NSA has VPNs in Vulcan death gripno, really, thats what they call it
This is what NSA's VPN Exploit Team does when it decrypts a VPN.
The National Security Agencys Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Speigel. A slide deck from a presentation by a member of OTPs VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNsincluding tools with names drawn from Star Trek and other bits of popular culture.
OTPs VPN exploit team had members assigned to branches focused on specific regional teams, as well as a Cross-Target Support Branch and a custom development team for building specialized VPN exploits. At the regional level, the VPN team representatives acted as liaisons to analysts, providing information on new VPN attacks and gathering requirements for specific targets to be used in developing new ones.
While some VPN technologiesspecifically, those based on the Point-to-Point Protocol (PPTP)have previously been identified as being vulnerable because of the way they exchange keys at the beginning of a VPN session, others have generally been assumed to be safer from scrutiny. But in 2010, the NSA had already developed tools to attack the most commonly used VPN encryption schemes: Secure Shell (SSH), Internet Protocol Security (IPSec), and Secure Socket Layer (SSL) encryption.
The NSA has a specific repository for capturing VPN metadata called TOYGRIPPE. The repository stores information on VPN sessions between systems of interest, including their fingerprints for specific machines and which VPN services theyve connected to, their key exchanges, and other connection data. VPN fingerprints can also be extracted from XKEYSCORE, the NSAs distributed big data store of all recently captured Internet traffic, to be used in identifying targets and developing an attack. Because XKEYSCORE includes data from untasked sourcespeople and systems not designated as under surveillancethe OTP VPN Exploitation Teams presentation requested, Try to avoid relying on (XKEYSCORE) workflows due to legal and logistical issues. But XKEYSCORE, it was noted, is best for attacks on SSH traffic.
Analysis of TOYGRIPPE and XKEYSCORE data, as well as from daily VPN exploits, is fed into BLEAKINQUIRYa metadata database of potentially exploitable VPNs. This database can be searched by NSA analysts for addresses matching targeted individuals or systems and to generate requests for the VPN Exploit crew to convert the "potentially" into an actuality.
When an IPSec VPN is identified and tasked by NSA analysts, according to the presentation, a full take of its traffic is stored in VULCANDEATHGRIP, a VPN data repository. There are similar, separate repositories for PPTP and SSL VPN traffic dubbed FOURSCORE and VULCANMINDMELD, respectively.
The data is then replayed from the repositories through a set of attack scripts, which use sets of preshared keys (PSKs) harvested from sources such as exploited routers and stored in a key database called CORALREEF. Other attack methods are used to attempt to recover the PSK for each VPN session. If the traffic is of interest, successfully cracked VPNs are then processed by a system called TURTLEPOWER and sorted into the NSAs XKEYSCORE full-traffic database, and extracted content is pushed to the PINWALE digital network intelligence content database.
But for those that arent successfully cracked, the VPN Exploit Teams presentation noted, the team works to turn that frown upside down by doing more data collectiontrying to capture IPSec Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic during VPN handshakes to help build better attacks. In cases where the keys just cant be recovered, the VPN Exploit Team will contact our friends for help gathering more information on the systems of interest from other data collection sites or doing an end-run by calling on Tailored Access Operations to create access points through exploits of one of the endpoints of the VPN connection.
More:
NSA has VPNs in Vulcan death gripno, really, thats what they call it