The US National Security Agency (NSA) attacks on virtual private networks (VPNs) and the encryption protocols used by chat services such as Skype do not spell the end of online privacy, according to security experts.
News that the NSA's specialist Office of Target Pursuit maintains a team of engineers dedicated to cracking the encrypted traffic of VPNs broke in German newspaper Der Spiegel at the end of December.
The report showed a slide from a 2010 NSA presentation proving that the agency has developed exploits for many of the most commonly used VPN encryption techniques.
These include Secure Shell, Internet Protocol Security (IPSec), and Secure Sockets Layer.
VPNs are secure lines of communication that set up a private network between devices across public networks. They work by setting up an encrypted tunnel between any smartphone or tablet and the provider's VPN servers.
Theoretically, data is protected and encrypted when in the tunnel, ensuring that it cannot be siphoned off or stolen while in transit unless the attacker has the encryption keys used during the process.
VPNs were previously thought to be a key way for people and businesses to protect data from intelligence agencies and cyber criminals.
PRISM whistleblower Edward Snowden listed encryption as a key way for people to protect themselves from the NSA during a video discussion at the SXSW conference in March 2014.
Companies such as Google, Microsoft, Yahoo and Facebook also view encryption and VPNs as a way to protect customers, and have worked to encrypt data passing through their systems since the PRISM scandal broke.
However, Benjamin Ali, a dark web specialist at security firm Centient, noted that the Der Spiegel report does not spell disaster for digital privacy as many newer encryption technologies are not listed as vulnerable.
"From the report it would appear that not all VPNs are vulnerable to this attack, which seems to apply to PPTP/IPsec and not OpenVPN," he told V3.
"OpenVPN uses the AES encryption standard which, according to this article, has not been broken. However, as this report is from a while back, this might not be the case now."
Ali added that robust encryption key management could still protect most users and that the problem will not affect most businesses.
"This attack requires finding out the pre-shared key, therefore changing this key regularly could protect the data being sent," he said.
"One way to do this is to use 'ephemeral' keys. These are keys that are generated randomly and used only for a certain amount of time, after which they are discarded and securely erased.
"[Additionally] these 'attacks' are focused. A business would need to draw attention or do something that would warrant the NSA targeting them."
David Emm, principal security researcher at Kaspersky Lab, mirrored Ali's sentiments, arguing that businesses have more pressing concerns to address.
"I think it's important to consider this within the wider context of business security. Businesses need to secure their systems and data from a wide range of potential attackers," he told V3.
"In response, companies need a defence-in-depth strategy that includes anti-malware protection, intrusion detection, distributed denial of service prevention, encryption, VPN and the development of a 'security mindset' within company staff."
Emm added that, despite his assurances, the NSA revelations should still act as a catalyst for change in companies' data handling practices.
"Not all forms of data are equal, and not all data requires the same level of protection," he said. "It's important that a business segments its data in the same way that it segments its network."
Ali agreed, suggesting that the news should act as a reminder for businesses not to entrust corporate data to consumer services such as Skype.
"There are plenty of alternatives [to Skype] that can be used for the same purposes that can provide secure messaging," he said.
"An example of this is messaging services that use OTR chat encryption which, according to the slides, have been causing the NSA problems."
Emm and Ali are two of many IT professionals to warn against using consumer services for business.
Representatives from several industries' IT departments listed consumer products in the workplace as a key security concern during a 2014 roundtable discussion hosted by V3.