GCHQ (UK) allegedly eavesdrop on the internet. Before panicking, let’s take a look at what has been disclosed and at security experts’ opinions on the implications.
We summarize the key points below (with excerpts taken from Bruce Schneier’s article on the Guardian).
- A summary of XKeyScore, the NSA spying system: Snowden claims that the NSA XKeyScore system can track email addresses, logins, phone numbers, IP addresses and online activities — files, email contents, Facebook chats, for example — and can cross-reference this information with other metadata. The disclosure also suggests that the NSA regularly breaks VPN traffic, though further details are not given.
- Some countries are less secure than others: Leveraging its secret agreements with telecommunications companies – all the US and UK ones, and many other “partners” around the world – the NSA gets access to the communications trunks that move internet traffic. In cases where it doesn’t have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.
- The NSA does not magically break encryption; it usually does so by exploiting existing weaknesses or building backdoors into commercial products: The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. First, there’s a lot of bad cryptography out there. If it finds an internet connection protected by MS-CHAP, for example, that’s easy to break and recover the key. It exploits poorly chosen user passwords, using the same dictionary attacks hackers use in the unclassified world. The NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: Crypto AG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. A few people have told me some recent stories about their experiences, and I plan to write about them soon. Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.
- The NSA focuses on metadata more than content: The NSA collects much more metadata about internet traffic: who is talking to whom, when, how much, and by what mode of communication. Metadata is a lot easier to store and analyze than content. It can be extremely personal to the individual, and is enormously valuable intelligence.
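To show why metadata alone is so revealing, here is an added example (not from the original post or from any of the cited articles) that builds exactly the kind of profile the point above describes from a handful of constructed flow records: who talked to whom, how often, how much, when, and by which mode, without ever touching payload content. The hosts, ports and byte counts are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not real data): timestamp, src, dst, dst port, bytes.
FLOWS = """\
2013-09-06T08:01:10 10.0.0.5 203.0.113.7 443 5200
2013-09-06T08:01:12 10.0.0.5 203.0.113.7 443 48000
2013-09-06T08:03:00 10.0.0.5 198.51.100.2 25 2100
2013-09-06T09:15:44 10.0.0.5 203.0.113.7 443 900
2013-09-06T09:16:00 10.0.0.9 198.51.100.2 25 1700
2013-09-06T22:40:13 10.0.0.5 192.0.2.44 5060 300
2013-09-06T22:40:20 10.0.0.5 192.0.2.44 5060 640000
"""

# Destination port -> "mode of communication", as the article phrases it (assumed mapping).
MODES = {443: "https", 25: "email", 5060: "voip", 1194: "openvpn"}

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows

def contact_profile(flows):
    """Aggregate per (src, dst) pair: flow count, total bytes, first/last seen, modes.
    No payload is inspected; everything here comes from headers and timing."""
    prof = {}
    for ts, src, dst, port, nbytes in flows:
        p = prof.setdefault((src, dst), {"count": 0, "bytes": 0, "first": ts, "last": ts, "modes": set()})
        p["count"] += 1
        p["bytes"] += nbytes
        p["first"] = min(p["first"], ts)
        p["last"] = max(p["last"], ts)
        p["modes"].add(MODES.get(port, f"port{port}"))
    return prof

def common_contacts(prof):
    """Peers reached by more than one source host: this links otherwise separate users."""
    by_dst = defaultdict(set)
    for src, dst in prof:
        by_dst[dst].add(src)
    return {d: s for d, s in by_dst.items() if len(s) > 1}

if __name__ == "__main__":
    p = contact_profile(parse_flows(FLOWS))
    for (src, dst), v in sorted(p.items()):
        print(f"{src} -> {dst}: {v['count']} flows, {v['bytes']} bytes, "
              f"{sorted(v['modes'])}, {v['first']:%H:%M}..{v['last']:%H:%M}")
    print("shared contacts:", common_contacts(p))
```

Even this tiny sample shows a late-night VoIP session, a mail server that two hosts share, and a web site visited repeatedly, all without a single byte of content.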
- The NSA has capabilities against commonly used security mechanisms such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL).
What does this mean and how do I protect myself?
- Use secure open source VPN technologies. Do not trust commercial proprietary VPNs. PPTP is blatantly insecure and can be considered unencrypted. L2TP/IPsec may be insecure due to its close ties with the NSA. OpenVPN is based on TLS technology, which thus far appears to be secure. BolehVPN uses OpenVPN technology in its open source form, although we do have a limited implementation of L2TP/IPsec for compatibility with devices that do not support OpenVPN and do not necessarily need a high level of security (e.g. TV boxes used to access geo-specific content). We do not use the closed source OpenVPN Access Server edition. Having it open source reduces the chance of the NSA/GCHQ introducing secret backdoors into the protocol.
- SSL may no longer be secure: There are indications that SSL may be broken or that the Certificate Authorities may be cooperating with the NSA/GCHQ. This means most commercial SSL that protects banks, e-mail and social media websites may be at risk. Using a VPN in conjunction with SSL adds another layer to crack and makes it harder for the NSA/GCHQ to create relevant metadata.
- Don’t use providers in the US/UK: BolehVPN is 100% Malaysian owned. We do offer US and UK servers but do not recommend sensitive information being transacted over those servers.
- If you’re not doing terrorist or highly sensitive activities, BolehVPN’s services should be sufficient: BolehVPN employs cryptographically secure protocols and does not cooperate with governments to install backdoors into its products.
- Use Tor to sign up and register for our VPN, and pay using Bitcoin: This makes it harder to identify you via metadata and financial transactions.
In the constant arms race between internet security and government surveillance, the key point for the average user is to protect your internet connections as much as you can and to secure the lowest-hanging fruit first. Remember that your security is only as strong as the weakest link, and if people have to resort to brute-forcing techniques, you’re probably doing something right. Security is always a multi-pronged approach. No one can guarantee unbreakability, but cracking involves a lot of work, and for the average user it is not worth the time and effort of the NSA/GCHQ to dedicate such resources against you, unless you’re a person of high interest, in which case you shouldn’t be using our service anyway.
Sources:
- The Guardian: NSA surveillance: A guide to staying secure
- Revealed: How UK and US spy agencies defeat internet privacy and security
- NY Times: How the NSA cracked the Web
- VPNVerge: Can the NSA crack VPN?
- BestVPN: NSA breaks and undermines many kinds of encryption
- Why OpenVPN uses TLS
- Information Week: NSA surveillance can penetrate VPNs