News that the NSA has effectively negated security on the Internet is bleak -- even dire. It should also leave you and your company concerned that the same techniques might one day be used by other individuals and organizations. If you weren't wearing a tinfoil hat yesterday, you may well consider donning new headgear today.
While it's become increasingly clear the NSA can get its eyes onto anything it likes, there's also a great deal of concern that its dirty tricks may have opened the door for other groups to snoop. The revelations that NSA-derived intelligence was (is!) being leaked to the DEA, for example, certainly can't inspire much confidence that NSA is keeping mum on "Bullrun" secrets, as originally covererd in The Guardian and the New York Times.
The Guardian's report on this latest brouhaha quotes Christopher Sohoian, senior policy analyst at the ACLU, as saying:
Backdoors expose all users of a backdoored system, not just intelligence agency targets, to heightened risk of data compromise. This is because the insertion of backdoors in a software product, particularly those that can be used to obtain unencrypted user communications or data, significantly increases the difficulty of designing a secure product.
In the same report, former U.S. Department of Justice prosecutor Stephanie Pell is quoted as saying:
[An] encrypted communications system with a lawful interception back door is far more likely to result in the catastrophic loss of communications confidentiality than a system that never has access to the unencrypted communications of its users.
So humor me for a moment, strap on your tinfoil hats, and let's take a look at simple steps your company can take to minimize the chances of getting hacked -- not just by the NSA, but by other organizations with the wherewithal to unwind NSA's Gordian knots. (I hesitate to point to Russian TV-Novosti's coverage of the Parabon Leaks, which may be woven entirely from tinfoil.)
The fundamental point, according to security guru Bruce Schneier, goes like this: "The math is good, but math has no agency. Code has agency, and the code has been subverted."
Schneier has been working with The Guardian, going through "hundreds of top-secret NSA documents provided by whistleblower Edward Snowden." In The Guardian he explains how to remain secure against NSA surveillance. His recommendations include:
- Hide in the network by using Tor.
- Encrypt communication with TLS or IPsec.
- Don't use encryption software from major vendors; instead, use public-domain encryption that's compatible with other public-domain encryption packages.
Schneier specifically mentions TrueCrypt, GnuPG, Silent Circle (which recently shut down its Silent Mail email service and released a secure messaging app for Android devices), Tails, CypherPunk's OTR and BleachBit for file wiping.
We don't specifically know if NSA has figured out how to bypass SSL or AES, although Snowden's comment two months ago offers some hope:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
While Snowden doesn't specifically recommend any product, his statement sounds to me like an endorsement for TrueCrypt's AES-256 encryption and GPG.
Using products with "properly implemented strong crypto" tosses the hot potato to the endpoints. It would be wise to assume that some major online email providers have been compromised -- perhaps by devious means, including NSA moles in key positions. It would also be wise to assume that online storage and hosting companies are vulnerable, but we already knew that was the case with the PRISM revelations. It's also fair to assume that your company's virtual private network isn't so private after all. And the SSL "lock" you've been teaching users to check may not be as locked as it once appeared.
The warning issued by Ladar Levison, who shut down his Lavabit email service last month, still rings in my ears:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit... This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
It's advice that every company -- inside or outside the United States -- should take to heart. The crushing corollary is that even companies without physical ties to the United States may be compromised, too.
Tip o' the hat to JustinL.
This story, "How to secure your company against NSA-inspired hacking," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.