NSA Fallout: Encrypt Everything, Enterprises Advised

Published: 22/11/2024   Category: security




The NSA may have cracked crypto and added product backdoors, but businesses must focus on internal security practices as well.



The National Security Agency -- and by extension, some foreign intelligence agencies and perhaps even criminal syndicates -- can silently intercept encrypted communications and access off-the-shelf products that were thought to be secure.
In the wake of those NSA Bullrun program revelations -- courtesy of documents leaked by whistleblower Edward Snowden -- businesses are now asking: How should we react?
Here are five related recommendations from information security and cryptography experts:
1. Don't Blame NSA For Poor State Of Business Security
Start by looking inwards. "This is a great time to focus on ourselves," said encryption expert Ivan Ristic, director of engineering at Qualys, via email. "First of all, the mess with security is almost all ours. Yes, the NSA helped a bit by subverting security in any way it could, but it couldn't have done it without us focusing on time to market, performance and profit, rather than on security."
"Thus, if we are to blame anyone, we can only blame ourselves," he said. "We didn't need the NSA to tell us that our security was bad. That was obvious -- if you wanted to hear."
2. Now Encrypt Everything
Information security professionals would do well to use the NSA revelations as a catalyst for improving their own business information security defenses. "Now that everyone is paying attention, it is a great time to start taking security seriously," said Ristic. "What specifically [is there] to do? Encrypt everything. Don't worry about what might be broken; we can fix those things once we learn the facts," he said, referring to as-yet-vague reports about precisely which crypto systems or products the NSA has either weakened or cracked.
Encrypting everything, of course, will take time and money. But consider the alternative: leaving businesses as sitting ducks for any adversary -- looking here beyond the NSA -- that might want to steal their intellectual property.
On that front, when adding more levels of encryption to better secure data in transit and at rest, security experts recommend first identifying what information business competitors or foreign adversaries would be most interested in stealing, then securing that first.
3. Channel Google's Security Moves
In terms of proactive security, businesses might take inspiration from Google, which this week announced that it has accelerated plans to encrypt all traffic flowing between its data centers.
Does that seem excessive? Consider that what Google does today, most businesses emulate at some later date. For example, Google made HTTPS the default for Gmail, and later all of its services, while rival Facebook didn't follow suit until nearly three years later. Likewise, Google added two-step log-in verification for account access back in 2010. But Twitter didn't roll out a similar feature until earlier this year, in the wake of an account takeover onslaught courtesy of the Syrian Electronic Army.
4. Focus On Internal Security, Not NSA
Today, encryption experts are raging over reports that the NSA purposefully subverted strong crypto that businesses and others -- dissidents in autocratic regimes, for example -- have been relying on to keep communications safe. But to date, many businesses haven't been doing what it takes to secure their communications, said David Jevans, CTO of enterprise mobile security firm Marble Security, via email.
"Most email, Web searches, Internet chats and phone calls are not encrypted. The NSA -- or anyone else -- merely needs to scan Internet traffic to read most of it," said Jevans, who's also chairman of the Anti-Phishing Working Group and a member of the Department of Homeland Security ID Theft Technology Consortium.
Qualys' Ristic echoed that assessment. "Why are we still using unencrypted protocols?" he said. "There are gaps at every level: IP, DNS, email, the Web. Only a fraction of the traffic is encrypted. Why are we still developing using tools that are painfully vulnerable to well-understood security issues, such as buffer overflows?"
Even when strong tools are available, not all businesses and technology vendors are using them. For example, take Transport Layer Security, which leaked Bullrun documents revealed that the NSA can defeat, thus allowing the agency to decode encrypted HTTPS traffic. But that doesn't mean that the protocol -- and by extension Internet security -- is permanently broken. "It needs to be upgraded more than redesigned," said PGP co-founder Jon Callas, who's CTO of Silent Circle, in a recent interview. "TLS 1.2 is not bad, and if everything were there, we'd be a lot better off," he said.
5. Keep Believing In Strong Crypto
Despite the NSA revelations, and as the above recommendations suggest, the prevailing wisdom continues to be that strong encryption remains effective. "Snowden said that himself. It's the rest of the systems that need careful examination," Callas said.
Security researcher and encryption expert Adam Caudill echoed that assessment. "I still trust strong cryptography," he said via email. "I trust AES-256, I trust ECC with non-NSA curves, I trust RSA with keys that are at least 2048 bits."
Just what is the NSA likely capable of cracking? "I suspect they can factor 1024-bit RSA keys in a fairly short amount of time, and some of the success they noted is based on that," Caudill said. "Actually, I'd be shocked and a bit disappointed if they can't."
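Ristic's "encrypt everything" and Callas's "upgrade, not redesign" remark about TLS 1.2 turn into a concrete client-side policy. The following is an added example, not code from the article or from any of the vendors quoted in it. It uses only Python's standard ssl module; the list of weak cipher-name markers and the audit rules (minimum TLS 1.2, no static-RSA key exchange, at least 128-bit strength) are this editor's assumptions about what a reasonable enterprise baseline looks like, not figures given in the article.

```python
import ssl

# Substrings that mark a cipher suite as obsolete or unauthenticated.
# Assumption: this denylist is the editor's, not something the article specifies.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "PSK", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and only offers
    AEAD suites with forward secrecy ("upgrade, not redesign")."""
    ctx = ssl.create_default_context()  # certificate + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # compression leaks plaintext length
    # TLS 1.2 suite list; TLS 1.3 suites are managed separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def weakened_context() -> ssl.SSLContext:
    """Deliberately permissive context (constructed for comparison): oldest
    protocol the library supports and every cipher OpenSSL will enable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of policy findings for a context; empty means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"protocol: minimum version {ctx.minimum_version.name} is below TLS 1.2"
        )
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"cipher: {name} uses a weak or unauthenticated primitive")
        elif suite["kea"] == "kx-rsa":
            # Static RSA key exchange: one leaked private key decrypts all past traffic.
            findings.append(f"cipher: {name} has no forward secrecy (RSA key exchange)")
        elif suite["strength_bits"] < 128:
            findings.append(f"cipher: {name} offers only {suite['strength_bits']}-bit strength")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    for finding in audit_context(weakened_context())[:10]:
        print("weakened:", finding)
```

Running the audit against the weakened context shows the kind of configuration Jevans and Ristic are complaining about; the same function can be pointed at any SSLContext an application builds, which makes it a cheap regression check to keep in a test suite.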
