Adobe Servers Breached - 3 million users data stolen, source code stolen

Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers. Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident. We’re taking the following steps:

  • As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.
  • We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.
  • We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.
  • We have contacted federal law enforcement and are assisting in their investigation.

We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident. For more information, please see the blog post here.

We value the trust of our customers. We will work aggressively to prevent these types of events from occurring in the future. Again, we deeply regret any inconvenience this may cause you. If you would like additional information, please refer to Adobe’s Customer Support page.

Brad Arkin
Chief Security Officer

Private email service fights court order demanding SSL keys then shutsdown.

The U.S. government in July obtained a search warrant demanding that Edward Snowden’s e-mail provider, Lavabit, turn over the private SSL keys that protected all web traffic to the site, according to to newly unsealed documents.

The July 16 order came after Texas-based Lavabit refused to circumvent its own security systems to comply with earlier orders intended to monitor a particular Lavabit user’s metadata, defined as “information about each communication sent or received by the account, including the date and time of the communication, the method of communication, and the source and destination of the communication.”

The name of the target is redacted from the unsealed records, but the offenses under investigation are listed as violations of the Espionage Act and theft of government property — the exact charges that have been filed against NSA whistleblower Snowden in the same Virginia court.

The records in the case, which is now being argued at the 4th U.S. Circuit Court of Appeals, were unsealed today by a federal judge in Alexandria, Virginia. They confirm much of what had been suspected about the conflict between the pro-privacy e-mail company and the federal government, which led to Lavabit voluntarily closing in August rather than compromise the security it promised users.

The filings show that Lavabit was served on June 28 with a so-called “pen register” order requiring it to record, and provide the government with, the e-mail “from” and “to” lines on every e-mail, as well as the IP address used to access the mailbox. Because they provide only metadata, pen register orders can be obtained without “probable cause” that the target has committed a crime.

In the standard language for such an order, it required Lavabit to provide all “technical assistance necessary to accomplish the installation and use of the pen/trap device”

A conventional e-mail provider can easily funnel email headers to the government in response to such a request. But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.

Lavabit founder Ladar Levison balked at the demand, and the government filed a motion to compel Lavabit to comply. Lavabit told the feds that the user had “enabled Lavabit’s encryption services, and thus Lavabit would not provide the requested information,” the government wrote.

“The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system,’” the government complained.

U.S. Magistrate Judge Theresa Buchanan immediately ordered Lavabit to comply, threatening Levison with criminal contempt — which could have potentially put him in jail.

By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”

With the SSL keys, and a wiretap, the FBI could have decrypted all web sessions between Lavabit users and the site, though the documents indicate the bureau still trying only to capture metadata on one user.

Levison went to court to fight the demand on August 1, in a closed-door hearing before Claude M. Hilton, Senior U. S. District Court Judge for the Eastern District of Virginia.

“The privacy of … Lavabit’s users are at stake,” Lavabit attorney Jesse Binnall told Hilton. “We’re not simply speaking of the target of this investigation. We’re talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure.”

By this point, Levison was evidently willing to comply with the original order, and modify his code to intercept the metadata on one user. But the government was no longer interested.

“Anything done by Mr. Levison in terms of writing code or whatever, we have to trust Mr. Levison that we have gotten the information that we were entitled to get since June 28th,” prosecutor James Trump told the judge. “He’s had every opportunity to propose solutions to come up with ways to address his concerns and he simply hasn’t.”

“We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it,” Trump said. “It filters everything, and at the back end of the filter, we get what we’re required to get under the order.”

“So there’s no agents looking through the 400,000 other bits of information, customers, whatever,” Trump added. “No one looks at that, no one stores it, no one has access to it.”

“All right,” said Hilton. “Well, I think that’s reasonable.”

Hilton ruled for the government. “[The] government’s clearly entitled to the information that they’re seeking, and just because you-all have set up a system that makes that difficult, that doesn’t in any way lessen the government’s right to receive that
information just as they could from any telephone company or any other e-mail source that could provide it easily,” said Hilton.

