Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:47 PM
Connect Directly

NSA Surveillance Can Penetrate VPNs

National Security Agency's XKeyscore system can collect just about everything that happens online, even things encrypted by VPNs, according to Edward Snowden.

The National Security Agency has a system that allows it to collect pretty much everything a user does on the Internet, according to a report published by The Guardian on Wednesday, apparently even when those activities are done under the presumed protection of a virtual private network (VPN).

The Guardian's information comes from whistleblower Edward Snowden, the former NSA contractor now seeking asylum in Russia from U.S. authorities for revealing classified documents about the NSA's intelligence-gathering capabilities to the media. The news organization's report suggests that Snowden's claim that he could wiretap anyone from his desk, dismissed by U.S. lawmakers as false, was essentially accurate.

Described in a 2008 presentation, the system, called XKeyscore, can reportedly track email addresses, logins, phone numbers, IP addresses and online activities — files, email contents, Facebook chats, for example — and can cross-reference this information with other metadata.

Even after weeks of revelations about the scope and breadth of NSA data gathering, news that XKeyscore can penetrate VPNs comes as a something of a shock.

"This is huge: XKeyscore slides also suggest NSA regularly decrypts encrypted VPN traffic," said security researcher Ashkan Soltani via Twitter.

[ Want to be a Web photographer? Read Google's Photo Sphere Community Wants You. ]

Responding to Soltani, CDT senior staff technologist Joseph Lorenzo Hall expressed skepticism that the NSA can break all VPN encryption. But Soltani contends the NSA at least has the capability to crack weak cipher implementations on Windows machines common in the Middle East, such as PPTP and MS-Chap. He points to a 2012 post from security researcher Moxie Marlinspike that states, "PPTP traffic should be considered unencrypted."

Whether or not the NSA is able to crack more robust implementations remains to be seen. Given the resources available to the NSA, the issue may be how much the NSA wants to break a given code rather than its ability to do so. After all, in cases where codes cannot be broken, people can be. As Danish developer Poul-Henning Kamp argues in ACM Queue, politics trumps cryptography.

The White House, trying to contain discontent with its surveillance programs, chose Wednesday to release formerly classified documents about the NSA's domestic phone surveillance program as a Senate Judiciary Committee meeting convened to address the oversight of Foreign Intelligence Surveillance Act programs.

The documents, published by the Office of the Director of National Intelligence, detail the collection of telephone metadata under Section 215 of the Patriot Act.

Senate Judiciary Committee chair Sen. Patrick J. Leahy (D-Vt.) said in a statement that if the government's collection of phone records is not effective, the program should be discontinued. He suggested that NSA chief Gen. Keith Alexander's prior claim that Section 215 surveillance programs have led to the disruption of 54 terrorist plots is not supported by the classified documentation he was provided.

A 2008 presentation states, "Over 300 terrorists [have been] captured using intelligence generated from XKeyscore."

Gen. Alexander contended with skeptical hecklers Wednesday at the Black Hat USA 2013 security conference in Las Vegas, where he defended NSA surveillance as necessary for national security.

In prepared remarks presented during the Judiciary Committee meeting, Stewart A. Baker, a partner in the Washington office of Steptoe & Johnson, LLP, and former assistant secretary for policy at the Department of Homeland Security, dismissed worries about civil liberties concerns.

"[I]t appears that law enforcement has been gaining access to our call metadata for as long as billing records have existed — nearly a century," he said. "If this were the road to Orwell's 1984, surely we'd be there by now, and without any help from NSA's 300 searches."

Baker advocates protecting privacy by, paradoxically, embracing big data and subjecting government employees to more effective surveillance.

"We need systems that audit for data misuse, that flag questionable searches, and that require employees to explain why they are seeking unusual data access," he said. "That's far more likely to provide effective protection against misuse of private data than trying to keep cheap data out of government hands. ... A proper system for auditing access to restricted data would not just improve privacy enforcement, it likely would have flagged both Bradley Manning and Edward Snowden for their unusual network browsing habits."

Jameel Jaffer, deputy legal director of the American Civil Liberties Union Foundation, offered testimony in the opposite direction. He called for Congress to amend the Foreign Intelligence Surveillance Act "to prohibit suspicionless, 'dragnet' monitoring or tracking of Americans' communications," to require more disclosure about Foreign Intelligence Surveillance Court opinions, and to ensure that government surveillance activities are subject to reasonable judicial scrutiny.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/6/2019 | 4:39:47 AM
re: NSA Surveillance Can Penetrate VPNs
The government's penetration of VPNs is primarily a law that requires VPN providers to record some of the activities of VPN users.
Once the government needs to track a VPN user, it will get the user's activity data from the VPN service provider.
But if the VPN service provider's jurisdiction is in some safe countries, such as countries and regions that do not have information retention laws. Then governments in other countries have no way to ask VPN service providers to provide users' information.
This makes it impossible to infiltrate, and there are many more secure VPN service providers, such as Nordvpn, ExpressVPN, surfshark, etc., and there is no data retention method in their country.
User Rank: Apprentice
8/4/2015 | 2:57:13 AM
I think here i can help you.. for all vpn setting you can find the solution here i am sure it will help you to resolve www.corporatevpn.org Corporate VPN
User Rank: Apprentice
7/10/2015 | 12:48:16 AM
re: NSA Surveillance Can Penetrate VPNs
Yes they can trace whatever they want and store tons of data to thrash the privacy.
User Rank: Strategist
2/12/2014 | 6:30:26 AM
re: NSA Surveillance Can Penetrate VPNs
To judge any intelligence organisation by the national law is pretty tricky. An intelligence organisation always will go against it political masters. So when you come up against the so called crimes of any intelligence organisation go to the top, it does not matter in what state you are if it is Israel, Russia or China.

The only point here is that BO should have put more support against the NSA as he has directed them. If you want to reform any of this you should look at the legislative and that is where in the USA I see little coherence. Even Snowden does not blame the NSA as an organisation, but many pro-Snowden activist do not get that either.

But how can we cover ourselve from recent NSA activation to distroy privacy laws? I setup VPN to some what and some how secure my online privacy as it provides encryption and changes my ip to cover my online identity and provide me online anonymity and freedom.

Though theer are many top VPN services but i recommend you to check out this a comprehensive list of best encrypted vpn services that also do not keep logs and provide advacnced protocol to ensure your online privacy 
User Rank: Apprentice
8/1/2013 | 6:56:47 PM
re: NSA Surveillance Can Penetrate VPNs
Does this really come as a shock to most people??

Its obvious that anything you do on pretty much any form of technology is traceable and leaves a digital paper trail.
With that said do you really think the government has the resources to listen/read everyone's facebook chats or emails?

I feel sorry for whoever reads my chats LOL...Perhaps i should be more dramatic in my text to put on a show and give that poor government employee more excitement.
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.