
Government Overwatch and Exploiting Information Systems 

I. The ability to intercept communications between commercial data centers operated by Google and Yahoo! by tapping undersea communications cables: 

The idea of tampering with communications cables is not new; it has been done on every physical medium that carries data. For most of the last century the dominant medium was copper, but as bandwidth demand grew, and to avoid a tangle of ever more copper pairs, fiber optics became the way forward. A fiber optic cable carries light through glass strands whose core is only microns across, yet it can move enormous amounts of data over vast distances. Because glass is far more fragile than metal, it was long assumed that tapping a fiber without breaking it would be impractical. 

Copper carries data as electrical signals, and those signals radiate and can be inductively coupled or spliced, which makes eavesdropping comparatively easy. Fiber carries data as pulses of light confined inside the glass, which is notoriously harder to intercept; that is one reason it became the preferred medium for sensitive traffic, including that of government agencies and large technology companies such as Google, Yahoo, Microsoft and Apple.  

Despite that reputation, fiber has a weakness that makes it tappable. In a fiber tap a small fraction of the light is diverted, either by bending the fiber sharply enough that some light escapes the cladding or by splicing in an optical splitter, while the rest continues on to the receiver. Because only a small fraction of the optical power is lost, the link keeps working, the loss can stay within the link's power budget, and the tap goes unnoticed unless the operator is watching optical power levels closely (an OTDR trace or a sudden unexplained change in attenuation is the usual tell). The diverted signal can then be amplified, repeated and examined at leisure, allowing the collection of private data without the network operator ever seeing a breach. The practical defence is not to trust the glass at all but to encrypt traffic before it enters the cable, which is what Google and Yahoo began doing for their inter-datacenter links once the tapping became public.  

In 2010, Glimmerglass, a contractor to the US government, began deploying such taps to monitor for international terrorist activity. Devices were installed at critical junctions, such as amplifier and repeater stations, where individual fibers are exposed. The captured optical signal could be mirrored and forwarded to monitoring agencies while the original data stream continued intact. The cable itself does not discriminate, however: personal, corporate, criminal and terrorist traffic all flow through the same strand, so everything is collected and must be analyzed before the unwanted data is discarded. 

Tracking terrorist or criminal traffic this way means all traffic is analyzed, regardless of whether it belongs to a domestic or a foreign person. The Snowden disclosures showed how far this reached into US companies that provide internet-facing services to US citizens: the program reported under the name MUSCULAR (separate from PRISM, covered in section III) tapped the private links between Google's and Yahoo's data centers. No exploitation of Google's servers was required. An NSA slide noted that SSL was "added and removed here" at the Google Front End, meaning the front-end servers terminated secure socket layer (SSL) connections for users, and the traffic behind them, between data centers, travelled unencrypted and could be read straight off the tapped fiber.  

II. Access to encrypted communications through weaknesses in commercial encryption algorithms  

Turning to weaknesses in commercial encryption algorithms: this is an arms race between penetration and exploitation on one side and defensive posture on the other. With new zero-day vulnerabilities surfacing ever more frequently, patching has become a game of cat and mouse, or whack-a-mole.   

Encryption has evolved from very simple substitutions to advanced mathematics. Caesar sent messages to the field with each letter shifted three places along the alphabet; the recipient knew the shift, the secret key, and could turn the ciphertext back into plaintext. The same basic idea, a secret key that transforms readable data into unreadable data and back again, still underlies encryption today at a vastly greater scale. Most communication is now encrypted without the user even being aware of it, though the strength varies enormously with the application or hardware performing the cipher. 

For years, commercial systems such as digital signatures relied heavily on the MD5 and later the SHA-1 hash algorithms. Both were eventually shown to be vulnerable to collision attacks (MD5 practically in 2004, SHA-1 in 2017): two different inputs can be crafted that produce exactly the same hash, which is fatal for a signature scheme, since a signature over one input then also validates the other. The Flame espionage malware discovered in 2012 exploited exactly this. Flame performed deep monitoring, recording and traffic analysis on infected machines, and to spread it needed to look legitimate: its authors used a chosen-prefix MD5 collision to forge a code-signing certificate that chained up to a Microsoft certificate authority (the Terminal Server Licensing Service), so Windows machines accepted Flame's components as if they were Microsoft-signed updates.  

Commercial companies of every size have robust algorithms available for their applications. One of the strongest in common use is the Advanced Encryption Standard with a 256-bit key (AES-256). It is resistant to brute force because a 256-bit key has 2^256, roughly 10^77, possible values; trying them all is physically infeasible, so an attacker without the key gets nowhere. Even so, AES-256 took time to be adopted universally because legacy applications and hardware could not support it, leaving weaker, vulnerable algorithms in service and under attack. 

A very common example of a weak, deprecated algorithm sits in nearly every household: the home router. Although increasingly rare, Wired Equivalent Privacy (WEP) is a well-known weak method of protecting the wireless link between a client device and the router, and it survives mainly because legacy hardware cannot speak Wi-Fi Protected Access 2 (WPA2) or WPA3. WEP's "64-bit" and "128-bit" keys are misleading: 24 of those bits are an initialization vector (IV) sent in the clear with every frame, leaving only 40 or 104 bits of secret key, and the IV space is so small that a busy network exhausts it within hours. Because WEP uses the RC4 stream cipher, a repeated IV exposes the XOR of two plaintexts, and its CRC-32 integrity check is linear, so frames can be modified in flight; related-key weaknesses in RC4 (the FMS and later PTW attacks) let an attacker recover the key itself from captured traffic in minutes. The same pattern recurs at internet scale in Software-as-a-Service (SaaS) platforms that still accept legacy SSL or early TLS versions, serve plain HTTP instead of HTTPS, or expose unauthenticated Application Programming Interface (API) calls.  
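To make the WEP weakness concrete, here is an added illustration, constructed for this article and not code from any router vendor or from the 802.11 standard. It models WEP's frame encryption (RC4 keyed with IV || secret, CRC-32 integrity check value encrypted along with the payload) and carries out two attacks without ever knowing the key: recovering a second packet's plaintext when an IV repeats, and flipping chosen bits in a captured frame while fixing up the linear CRC so the frame still verifies. The secret key, IV and packet contents are made up, and the frame layout is simplified to IV || RC4(data || ICV).

```python
"""Toy model of WEP's keystream-reuse and CRC-linearity weaknesses.
Constructed illustration: not a real 802.11 implementation, key/IV/packets are made up."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 (little-endian), encrypted together with the payload."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """'64-bit WEP' = 24-bit IV sent in the clear + 40-bit secret; the RC4 key is IV || secret."""
    assert len(iv) == 3
    stream = rc4_keystream(iv + secret, len(plaintext) + 4)
    return iv + xor_bytes(plaintext + icv(plaintext), stream)


def wep_decrypt(secret: bytes, frame: bytes):
    """Receiver side. Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    data = xor_bytes(body, rc4_keystream(iv + secret, len(body)))
    plaintext, received_icv = data[:-4], data[-4:]
    return plaintext, icv(plaintext) == received_icv


def recover_with_known_plaintext(known_frame: bytes, known_pt: bytes, target_frame: bytes) -> bytes:
    """Attack 1: two frames under the same IV share a keystream.
    keystream = C1 xor (P1 || ICV(P1)); P2 = C2 xor keystream. No key needed.
    Recovers as many bytes of P2 as the known frame is long."""
    assert known_frame[:3] == target_frame[:3], "attack needs a repeated IV"
    stream = xor_bytes(known_frame[3:], known_pt + icv(known_pt))
    recovered = xor_bytes(target_frame[3:], stream)
    return recovered[:len(target_frame) - 7]               # drop IV (3) and ICV (4)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attack 2: CRC-32 is affine, so crc(P xor D) == crc(P) xor crc(D) xor crc(0...0)
    for equal lengths. The attacker XORs a chosen delta into the encrypted payload and
    the matching correction into the encrypted ICV; the receiver's check still passes."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    icv_delta = xor_bytes(icv(delta), icv(bytes(n)))
    return iv + xor_bytes(body, delta + icv_delta)


if __name__ == "__main__":
    secret = bytes.fromhex("0123456789")                   # constructed 40-bit secret
    iv = b"\x11\x22\x33"                                   # one of only 2**24 IVs: reuse is inevitable
    p1 = b"GET /index.html HTTP/1.1"                       # plaintext an attacker can guess
    p2 = b"user=alice&pass=hunter2!"                       # plaintext the attacker wants
    c1, c2 = wep_encrypt(secret, iv, p1), wep_encrypt(secret, iv, p2)
    print("recovered:", recover_with_known_plaintext(c1, p1, c2))
    tampered = flip_bits(c1, xor_bytes(p1, b"GET /admin.html HTTP/1.1"))
    print("tampered frame decrypts to:", wep_decrypt(secret, tampered))
```

Both attacks work on captured frames alone; they are why WEP traffic can be read and forged long before the FMS/PTW key-recovery attacks even finish. WPA2 fixed both problems with a per-packet key derivation and a keyed MIC instead of a CRC.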

As attacks become more prevalent and the threat landscape grows more sophisticated, large companies are putting greater emphasis on their security. Companies are becoming bigger targets than government agencies because they present a softer and wider array of targets. There is no longer a conventional battlefield with uniforms, standard arms and clearly identified combatants. With cyberspace as the new domain in which attack and defence are mandatory, legacy protocols and encryption algorithms must be deprecated and remediated sooner than before.  

III. Direct access to Microsoft, Google, Facebook, Skype, YouTube, and Apple servers 

The idea that the United States government would be allowed backdoor access to the largest services used by American citizens seemed unfathomable. Even if corporations such as Google, Apple and Facebook had granted such access, they certainly would not have advertised it. It took the most infamous leak in National Security Agency (NSA) history, by Edward Snowden in 2013, to prove that the US government was indeed collecting and storing vast amounts of data from these companies. 

The program, called PRISM, was run in secret by the NSA and shielded from public view under the Foreign Intelligence Surveillance Act (FISA), with the secret FISA court as its only check. Through it the NSA could gather chats, emails, photos, telephony data, files and social media activity from numerous internet companies. Unbeknownst to the consumers of these services, personal data they believed was private and secure was not. The companies all forcefully denied giving direct access to their servers without a court order. More troubling still, the data was retained and stored even after a user deleted their profile or account. Whether by FISA court order, direct access or the exploitation of vulnerabilities, the NSA got the data. 

Unsurprisingly, US citizens, and the allies the NSA had also been surveilling, were outraged. Many argued that monitoring without oversight or consent was unconstitutional. The tech companies took heat as well, despite claiming they had been compelled by court order. As a partial reform, the USA Freedom Act of 2015 added oversight and greater transparency about what data was being collected. It did not stop the government or its agencies from monitoring, but it imposed tighter criteria on how data could be retrieved and stored. The reputations of the US government and the NSA were unequivocally tarnished by the lack of transparency and accountability. 

Lastly, legislative requirements and business pressures can lead to the intentional introduction of backdoors or deliberately weakened encryption. Governments may mandate weaker encryption to facilitate surveillance, and companies may build in weaknesses to comply with export regulations; either can be exploited by malicious actors. A backdoor compromises the security of the whole scheme, because once discovered it serves anyone who finds it, not only the intended recipient. 

IV. The ability to reveal sender identity information about some communications sent anonymously through The Onion Router (Tor) network 

Some individuals who want to mask their communications rely on The Onion Router, or Tor. It is a widely used browsing service with advantages such as stronger privacy settings, no cross-site cookie tracking and, above all, anonymity. Although it carries a stigma because of dark web browsing and other illicit uses, journalists, activists and whistleblowers use it for exactly that anonymity and privacy protection.  

Tor is not an end-all, be-all of safe and secure browsing. One significant weakness is its susceptibility to traffic analysis: an adversary who can observe traffic both entering and leaving the network can correlate timing and volume patterns to de-anonymize users. The entry (guard) and exit relays are the crucial limitation. Traffic is encrypted in layers between the client and the exit, so the guard knows the client's IP address but not the destination, and the exit knows the destination but not the client; the hop from the exit to the final destination, however, is only as protected as the application makes it, so plain HTTP leaves the exit in a position to read or alter everything. A further concern is Distributed Denial of Service (DDoS) attacks against trusted Tor relays, which push circuits onto relays that are not under load, possibly the attacker's own. Briefly, a DDoS attack is a denial-of-service attack in which many machines flood a single target with requests. Because the relay list (the network consensus) is public and can be fetched with a simple HTTP GET request, an attacker can target each relay's IP address individually. 

Another major concern is the relays themselves. Many are not properly managed or secured, and anyone may operate one; because the network is designed to be anonymous, there is no central control over who runs or maintains a node. Entry and exit traffic can be listened to wherever it is sent in plaintext, and a compromised or malicious exit can go further, injecting malware into unencrypted downloads or pages so that government agencies, nation-states or criminals can watch and infect clients. 
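The visibility split between guard, middle and exit described in the two paragraphs above, as an added toy model constructed for this article (not Tor's own code). Tor negotiates AES-CTR keys with each relay through its circuit handshake; here fixed keys and a SHAKE-256 keystream stand in, and the relay names, client address and HTTP request are made up. The model shows that the guard learns who the client is but not where the traffic goes, the middle relay learns neither, and the exit learns the destination and, for plain HTTP, the full request. Wrapping the payload in an application-layer cipher, standing in for TLS, leaves the exit with ciphertext only.

```python
"""Toy model of Tor's layered ('onion') encryption: what each relay can see.
Constructed illustration, not Tor's code. SHAKE-256 stands in for the per-hop
AES-CTR keystream and fixed keys stand in for the circuit handshake."""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(length)


def xor_layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Add or strip one layer; XOR with the same keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def build_onion(hop_keys, next_hops, payload: bytes, nonce: bytes) -> bytes:
    """Client side: wrap the innermost (exit) layer first and the guard layer last.
    Each layer's plaintext is '<next hop>|<inner cell>'."""
    cell = payload
    for key, nxt in zip(reversed(hop_keys), reversed(next_hops)):
        cell = xor_layer(key, nonce, nxt.encode() + b"|" + cell)
    return cell


def peel(key: bytes, nonce: bytes, cell: bytes):
    """Relay side: strip one layer and learn only the next hop plus an opaque blob."""
    inner = xor_layer(key, nonce, cell)
    nxt, _, rest = inner.partition(b"|")
    return nxt.decode(), rest


def simulate_circuit(client_ip: str, relays, destination: str, payload: bytes,
                     nonce: bytes = b"circuit-0001"):
    """relays: [(name, key), ...] in order guard, middle, exit.
    Returns, for each relay, the previous hop, the next hop and the bytes it forwards:
    exactly the information that relay is in a position to observe."""
    names = [name for name, _ in relays]
    keys = [key for _, key in relays]
    cell = build_onion(keys, names[1:] + [destination], payload, nonce)
    seen, prev = [], client_ip
    for name, key in relays:
        nxt, cell = peel(key, nonce, cell)
        seen.append({"relay": name, "from": prev, "to": nxt, "forwards": cell})
        prev = name
    return seen


# Constructed circuit: three relays with made-up keys, a documentation-range client address.
RELAYS = [("guard", b"G" * 32), ("middle", b"M" * 32), ("exit", b"E" * 32)]
CLIENT = "203.0.113.5"
DEST = "example.com:80"
REQUEST = b"GET /login HTTP/1.1\r\nCookie: session=abc\r\n\r\n"


def run_plaintext_http():
    """Plain HTTP over Tor: the exit forwards the request in the clear."""
    return simulate_circuit(CLIENT, RELAYS, DEST, REQUEST)


def run_with_tls():
    """HTTPS over Tor: the exit strips its onion layer but still only sees ciphertext.
    A fixed key with the same XOR keystream stands in for the TLS session."""
    app_key = b"T" * 32
    tls_record = xor_layer(app_key, b"tls", REQUEST)
    return simulate_circuit(CLIENT, RELAYS, DEST, tls_record)


if __name__ == "__main__":
    for hop in run_plaintext_http():
        print(f"{hop['relay']:6} sees {hop['from']} -> {hop['to']}, forwards {hop['forwards'][:20]!r}...")
```

The correlation attack from the text falls out of this picture: no single relay can link CLIENT to DEST, but an observer sitting on both the guard's and the exit's links (or running both relays) can match the two ends by timing and volume, which is why the guard and exit positions are the ones worth attacking or denying to honest operators.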

There is an additional layer of protection that can increase the privacy of the connection: using a Virtual Private Network (VPN) together with Tor. As always, there is a trade-off between security and convenience; stacking a VPN and Tor can push latency so high that browsing becomes frustrating. And as with everything else, total protection is out of reach. A VPN may add protection upstream, but it does nothing against an outdated, vulnerable Tor Browser. A browser exploit that gets code running outside the Tor Browser can open a direct connection that bypasses Tor and, unless the VPN is enforced at the operating-system or network level, the VPN as well, revealing the client's real IP address and other host details. 
