Since my last day at work on 19 December, the internet has been rather busy with information security news.

To summarise, the holiday period started with the news that security giant RSA was alleged to have a backdoor in its products, which came about after the NSA paid it $10 million. Reuters reported that RSA received the cash in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software.
Specifically, the spotlight shone on Dual_EC_DRBG, the Dual Elliptic Curve Deterministic Random Bit Generator. Security blogger Graham Cluley said that this “deliberately crippled” algorithm was being used as the default pseudo-random number generator – a crucial component – in RSA’s BSafe toolkit.
Back in September, RSA issued an advisory to its BSafe customers telling them to ditch the use of Dual_EC_DRBG inside the BSafe toolkit and use an alternative pseudo-random number generator instead.
Following this, the NSA declined to comment, and RSA responded by “categorically denying” the allegation, saying it worked with the NSA “both as a vendor and an active member of the security community” in order to “strengthen commercial and government security”. RSA was met with a furious reaction from the security community, not least from Mikko Hypponen, chief research officer at F-Secure, who announced in an open letter that he was cancelling his talk at next month’s RSA Conference on “Governments as Malware Authors”.
Hypponen said that this was because “surveillance operations from the US intelligence agencies are targeted at foreigners”. Later a list appeared of 462 products that conformed to the Deterministic Random Bit Generator (DRBG) algorithm, and following this a number of companies that were featured in the list issued statements.
Cisco said in its comment that it does not work with any Government “to weaken our products for exploitation, nor to implement any so-called security backdoors in our products”. Cisco chief security officer John Stewart said that it was “deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information”.
Apple’s statement also said that it has “never worked with the NSA to create a backdoor in any of our products, including iPhone” and that it was continuously working to make its products even more secure.
It was also reported that Microsoft’s “Send Error” reports were being intercepted by the NSA’s TAO (Tailored Access Operations) division, as they are sent unencrypted. The leaked presentation, seen by Der Spiegel, found that this passive access to error messages provides insights into problems with PCs if a person is being targeted and reveals information on security holes that might be exploitable. So what seemed to be an innocent method of reporting an issue could mean giving up more than you realised, when you only thought you were helping the vendor with a bug.
Proving that the NSA never stayed out of the headlines over the Christmas period, it was also reported by the Guardian that the bulk collection of telephone data does not violate the constitution. The ruling from Judge William Pauley found that the privacy protections enshrined in the fourth amendment of the US constitution needed to be balanced against a Government need to maintain a database of records to prevent future terrorist attacks.
“The right to be free from searches is fundamental but not absolute,” he said. “Whether the fourth amendment protects bulk telephony metadata is ultimately a question of reasonableness.” He also said that the argument by the American Civil Liberties Union (ACLU) that the collection of all telephony metadata is too broad and contains too much irrelevant information “has no traction” as without all the data points, the Government cannot be certain it is connecting the pertinent ones.
“There is no way for the Government to know which particle of telephony metadata will lead to useful counterterrorism information … Armed with all the metadata, NSA can draw connections it might otherwise never be able to find. The collection is broad, but the scope of counterterrorism investigations is unprecedented.”
The final word of 2013 really was left to Edward Snowden, the man from whom the knowledge came in the first place. He was given the platform of Channel 4’s Alternative Christmas Message on Christmas Day to give his views, which were short but allowed him to state that “A child born today will grow up with no conception of privacy at all”, and he called for a better balance of trust and privacy.
“End mass surveillance – and remind the government that, if it really wants to know how we feel, asking is always cheaper than spying,” Snowden said.
The NSA, GCHQ and mass surveillance was a key story of 2013 and, among the many predictions that I have seen, it seems that this theme will continue into this year.