General security

NSA Surveillance Is Changing Users’ Internet Experience

September 12, 2013 by Pierluigi Paganini


Edward Snowden is the former technical assistant for the U.S. Intelligence whose revelations on U.S. surveillance programs have changed the way Internet users live their online experience more than any other event. The PRISM disclosure has revealed to the world how NSA and other intelligence agencies spy on Internet users and monitor every communication on every carrier. The highly secret documents leaked are proof of the huge investment made by the U.S. government to support surveillance programs with the collaboration of the principal security firms. The news is disturbing and has shocked public opinion; Internet users know of the presence of the Big Brother, an entity that doesn’t limit its activities to surveillance, but that in many cases has operated in an invasive way to gather information from unaware private businesses, foreign agencies, and private citizens.

But U.S. intelligence has done much more: According to the latest revelations on the Bullrun program, it put pressure on principal IT vendors to insert backdoors or to disclose encryption keys for their products to allow the monitoring of users’ data.

This post will try to analyze the repercussions on the user’s side of Snowden case. How is it changing Internet users’ habits? Which are the countermeasure adopted and which are the correlated phenomena observed by principal security firms?

Surveillance and Anonymizing Networks

Snowden’s revelations changed the average user’s perception of security and privacy. Not only dissidents and opposites are tracked by authoritarian regimes; the democratic America spies on its citizens as on foreign users. The situation is becoming even more complicated for U.S. government; it has passed the stage of embarrassment. Now U.S. intelligence has to elude an aware audience that knows about its methods and is increasing the adoption of countermeasures. The first phenomenon observed just after the diffusion of documents on PRISM was the increase in the number of users for anonymizing networks, most of all the Tor networks. The use of the Tor network is considered a must today to preserve a user’s anonymity and to avoid government surveillance, the variation in the number of daily Tor users could provide interesting information to intelligence; a sudden reduction in such users could be a sign of intensifying censorship of a particular nation and an increase is also interpreted as a response to the monitoring carried out by a government in a country free from constraints.

Tor metrics provide all the necessary instruments and data to perform a first analysis, evaluating how an event such the disclosure of the U.S. surveillance programs has influenced user’s online habits. Looking at the following graph, showing the daily directly connecting users since March 1, 2013, it is possible to see that the number of users has more than tripled on the global scale.

Figure 1 – Daily directly connecting users

Comparing the above results with number of users who cannot connect directly to the Tor network and access via bridges, which are non-public relays, it emerges that the global increments apply mainly to the portion of the audience with limited restrictions on access to the Tor. As confirmed by data related to single nations, the significant increase is observable for those countries where there is no censorship. I decided to propose, for example, the statistics related to the countries that The Guardian indicated as the “Eyes’ group,” five governments that most of all have collaborated on sharing information on their populations and methods of surveillance. These countries are the U.S., the U.K., New Zealand, Australia, and Canada.

Figure 2 – U.S. Daily directly connecting users

Figure 3 – UK Daily directly connecting users

Figure 4 – NZ Daily directly connecting users

Figure 5 – Canada Daily directly connecting users

Figure 6 – Australia Daily directly connecting users

The graphs show the same trend almost in every country, but there are some consideration that must be raised:

  • Is the spike in Tor traffic a consequence exclusively of Snowden’s revelations?
  • What is the role of non-human generated traffic in this increase?
  • Is it possible that someone is abusing the Tor network for research purposes?
  • Is Tor really secure?

The Internet population is increasingly aware of the anonymous online Tor network and are exploring its use to avoid the surveillance activities of their governments. The exponential growth has been registered on Aug. 20, just a couple of days after David Miranda, The Guardian journalist and blogger Glenn Greenwald’s partner, was detained by UK law enforcement at Heathrow Airport for around nine hours. Is it enough to motivate a similar escalation for Tor usage?

PRISM and Traffic Spike in Tor Networks

Let’s try to answer the first two questions on the real origin of traffic that caused the spike in the Tor network. As seen before, after the disclosure of the PRISM surveillance program, an anomalous increase was observed on a global scale in the number of users directly accessing Tor. Various hypotheses have been proposed by researchers; the most plausible is that a meaningful contribution is given by non-human generated traffic.

The spike was registered starting on August 19, 2013, when an impressive growth in the number of Tor users was noticed. Security researchers at the Fox-IT firm discovered a botnet based on the Mevade malware family that hides its C&C in the anonymizing network.

The botnet is the most likely cause of the suspicious traffic.

