Cindy and I had the good fortune of attending part of the Real World Cryptography Workshop held last week in New York City. We went primarily to listen to Bruce Schneier discuss the implications of the Snowden documents. But we quickly learned from other sessions that there was an underlying context to this conference. Over the last year, cryptography and data security have been completely shaken by malware, and specifically advanced persistent threats or APTs, leading some to say or at least imply that cryptography is dead.
If not dead, it’s at least been seriously wounded. About a year ago, Adi Shamir—the S in RSA—caused something of a controversy when he said that we should be “preparing for a post-cryptography world” and that “cryptography is becoming less important.” His argument—and it’s a good one—rested on an APT’s power to watch everything in a system and thereby violate the core assumption that private keys and the rest of the crypto internals are unavailable to hackers.
IT and security pros shouldn’t panic just yet.
A counter-argument to Shamir is that we’ve aided and abetted cyber criminals and governments through bad implementations of parts of the security stack—SSL, for example—and just basic neglect. So we can still get more out of the current security technology, but we have to be smarter about it. And there are some advanced ideas—centered on something called multi-party computation—that in theory will bring new life to crypto.
I came away from Schneier’s presentation with two key points. One, we can expect some of the techniques used by the NSA to eventually filter down to ordinary hackers. For example, packet injection secretly redirects a target to a spoofed site, but requires a privileged position—which the NSA has—on the Internet backbone to be done reliably. Schneier believes we will see wider use of packet injection and other man-on-the-side attacks by private players. Two, we have to make it economically harder for any attacker to gain access to data. Schneier was referring to the fact that large parts of the Internet are easy game for anyone with the right tools and techniques: loosely speaking, the backbone and its servers, but also endpoint devices and apps, have minimal or no encryption or other security by default.
In listening to Schneier, I began to think less about government intelligence operations and more about what sophisticated hackers (and they’re out there) will be doing to get their hands on corporate data in the coming years. His message then becomes a familiar one, at least to Metadata Era readers: we won’t be able to entirely keep out cyber thieves, so we need to build a second line of defense. Widespread encryption may be cumbersome in a corporate environment where the goal is to get employees to collaborate and share. However, we can make it much more time-consuming for hackers to find the high-value data.
And this is where knowing where your data is and who owns it is a powerful counter-measure. You can prevent bulk collection of PII and other sensitive data by making sure it’s not found in easily accessible shared folders with loose permissions. And you can have in place real-time monitoring of user activity to spot and stop a breach in progress.
“Most of how the NSA deals with cryptography is by getting around it … They exploit bad implementations—we have lots of those. They exploit default or weak keys—we have even more of those.”
“We know that QUANTUM packet injection is how the Great Firewall of China works. We see some of these techniques used in Syria. And this is the fundamental harm. When I talk about the harms of NSA, this is what I talk about. The harm is that we have an internet insecure for everyone, the loss of trust in protocols, and the loss of trust in government institutions.”
“The goal is not to secure against targeted collection, but secure against bulk collection. Simply encrypting stuff on the Internet… the more on the backbone we encrypt, the better we’ll do. QUANTUM works because the packets are unencrypted. Ubiquitous encryption will do a lot.”
“We all know about the sabotaging of cell phone telephony standards … That came out in a Norwegian paper. There is the deliberate insertion of backdoors.”
“This is of course aided by the fact that we live in the information age. Everything we do is done with computers. Computers produce data. Moore’s law makes it really easy to save and to use. We’re creating data throughout our lives and it’s being collected.”
“Endpoint security is so terrifically weak that the NSA can find ways around it. The math works once we put in systems and products, that’s when the vulnerabilities disappear.”
“Another thing we haven’t seen a lot of are the analysis tools and we will see more. We saw some good examples in the Washington Post story on location data. They did some really neat stuff with the database of cell phone location. They had a system that looked for phones moving towards each other, turned off and then turned on when they are turning away from each other. Looking for secret meetings. They were able to track the phone of US agents and look for phones of people who were vaguely following them—looking for tails.”
“A secure Internet is in everybody’s best interest.”
“We certainly need—as Jerry Kang at UCLA talks about—data guardians, which are entities with fiduciary responsibilities for our data. We need to start thinking about the fact that our data is part of ourselves and is not controlled by us. And a lot of our laws about protection are really approximate–our homes, our cars, our bodies–and they don’t apply when pieces of ourselves are remote.”