BreachExchange mailing list archives

NSA-RSA Ties Raise New Concerns


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Apr 2014 21:14:35 -0600

http://www.databreachtoday.com/nsa-rsa-ties-raise-new-concerns-a-6703

New revelations that the National Security Agency meddled with RSA
encryption tools have technology buyers concerned about the security of
offerings not only from RSA, but other security product vendors, too.

"There is uncertainty and concern about what's being put into those items,"
says a deputy chief information security officer of a U.S. government
agency, who asked to remain anonymous. "Yes, we are concerned; yes, we are
trying to put a [product vetting] process in place. It's a very difficult
proposition. You can't do a family tree maker on a computer to find out
where this item comes from."

New academic research shows that security technology provider RSA adopted
not just one, but two encryption tools developed by the NSA, greatly
increasing the spy agency's ability to eavesdrop on some Internet
communications, as first reported by the Reuters news service.

News reports in December said RSA received $10 million from the NSA to make
a now-discredited cryptography system the default software used by a number
of RSA's Internet and computer security programs (see NSA Reports Sullying
Vendors' Standings?). The system, called Dual Elliptic Curve (Dual_EC_DRBG),
was a random number generator, but it had a deliberate flaw - or back door -
in its published constants: anyone who knows the secret relationship between
the generator's two curve points can predict its future output from a small
sample of it, and so recover the keys derived from that output, Reuters
reports.

65,000 Times Faster

Now, a group of researchers from Johns Hopkins University, the University
of Wisconsin and other universities says it has discovered that a second
NSA tool exacerbated the RSA software's vulnerability. The researchers say
they found that the tool, known as the Extended Random extension for secure
websites, could help crack a version of RSA's Dual Elliptic Curve software
65,000 times faster. Extended Random is a proposed TLS extension that makes a
client send more random bytes in the handshake; more generator output visible
to an eavesdropper is exactly what makes recovering the generator's state
cheaper.

RSA, the security unit of storage maker EMC, told Reuters that it had not
intentionally weakened security on any product and noted that the Extended
Random extension did not prove popular and had been removed from RSA's
protection software in the last six months.

"We could have been more skeptical of NSA's intentions," RSA Chief
Technologist Sam Curry told the news service. "We trusted them because they
are charged with security for the U.S. government and U.S. critical
infrastructure."

Curry did not say if the government had paid RSA to incorporate Extended
Random in its BSAFE security toolkit, which also housed Dual Elliptic Curve.

RSA did not respond to ISMG's request for comment.

Vexing Revelations

In addition to the latest revelations about RSA's use of NSA cryptography,
also hurting the level of trust in the supply chain are revelations, based
on U.S. government documents leaked by Edward Snowden, that the NSA hacked
into the computers of Chinese communications giant Huawei Technologies.
According to published reports, the NSA sought to exploit Huawei's
technology so that when the company sold equipment to other countries -
including allies and nations that avoid buying American products - the NSA
could roam through the company's computer and telephone networks to conduct
surveillance and, if ordered by the president, an offensive cyber-operation.

Huawei itself is under suspicion that its communications products have been
tampered with by the Chinese government to pilfer American government and
military secrets and corporate intellectual property, an accusation that
the vendor denies (see House Panel: 2 Chinese Firms Pose IT Security Risks).

That any national government could corrupt IT products raises concerns
among security professionals.

"The assumption that governments would keep citizens' best interests in
mind when balancing national security against privacy concerns has clearly
turned out to be misplaced, and this has huge implications for the trust
dynamic that necessarily needs to exist between customer and vendor,
citizen and state," says Steve Durbin, global vice president of the
Information Security Forum, a not-for-profit association that develops IT
security best practices.

Evaluating the Consequences

Durbin says organizations of all sizes must evaluate the consequences of a
supplier providing harmful access to their information. "Businesses must
focus fixes on the most vulnerable spots in their supply chains now, before
hackers, or other cybercriminals, find their way in to disrupt the global
distribution of goods and services," he says.

That's on the mind of the deputy CISO at the government agency, who does
work with the NSA and did not want to be identified because of the
sensitive nature of the topic. He says his agency is considering
establishing a process that would quarantine new technology in a test bed
to vet it for any security anomalies.

RSA's reputation has been sullied by its relationship with the NSA, whether
deservedly or not. "Regaining that trust will be a long haul requiring a
degree of openness regarding what has happened and a focus on ensuring that
it cannot happen again, a very tall order," Durbin says. "It'll take
communication, collaboration, sharing and a lengthy period of time with no
similar incidents before we can get close to that trust that has been so
dramatically destroyed under the guise of national security."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 