Latest NSA Crypto Revelations Could Spur Internet Makeover

Concerns over backdoors and crypto cracking by the spy agency are prompting calls for new, more secure Internet protocols; the IETF will address the latest developments at its November meeting.

Documents taken from the NSA showing that the spy agency has systematically been cracking encryption and establishing a foothold in secure communications technology could provide the strongest impetus yet to spur a long overdue update of the underlying protocols of the Internet.

That the U.S. National Security Agency cracks encryption comes as no surprise -- code-breaking is part of the spy agency's mission -- but reports that the NSA went too far by urging software companies to insert backdoors and weaknesses into their code have raised valid questions over the viability of today's commercial encryption technologies. The latest Snowden document leaks, reported by The New York Times and The Guardian late last week, said the agency has cracked or evaded encryption used in much of the Internet's sensitive communications today, potentially exposing users' encrypted email, online chats, and phone calls.

"I don't find it particularly surprising that their agenda was to crack all the crypto -- that has always been their agenda," says Lawrence Garvin, head geek at SolarWinds. But what's still unclear in the latest Snowden revelations is whether the NSA can successfully crack newer, stronger encryption technology, he says.

The latest developments indicate potentially glaring overreach by the NSA, and security experts in response are calling for efforts to speed up some long-awaited updates to the Internet's underlying TCP/IP protocols.

"This should speed up the [adoption] of new protocols," says Stephen Cobb, security evangelist for ESET. "Ten years down the road, we may look back and say we avoided massive cyberattacks because we took measures to improve our security. Ironically, it was prompted by our own government agency [the NSA]."

Crypto expert Bruce Schneier in a blog post last week publicly called for a re-engineering of the Internet to thwart spying, urging the use of open protocols that are harder for the NSA to subvert. Schneier said the Internet Engineering Task Force's meeting in November should be "dedicated" to this topic. "This is an emergency, and demands an emergency response," Schneier said.

IETF chair Jari Arkko today confirmed that security, indeed, will be under discussion at the IETF November meeting in Vancouver: "We have obviously been disturbed by the revelations, and continue to do our best to improve the Internet security in view of these and other threats," Arkko says. "We have a policy to employ strong security mechanisms, and we care a lot about having trusted services and protocols in the Internet. We are discussing this topic, and we will discuss it in our next meeting. There may be some technical improvements that are helpful."

Internet security isn't just about technology, however, Arkko says. "Communications security will not help if you do not trust the party that you are communicating with, or the device that you are using," he says.

The IETF already is working on a new version of the Transport Layer Security (TLS) protocol that ratchets up security to prevent eavesdropping and tampering, as well as other efforts to beef up encryption algorithms. Also in the works is mandatory security for HTTP 2.0.

"I believe mandatory security in HTTP 2.0, in particular, if adopted, would be helpful against eavesdropping in some situations," Arkko says. But he cautions that it must be coupled with trust between the communicating parties, or else "complete protection for eavesdropping is difficult to achieve."

[NSA says it only touches about 1% of online communications in the U.S. See NSA Responds To Criticism Over Surveillance Programs.]

At the heart of many of the Internet's security woes is the old "on the Internet, no one knows you're a dog" problem: the ability to remain anonymous or to pose as someone you're not. One key solution would be to authenticate packets, says David Frymier, CISO and vice president at Unisys.

The next-generation IP protocol, IPv6, holds some promise for this, he says. "With IPv6, if you require authentication of packets, a lot of problems ... go away," Frymier says. "A lot of Internet problems are derived from the fact you can do things anonymously and spoof your identity, such as man-in-the-middle attacks."

Frymier says the NSA is basically exploiting incorrectly implemented or designed technologies to get to the intelligence it wants. And bad guys can do the same, he says. "I stood in front of a computer that I knew was infected, yet it came up clean even though I could see it beaconing to a server in China," he says. "The fact is bad guys know how to get inside Windows in such a way that you just can't tell they are there."

Look for new encryption software to emerge as well. "I think the latest revelation will energize efforts to improve some of the security and privacy fundamentals" of the Internet protocols, ESET's Cobb says. "I think we will see a lot of growth in ... new encryption software, for example, that could potentially defeat current NSA capabilities."

James Clapper, director of national intelligence, said in a statement yesterday that it's no secret the U.S. intelligence community gathers "information about economic and financial matters, and terrorist financing."

"What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of -- or give intelligence we collect to -- U.S. companies to enhance their international competitiveness or increase their bottom line," Clapper said.

"As we have said previously, the United States collects foreign intelligence -- just as many other governments do -- to enhance the security of our citizens and protect our interests and those of our allies around the world. The intelligence community's efforts to understand economic systems and policies and monitor anomalous economic activities is critical to providing policy makers with the information they need to make informed decisions that are in the best interest of our national security," he said.

Encryption Implosion?

The NSA revelations from the Snowden files late last week don't mean that encryption or the Internet is broken, however, experts say. The NSA appears to have set its sights on a common weakness in encryption, they say: the deployment, management, and storage of encryption keys.

Older algorithms with shorter bit-key lengths were brute-forcible by the NSA, Unisys' Frymier says. But the "other 10 percent" of encryption using longer bit-key lengths is still safe from NSA snooping, he says. "If you've got strong encryption properly implemented with a secure key management structure, then you're safe from the NSA," he says.

The NSA is basically boiling the ocean, he says, and most organizations in comparison have a relatively small set of data that they need to protect. "I'm convinced this is possible to have a secure communications system," Frymier says. Aside from strong encryption that's properly deployed, that would also entail managing your own keys and better control of endpoints so they can securely transmit data, he says.

"The Internet is not broken," he says. "I'm not surprised by any of this at all. It's not just the NSA that's doing this. The Chinese are doing it" as well, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Strategist
9/10/2013 | 6:23:32 PM
re: Latest NSA Crypto Revelations Could Spur Internet Makeover
Thank you for your comment, rjones2818. If I'm understanding your question, I think the next phrase in the sentence you cite answers it: "---but reports that the NSA went too far by urging software companies to insert backdoors and weaknesses into their code has raised valid questions over the viability of today's commercial encryption
User Rank: Strategist
9/10/2013 | 3:24:07 PM
re: Latest NSA Crypto Revelations Could Spur Internet Makeover
"That the U.S. National Security Agency cracks encryption comes as no surprise -- code-breaking is part of the spy agency's mission -- "

Don't you think that's just a wee bit glib? Is the NSA supposed to be spying on us? You know the arguments, I'd think we should be able to expect better or (perhaps) deeper thought from a professional journal/newsletter (or what it is chosen to call Dark Reading's place on the professional scale).