The judge also rejected Lavabit’s motion to unseal the record. “This is an ongoing criminal investigation, and there’s no leeway to disclose any information about it.”

In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”

“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.

The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.

On August 8, Levison shuttered Lavabit, making any attempt at surveillance moot. Still under a gag order, he posted an oblique message saying he’d been left with little choice in the matter.

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” Levison wrote at the time. “After significant soul searching, I have decided to suspend operations.”

Lavabit has raised approximately $30,000 in an online fundraising drive to finance its appeal to the 4th Circuit. Today the appeals court extended the deadline for opening briefs to October 10.

 

The complete document set follows.

Your "Social" connections are gathered and put together by NSA

Since 2010, the National Security Agency has been exploiting its huge collections of data to create sophisticated graphs of some Americans’ social connections that can identify their associates, their locations at certain times, their traveling companions and other personal information, according to newly disclosed documents and interviews with officials.  The spy agency began allowing the analysis of phone call and e-mail logs in November 2010 to examine Americans’ networks of associations for foreign intelligence purposes after N.S.A. officials lifted restrictions on the practice, according to documents provided by Edward J. Snowden, the former N.S.A. contractor.

The policy shift was intended to help the agency “discover and track” connections between intelligence targets overseas and people in the United States, according to an N.S.A. memorandum from January 2011. The agency was authorized to conduct “large-scale graph analysis on very large sets of communications metadata without having to check foreignness” of every e-mail address, phone number or other identifier, the document said. Because of concerns about infringing on the privacy of American citizens, the computer analysis of such data had previously been permitted only for foreigners.

The agency can augment the communications data with material from public, commercial and other sources, including bank codes, insurance information, Facebook profiles, passenger manifests, voter registration rolls and GPS location information, as well as property records and unspecified tax data, according to the documents. They do not indicate any restrictions on the use of such “enrichment” data, and several former senior Obama administration officials said the agency drew on it for both Americans and foreigners.

N.S.A. officials declined to say how many Americans have been caught up in the effort, including people involved in no wrongdoing. The documents do not describe what has resulted from the scrutiny, which links phone numbers and e-mails in a “contact chain” tied directly or indirectly to a person or organization overseas that is of foreign intelligence interest.

The new disclosures add to the growing body of knowledge in recent months about the N.S.A.’s access to and use of private information concerning Americans, prompting lawmakers in Washington to call for reining in the agency and President Obama to order an examination of its surveillance policies. Almost everything about the agency’s operations is hidden, and the decision to revise the limits concerning Americans was made in secret, without review by the nation’s intelligence court or any public debate. As far back as 2006, a Justice Department memo warned of the potential for the “misuse” of such information without adequate safeguards.

An agency spokeswoman, asked about the analyses of Americans’ data, said, “All data queries must include a foreign intelligence justification, period.”

“All of N.S.A.’s work has a foreign intelligence purpose,” the spokeswoman added. “Our activities are centered on counterterrorism, counterproliferation and cybersecurity.”

The legal underpinning of the policy change, she said, was a 1979 Supreme Court ruling that Americans could have no expectation of privacy about what numbers they had called. Based on that ruling, the Justice Department and the Pentagon decided that it was permissible to create contact chains using Americans’ “metadata,” which includes the timing, location and other details of calls and e-mails, but not their content. The agency is not required to seek warrants for the analyses from the Foreign Intelligence Surveillance Court.

N.S.A. officials declined to identify which phone and e-mail databases are used to create the social network diagrams, and the documents provided by Mr. Snowden do not specify them. The agency did say that the large database of Americans’ domestic phone call records, which was revealed by Mr. Snowden in June and caused bipartisan alarm in Washington, was excluded. (N.S.A. officials have previously acknowledged that the agency has done limited analysis in that database, collected under provisions of the Patriot Act, exclusively for people who might be linked to terrorism suspects.)

But the agency has multiple collection programs and databases, the former officials said, adding that the social networking analyses relied on both domestic and international metadata. They spoke only on the condition of anonymity because the information was classified.

