Vulnerabilities / Threats
9/9/2013
03:41 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Latest NSA Crypto Revelations Could Spur Internet Makeover

Concerns over backdoors and cracked crypto executed by the spy agency is prompting calls for new more secure Internet protocols, IETF will address latest developments at November meeting

Documents taken from the NSA showing that the spy agency has systematically been cracking encryption and establishing a foothold in secure communications technology could provide the strongest impetus yet to spur a long overdue update of the underlying protocols of the Internet.

That the U.S. National Security Agency cracks encryption comes as no surprise -- code-breaking is part of the spy agency's mission -- but reports that the NSA went too far by urging software companies to insert backdoors and weaknesses into their code has raised valid questions over the viability of today's commercial encryption technologies. The latest Snowden document leaks, reported by The New York Times and The Guardian late last week, said the agency has cracked or evaded encryption used in much of the Internet's sensitive communications today, potentially exposing users' encrypted email, online chats, and phone calls.

"I don't find it particularly surprising that their agenda was to crack all the crypto -- that has always been their agenda," says Lawrence Garvin, head geek at SolarWinds. But what's still unclear in the latest Snowden revelations is whether the NSA can successfully crack newer, stronger encryption technology, he says.

The latest developments indicate potentially glaring overreach by the NSA, and security experts in response are calling for efforts to speed up some long-awaited updates to the Internet's underlying TCP/IP protocols.

"This should speed up the [adoption] of new protocols," says Stephen Cobb, security evangelist for ESET. "Ten years down the road, we may look back and say we avoided massive cyberattacks because we took measures to improve our security. Ironically, it was prompted by our own government agency [the NSA]."

Crytpo expert Bruce Schneier in a blog post last week publicly called for a re-engineering of the Internet to thwart spying, urging the use of open protocols that are harder for the NSA to subvert. Schneier said the Internet Engineering Task Force's meeting in November should be "dedicated" to this topic. "This is an emergency, and demands an emergency response," Schneier said.

IETF chair Jari Arkko today confirmed that security, indeed, will be under discussion at the IETF November meeting in Vancouver: "We have obviously been disturbed by the revelations, and continue to do our best to improve the Internet security in view of these and other threats," Arkko says. "We have a policy to employ strong security mechanisms, and we care a lot about having trusted services and protocols in the Internet. We are discussing this topic, and we will discuss it in our next meeting. There may be some technical improvements that are helpful."

Internet security isn't just about technology, however, Arkko says. "Communications security will not help if you do not trust the party that you are communicating with, or the device that you are using," he says.

The IETF already is working on a new version of the Transport Layer Security (TLS) protocol that ratchets up security to prevent eavesdropping and tampering, as well as other efforts to beef up encryption algorithms. Also in the works is mandatory security for HTTP 2.0.

"I believe mandatory security in HTTP 2.0, in particular, if adopted, would be helpful against eavesdropping in some situations," Arkko says. But he cautions that it must be coupled with trust between the communicating parties, he says, or else "complete protection for eavesdropping is difficult to achieve."

[NSA says it only touches about 1% of online communications in the U.S. See NSA Responds To Criticism Over Surveillance Programs .]

At the heart of many of the Internet's security woes is the old "on the Internet, no one knows you're a dog" problem: the ability to remain anonymous or to pose as someone you're not. One key solution would be to authenticate packets, says David Frymier, CISO and vice president at Unisys.

The next-generation IP protocol, IPv6, holds some promise for this, he says. "With IPv6, if you require authentication of packets, a lot of problems ... go away," Frymier says. "A lot of Internet problems are derived from the fact you can do things anonymously and spoof your identity, such as man-in-the middle attacks."

Frymier says the NSA is basically exploiting incorrectly implemented or designed technologies to get to the intelligence it wants. And bad guys can do the same, he says. "I stood in front of a computer that I knew was infected, yet it came up clean even though I could see it beaconing to a server in China," he says. "The fact is bad guys know how to get inside Windows in such a way that you just can't tell they are there."

Look for new encryption software to emerge as well. "I think the latest revelation will energize efforts to improve some of the security and privacy fundamentals" of the Internet protocols, ESET's Cobb says. "I think we will see a lot of growth in ... new encryption software, for example, that could potentially defeat current NSA capabilities."

James Clapper, director of national intelligence, said in a statement yesterday that it's no secret the U.S. intelligence community gathers "information about economic and financial matters, and terrorist financing."

"What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of -- or give intelligence we collect to -- U.S. companies to enhance their international competitiveness or increase their bottom line," Clapper said.

"As we have said previously, the United States collects foreign intelligence -- just as many other governments do -- to enhance the security of our citizens and protect our interests and those of our allies around the world. The intelligence community's efforts to understand economic systems and policies and monitor anomalous economic activities is critical to providing policy makers with the information they need to make informed decisions that are in the best interest of our national security," he said.

Encryption Implosion?
The latest NSA revelations late last week from the Snowden files don't mean that encryption or the Internet are broken, however, experts say. The NSA appears to have set its sights on a common weakness in encryption: the deployment, management, and storage of encryption keys, experts say.

Older algorithms with shorter bit-key lengths were brute-forcible by the NSA, Unisys' Frymier says. But the "other 10 percent" of encryption using longer bit-key lengths is still safe from NSA snooping, he says. "If you've got strong encryption properly implemented with a secure key management structure, then you're safe from the NSA," he says.

The NSA is basically boiling the ocean, he says, and most organizations in comparison have a relatively small set of data that they need to protect. "I'm convinced this is possible to have a secure communications system," Frymier says. Aside from strong encryption that's properly deployed, that would also entail managing your own keys and better control of endpoints so they can securely transmit data, he says.

"The Internet is not broken," he says. "I'm not surprised by any of this at all. It's not just the NSA that's doing this. The Chinese are doing it" as well, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
9/10/2013 | 6:23:32 PM
re: Latest NSA Crypto Revelations Could Spur Internet Makeover
Thank you for your comment, rjones2818. If I'm understanding your question, I think the next phrase in the sentence you cite answers it: "---but reports that the NSA went too far by urging software companies to
insert backdoors and weaknesses into their code has raised valid
questions over the viability of today's commercial encryption
technologies."
rjones2818
50%
50%
rjones2818,
User Rank: Moderator
9/10/2013 | 3:24:07 PM
re: Latest NSA Crypto Revelations Could Spur Internet Makeover
"That the U.S. National Security Agency cracks encryption comes as no
surprise -- code-breaking is part of the spy agency's mission -- "

Don't you think that's just a wee bit glib? Is the NSA supposed to be spying on us? You know the arguments, I'd think we should be able to expect better or (perhaps) deeper thought from a professional journal/newsletter (or what it is chosen to call Dark Reading's place on the professional scale).
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.