A Simple Guide to GCHQ's Hacking Powers

Uploaded on 2015-03-30 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, GOVERNMENT-National, FREE TO VIEW


We now know a lot more about GCHQ's hacking operations and the details haven't come from Edward Snowden. New documents released by the government and privacy advocates have given us the first official glimpse of how GCHQ operates, with its hacking and encryption weakening operations confirmed for the first time.

The details come from three new documents:

1. The Intelligence and Security Committee's (ISC) Report into the UK's security services.

2. The government's open response to the ISC report.

3. Documents from secret court proceedings released by Privacy International.

But what does all this new information mean? Below we answer the key questions beginning with what hacking powers does GCHQ have?

The spy agency has the power to hack into phones, computers and communications networks and is legally justified to hack anyone, according to privacy experts. GCHQ can also hack anyone, anywhere in the world, even if they are not suspected of any crime. Court documents released by Privacy International show GCHQ can carry out hacking on "individuals who are not intelligence targets in their own right". The privacy charity, which has launched legal action against the UK government and GCHQ, claims this allows GCHQ to hack people who are not targets.

The ISC report also shows for the first time that GCHQ uses security vulnerabilities, including zero-days, which use previously unknown weaknesses to attack software, for its operations. And what does GCHQ have to say about this? The spy agency says Privacy International's claims that its operations are unregulated are "simply untrue". 

A spokesperson for the spy agency said its operations were subject to "rigorous oversight", adding that its "operational processes rigorously support this position". GCHQ was unable to respond to individual issues raised due to its policy of not commenting on intelligence matters.
The agency's Edgehill decryption program, revealed in documents released by Edward Snowden, revealed ambitions to crack encryption used by 15 major Internet companies and 300 virtual private networks (VPNs) by 2015. Cryptography experts have warned that such operations risked weakening online security for everyone.
 
Wired:

« Anonymous vs ISIS: the ongoing skirmishes of #OpISIS
Threat Lessons from Sony and Anthem »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Libraesva

Libraesva

Libraesva secures email communications for organisations, helping them eliminate email borne threats, preserve email data and provide an environment for their people to communicate safely.

CertiKit

CertiKit

CertiKit produce toolkit products that accelerate the adoption of ISO/IEC standards, including ISO 27001, helping organizations all over the world to realize the benefits as soon as possible.

IoT Security Foundation (IoTSF)

IoT Security Foundation (IoTSF)

IoTSF is a collaborative, non-profit organisation with a mission to raise the quality and drive pervasive security in the Internet of Things.

CERT Bulgaria (CERT.BG)

CERT Bulgaria (CERT.BG)

CERT Bulfaria is the National Computer Security Incidents Response Team for Bulgaria.

MD5

MD5

MD5 is a leading UK provider of Digital Forensic & eDiscovery services to large multi-national corporate businesses, Law Enforcement & Government Agencies, high profile legal firms.

Independent Security Evaluators (ISE)

Independent Security Evaluators (ISE)

ISE is an independent security consulting firm headquartered in Baltimore, Maryland dedicated to securing high value assets for global enterprises and performing groundbreaking security research.

CloudAlly

CloudAlly

CloudAlly provides online cloud to cloud backup and recovery solutions, which backs up daily changes in your SaaS to unlimited Amazon S3 storage and makes it available for restore or export.

Fiserv

Fiserv

Fiserv offers a wide array of Risk & Compliance solutions to help you prevent losses from fraud and ensure adherence to regulatory and compliance mandates.

Dasera

Dasera

Dasera’s Radar and Interceptor products deliver visibility, governance, and protection solutions for data-agile companies.

ADVA Optical Networking

ADVA Optical Networking

ADVA is a company founded on innovation and focused on helping our customers succeed. Our technology forms the building blocks of a shared digital future and empowers networks across the globe.

Endure Secure

Endure Secure

Endure Secure is a managed cyber security & information security consultancy. Our passion for IS and our understanding of the threat landscape is reflected in the services that we provide.

Applied Connective Technologies

Applied Connective Technologies

Applied Connective is one team for all your technology needs, from IT to phones, cyber security to physical security, audio/video and the infrastructure to support it.

Kahootz

Kahootz

Kahootz is a highly secure cloud collaboration platform helping teams to work together across organisations.

TriVigil

TriVigil

TriVigil offer a full-service, comprehensive cybersecurity approach specifically tailored to meet the unique needs of educational institutions.

Stratsec

Stratsec

Stratsec is a global team of experts on a mission to protect human life, well-being and the environment against cyber-driven threats.

BreachRx

BreachRx

BreachRx is the first intelligent incident response management platform that provides operational resilience for the entire enterprise.