Unanswered Questions on the NSA Leaks

The flood of documents regarding the NSA’s collection methods and capabilities that have been leaked this summer has produced thousands of news stories and several metric tons of speculation about what it all means. But for all of the postulating, analysis and reporting, there are still a lot of questions left unanswered in all of this. Let’s try to address some of them.

Can the NSA break the encryption used in HTTPS connections or secure email systems?

For some definitions of “break,” yes. After the overheated reaction to the leak of the documents detailing some of the NSA’s cryptographic capabilities died down, experts took a closer look at the information and began to coalesce around the idea that the agency is essentially doing what it is supposed to do: find ways to defeat encryption. This is done in various ways, including exploiting software vulnerabilities in crypto implementations, running man-in-the-middle attacks and perhaps using mathematical advances that give the NSA the ability to decrypt some traffic. Some of the leaked documents imply that the NSA may have worked to deliberately weaken certain cryptographic standards or algorithms, specifically ones approved by NIST, the U.S. agency that approves technical standards for the federal government. NIST has denied those allegations, and there are no details right now about which standards are supposedly affected. There are known attacks against some of the more popular ciphers and cryptosystems, and some of them are practical. But the easiest way to defeat encryption remains going after anything other than the encryption: the implementation, the keys, the endpoints and the people who hold them.

Does that mean I shouldn’t use encrypted email?

No, it doesn’t. Bruce Schneier, who has examined some of the unpublished leaked NSA documents, said that he still trusts the math on which the major encryption algorithms are based. “Honestly, I’m skeptical. Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts,” Schneier wrote. Using secure email is still a good defense against eavesdropping and attacks, even from the most sophisticated adversaries. Schneier and other experts recommend using longer key lengths, such as 2048 or even 4096 bits, as insurance.

Should I consider the Internet to be a hostile environment?

Yes! But that was true long before any of these NSA-related leaks emerged. The Internet is a dirty, nasty place not fit for use by most decent people. In general, it’s safe to assume that the Internet is trying to do you (or your packets) some kind of harm at all times. Act accordingly.

Why does the NSA care about my email?

It’s not you they care about, individually. It’s the plural you that interests them. The NSA’s job is to collect intelligence on foreign threats, mainly terrorists, and analyze it. That intelligence is usually in the form of electronic communications, what’s known as signals intelligence, and thanks to the rise of the Internet and the explosion in cell phone usage, there is now many times more of that traffic to gather than there was just 15 years ago. And a good portion of that traffic is encrypted these days, with major email providers such as Google encrypting their users’ sessions and more and more sites offering SSL connections to users. The NSA is tasked with sifting through all of that traffic and finding indications of terrorist or anti-American activity by foreigners. But those foreigners don’t always communicate only with each other, and so sometimes U.S. citizens’ traffic ends up in the net as well. When that happens, the agency is supposed to discard it in most cases, as the NSA’s mission only applies to non-U.S. persons. But what the leaked documents show is that the agency has been collecting massive amounts of phone metadata and email and Internet traffic involving Americans.

Are they just storing this stuff indefinitely?

That’s not clear right now. Some of the encrypted communications are stored for long periods, in the hope that the NSA may be able to decrypt them at some point in the future. But whether that is happening now using some of the agency’s supposed capabilities against cryptographic algorithms isn’t known.

I read something about the NSA running man-in-the-middle attacks against Google and other companies. What does that mean?

There’s a diagram that’s surfaced online of how this kind of attack may have been done. It’s a pretty basic set-up and is one of many ways that an adversary could conduct a MITM attack on a target. In general, MITM attacks are used to intercept communications between a sender and receiver, and they’re particularly valuable against encrypted traffic. If the attacker can get to the traffic before it’s encrypted and sent off to Google or whatever the destination is, he has essentially defeated the encryption scheme without having to attack the encryption itself. MITM attacks can be accomplished in several ways, including using a forged or stolen digital certificate to impersonate a service such as Gmail, or compromising a wireless router that a target is using, intercepting the traffic and using a tool such as SSLstrip to keep the victim’s side of the connection in plaintext. SSLstrip doesn’t decrypt anything: it talks HTTPS to the real server on the victim’s behalf while serving the victim a copy of each page in which every https:// link has been rewritten to http://, so the browser never upgrades to an encrypted connection and sends passwords and cookies in the clear to the attacker. The diagram in question doesn’t seem to involve the use of a stolen certificate, but rather the ability of the attacker to somehow access a router in the network that’s processing Google requests. Either way, that kind of attack would give the attacker the ability to read communications that the user believes to be secure.
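To make the SSLstrip step concrete, here is an added example (not code from the article, and not the diagram’s contents) that shows the link rewrite an SSLstrip-style MITM performs on a plaintext page, alongside the check that defeats it on the client side: an HTTP Strict-Transport-Security (HSTS) policy, which the article does not mention but which is the standard countermeasure to this downgrade. The sample page, the hostnames and the header values are constructed for illustration.

```python
"""Added example: an sslstrip-style downgrade and the HSTS check that blocks it.

Every input below (page body, hostnames, header values) is constructed for
illustration; nothing here is taken from the leaked documents or the diagram.
"""
import re
from typing import Iterable, NamedTuple, Optional


class HstsPolicy(NamedTuple):
    host: str                 # host that sent the Strict-Transport-Security header
    max_age: int              # seconds the browser must keep insisting on HTTPS
    include_subdomains: bool  # whether the policy also covers *.host


HTTPS_URL = re.compile(r"\bhttps://", re.IGNORECASE)


def strip_https(body: str) -> str:
    """What the attacker does to a page fetched on the victim's behalf.

    The MITM speaks real HTTPS to the server, then hands the victim a copy in
    which every https:// reference has become http://. The victim's browser
    follows the plaintext link and posts the login form to the attacker.
    """
    return HTTPS_URL.sub("http://", body)


def parse_hsts(host: str, header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header, e.g.
    'max-age=31536000; includeSubDomains'. Returns None if max-age is missing
    or malformed, which is how RFC 6797 tells clients to treat such a header.
    """
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(host.lower(), max_age, include_sub)


def host_matches(policy: HstsPolicy, host: str) -> bool:
    """Exact host match, or a subdomain match when the policy allows it."""
    host = host.lower()
    if host == policy.host:
        return True
    return policy.include_subdomains and host.endswith("." + policy.host)


def downgrade_blocked(policies: Iterable[HstsPolicy], url: str,
                      seconds_since_policy: int) -> bool:
    """Would a browser holding these cached policies refuse the stripped link?

    A client with a fresh, matching policy rewrites http:// to https:// before
    sending a single byte, so the attacker's downgraded link is never used.
    An expired policy, or one for an unrelated host, offers no protection.
    """
    m = re.match(r"(?i)http://([^/:]+)", url)
    if not m:
        return False  # already https://, or not an http URL at all
    host = m.group(1)
    return any(host_matches(p, host) and seconds_since_policy < p.max_age
               for p in policies)


# Constructed sample: a login page as the real server would send it over TLS.
SAMPLE_PAGE = (
    '<form method="post" action="https://accounts.example.com/login">\n'
    '  <a href="https://mail.example.com/inbox">Inbox</a>\n'
    '</form>\n'
)

if __name__ == "__main__":
    stripped = strip_https(SAMPLE_PAGE)
    print("Victim receives:\n" + stripped)
    policy = parse_hsts("example.com", "max-age=31536000; includeSubDomains")
    link = "http://accounts.example.com/login"
    print("HSTS blocks downgrade (fresh policy):",
          downgrade_blocked([policy], link, 3600))
    print("HSTS blocks downgrade (expired policy):",
          downgrade_blocked([policy], link, 40_000_000))
```

The important caveat the code makes visible: HSTS only helps on the second visit. The very first connection to a site, before any policy is cached, is exactly the one a router-level attacker like the one in the diagram can strip, which is why browser preload lists exist for the largest sites.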

So, is the Internet over?

Not quite yet. But there are apparently a lot more documents coming, so…

*Image above via Mark Turnauckas‘ Flickr photostream, Creative Commons

  • LeeW on

    Some observations: - Google is mentioned a LOT! - When our government turns our data/weapons on US, they are committing an unconstitutional and illegal act against America... - Storing every bit of information on all citizens of America (legal citizens) for future use when needed is a despicable act of treason against our nation/America and our Constitution! This same constitution solemnly protects us against tyrants like this brood in our high places, but ALSO protects a legal and constitutionally respectful government from acts against it by a popular uprising of her citizens in response to the shredding of this sacred contract! The immoral acts being committed by this administration, by the very act of disobeying the constraints of the US Constitution, now expose them to the backlash of her citizenry, now freed from this constraint! Once this administration removes this constraint, what's good for the goose is now good for the gander... This is a VERY dangerous road we are now on. This entire ugly criminal act by our illegal and rogue administration reminds me of the German Stasi of post-WWII Soviet Berlin. - Encryption: I have encrypted a 2 paragraph summation of what is about to transpire within this current administration. There is encryption that cannot be broken. Break this: *5
    • rabbit on

      So if you think that this has not gone on for 40 years, you are a bit naïve. The current or previous or future administrations have nothing to do with SIGINT. It has always been done, and will always be done. Get over it.
  • LeeW on

    40 years? Mr. Rabbit: You need to come out of your hole a bit further and look somewhat further back. What is 2 seconds compared to over 4 millennia? Don't be so offended at the mistaken notion that all this is somewhat of a post-modern observation of current events. Far from it! The events of today, and their roots in far past history and men's predilections for power and dominion, are very well documented in both secular and theological writings. Never before in all the history of our kind have we ever approached the zenith of total global domination by so few corrupt and despicably evil men whose sole purpose is to garner total control over humanity and force their corruption and perdition onto all, with such brazen abandon. Mr. Rabbit: The stage is set. The players are moved into place. The final act is about to open... Your problem, Mr. Rabbit, is that you're looking through the wrong pair of eyes.