The concerns in the United States since Mr. Snowden’s revelations have largely focused on the scope of the agency’s collection of the private data of Americans and the potential for abuse. But the new documents provide a rare window into what the N.S.A. actually does with the information it gathers.

A series of agency PowerPoint presentations and memos describe how the N.S.A. has been able to develop software and other tools — one document cited a new generation of programs that “revolutionize” data collection and analysis — to unlock as many secrets about individuals as possible.

The spy agency, led by Gen. Keith B. Alexander, an unabashed advocate for more weapons in the hunt for information about the nation’s adversaries, clearly views its collections of metadata as one of its most powerful resources. N.S.A. analysts can exploit that information to develop a portrait of an individual, one that is perhaps more complete and predictive of behavior than could be obtained by listening to phone conversations or reading e-mails, experts say.

Phone and e-mail logs, for example, allow analysts to identify people’s friends and associates, detect where they were at a certain time, acquire clues to religious or political affiliations, and pick up sensitive information like regular calls to a psychiatrist’s office, late-night messages to an extramarital partner or exchanges with a fellow plotter.

“Metadata can be very revealing,” said Orin S. Kerr, a law professor at George Washington University. “Knowing things like the number someone just dialed or the location of the person’s cellphone is going to allow them to assemble a picture of what someone is up to. It’s the digital equivalent of tailing a suspect.”

The N.S.A. had been pushing for more than a decade to obtain the rule change allowing the analysis of Americans’ phone and e-mail data. Intelligence officials had been frustrated that they had to stop when a contact chain hit a telephone number or e-mail address believed to be used by an American, even though it might yield valuable intelligence primarily concerning a foreigner who was overseas, according to documents previously disclosed by Mr. Snowden. N.S.A. officials also wanted to employ the agency’s advanced computer analysis tools to sift through its huge databases with much greater efficiency.

The agency had asked for the new power as early as 1999, the documents show, but had been initially rebuffed because it was not permitted under rules of the Foreign Intelligence Surveillance Court that were intended to protect the privacy of Americans.

A 2009 draft of an N.S.A. inspector general’s report suggests that contact chaining and analysis may have been done on Americans’ communications data under the Bush administration’s program of wiretapping without warrants, which began after the Sept. 11 attacks to detect terrorist activities and skirted the existing laws governing electronic surveillance.

In 2006, months after the wiretapping program was disclosed by The New York Times, the N.S.A.’s acting general counsel wrote a letter to a senior Justice Department official, which was also leaked by Mr. Snowden, formally asking for permission to perform the analysis on American phone and e-mail data. A Justice Department memo to the attorney general noted that the “misuse” of such information “could raise serious concerns,” and said the N.S.A. promised to impose safeguards, including regular audits, on the metadata program. In 2008, the Bush administration gave its approval.

A new policy that year, detailed in “Defense Supplemental Procedures Governing Communications Metadata Analysis,” authorized by Defense Secretary Robert M. Gates and Attorney General Michael B. Mukasey, said that since the Supreme Court had ruled that metadata was not constitutionally protected, N.S.A. analysts could use such information “without regard to the nationality or location of the communicants,” according to an internal N.S.A. description of the policy.

After that decision, which was previously reported by The Guardian, the N.S.A. performed the social network graphing in a pilot project for 1 ½ years “to great benefit,” according to the 2011 memo. It was put in place in November 2010 in “Sigint Management Directive 424” (sigint refers to signals intelligence).

In the 2011 memo explaining the shift, N.S.A. analysts were told that they could trace the contacts of Americans as long as they cited a foreign intelligence justification. That could include anything from ties to terrorism, weapons proliferation or international drug smuggling to spying on conversations of foreign politicians, business figures or activists.

Analysts were warned to follow existing “minimization rules,” which prohibit the N.S.A. from sharing with other agencies names and other details of Americans whose communications are collected, unless they are necessary to understand foreign intelligence reports or there is evidence of a crime. The agency is required to obtain a warrant from the intelligence court to target a “U.S. person” — a citizen or legal resident — for actual eavesdropping.

