Risk
9/12/2013
09:18 AM

NSA Fallout: Encrypt Everything, Enterprises Advised

The NSA may have cracked crypto and added product backdoors, but businesses must focus on internal security practices as well.

The National Security Agency -- and by extension, some foreign intelligence agencies and perhaps even criminal syndicates -- can silently intercept encrypted communications and access off-the-shelf products that were thought to be secure.

In the wake of those NSA Bullrun program revelations -- courtesy of documents leaked by whistleblower Edward Snowden -- businesses are now asking: How should we react?

Here are five related recommendations from information security and cryptography experts:

1. Don't Blame NSA For Poor State Of Business Security

Start by looking inwards. "This is a great time to focus on ourselves," said encryption expert Ivan Ristic, director of engineering at Qualys, via email. "First of all, the mess with security is almost all ours. Yes, the NSA helped a bit by subverting security in any way it could, but it couldn't have done it without us focusing on time to market, performance and profit, rather than on security."

"Thus, if we are to blame anyone, we can only blame ourselves," he said. "We didn't need the NSA to tell us that our security was bad. That was obvious -- if you wanted to hear."

2. Now Encrypt Everything

Information security professionals would do well to use the NSA revelations as a catalyst for improving their own business information security defenses. "Now that everyone is paying attention, it is a great time to start taking security seriously," said Ristic. "What specifically [is there] to do? Encrypt everything. Don't worry about what might be broken; we can fix those things once we learn the facts," he said, referring to as-yet-vague reports about precisely which crypto systems or products the NSA has either weakened or cracked.

Encrypting everything, of course, will take time and money. But consider the alternative: leaving businesses as sitting ducks for any adversary -- looking here beyond the NSA -- that might want to steal their intellectual property.

On that front, when adding more levels of encryption to better secure data in transit and at rest, security experts recommend first identifying what information business competitors or foreign adversaries would be most interested in stealing, then securing that first.

3. Channel Google's Security Moves

In terms of proactive security, businesses might take inspiration from Google, which this week announced that it has accelerated plans to encrypt all traffic flowing between its data centers.

Does that seem excessive? Consider that what Google does today, most businesses emulate at some later date. For example, Google made HTTPS the default for Gmail, and later all of its services, while rival Facebook didn't follow suit until nearly three years later. Likewise, Google added two-step log-in verification for account access back in 2010. But Twitter didn't roll out a similar feature until earlier this year, in the wake of an account takeover onslaught courtesy of the Syrian Electronic Army.

4. Focus On Internal Security, Not NSA

Today, encryption experts are raging over reports that the NSA purposefully subverted strong crypto that businesses and others -- dissidents in autocratic regimes, for example -- have been relying on to keep communications safe. But to date, many businesses haven't been doing what it takes to secure their communications, said David Jevans, CTO of enterprise mobile security firm Marble Security, via email.

"Most email, Web searches, Internet chats and phone calls are not encrypted. The NSA -- or anyone else -- merely needs to scan Internet traffic to read most of it," said Jevans, who's also chairman of the Anti-Phishing Working Group and a member of the Department of Homeland Security ID Theft Technology Consortium.

Qualys' Ristic echoed that assessment. "Why are we still using unencrypted protocols?" he said. "There are gaps at every level: IP, DNS, email, the Web. Only a fraction of the traffic is encrypted. Why are we still developing using tools that are painfully vulnerable to well-understood security issues, such as buffer overflows?"

Even when strong tools are available, not all businesses and technology vendors are using them. Take Transport Layer Security, for example: leaked Bullrun documents revealed that the NSA can defeat it, allowing the agency to decode encrypted HTTPS traffic. But that doesn't mean that the protocol -- and by extension Internet security -- is permanently broken. "It needs to be upgraded more than redesigned," said PGP co-founder Jon Callas, who's CTO of Silent Circle, in a recent interview. "TLS 1.2 is not bad, and if everything were there, we'd be a lot better off," he said.

5. Keep Believing In Strong Crypto

Despite the NSA revelations, and as the above recommendations suggest, the prevailing wisdom continues to be that strong encryption remains effective. "Snowden said that himself. It's the rest of the systems that need careful examination," Callas said.

Security researcher and encryption expert Adam Caudill echoed that assessment. "I still trust strong cryptography," he said via email. "I trust AES-256, I trust ECC with non-NSA curves, I trust RSA with keys that are at least 2048 bits."

Just what is the NSA likely capable of cracking? "I suspect they can factor 1024-bit RSA keys in a fairly short amount of time, and some of the success they noted is based on that," Caudill said. "Actually, I'd be shocked and a bit disappointed if they can't."

Comments
Laurianne,
User Rank: Apprentice
9/12/2013 | 5:57:29 PM
re: NSA Fallout: Encrypt Everything, Enterprises Advised
Re. #3 your points about Google wising up early are interesting. How widely is such traffic encrypted between data centers today? Are many companies there already?
Thomas Claburn,
User Rank: Moderator
9/12/2013 | 8:53:36 PM
re: NSA Fallout: Encrypt Everything, Enterprises Advised
Security experts were saying as much when Heartland Payment Systems was hacked several years ago.
WKash,
User Rank: Apprentice
9/12/2013 | 9:56:06 PM
re: NSA Fallout: Encrypt Everything, Enterprises Advised
An RSA executive I spoke with this week agreed that NSA has the computing power, but also the talent, to break just about any encryption it runs into. But a source who spoke directly with a senior NSA IT official very recently told me that NSA is concerned that it could be entering an arms race with private industry over encryption -- and resource constraints could make it harder for even the NSA to keep up with the private sector.