Critical Crypto Compromise

Each episode we’re going to be talking about information security and technology security issues that matter to business, not just the technologists. The big story this episode is the news that the NSA intentionally weakened encryption standards and products, allowing them … and who else … to get access to what you thought was protected.

The hot news of the past couple of weeks is that the NSA’s attacks against cryptography. It was revealed that the NSA had intentionally weakened cryptography standards developed by the National Institute of Standards and Technology (NIST), which sets official technical requirements used by government agencies, several regulatory requirements and a large number of US-based companies. It was also revealed that the NSA has groundbreaking capabilities to decrypt protected data. Details of these revelations are not clear, but speculation abounds.

On the podcast we touch on many different issues and potential issues.

  • First and foremost, why should businesses care about this issue? The thinking is that if the NSA can break this encryption it might be possible for nation-states or other companies to achieve similar results. This poses problems for protecting intellectual property, trade secrets, business intelligence information, as well as potentially compliance issues.
  • Second, how has the NSA done this? At this point, all we have is speculation. However, we posit four potential ways. 
    • Attacking the math. The NSA has some of the brightest mathematicians out there, working to figure out ways to reduce the effectiveness of other nations’ cryptography. There could have been a groundbreaking discovery in mathematics, rendering encryption much less secure. Or they could have thrown a significant amount of money to develop special supercomputers.
    • Deliberately weaken the standards. The revelations said that this happened. Which standards, and to what degree remains to be seen. It may be that the standards were weakened, but only to make them more susceptible to an attack on the math, as described above.
    • Weaken the implementation. In cryptography it’s often more common that the software implementation of the cryptographic methods is the weakest link. Even some of the best in the business have gotten this wrong in the past. Where cryptographic methods are subjected to intense scrutiny over long periods of time by many people and groups, software is often overseen by a small group of people. A systematic attempt were made to weaken this software, either through organizational pressure or a lone actor, it is highly likely to be successful.
    • Corporate complicity. It’s already been established through prior revelations that the government has convinced several companies to comply with secret court orders and other requests. It could be the case that the NSA simply asked corporations to put back doors or other special techniques in their products to allow the NSA to eavesdrop more easily. This potentially extends to hardware as well as software.

Some other topics touched on during the podcast include:

  • It means that these companies all have access to your data and a way to easily get at it, built to support NSA and FISA court. Business data or whatever.
  • Google recently filed a brief saying that 3rd party emailers (ie. I use and send email to someone whose business email is hosted on Gmail) have no right to privacy. So what does that mean for your business data that is sent to somebody running their email or site on a Google platform? Like GMail for businesses.
  • Skype is owned by Microsoft and is now built into Outlook/Lync. How comfortable do you feel knowing that Microsoft has the capability to intercept, record, store and search all your conversations over Lync?
  • Glenn Greenwald says he has more data than he can reasonably check out. He’s offered to let a couple of people look at it through his Twitter feed. Any listeners want to give it a go? NOTE: Twitter wasn’t on the list of cooperators with the NSA stuff.
  • EFF got released a ton of government NSA surveillance documents which including the secret FISA court things in an EFF lawsuit. (Hundreds of pages of documents)
  • NSA illegally used phone data for three years, FISA court said that there was gross negligence and the NSA had no idea how to even handle the amount of data coming in or put any type of controls in place.
  • “Incredibly, intelligence officials said today that no one at the NSA fully understood how its own surveillance system worked at the time so they could not adequately explain it to the court,” says EFF activist Trevor Timm

Other items:

  • Beau was on the Down the Security Rabbithole podcast on Monday. If you aren’t a regular listener, Rafal Los does a great job of bringing business and security together.
  • Dave was on the Social Engineering podcast last week. This is a good podcast series that explains Social Engineering principles with the help of non-security types, like used car salesmen and professional interrogators.
  • If you’re interested in getting involved in broader security issues such as those raised in our podcast, we would like to invite you to join The Cavalry. This is a group that is forming to address just such issues at many different levels. Join the discussion and help shape and guide the group over at The Cavalry site. To get a better idea of what, how and (most importantly) why, check out the talk Josh Corman and Nicholas Percoco gave at BSidesLV this year.