Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Says They Have VPNs In a 'Vulcan Death Grip'

Posted by Soulskill on from the +1-for-attempting-a-trek-reference dept.

An anonymous reader sends this quote from Ars Technica: The National Security Agency's Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Speigel. A slide deck from a presentation by a member of OTP's VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs—including tools with names drawn from Star Trek and other bits of popular culture.

12 of 234 comments (clear)

  1. Re:4 years ago? by khasim · · Score: 5, Interesting

    It's not so much the VPN technology as it is the failure to correctly implement and secure it.

    TFA leaves the real content until the end of the article:

    The data is then replayed from the repositories through a set of attack scripts, which use sets of preshared keys (PSKs) harvested from sources such as exploited routers and stored in a key database ...

    So if the NSA wants to "crack" your VPN session they first record it (we know how they do that) then they try to brute force that recording using what is, essentially, a dictionary attack.

    TFA seems more entranced by the cutesy names than by the technology.

  2. Re: What IP address ranges are in the US? by dpilot · · Score: 4, Insightful

    Plus don't forget, the NSA simply must be the only agency in the world trying to do this sort of thing. I'm sure that no other nation has any interest whatsoever in gathering this type or depth of information, for any reason at all.

    --
    The living have better things to do than to continue hating the dead.
  3. Re: What IP address ranges are in the US? by bragr · · Score: 4, Informative

    That is harder than you'd think. A surprising amount of data ends up going through the US. A lot of the EU-Asia traffic ends up going through the US as the indian ocean routes are relatively slow, and AFAIK Russia hasn't built any extensive cross continent fiber networks.

  4. Sigh. by ledow · · Score: 5, Insightful

    So if they have the PSK, then they can decrypt your VPN connection?

    Yeah, not surprising.

    Nowhere does it say they actually have effective techniques for extracting the PSK from, say, a Diffie-Hellman exchange. Because.... well... pretty much, nobody can.

    But, sure, if you plug in your VPN PSK into a router that's then compromised, your PSK is then public knowledge. Hell, in most places it's listed in your Cisco CLI and extractable if you have access to it (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/82076-preshared-key-recover.html).

    Isn't this why we have several things, not least SSL VPN with proper keychains, certificate revocation, passphrase-protected keys, etc.?

    You can try to scaremonger all you like (this is, what? The fourth of fifth article this month with scaremongering like this about Tor, SSL, etc.?). Fact is nobody has demonstrated, or even pointed to suspicious circumstances that may hint, that the NSA or anyone else are doing anything different to the bad guys out there - finding out that compromising the devices is generally easier than decrypting proper TLS security. And nobody's been seen to actually have a shred of evidence that they can decrypt TLS by any way other than being handed the keys.

    All this does is tell me the exact OPPOSITE of what the little guy (and presumably anyone reading this article, shame on you Slashdot) would take home. The NSA aren't able to do anything more than I thought they could. That the encryption is serving it's purpose to the point that it's easier to compromise the routers en-masse than it is to break the encryption.

    All this does is say to me "Keep doing what you're doing". Use proper PKE with decent size keys and secure them as much as humanly possible.

    All I've thought about these kinds of articles for the past year is "What are you trying to scare me onto?" Truecrypt, SSL, PFS etc. It all points towards a certain set of algorithms which are hailed as the "solution" to all these problems - Elliptic Curve. Strangely, one of the "official" curved was designed in co-operation with these people and they won't provide justification for it, and their track-record in this area is quite well-known. These are the people who paid RSA to weaken their encryption, the people who didn't want us to be able to have large-bit encryption available in any case, and who wanted us to have backdoored chips protecting our devices.

    PKE is doing it's job at the moment. I'd hate to think that we all jump-ship to the thing that's ACTUALLY broken, in our haste to secure things against this kind of propaganda.

    1. Re:Sigh. by ledow · · Score: 4, Insightful

      Your choice of OS, if you have something worth encrypting and hiding, is the least of your worries.

      If you have any brains at all, all key generation is done offline on a clean machine and then that machine destroyed. Only a specific, purpose-built target on YOU would stop that working as intended without informing the NSA, and then they may as well just listen in to the room anyway.

      What you are falling into is the "movie hackers" fallacy - "Gosh, everything hackable therefore everything is hacked all the time". If you have a clean, from-disk OS, even, and keep it off the net, and sign your messages with your pre-generated private key on a device that goes NOWHERE and only gets turned on when you need to use it - fuck 'em. Quite what power do you think they have over that?

      The problem with modern day stuff is ALL Internet-access-based. Hell, most people think a computer isn't a computer unless it's on the Internet nowadays.