The N.S.A. documents show that one of the main tools used for chaining phone numbers and e-mail addresses has the code name Mainway. It is a repository into which vast amounts of data flow daily from the agency’s fiber-optic cables, corporate partners and foreign computer networks that have been hacked.

The documents show that significant amounts of information from the United States go into Mainway. An internal N.S.A. bulletin, for example, noted that in 2011 Mainway was taking in 700 million phone records per day. In August 2011, it began receiving an additional 1.1 billion cellphone records daily from an unnamed American service provider under Section 702 of the 2008 FISA Amendments Act, which allows for the collection of the data of Americans if at least one end of the communication is believed to be foreign.

The overall volume of metadata collected by the N.S.A. is reflected in the agency’s secret 2013 budget request to Congress. The budget document, disclosed by Mr. Snowden, shows that the agency is pouring money and manpower into creating a metadata repository capable of taking in 20 billion “record events” daily and making them available to N.S.A. analysts within 60 minutes.

The spending includes support for the “Enterprise Knowledge System,” which has a $394 million multiyear budget and is designed to “rapidly discover and correlate complex relationships and patterns across diverse data sources on a massive scale,” according to a 2008 document. The data is automatically computed to speed queries and discover new targets for surveillance.

A top-secret document titled “Better Person Centric Analysis” describes how the agency looks for 94 “entity types,” including phone numbers, e-mail addresses and IP addresses. In addition, the N.S.A. correlates 164 “relationship types” to build social networks and what the agency calls “community of interest” profiles, using queries like “travelsWith, hasFather, sentForumMessage, employs.”

A 2009 PowerPoint presentation provided more examples of data sources available in the “enrichment” process, including location-based services like GPS and TomTom, online social networks, billing records and bank codes for transactions in the United States and overseas.

At a Senate Intelligence Committee hearing on Thursday, General Alexander was asked if the agency ever collected or planned to collect bulk records about Americans’ locations based on cellphone tower data. He replied that it was not doing so as part of the call log program authorized by the Patriot Act, but said a fuller response would be classified.

If the N.S.A. does not immediately use the phone and e-mail logging data of an American, it can be stored for later use, at least under certain circumstances, according to several documents.

One 2011 memo, for example, said that after a court ruling narrowed the scope of the agency’s collection, the data in question was “being buffered for possible ingest” later. A year earlier, an internal briefing paper from the N.S.A. Office of Legal Counsel showed that the agency was allowed to collect and retain raw traffic, which includes both metadata and content, about “U.S. persons” for up to five years online and for an additional 10 years offline for “historical searches.”

We thought TOR became more popular..

What is TOR? Care about your privacy? Check out ourprivacy.org, service by High Desert Technology.

 

Despite speculation that Operation PRISM and concerns over NSA surveillance are spurring users to take up online privacy safeguards in droves, the sudden spike in usage for the Tor browser that began in August can be attributable to pretty much one thing: a massive botnet.

 

Starting around August 19, there has been a sudden spike in the number of Tor clients. Tor is an anonymity network operated by volunteers that provides encryption and identity protection capabilities. It allows users to avoid surveillance and traffic interception as well as circumvent internet censorship, and is a favorite of whistleblowers and political activists.

Within one week the number of users doubled to 1.2 million, up from 600,000. Now, in early September, users have reached 3.5 million – and the base continues to grow.

“Some people have speculated that the growth in users comes from activists in Syria, Russia, the United States, or some other country that has good reason to have activists and journalists adopting Tor en masse lately,” explained Tor project leader Roger Dingledine, in a blog. “Others have speculated that it's due to massive adoption of the Pirate Browser (a Tor Browser Bundle fork that discards most of Tor's security and privacy features), but we've talked to the Pirate Browser people and the downloads they've seen can't account for this growth. The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients.”

The service thinks that the new Tor clients were somehow bundled into a software that was installed onto millions of computers “pretty much overnight.”

“Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers [with malware] and as part of their plan they installed Tor clients on them,” Dingledine said.

