The National Security Agency has broken into the highly secure data centers where Google and Yahoo store vast troves of data on their users by hacking an unencrypted weak point in the data pipeline linking the enormous centers, according to a new story at The Washington Post.
The massive servers run by the leading Internet companies are carefully guarded and strictly audited; according to Google, buildings housing its servers are guarded 24/7 and secured with heat-sensitive cameras, biometric verification, and more.
These servers hold terabytes of confidential data on users, including the emails they send, their video chats, banking information and so on -- all the private data one would hope to be kept under lock and key. But the links between the servers that are scattered across the globe are less secure. And by tapping into those links, the NSA can collect information at will from hundreds of millions of user accounts -- not just from foreign citizens but emails, videos and audio from American citizens.
“The numbers are staggering. 180 million records in 30 days? This is not a small program by any means,” Michael Sutton, vice president of security research for Internet security firm Zscaler, told FoxNews.com.
Indeed, according to documents obtained by the Post, a Feb. 28, 2013 memo from analysts working on the operation reveals numerous complaints that the program was harvesting too much data, much of it with “low intelligence value.”
That’s because it’s not just “metadata” but pure information straight from the Internet giants.
“They’re tapping into the fiber optic cable,” Sutton said. “This is raw stuff in proprietary data format, so they had to have a system in place to translate that to human readable format.”
“Obviously, this was not turned on last week,” he said.
It’s called Operation MUSCULAR, and it’s the latest way the NSA has sought to tap into Internet communications. MUSCULAR relies on an unnamed telecommunications provider outside of the U.S. that offers secret access to a cable or switch through which Google and Yahoo pass unencrypted traffic between their servers, the Post reported. It's a clear weakness in Google’s digital armor.
Google said it was aware of the chink, though the company was unaware that the government had exploited it so thoroughly.
"We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide," Google's chief legal officer David Drummond told FoxNews.com. "We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."
Yahoo expressed a similar sentiment, telling FoxNews.com that “we have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”
In September, Google announced that it would start encrypting the data it was passing between data centers, an effort to prevent exactly the type of snooping that the NSA has been engaged in.
“It’s an arms race,” said Eric Grosse, vice president for security engineering at Google, based in Mountain View, Calif., in comments to the Post at the time. “We see these government agencies as among the most skilled players in this game.”
But fixing the hole is no simple task. Sutton said the company would need to add SSL acceleration cards -- specialized hardware components that offload the work of encoding and decoding information into SSL, which at one time was merely for secure transactions between browser and server and now is used end-to-end in much Internet communication.
“Authorization used to be just at log in,” Sutton told FoxNews.com. “As privacy has become an increasing concern, we’ve seen the web go to SSL for everything.”
Adding such cards to the data centers would be costly, but is clearly underway.
“It would not be a trivial effort, but when the chairman is commenting on it, it’s clearly a high profile project,” he said.