Figure 7 – Mevade bot code (Fox-IT)

“The malware uses command and control connectivity via Tor .onion links using HTTP. While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based). Typically, it is fairly clear what the purpose of malware is, such as banking, clickfraud, ransomware or fake anti-virus malware. In this case however it is a bit more difficult. It is possible that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale,” states the Fox-IT blog post.

The malware authors consider the use of Tor network very efficient for the following reasons:

  • The botnet traffic is encrypted, which helps prevent detection by network monitors.
  • By running as a hidden service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since hidden services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers.
  • Hidden services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing.
  • The operator can easily move around the C&C servers just by re-using the generated private key for the hidden service.

The use of the Tor network to hide command infrastructure for a botnet is not a new concept. In September the German security firm G Data Software detected a botnet, dubbed Skynet, controlled from an Internet relay chat (IRC) server running as a hidden service of the Tor.

The Mevade malware family is linked to the malicious code “Sefnit,” dated 2009, that included Tor connectivity to implement a backup mechanism for its C&C communications with a dedicated module. The Mevade malware was downloading a Tor module in the last weeks of August and early September.

Authors of the Mevade Tor variant appear to use the Russian language. One of them is known as “Scorpion” and, with his colleague having the nickname “Dekadent,” is probably part of an organized cyber gang. The monetization schema implemented by cybercriminals is not known for sure; probably their primary intent is install adware and toolbars onto victims’ systems.

TrendMicro experts revealed that the variant of Mevade identified has also a “backdoor component and communicates over SSH to remote hosts” that make its use privileged for data theft.

Members of the Tor Project began an investigation into the spike in usage and confirmed that millions of new Tor clients were part of a Mevade botnet, as they have explained in a blog post:

“The fact is, with a growth curve like this one, there’s basically no way that there’s a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them … It doesn’t look like the new clients are using the Tor network to send traffic to external destinations (like websites). Early indications are that they’re accessing hidden services — fast relays see ‘Received an ESTABLISH_RENDEZVOUS request’ many times a second in their info-level logs, but fast exit relays don’t report a significant growth in exit traffic. One plausible explanation (assuming it is indeed a botnet) is that it’s running its command and Control (C&C) point as a hidden service.”

Tor officials are urging Tor users to upgrade to the newest version of Tor client that includes a new handshake feature that Tor relays prioritize over the older handshake. The upgrade will give legitimate new clients an advantage over those who use the older version exploited by the actual instance of Mevade malware.

The spike in Tor user numbers is not attributable only to an event related to disclosure of surveillance PRISM and the desire to escape to government surveillance. The events for sure have contributed to the diffusion of Tor platform to protect user’s anonymity, but they could not be absolutely responsible for the sudden surge observed.

Another fascinating thesis proposed on different forums where the botnet capabilities have been discussed is that the botnet could in reality be linked to the revelations about surveillance programs and that its authors are actually members of a group of hackivists that misuse the malicious architecture to make all the bots run as Tor relays’ exit nodes necessary to increase the capabilities of Tor network itself.

Tor Networks, the Role of Security Research

Snowden has revealed to the worldwide community the obsessive interest of their governments in surveillance activities, but he also remarked that the web is still able to preserve user’s anonymity under specific conditions. Encryption and anonymizing networks are primary tools to protect anonymity from prying eyes and governments are working hard to reduce the dark area of the Internet, where they are not able to monitor the users.

The Tor network was considered, with I2P, as a most useful anonymizing network. For this reason, the exploitation of users’ identities on these platforms is the subject of intense research for security experts all over the world. Anonymity on the Tor network is the primary reason for its use: Hacktivists, whistle blowers, hackers, and cybercriminals are enticed by the possibility to be not traceable.

I was a member of a team of researchers that evaluated this opportunity in one of the first OSINT experiments based on Tor networks; the project was codenamed Artemis and I published some of the results a few months ago.

Recently a group of researchers led by Aaron Johnson of the Naval Research Laboratory published the paper, “Traffic Correlation Attacks against Tor Anonymity.”

The study of the team isn’t an isolated case, many other researchers are working on the same topic for the same purpose, they all are trying to find a flaw that allows the revelation of user’s identity; some experts have addressed the software components used to access the networks (e.g., browsers, plugin), while others are searching for vulnerability in the routing protocol or in the encryption implemented.

A. Johnson’s group at Georgetown University and the U.S. Naval Research Laboratory (USNRL) published a study, titled “Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries,that dismantles the certainty of anonymity on Tor network, demonstrating that it is possible to identify Tor users. The researchers presented their POC on anonymity on the Tor network and the capability to track Tor users in November 2012 during the Conference on Computer and Communications Security (CCS) in Berlin.

The experts detailed the known traffic correlation attack method against onion routing that is based on the concept that a persistent adversary can monitor a user’s traffic as it enters and leaves the Tor network, revealing user’s identity.

