How will Consumers and Providers Protect Private Data from the NSA?

The NSA breach reveals that the super adversary the security people hoped would never materialize does exist - the government agent with pretty much unlimited time and resources to store and analyze the majority of Internet traffic.


31 October 2013

Does this mean ‘game over’? I have reasons to be optimistic here. Once the initial shock is gone and we read past the headlines, one can see that proven techniques work when used to design systems with a highly resourced adversary in mind. This may sound simplistic, but encrypting sensitive content and implementing proper cryptography at the application level are two practical measures that will produce effective protection for private data.

Bruce Schneier’s article “Attacking Tor: how the NSA targets users' online anonymity” provides details on techniques used by government agencies to identify and to attack targets, as well as to collect data for “later.” One can pick and choose their favorite part of Schneier’s article - be it Quantum servers doing man-in-the-middle attacks by racing Google searches or funny codenames like ‘Egotistical Giraffe’.

I looked for hints on what kind of protections may be effective. The main focus of Schneier’s article was Tor’s resiliency to direct attack. This got me thinking about how encryption can be used as a strong countermeasure. The main lesson here is that properly implemented encryption works - even against an adversary as sophisticated as the NSA Systems Intelligence Directorate (SID). Otherwise, they would not need to build the whole attack orchestration system to compromise the end users’ computers. They would just collect and decrypt the data right from the Internet backbone.

And the second lesson, based on the first – applications are responsible for protecting the data they process. It is safe to assume that transport layer protection can be weakened and bypassed and that access controls for large repositories can be circumvented. The last-resort protection is application-layer encryption that utilizes standard algorithms and secure key management. Standard algorithms are public, and it is highly unlikely that a backdoor weakness exists in them.
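An added example, not from the original post: field-level encryption performed inside the application with AES-256-GCM from Go's standard library, so that storage and transport only ever handle ciphertext. The function names, record IDs and demo key are constructed for illustration, and it is assumed that a real key would be supplied by a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField returns nonce || ciphertext || tag, with recordID bound as associated data.
func SealField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every call
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenField decrypts only if key, recordID and every ciphertext bit are unchanged.
func OpenField(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
}

func main() {
	key := []byte("constructed-demo-key-32-bytes!!!") // demo only; real keys come from a KMS/HSM
	blob, _ := SealField(key, "acct-1001", []byte("constructed secret"))
	_, err := OpenField(key, "acct-2002", blob) // same blob copied onto another record
	fmt.Println("ciphertext bytes:", len(blob), "cross-record open rejected:", err != nil)
}
```

Binding the record ID as associated data means a party with write access to the repository cannot move a valid ciphertext onto a different record without the application noticing.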

Time will show whether either the consumer or service provider community or both will succeed in restoring mutual trust to conduct substantial online business across vast geographies. In the meantime, as consumers we just have to hope that providers will take advantage of those lessons and implement proper protections. Providers, on the other hand, must realize that data privacy is becoming an increasingly important criterion for cloud service selection.

Another related topic comes to mind - adversaries storing encrypted SSL data for later analysis, and how to use Perfect Forward Secrecy as a countermeasure. Stay tuned for my next blog.

 



Mushegh Hakhinian


Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.