Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Says They Have VPNs In a 'Vulcan Death Grip'

Posted by Soulskill on from the +1-for-attempting-a-trek-reference dept.

An anonymous reader sends this quote from Ars Technica: The National Security Agency's Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Speigel. A slide deck from a presentation by a member of OTP's VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs—including tools with names drawn from Star Trek and other bits of popular culture.

7 of 234 comments (clear)

  1. Re:4 years ago? by khasim · · Score: 5, Interesting

    It's not so much the VPN technology as it is the failure to correctly implement and secure it.

    TFA leaves the real content until the end of the article:

    The data is then replayed from the repositories through a set of attack scripts, which use sets of preshared keys (PSKs) harvested from sources such as exploited routers and stored in a key database ...

    So if the NSA wants to "crack" your VPN session they first record it (we know how they do that) then they try to brute force that recording using what is, essentially, a dictionary attack.

    TFA seems more entranced by the cutesy names than by the technology.

  2. Good news by Charliemopps · · Score: 4, Interesting

    This is actually good news. The clearly state that "Ubiquitous Encryption" is a threat to the NSA. They are currently assuming that encrypted traffic is something they should target so if everything's encrypted... viola.

    So go out, encrypt everything you can. I'm looking directly at you SlashDot. Fix your 10yrs out of date website for christs sake. You want me to start using "Beta"? Secure it!

  3. Re: What IP address ranges are in the US? by Richard_at_work · · Score: 4, Interesting

    Does any other nation have an intelligence budget that even approaches that of the U.S.?

  4. What a stupid idea ... by CaptainDork · · Score: 2, Interesting

    ... I downloaded the Tor browser and I'm, like going to cnn, disney, xvideos, and then I try going to my Facebook page and WHAM!!!!

    I'm in validation mode,

    That's much better than the "command mode" ("commode" for short), but I had to prove I am me by sending Facebook my passport and giving them my phone number.

    The fucking NSA isn't allowed to blow their cover and stuff.

    --
    It little behooves the best of us to comment on the rest of us.
  5. We should use the DMCA by seeker_1us · · Score: 4, Interesting

    My content sent over VPNs is original work encrypted to protect it against those not authorized to have a copy. It is thus covered by copyright law. The NSA is circumventing encryption to obtain illegal access to copyright work.

  6. SSH is blocked in lots of represive regimes by Anonymous Coward · · Score: 3, Interesting

    SSH is great technology because the certificate is self signed and relies on TIME to protect it, even the NSA can't travel back in time and do a man in the middle attack on the first SSH link and every subsequent SSH session between those computers, to swap that cert.

    Likewise the documents said NSA was intercepting 10 million TLS (HTTPS) a day. By now, three years later that will be 100 million or a billion. The problem is the certificate authorities are US companies and all backdoored by the NSA. SSH doesn't have this problem, the certificate is self signed, we don't trust the certificate authority to verify the source of the certificate as us and not the NSA.

    Also my port 22 SSH is blocked, and I live in one of those Asian repressive regimes, so I take it as a sign that SSH is considered secure by said repressive regime because they block it.

  7. Re: What IP address ranges are in the US? by sound+vision · · Score: 4, Interesting

    You don't think there's still the old-school hacker way to break into systems, by hacking, not buying backdoors from corporations? I'd wager that a team of no more than 5 or 10 top-notch hackers could pull off a Stuxnet- or Sony-style attack. And it may only take the cost-equivalent of 50 soldiers-with-tanks-and-support-column to do it. Normal soldiers are actually really expensive when you think of all the supplies and equipment they need in addition to just the pay and benefits. To house and feed a literal army of men for years at a time probably costs much more than putting up a roomful of hackers. Have you ever heard of the term "asymmetric warfare"? Many countries are missing entire branches of military like navy and air force and their associated expenditures. Think of the R&D funding for that alone going to hackers - you could have a hacker army. All you need is the right recruiting program, which is probably easier to put together than the US military budget. I predict we will see many more high-profile breaches before people start taking security more seriously.