“… correlating that traffic using traffic analysis links the observed sender and receiver of the communication. Øverlier and Syverson first demonstrated the practicality of the attack in the context of discovering Tor Hidden Servers. Laterwork by Murdoch and Danezis show that traffic correlation attacks can be done quite efficiently against Tor.”

“To quantify the anonymity offered by Tor, we examine path compromise rates and how quickly extended use of the anonymity network results in compromised paths … Tor users are far more susceptible to compromise than indicated by prior work … We create an empirical model of Tor congestion, identify novel attack vectors, and show that it too is more vulnerable than previously indicated.” the paper states. The group of researchers developed for the POC a TorPS simulator used to analyze the traffic correlation in the live TOR network; it simulates path selection in Tor demonstrating that, under specific conditions, it is possible to identify a Tor user with 95 percent certainty. Johnson’s team assumes that an adversary has access either to Internet exchange ports, or controls a number of autonomous systems; such an adversary could reveal our identity. Fortunately, those capabilities are not easy to gain for a trivial hacker but a state-sponsored hacker or law enforcement can do it with complicity of an ISP. The results confirm that the Tor routing model is exposed to greater risks from traffic correlation than previous studies suggested. An adversary that provides no more bandwidth than some volunteers do today is able to deanonymize any given user within three months of regular Tor use with over 50% probability and within six months with over 80%probability. Current Tor users should carefully consider it. The majority of research activities involves distributed bots constantly monitoring Tor traffic; one of the side effects is that the global population of Tor users increase also, thanks to the contribution of these activities.

Is Tor Really Secure?

Tor, if properly used, is one of the most secure channels to transfer/hide user’s data, but it must be considered that governments are actively working to try to track users also within the Tor network; they are working on techniques to expose the user’s identity once inside the anonymizing network. Recently we read about the possible exploit of a vulnerability within the Firefox browser commonly used to surf within the Tor network, but many other researchers are working on the topic; tracking Tor users is the next challenge and probably someone has already been able to do it. Governments can also count on the support of the ISPs (internet service providers) that are already able to detect Tor usage on their networks. Another couple of data points could be interesting to evaluate the repercussions of PRISM case on the Tor network:

  • The number of relays is growing steadily.
  • Terms related to the PRISM case and to Snowden are still unpopular in the deep web; I found the data using the dashboard designed for the Artemis Project.
  • The Tor project has the U.S. government among its principal financial sponsors. It is known that the project was created by DoD, but why fund it today if the alleged anonymity of its networks could be a source of problems? Is it philanthropy or has the Bullrun project (which we will analyze in the next paragraph) also produced its effects on the Tor network?

Figure 8 – Relays and bridges in the Tor netwok

Data Encryption

Data encryption until now has represented the unique certainty for the protection of data; the complexity of the algorithm used and a sufficient length of the keys are necessary to protect information from espionage and monitoring activities.

The last wave of Snowden’s revelations on the U.S. surveillance program may have the effects of a disaster in the IT world. U.S. intelligence could in fact have access to all encrypted data circulating on the Internet and the ability to decipher any secure communication.

Bullrun is the name of latest surveillance program disclosed by Snowden, the New York Times and The Guardian newspapers, and the journalism non-profit ProPublica, which revealed details of the new super-secret program supported by the NSA to have the possibility of bypassing encryption adopted worldwide by corporations, governments, and institutions.

In reality the Bullrun program is considered the second attempt of U.S. government after the failure to place a backdoor, the so-called Clipper chip, into encryption units that would have allowed it to eavesdrop on communications. The NSA is not able to crack encryption algorithms; according to the whistle blower Snowden, NSA bypasses encryption and is targeting end point of communications:

“Properly implemented strong crypto systems are one of the few things that you can rely on,” Snowden said to The Guardian.

The intelligence agency has induced vendors and manufactures to include backdoors in their products or to disclose related encryption keys to allow the access data. This is the core of the Bullrun program; an event even more shocking is that NSA has worked to undermine the security of those standards.

Figure 9 – classification guide to the NSA’s Bullrun decryption program

The repercussions are critical because the diffusion of the defective encryption standard has exposed the same data accessed by the NSA to the concrete risk of data theft by third-party actors such as foreign state-sponsored hackers and cyber criminals.

In 1976 the NSA provided important contributions to a new encryption standard, DES, and many experts speculated for years on the possible presence of a backdoor in the algorithm. The NSA apparently improved DES, but one of the debated modifications was the reduction of the key size from 64 bit to 56 bit. According to many conspiracies the U.S. intelligence at that time had enough computing capability to crack DES.

