THE LATEST COLLECTION of NSA documents released by Edward Snowden revealed that it targeted an Irish company as part of its data collection activities.
A report from the German magazine Der Spiegel revealed that one of its targets was SecurityKiss, a VPN (virtual private network) service based in Dublin. It used XKeyscore, the NSA’s computer system that searches for and analyses data it collects worldwide, to carry out this action.
One of the documents, dating from late 2009, said the agency was processing 1,000 requests an hour to decrypt VPN connections and was expected to increase to 100,000 per hour by the end of 2011.
The aim was for the system to be able to completely process “at least 20 percent” of these requests, meaning the data traffic would have to be decrypted and reinjected. In other words, by the end of 2011, the NSA’s plans called for simultaneously surveilling 20,000 supposedly secure VPN communications per hour.
Speaking to TheJournal.ie, the founder and CEO of SecurityKISS, Grzegorz Luczywo, said that the news was “disturbing but not so surprising,” but there was nothing to suggest that this traffic was decrypted.
From the documents, nothing suggests that these traffic was actually decrypted [and] nothing suggested that that the communication was broken. What is certain is that the traffic is collected in an encrypted form.
While SecurityKiss doesn’t use usernames and passwords for OpenVPN – instead it uses the individual private keys and certificates embedded in the programme which means the basic NSA attack of stealing keys can’t be used as they’re not in the activation email – the company isn’t ruling out the possibility of other attacks.
Recently, the company had to discontinue its PPTP (Point-to-Point Tunneling Protocol) service as the connection method had been compromised by the NSA.
While a small number of its users availed of it – less than 5% according to Luczywo – it was alerting customers that using it didn’t ensure confidentiality and to use OpenVPN and end-to-end encryption if they needed secure communications.
“We were warning users that it doesn’t ensure confidentiality so they should only use it for video streaming or other applications where confidentially isn’t that important,” Luczywo. “It was more popular on mobile devices because of the ease of configuration, but basically, most of the traffic goes through OpenVPN and most users are Windows users.”
The company may also look for help from digital rights and privacy organisations to see what it can do from a legal perspective, but for now, the company is waiting for the release of more detailed and technical documents so it can figure out the extent of the NSA’s targeting.
To embed this post, copy the code below on your site
have your say