The new clients give themselves away, because they’re not actually browsing websites, nor are they generating enough traffic to be a legitimate user. Tor’s early indications are that they're accessing hidden services, DIngledine noted, and one plausible explanation is that the botnet is running its command-and-control (C&C) point as a hidden service.

“I still maintain that if you have a multi-million node botnet, it's silly to try to hide it behind the 4,000-relay Tor network,” said DIngledine. “These people should be using their botnet as a peer-to-peer anonymity system for itself. So I interpret this incident as continued exploration by botnet developers to try to figure out what resources, services and topologies integrate well for protecting botnet communications."

Tor is exploring ways to mitigate the effects of the botnet on its network and on other users, but it’s not devoting resources to shutting it down. That’s a job for someone else, Dingledine said.

“It would be great if botnet researchers would identify the particular characteristics of the botnet and start looking at ways to shut it down (or at least get it off of Tor),” he explained. “Note that getting rid of the C&C point may not really help, since it's the rendezvous attempts from the bots that are hurting so much.”

Tor is looking for ways to prevent botnets from infiltrating in the future. For example, it could rate-limit circuit create requests at entry guards, or learn to recognize the circuit-building signature of bot clients in order to refuse or tarpit connections from them. Entry guards could also demand that clients solve captchas before they can build more than a certain threshold of circuits.

Dingledine added, “Another facet of solving this problem long-term is helping [botnet operators] to understand that Tor isn't a great answer for their problem.”

Can We Trust IPSEC?

Cryptographer and EFF board member Bruce Schneier has given advice on how to be as secure as possible. "Trust the math," he says. "Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA."

He confirms the growing consensus that Bullrun's greatest success is in subverting the implementations of encryption rather than in the ability to crack the encryption algorithms themselves. The general belief is that the NSA has persuaded, forced or possibly even tricked individual companies into building weaknesses or backdoors into their products that can be exploited later.

The bottom line, however, is that the fabric of the internet can no longer be trusted. Meanwhile, John Gilmore, co-founder of EFF and a proponent of free open source software, has raised a tricky question: has NSA involvement in IPv6 and IPSEC discussions effectively downgraded its security? IPSEC is the technology that would make IP communications secure.

Gilmore notes that he had been involved in trying to make IPSEC "so usable that it would be used by default throughout the internet." But "NSA employees participated throughout, and occupied leadership roles in the committee and among the editors of the documents." 

The result was "so complex that every real cryptographer who tried to analyze it threw up their hands and said, 'We can't even begin to evaluate its security unless you simplify it radically'" – something that never happened.

Gilmore doesn't explicitly say that the NSA sabotaged IPSEC, but the fact remains that in December 2011, IPSEC in IPv6 was downgraded from 'must include' to a 'should include.' He does, however, make very clear his belief in NSA involvement in other security standards. 

Discussing cellphone encryption, he says "NSA employees explicitly lied to standards committees" leading to "encryption designed by a clueless Motorola employee."

To this day, he adds, "no mobile telephone standards committee has considered or adopted any end-to-end (phone-to-phone) privacy protocols.  This is because the big companies involved, huge telcos, are all in bed with NSA to make damn sure that working end-to-end encryption never becomes the default on mobile phones."

NSA and Encryption

The U.S. National Security Agency's efforts to defeat encrypted Internet communications, detailed in news stories this week, are an attack on the security of the Internet and on users' trust in the network, some security experts said.

The NSA and intelligence agencies in allied countries have found ways to circumvent much of the encryption used on the Internet, according to stories published by The New York Times, ProPublica and the Guardian. The NSA, the British GCHQ and other spy agencies have used a variety of means to defeat encryption, including supercomputers, court orders and behind-the-scenes agreements with technology companies, according to the news reports.

The reports, relying on documents provided by former NSA contractor Edward Snowden, show that many tech companies are collaborating with the spy agencies to "destroy privacy," said cryptographer and security specialist Bruce Schneier. "The fundamental fabric of the Internet has been destroyed."