      Don't get me wrong, if you're targeted by the NSA, I'm sure they can get to you somehow. But I can assure you they were targeting Bin Laden and he survived, what, a decade with the whole world looking for him? He was found to be couriering USB keys down to the local cybercafe.

      Targeted malware only works if you're stupid enough to expose the machine to the net, or run programs that aren't verifying content. Fuck trying to "infect" someone who only reads their mail via "mutt", for example. It's all Hollywood tripe.

      If there's a terrorist with a brain out there, and they are trying to avoid the NSA's glare, I'd be quite annoyed at their stupidity if they aren't using read-only boot media, a bunch of random devices bought in shops, PKE, and programs that aren't mainstream enough to have exploits written for them.

      Fuck, even I know how to encrypt mail offline and have read my mail accounts via telnet in the past.

      If you're targeted, malware is the fucking least of your worries, and easily countered by not allowing your PC to come into contact with it. Even that stuff about some malware making computers "talk" over audio channels to cross air-gaps only works when computers are infected in the first place.

      We even have double-compilation-verification built operating systems, and you can boot some old shit off a floppy image from pre-Windows days if you're really paranoid.

      The problem is not that - it's not encrypting, generating, or securing your message. It's how do you get your message to the wider net from there, and that identifies your location quite quickly. However, as pointed out above, you can sit in the same location for ten years with a willing stooge to courier to nearby cybercafes and NEVER get caught that way.

      It lacks in imagination to think that the NSA, or indeed any intelligence agency, is really as good as you think they are. I'm a massive fan of GCHQ history, for instance, and I quite believe that today's GCHQ is a shadow of it's former self forced to resort to asking Facebook for copies of its data. Given that they invented this type of stuff to prevent EXACTLY what they are trying to do now, it's hilarious that it's backfired to the point where they are having to convince you they really can listen to everything, everywhere, always.

      If they could do that, you would never hear of it. Because, you see, they'd know about all the leaks and be able to stop them in their tracks - legally or illegally.

  5. Good news by Charliemopps · · Score: 4, Interesting

    This is actually good news. The clearly state that "Ubiquitous Encryption" is a threat to the NSA. They are currently assuming that encrypted traffic is something they should target so if everything's encrypted... viola.

    So go out, encrypt everything you can. I'm looking directly at you SlashDot. Fix your 10yrs out of date website for christs sake. You want me to start using "Beta"? Secure it!

    1. Re:Good news by wbr1 · · Score: 4, Insightful
      To what end should slashdot secure itself? Are you storing confidential info here? It is a public forum. Anyone, including an NSA agent can browse all your postings regardless of any encryption used between you and this site.

      There would need to be a compelling business/financial reason for any site to do so. Helping others hide their traffic is not all that compelling from a beancounters point of view.

      --
      Silence is a state of mime.
  6. Re:What IP address ranges are in the US? by gatkinso · · Score: 4, Informative

    My guess is that you overlooked the "USA, AUS, CAN, GBR, NZL" at the top of the slides.

    --
    I am very small, utmostly microscopic.
  7. Re: What IP address ranges are in the US? by Richard_at_work · · Score: 4, Interesting

    Does any other nation have an intelligence budget that even approaches that of the U.S.?

  8. Re: What IP address ranges are in the US? by itsenrique · · Score: 5, Funny

    With those ping times, you sure won't have the first laugh.

  9. We should use the DMCA by seeker_1us · · Score: 4, Interesting

    My content sent over VPNs is original work encrypted to protect it against those not authorized to have a copy. It is thus covered by copyright law. The NSA is circumventing encryption to obtain illegal access to copyright work.

  10. Re: What IP address ranges are in the US? by sound+vision · · Score: 4, Interesting

    You don't think there's still the old-school hacker way to break into systems, by hacking, not buying backdoors from corporations? I'd wager that a team of no more than 5 or 10 top-notch hackers could pull off a Stuxnet- or Sony-style attack. And it may only take the cost-equivalent of 50 soldiers-with-tanks-and-support-column to do it. Normal soldiers are actually really expensive when you think of all the supplies and equipment they need in addition to just the pay and benefits. To house and feed a literal army of men for years at a time probably costs much more than putting up a roomful of hackers. Have you ever heard of the term "asymmetric warfare"? Many countries are missing entire branches of military like navy and air force and their associated expenditures. Think of the R&D funding for that alone going to hackers - you could have a hacker army. All you need is the right recruiting program, which is probably easier to put together than the US military budget. I predict we will see many more high-profile breaches before people start taking security more seriously.