Schneier: NSA snooping tactics will be copied by criminals in 3 to 5 years

  • 26 February 2014

If you thought NSA snooping was bad, you ain't seen nothing yet: online criminals have also been watching and should soon be able to copy the agency's invasive surveillance tactics, according to security guru Bruce Schneier.
"The NSA techniques give about a three to five year lead on what cyber-criminals will do," he told an audience at the RSA 2014 conference in San Francisco.

"These techniques for exfiltrating data aren't magical, they are just expensive. Everything we know about technology is that it gets cheaper. So the notion of putting up a fake cell tower or wireless access point, of jumping air gaps, you're going to see this stuff – it's really just a matter of time."
The mass surveillance carried out by the NSA was made possible not just thanks to the agency's huge budget and matching motivation, he said, but also because the fundamental model of the internet and the companies that operate on it allowed it. Entire business plans for Facebook, Google and others are predicated on collecting personal data and using it (with some psychological techniques) to convince us to buy stuff.
All that data is swirling around and it's going to be a top target for savvy crooks, he said. The very business model of many online firms has created hugely valuable data flows that the NSA, other countries' intelligence agencies, and ultimately the criminal community, wish to feast upon.
The good news is that there are solutions, most notably encryption. Whistleblower Edward Snowden's revelations have shown that strong crypto "drives the NSA batty," Schneier said. Too many companies aren't building encrypted communications in as standard, he said, but if the NSA is foxed by a particular technique or algorithm then criminals will be too.
Strong crypto for everyone, not just the big rigs
People used to eschew encryption due to the processor load it caused, he said, but these days it's perfectly possible to run strong crypto without crippling your systems. The NSA managed to tap into the interlinks between the data centers of Google, Yahoo! and others because they weren't encrypting that in-transit data effectively, but that has now changed.
Snowden's leaks have shown the extent to which security and trust on the internet are broken, Schneier said, and new systems needed to be implemented in order to build a secure internet. This doesn’t mean balkanizing the internet – Schneier described suggestions for country-specific internets as the "worst part" of the NSA leaks – but a fundamental rethink of how the internet and commercial software is managed.
It used to be that the US ran the internet as a "benign dictatorship," Schneier said, but those days are gone and they are never coming back. Unfortunately, the alternative of allowing internet governance to fall into the hands of the International Telecommunications Union is worse, he reckoned, and it could take 20 years before a suitable compromise is found.
In the meantime, IT buyers should be realistic and decide who they want to be spied upon by. While Cisco and Juniper sales are being hammered in China and India following claims that the NSA is able to compromise and infiltrate their kit one way or another, very few other countries have the capability to build their own network hardware industries and, for now, the NSA is the lesser evil.
"If someone's going to spy on you then better the US than Russia. I'd like there to be a huge public outcry, but the truth is you won’t be able to find the vendor that isn't vulnerable to legal pressure from somebody," he said.
"You think the Israeli companies are going to be better? Not a chance. Or the French – just not possible. It's a matter of picking who your enemy is and I hate this, I wish it wasn't so, but I think it is."

2 replies

I love Bruce Schneier, he is the man!
Q&A: Schneier on trust, NSA spying and the end of US internet hegemony

RSA 2014 Bruce Schneier is the man who literally wrote the book on modern encryption, publishing Applied Cryptography in 1994, and for the past 20 years has been an important and sometimes outspoken voice in the security industry.
 
He founded the firm Counterpane Internet Security (later sold to BT), and is also a board member of the Electronic Frontier Foundation and an Advisory Board Member of the Electronic Privacy Information Center.
 
More recently he's been working on documents released by Edward Snowden on NSA activities and presented his findings at this year's RSA conference in San Francisco. The Register took the opportunity of sitting down with Schneier at the event and chewing through the current state of security, privacy and government intrusion online.
 
The Reg: This conference opened with a statement from RSA chief Art Coviello regarding the use of the flawed NSA-championed Dual Elliptic Curve Deterministic Random Bit Generator in an encryption toolkit product.
 
Coviello said RSA did all it could to secure its software. What's your take on the affair?
 
Schneier: I believe that's true. When NIST came out with that RNG standard, it was one of four choices available, and those choices tracked other crypto suites. It made sense in a holistic way that there should be an elliptic curve in there. It was slower, it was kludgier, but some people thought that was a plus, not a minus.
 
By 2007 there was the first inkling that there might be a backdoor, but it was just guessing and it is part of the NIST standard. Any toolkit that says "we're compliant" [with a particular standard], which I'm sure is a requirement for all sorts of contracts, had to implement it.
 
My guess is that RSA didn't know anything was amiss and when a large customer comes in with technical changes that don’t really matter you just do them. I think RSA was more a victim here, and I think it's been unfortunate that over the last couple of months they haven't been able to tell their story clearly.
 
It's hard to tease out who did what and when. Certainly, I didn't boycott the RSA conference – I'm here for myself and the attendees, not for RSA – and if I was going to list companies to boycott because of their NSA collaboration, RSA wouldn’t even make the top 10.
 
Who would be your top 10?
 
I think AT&T certainly would be on top, but I personally use AT&T's cellphone service. It's really hard to pick. That's the worst poison of these NSA actions; that we no longer know who to trust.
 
We cannot trust any phone company, any operating system provider, any application vendor, any security company. We simply don’t know who is colluding, who has been compelled to collude, who is being owned surreptitiously, and all the transparency reports and denials don’t really tell us anything.
 
In your last-but-one book Liars and Outliers you went into great detail about the importance of trust. In the wake of NSA spying, has trust been irretrievably lost?
 
I really think some of the losses in trust are going to be very difficult, if not impossible, to get back. The NSA deliberately subverted products and standards. We rely on these things for our security and there was the implicit assumption that those in charge of them were making them as good as they could.
 
Additionally, US companies are going to find it very hard to get users to trust them again. The best slogan a company like Google can say now is "we're secure, except for the attacks we don’t know about and the attacks we are prohibited by law from telling you about," which is a sucky marketing slogan.
 
Even if the NSA says, like they are saying, "no, we haven't subverted standards," no one believes them. If the President says he's changed the NSA's policy so they don’t do this any more, how do we know there isn’t another even more secret organization that he formed to get around those rules? In a sense there's been a blind trust that we've had all these years that we finally have been shown was ill-founded, and I don’t know if it's possible – at least with current technology – to get it back.
 
So what's your solution?
 
You can imagine some future technology where you can prove assurance, where you can prove that a piece of software or hardware does what you believe it does and nothing more. That's not beyond the realm of possibility. We don’t know how to do that but it seems plausible that someday we will. Until then the problems are not technical, they are political and social, and there aren’t technical solutions to those kinds of problems.