Risk
9/10/2013
11:52 AM
50%
50%

NSA Fallout: Google Speeds Data Encryption Plans

Google's initiative to encrypt data in its internal data centers will slow -- but not prevent -- sophisticated government hackers from surreptitiously monitoring traffic.

In the wake of leaked documents offering new details about the National Security Agency's surveillance capabilities, Google has accelerated plans to encrypt all traffic flowing between its data centers.

The move isn't aimed at resisting government-ordered requests for information about Google's users, or data that Google stores, with which the company must legally comply. Rather, the initiative is aimed at making it more difficult for government intelligence agencies -- or anyone else -- to surreptitiously eavesdrop on data handled by Google.

"It's an arms race," Eric Grosse, VP for security engineering at Google, told The Washington Post. "We see these government agencies as among the most skilled players in this game."

[ How much do you know about Bullrun, the NSA's decryption program? Read NSA Crypto Revelations: 7 Issues To Watch. ]

According to information security experts, Britain, China, Israel and Russia run highly sophisticated government hacking programs, the Post reported. But theoretically, anyone from foreign governments to criminal syndicates might take an interest in the data being handled by a company such as Google.

Sean Sullivan, security advisor at F-Secure Labs, said via email that Google's encryption plan makes good security sense, given all the different types of information that the company stores. "I think it's a very good idea, considering its Google Docs business," he said.

A Google spokesman, reached by email, declined to comment on the press reports, or on whether the encryption initiative had an internal working name.

Google reportedly began planning to encrypt all traffic between its data centers last year. But the company decided to accelerate the plan in June, after NSA whistle-blower Edward Snowden released details on the NSA's Prism program, which appeared to use APIs installed on servers at Google, Facebook and Microsoft, among other technology giants, that allowed the intelligence agency to intercept and store metadata relating to communications and phone calls.

In the wake of the latest NSA revelations -- specifically, that the agency had worked to build back doors into unnamed commercial products and weaken unnamed encryption systems -- that surfaced Friday, Google has gone public with its end-to-end data center encryption plan. No doubt, that's an attempt by the company to improve its image, after leaked Prism documents detailed a secret U.S. surveillance program that targeted large quantities of data stored by Google. Cloud businesses have said that they stand to lose up to $40 billion as a result of the NSA's monitoring.

Google's Grosse also emphasized that the company has never purposefully weakened its encryption to allow for easier snooping. "This is a just a point of personal honor," Grosse said. "It will not happen here."

To be clear, Google's data center encryption effort wouldn't stop foreign governments or anyone else with the requisite hacking power to intercept and decrypt the traffic flowing between Google's data centers. But as the latest leaked NSA documents have shown, cracking -- or routing around -- strong encryption is a resource-intensive endeavor. Accordingly, Google will be making it difficult for anyone to surreptitiously intercept and retrieve vast quantities of data in one go.

Google's unveiling of its data center traffic encryption initiative comes as Google and Facebook have continued to petition the U.S. Foreign Intelligence Surveillance Court. The latest salvo fired by the technology companies, which want to be allowed to release more details about how they must comply with government-ordered requests for sharing data or accessing systems, came Monday in the form of an amended petition.

"This petition mirrors the requests made to Congress and the President by our industry and civil liberties groups in a letter earlier this year," wrote Richard Salgado, Google's director of law enforcement and information security, and Pablo Chavez, Google's director of public policy and government affairs, Monday in a related blog post. "Namely, that Google be allowed to publish detailed statistics about the types (if any) of national security requests we receive under the Foreign Intelligence Surveillance Act, including Section 702. Given the important public policy issues at stake, we have also asked the court to hold its hearing in open rather than behind closed doors. It's time for more transparency."

Facebook's general counsel, Colin Stretch, said in a blog post Monday that after details of Prism became public, the White House allowed businesses such as Facebook to detail the number of government requests for user data with which they'd been legally required to comply. "It allowed us to make clear that a vanishingly small number of people who use Facebook -- a tiny fraction of 1% -- were the subject of any kind of U.S. government request in the past year," Stretch said.

But since then, any moves toward greater transparency have stalled. "As a result, today we are joining others in the industry in petitioning the Foreign Intelligence Surveillance Court to require the government to permit companies to disclose more information about the volume and types of national security-related orders they receive," Stretch said.

On that front, Google's Salgado and Chavez said they also planned to meet with the President's Group on Intelligence and Communications Technologies on Tuesday. "We'll reiterate the same message there: that the levels of secrecy that have built up around national security requests undermine the basic freedoms that are at the heart of a democratic society."

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
NomanS662
50%
50%
NomanS662,
User Rank: Apprentice
9/10/2013 | 5:12:20 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
What's the point of encryption if they're just going to give the keys to the NSA. Most of the NSA snooping was not as a result of mathematical cracking but rather they simply asked for the keys and collaborated with companies to put in backdoors.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
9/10/2013 | 9:21:18 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
Interesting development: NIST today defended its process for creating encryption standards -- "NIST would not deliberately weaken a cryptographic standard" -- but said it's reopening the public comment period for publications involving specific cryptographic standards.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
9/11/2013 | 1:31:36 AM
re: NSA Fallout: Google Speeds Data Encryption Plans
It's vital for the business community to come across as trustworthy or cloud computing will lose clients with anything serious to protect.
FrankS309
50%
50%
FrankS309,
User Rank: Apprentice
9/11/2013 | 4:46:36 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
I think any self respecting company will be searching for new way to transmit valuable info that isn't subject to NSA access which can be available to any smart NSA employee who could be coerced or bribed for access to anyone's info. Any company proving it is not involved can make mucho pesos
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
9/11/2013 | 6:15:19 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
Looks like it's back to building Private Data Centers and Private Clouds with strong encryption for data that is both on the move and at rest.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.