7/24/2013
10:04 AM

How NSA Data Demands On Microsoft Shape Your Security

Microsoft is legally prevented from saying too much about charges it collaborated with the NSA. Product security gets caught in this complex situation.

Is Microsoft -- and by extension the likes of Google and Yahoo -- being prevented from adding security improvements to its consumer Web services because of U.S. government surveillance demands?

A review of the recent wrangling among Microsoft, the U.S. government and critics of Microsoft's cooperation with government surveillance efforts provides a glimpse into this complex state of affairs.

The Guardian last week accused Microsoft of giving the U.S. National Security Agency backdoor access to Outlook.com encryption and Skype communications to facilitate the NSA's anti-terrorism surveillance programs. To be fair to Microsoft, the NSA can already directly access data from multiple Web services, including Gmail, Hotmail and Yahoo, plus numerous chat and video services, according to documents leaked by NSA contractor Edward Snowden.

The Guardian's story led Microsoft to issue a 1,400-word blog post, titled "Responding to government legal demands for customer data," in which it asserted that "there are significant inaccuracies in the interpretations of leaked government documents reported in the media."

What are those inaccuracies? We don't know. Microsoft says it's legally prohibited from detailing them. It also says it can't say more about the data demands approved by the Foreign Intelligence Surveillance (aka FISA) Court, with which it must comply. "Today we have asked the Attorney General of the United States to personally take action to permit Microsoft and other companies to share publicly more complete information about how we handle national security requests for customer information," wrote Microsoft general counsel Brad Smith last week. "We believe the U.S. Constitution guarantees our freedom to share more information with the public, yet the government is stopping us."

Or as parodied by Belarusian writer and researcher Evgeny Morozov: "To be clear, this statement that our company has written to clarify its relationship with NSA is not meant to make anything clear."

Then again, is it fair to ask Microsoft's PR and legal machines to operate with their hands tied behind their backs? "Microsoft is obligated to comply with the applicable laws that governments around the world -- not just the United States -- pass, and this includes responding to legal demands for customer data," Smith said. "All of us now live in a world in which companies and government agencies are using big data, and it would be a mistake to assume this somehow is confined to the United States."

Despite the gag order preventing Microsoft from fully responding to the criticism leveled against it, Smith claimed that on the Outlook.com front, "we do not provide any government with direct access to emails or instant messages." Furthermore, he said that changes made to Skype in 2012 "were not made to facilitate greater government access to audio, video, messaging or other customer data."

It's not Microsoft's fault that governments want this information. Furthermore, White House and intelligence officials insist (of course) that such data is being collected only in legal ways. But could, and should, Microsoft be taking steps that might raise the bar for intelligence agencies that want to collect intelligence on its users?

For example, the Communications Assistance for Law Enforcement Act (CALEA), while requiring some businesses to let the government wiretap their communications, also says that "a telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

Then again, "a secret order from the FISA Court, which might be among the 'aspects of this debate' that Microsoft finds it's unable to discuss, could provide a new reason why Microsoft doesn't act to better protect Skype users against eavesdropping," said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation (EFF), in a blog post. "If the secret order required Microsoft to turn over Skype users' communications on an ongoing basis, Microsoft might fear that changing the Skype technology in a way that stopped it from complying would violate the order." In other words, the government's demands for data might make it difficult for Microsoft to alter its system, at least in a way that trades enhanced encryption for easy interception.

For example, while Skype offers "end to end" encryption, the EFF says Skype also serves as a certificate authority for users. As a result, anyone with access to Skype's keys could intercept any Skype communications. In other words, "Skype is in a position to give the government sufficient data to perform a man-in-the-middle attack against Skype users," Christopher Soghoian, a principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, argued last year.

"This security limitation has concerned us for a long time," said the EFF's Schoen. "One way of limiting man-in-the-middle attacks would be for Skype to introduce a way for users to do their own encryption key verification, without relying on the Skype service." Such a feature would let users verify that they're not being spied on, and other encryption systems already offer this feature, including PGP and HTTPS. But Skype -- since acquired by Microsoft -- has declined to add such a feature, despite related requests from privacy rights groups.
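An added example, not from the article, the EFF or Skype: a Python sketch of the user-side check Schoen describes, where the fingerprint a contact supplies over a separate channel is compared with the key the service vouches for. The `KeyDirectory` class, the fingerprint format and the key bytes are constructed assumptions and do not model Skype's actual protocol.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """Short, human-comparable fingerprint: first 128 bits of SHA-256, grouped."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class KeyDirectory:
    """Hypothetical service that vouches for user keys (the certificate-authority role)."""

    def __init__(self) -> None:
        self._served = {}

    def register(self, user: str, public_key: bytes) -> None:
        self._served[user] = public_key

    def serve_different_key(self, user: str, other_key: bytes) -> None:
        # Models the service, or anyone holding its keys, vouching for another key.
        self._served[user] = other_key

    def lookup(self, user: str) -> bytes:
        return self._served[user]


def verify_contact(directory: KeyDirectory, user: str, fingerprint_from_owner: str) -> bool:
    """True only if the key the service hands out matches what the owner told us directly."""
    served = fingerprint(directory.lookup(user))
    return hmac.compare_digest(served, fingerprint_from_owner)


def demo():
    # Constructed stand-ins for real public keys.
    alice_key = b"constructed-public-key-bytes-for-alice"
    other_key = b"constructed-public-key-bytes-for-someone-else"

    directory = KeyDirectory()
    directory.register("alice", alice_key)
    told_in_person = fingerprint(alice_key)  # obtained without using the service

    honest = verify_contact(directory, "alice", told_in_person)
    directory.serve_different_key("alice", other_key)
    swapped = verify_contact(directory, "alice", told_in_person)
    return honest, swapped


if __name__ == "__main__":
    print(demo())
```

The check only helps if the fingerprint travels over a channel the service does not control, such as in person or on a printed card.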

The continuing rise in cybercrime, of course, means that everyone's communications need better safeguarding against interception. Intelligence agents aren't the only people who can execute man-in-the-middle attacks against Skype or target Gmail accounts. In the wake of PRISM and every other obscurely named NSA surveillance program under the sun demanding freer access to Web data, is this government-ordered surveillance subverting the information security of widely used consumer services?

That's also a topic Microsoft is legally prevented from addressing. The White House, responding to a suit filed by the ACLU, claimed last week that the NSA's surveillance programs are fully legal. "The alleged metadata program is fully consistent with the Fourth Amendment" prohibition against unreasonable search or seizure, and thus doesn't violate the free speech protections of the First Amendment, assistant U.S. attorney David S. Jones wrote in a Thursday filing to U.S. District Judge William H. Pauley.

Even if Microsoft and the NSA could freely discuss the tradeoffs inherent in the current surveillance programs, there aren't easy answers. Federal judge James G. Carr, who served on the FISA Court from 2002 to 2008, has called on Congress to let the court appoint technologically sophisticated, pro-bono lawyers "with high-level security clearance" to argue against the government's filings and help judges balance surveillance requests with civil liberties concerns. In other words, let the judges tasked with overseeing FISA requests actually understand the full implications of those requests.

Better oversight might also address the open question of whether the NSA's voracious data-interception demands are weakening the information security protections being offered to consumers and businesses.


Comments
esnowden,
User Rank: Apprentice
7/29/2013 | 3:04:58 PM
re: How NSA Data Demands On Microsoft Shape Your Security
Microsoft (and Google and Yahoo and Facebook and etc) are conveniently feigning powerlessness when it comes to these NSA programs. Setting aside 4th amendment issues, these companies' constitutional 1st amendment right to free speech is infringed upon by Section 215 of the Patriot Act. Without revealing the specific orders, they have legal standing to take this to the appropriate, open federal court to challenge the relevant sections of the law. They simply fail, due to incompetence or willful neglect, to defend their rights. Additionally, while section 215 does gag any of these companies from disclosing FISA court orders, it does not prevent them from disclosing information about their software. That is, the Patriot Act does not stop them from hiring an independent firm to audit their software and provide a public report on the security. If they want. Either way, Microsoft et al are partially responsible for their fate in this matter.