The new revelations should raise major concerns from Internet users over who they can trust, Schneier added. "I assume that all big companies are now in cahoots with the NSA, cannot be trusted, are lying to us constantly," he said. "You cannot trust any company that makes any claims of the security of their products. Not one cloud provider, not one software provider, not one hardware manufacturer."

It doesn't appear that the NSA is defeating encryption by brute force but by "cheating" by attempting to build backdoors into systems and strong-arm companies into giving it information, Schneier said.

Digital rights group the Center for Democracy and Technology echoed some of Schneier's concerns, with CDT senior staff technologist Joseph Lorenzo Hall calling the NSA's encryption circumvention efforts "a fundamental attack on the way the Internet works."

The NSA has been working for years to build backdoor vulnerabilities into encryption standards and technology products, the stories said. A representative of the NSA didn't respond to a request for comment on the stories.

Hall criticized those efforts. "In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it's incredibly destructive for the NSA to add flaws to such critical infrastructure," he said in an email. "The NSA seems to be operating on the fantastically naïve assumption that any vulnerabilities it builds into core Internet technologies can only be exploited by itself and its global partners."

The New York Times story this week, citing a Guardian report from July, said Microsoft has worked with the NSA to provide the agency with pre-encryption access to Outlook, Skype and other products.

Microsoft has repeatedly denied helping the NSA break encryption on its products. The company complies with legal court orders for information on its customers and will provide agencies with unencrypted customer information residing on its servers if ordered by a court to do so, a spokeswoman said.

Microsoft General Counsel Brad Smith, in a July blog post, detailed the way Microsoft responds to court surveillance orders.

"We do not provide any government with direct access to emails or instant messages," Smith wrote then. "Full stop."

CDT's Hall defended Microsoft's approach. "It seems pretty clear that Microsoft is legally compelled to do this and would not otherwise do it voluntarily," he said.

But Matthew Green, a cryptographer and research professor at Johns Hopkins University, suggested Microsoft is due for scrutiny on encryption security, if encryption has been compromised, as the recent news stories suggest. Most commercial encryption code uses a small number of libraries, with Microsoft CryptoAPI being among the most common, he wrote in a blog post.

"While Microsoft employs good (and paranoid!) people to vet their algorithms, their ecosystem is obviously deeply closed-source," Green wrote. "You can view Microsoft's code (if you sign enough licensing agreements) but you'll never build it yourself. Moreover they have the market share. If any commercial vendor is weakening encryption systems, Microsoft is probably the most likely suspect."

Microsoft IIS runs on about 20 percent of the Internet's Web servers, and nearly 40 percent of the SSL servers, while third-party encryption programs running on Windows depend on Microsoft APIs (application programming interfaces), Green noted.

"That makes these programs somewhat dependent on Microsoft's honesty," he said.

The good news for privacy-minded Internet users is that security researchers questioned whether the foundations of cryptography itself have been compromised. Some encryption protocols are vulnerable, but it's likely that the NSA is attacking the software that encryption is implemented with or relying on human mistakes, Green wrote.

"Software is a disaster," he added. "Hardware isn't that much better. Unfortunately active software exploits only work if you have a target in mind. If your goal is mass surveillance, you need to build insecurity in from the start. That means working with vendors to add backdoors."

Any compromises are unlikely to be related to weakness in the underlying cryptography, added Dave Anderson, a senior director at Voltage Security.

"It seems likely that any possible way that the NSA might have bypassed encryption was almost certainly due to a flaw in the key management processes that support the use of encryption, rather than through the cryptography itself," he said by email. "So, is it possible that the NSA can decrypt financial and shopping accounts?  Perhaps, but only if the cryptography that was used to protect the sensitive transactions was improperly implemented through faulty, incomplete or invalid key management processes or simple human error."

Subscribe to our Newsletter

Search ALL Articles

Managed V. Non-Managed

 
NON-MANAGED=REACTIVE
MANAGED=PROACTIVE
 
 

ourprivacy.org

US-CERT Latest Warnings

Latest US-CERT Released Warnings

Posted Articles