“The encryption technologies that the NSA has exploited to enable its secret dragnet surveillance are the same technologies that protect our most sensitive information, including medical records, financial transactions, and commercial secrets … Even as the NSA demands more powers to invade our privacy in the name of cybersecurity, it is making the Internet less secure and exposing us to criminal hacking, foreign espionage, and unlawful surveillance. The NSA’s efforts to secretly defeat encryption are recklessly shortsighted and will further erode not only the United States’ reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.” commented Christopher Soghoian, principal technologist of the ACLU’s Speech, Privacy and Technology Project.

NSA and other agencies siphoned data from land and undersea cables. Just after the revelations on the PRISM program, the intelligence started a misinformation campaign claiming that U.S. authorities were working to find the way to crack encrypted traffic. In reality, the agency has no reason to do it and the Bullrun program is the proof. Misinformation has been used for diversionary purpose and to influence global sentiment in order to keep the lights of the media far from the dirty collusions of governments and private companies.

“None of methods used to access to encryption keys involve cracking the algorithms and the math underlying the encryption, but rely upon circumventing and otherwise undermining encryption.”

The newspapers claim that NSA maintains an internal database, dubbed “key provisioning service,” of encryption keys for each commercial product. Using the key provisioning service, the NSA is able to automatically decode communications and gain access to encrypted data. Every time the agency needs a key for a new product it formalizes a request to obtain it; the request is from the so-called “key recovery service.”

Other news outlets reported that, in one instance, the U.S. government learned that a foreign intelligence service had ordered new computer hardware and, after pressure from NSA, the U.S. vendor agreed to insert a backdoor into the product before it was deployed.

Keys are provided by vendors or obtained by the intelligence with a hacking campaign against infrastructures of product providers.

“How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored … To keep such methods secret, the NSA shares decrypted messages with other agencies only if the keys could have been acquired through legal means,” states The New York Times.

The most disturbing revelation involves the NSA’s efforts to deliberately weaken international encryption standards that developers use to make their encryption secure. According to a classified NSA memo obtained by The New York Times, the fatal weakness discovered by two Microsoft cryptographers in 2007 in a 2006 standard was intentionally engineered by the NSA.

“Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on … If the backdoor is discovered, it’s explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program,” said cryptographer Bruce Schneier.

“Some of the methods involved the deployment of custom-built supercomputers to break codes in addition to collaborating with technology companies at home and abroad to include backdoors in their products. The Snowden documents don’t identify the companies that participated.”

The Bullrun program, according to the documents, “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” By this year, the Times reports, the program had found ways “inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert backdoors or by surreptitiously exploiting existing security flaws.”

We are therefore assuming that the U.S. government has deliberately prompted developers to enter bugs in software solutions sold worldwide; the knowledge of those flaws could be sold in the black market of zero-day vulnerabilities. At that point, probably the same U.S. intelligence would offer big bucks to buy back the zero-day to cover traces of its shocking activities.

A different current of thought claims that the NSA in reality has advanced cryptanalytic capacity; back in the 1970s, the NSA knew a cryptanalytic technique called “differential cryptanalysis” that allowed it to break numerous algorithms considered secure.

Snowden’s revelation on the black budget summary said that nearly 35,000 people and $11 billion annually are part of the Department of Defense-wide Consolidated Cryptologic Program and $440 million is reserved to “Research and Technology.”

This is considered the biggest expense on the cryptography research of the planet, demonstrating the high interest of the U.S. in breaking most used encryption protocols.

What about Tor Crypto keys?

The idea that NSA could be able to access encrypted data also put at serious risk the efficiency of an anonymizing network such as Tor. Rob Graham, CEO of the penetration testing firm Errata Security, asserted that running a “hostile” exit node on Tor in it’s possible to analyze incoming connections, during his study he noted that 76% of the 22,920 connections adopted the Diffie-Hellman algorithm.

“The problem with Tor is that it still uses these 1024-bit keys for much of its crypto, particularly because most people are still using older versions of the software. “

According to official Tor statistics, only 10% of Tor servers are using version 2.4 of the software, the release that implements elliptic curve Diffie-Hellman crypto, which is considered most difficult to crack.

While no one knows for sure exactly what the NSA is capable of cracking, educated speculation has long made a case that the keys Graham observed are within reach of the U.S. spy agency.

“Everyone seems to agree that, if anything, the NSA can break 1024 RSA/DH keys … Assuming no ‘breakthroughs,’ the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they’ve got fairly public deals with IBM foundries to build chips … Of course, this is just guessing about the NSA’s capabilities … As it turns out, the newer elliptical keys may turn out to be relatively easier to crack than people thought, meaning that older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I’d assume that it’s that, rather than curves, [it’s 1024 RSA/DH] that the NSA is best at cracking,” Graham wrote in a blog post recently published.

