NSA paid security firm $10 million to leave encryption ‘back door’
RSA Security was awarded a $10 million contract for shipping its software with an NSA-engineered vulnerability.
In September, the Guardian revealed that the National Security Agency intentionally created a flawed formula designed to provide a “back door” into commonly used encryption products. New information shows that the U.S. government paid at least one private security company in exchange for implementing the NSA’s pre-designed flaw into its software.
Reuters reported Friday that RSA Security was awarded a $10 million contract for shipping its software, BSAFE toolkit, with an NSA-engineered vulnerability in the software’s key generation process. The contract was exposed by top-secret NSA documents leaked by whistleblower Edward Snowden.
Encryption keys are derived from random numbers produced by mathematical algorithms. The algorithm used must be strong enough that the key generation process can't be easily compromised. The NSA documents suggest that a flaw in RSA's algorithm allowed keys generated by its software to be easily cracked.
The new revelation isn’t that RSA’s algorithm was flawed but that the company was paid, with U.S. tax dollars, to continue implementing it long after its vulnerability was discovered.
In 2007, Wired journalist Bruce Schneier published an article titled, “Did NSA Put a Secret Backdoor in New Encryption Standard?” In it, he revealed that the NSA had championed the use of Dual_EC_DRBG, the algorithm used by RSA, and correctly predicted that it contained a backdoor used by the agency.
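The trapdoor Schneier described is easy to see on a tiny curve. The following is an added illustration, not code from RSA's BSAFE or from the article: a toy Dual_EC_DRBG on a constructed 19-point curve over GF(17), with a constructed secret e such that the public constant P equals e*Q. Anyone holding e turns a single output into the generator's next state, which is why a generator whose constants may carry such a relationship cannot be trusted for key material.

```python
# Toy Dual_EC_DRBG over a tiny curve (constructed parameters, not RSA's code):
# y^2 = x^3 + 2x + 2 over GF(17), group order 19, so every point generates.
# Real Dual_EC_DRBG uses P-256 and truncates 16 bits per output; the trapdoor
# P = e*Q works the same way, the truncation only adds a small brute force.
P_MOD, A, B = 17, 2, 2

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def x_of(pt):
    if pt is None: raise ValueError("hit the point at infinity (toy-curve artifact)")
    return pt[0]

def dual_ec_outputs(seed, P, Q, n):
    """NIST-style step: s = x(s*P), then emit r = x(s*Q) (no truncation here)."""
    s, out = seed, []
    for _ in range(n):
        s = x_of(ec_mul(s, P))
        out.append(x_of(ec_mul(s, Q)))
    return out

def lift_x(x):
    """Any point with this x; +-R give the same x(e*R), so either root works."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return next((x, y) for y in range(P_MOD) if y * y % P_MOD == rhs)

def predict_next(output, e, Q):
    """With the trapdoor e (P = e*Q): s_{i+1} = x(e*R_i) where R_i = s_i*Q."""
    s_next = x_of(ec_mul(e, lift_x(output)))
    return s_next, x_of(ec_mul(s_next, Q))

Q, E_TRAPDOOR = (5, 1), 3          # generator and a constructed secret e
P = ec_mul(E_TRAPDOOR, Q)          # published constant that hides e
```

Running `dual_ec_outputs(5, P, Q, 4)` yields `[10, 0, 16, 9]`, and `predict_next(10, E_TRAPDOOR, Q)` returns `(7, 0)`: the true next state and the next output, recovered from one observed value. Without e, the same prediction requires solving a discrete logarithm.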
“My recommendation, if you’re in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances,” Schneier wrote.
Regardless, RSA continued to implement the flawed encryption as a default for its products. The company's customers were finally alerted in 2013 and told to use a different key generator. "To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual_EC_DRBG," RSA said.
Unfortunately, any flaw in encryption software not only creates a backdoor that can be accessed by U.S. intelligence agencies but also by anyone with hardware sophisticated enough to crack the weakened encryption. In September, Ars Technica reported that McAfee Security was using Dual_EC_DRBG encryption in some of its products. Ironically, McAfee said its firewall software was only using the flawed encryption "in federal government or government contractor customer environments."
The NSA has faced intense scrutiny for eroding confidence in both technology manufactured within the U.S. and industry standards, such as those approved by NIST. Documents provided by Snowden have revealed a systematic effort by the NSA to undermine the effectiveness of encryption featured in consumer products, not only by developing new code-breaking technology but through direct collaboration with U.S. companies.
Before the 2013 publication of Snowden’s top-secret documents began, only those with knowledge of a highly classified NSA program code-named Bullrun were privy to the details of the agency’s decryption efforts. According to ProPublica, top analysts from the NSA’s counterparts in Britain, Canada, Australia, and New Zealand—collectively known as the Five Eyes—were also granted access to the secretive program.
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.