Author Topic: Major new Snowden publication: IPSec, PPTP, SSH, possibly SSL and TLS not secure  (Read 809 times)

0 Members and 1 Guest are viewing this topic.

Offline Resistor

  • Peasant
  • *
  • Posts: 65
  • Cookies: -10
    • View Profile
This is a major publication. IPSec and PPTP are not secure, making many VPNs not secure. SSH appears to not be secure either, making life now a bit hectic for systems administrators. I'm not sure if they are saying SSL and TLS connections can be fully decrypted on a scale of millions of users, or if they are simply monitored and collected/stored on a scale of millions of users, in hopes of being decrypted.

OTR, GnuPG, Truecrypt, Tor/TAILS, ZRTP, and CSpace appear to be secure, at least as of 2012, which is when these documents were created.

http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
http://www.spiegel.de/media/media-35535.pdf

Furthermore, this is a must watch CCC talk by Jacob Appelbaum and Laura Poitras.
http://media.ccc.de/browse/congress/2014/31c3_-_6258_-_en_-_saal_1_-_201412282030_-_reconstructing_narratives_-_jacob_-_laura_poitras.html#video

Offline madf0x

  • Knight
  • **
  • Posts: 172
  • Cookies: 50
    • View Profile
Yeah I read through those documents last night and Im pretty sure its just FUD. No where do they even hint that they can break any connection. In fact in many places they talk about alternative methods of exploitation in the event they can't decrypt. In one slide they even outright say they steal IPSEC private keys by breaking into routers. Later on they also say for VPN they use a metadata database to fingerprint potentially exploitable vpns and to remember 'just because its not exploitable now, doesn't mean it won't be exploitable in the future!'

They even seem to have different teams to attack the protocol in different ways, ergo not putting their eggs all in one basket. In all likelihood its simply a matter of them employing attacks weve already seen and heard except on a much larger scale. If that counts as being insecure or broken I guess, but its broken in the same way that 'no computer cannot be hacked' phrase is true.

What I find MUCH more interesting, is how they follow trends to identify new technologies to look at to potentially attack. Things like following technological 'thought' leaders and even using forums. Yup, theres a distinct chance that one or two NSA agents is getting paid to browse Evilzone, perhaps even an active member, in case someone cooks up something really interesting :) Now that I think is food for thought.

Offline nobody

  • NULL
  • Posts: 1
  • Cookies: 0
    • View Profile
Excellent post Resistor- thanks for this really interesting stuff; great reminder of the quality of research coming from CCC.
I do agree with Madf0x that there's still no visibility of any of these agencies actually achieving a half-decent hack on a connection - these idiots continue to run rampant amongst us; probably outsourced their super crypto cracking wizards to an offshore location for cheap labour....