In this case, we can speculate that Snowden’s revelation could have a serious impact also on the use of anonymizing networks; conscious consumers are definitely encouraged to upgrade their Tor client, but we cannot ignore the fact that Big Brother is increasing its capabilities day after day.

Snowden Leaks and PGP Use

The disclosure of documents on U.S. surveillance programs created great concerns within the Internet community. The fear of being spied on has profoundly changed the habits of many users and influenced the policies of various enterprises. The mainstream concern about the loss of privacy has sustained a rapid growth of privacy-friendly software such as data encryption applications to securely send emails.

OpenPGP (Pretty Good Privacy) has seen the daily creation of unique keys nearly triple since June, just after Snowden’s leaks first became public. In PGP, encryption is based on keys tracked and shared through keyservers.

Kristian Fiskerstrand’s provide statistics related to over 80 key servers around the world; his data demonstrated the rapid growth of new PGP key generation, revealing a trend that has gone from 500 to 1,500 and 1,600 new keys added every day.

Figure 10 – New PGP keys created (Kristian Fiskerstrand’s data)

Figure 11 – New PGP keys created

The above images indicate a meaningful increase in adopting PGP encryption across the board, showing that Internet users are becoming aware of security issues. Snowden’s revelations have shaken the IT sector and the privacy revolution is just beginning; it is becoming even simpler to read about platforms such as Tor or I2P. The popular Kim Dotcom’s Mega announced the creation of an encrypted email system, following the official announcement:

“We’re going to extend this to secure email which is fully encrypted so that you won’t have to worry that a government or Internet service provider will be looking at your email.”

For each service that is being born, another has been deleted. Silent Circle preemptively shut down encrypted email service to prevent the NSA spying. The Silent Circle blog posts explains:

“We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now.” It’s especially damning, considering that Silent Circle’s co-founder and president is Phil Zimmermann, the inventor of the widely-used email encryption program Pretty Good Privacy.

Silent Circle reportedly had revenue increase 400% month-over-month in July after the surveillance program disclosure. Corporate enterprise customers switched to Silent Circle services to preserve their business and prevent surveillance and cyber espionage. The company declared to Forbes that it is increasing revenue this year in part due to the disclosure NSA operations.

NSA Mobile Devices

Obviously there are some revelations concerning the observation of mobile devices. The German news agency Der Spiegel reported the latest act of U.S. surveillance: The NSA is able to access data stored in a wide range of mobile devices, including Android, iPhone, and BlackBerry.

According to the popular media agency, U.S. intelligence is spending a great effort on mobile cracking. It is able to access the data stored on Smartphone and tablets. The NSA has created highly specialized divisions for mobile hacking; the units are able to access the list of calls, SMS traffic, user’s contacts, notes, and GPS data. In reality, U.S. intelligence had been already able to access to SMS messages: A document of the agency dated 2009 remarked that the NSA agents can “see and read SMS traffic.”

The German news agency confirmed that the NSA’s capability to access data on mobile devices is not considerable as a mass surveillance operation, but it is exploited by U.S. intelligence to spy on specific individuals and was done secretly without the support of manufacturing and Smartphone vendors.

The last group of Snowden’s documents leaked confirmed to the most skeptical users that nothing is secure, not even their mobiles.


Snowden’s case has definitively changed Internet users’ perception of security and privacy: The repercussions on the global security market are enormous, the level of trust in government institutions and major IT companies has collapsed. Customers have put their trust in the wrong companies; too often they have been deceived by false myths and new paradigms designed to facilitate the surveillance operated by intelligence agencies.

On the Internet, the number of websites that propose free and open privacy-friendly software is increasing. in just an example of network reaction. The Bullrun program is the latest revelation on a nefarious policy conducted by one of the major security agencies, ironically because its willingness to supervise each and every datum of the largest Internet has made it unsafe. Chasing the concept of security, NSA has actually opened loopholes in the global information systems that could have benefited powers such as China or terrorist groups.

If surveillance activities are necessary for security reason, their abuse could have serious repercussions on security. The unique certainties are that the surveillance program will continue and the expense of monitoring activities will continue to increase. On the market side, the decrease of trust in U.S. security vendors could advantage other entities. The equilibrium is jeopardized when trust is broken and open source software will reach a new peak of popularity while waiting for the next incident.

The IT world will never be the same!


Posted: September 12, 2013
Pierluigi Paganini
View Profile

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.