There Is No Way To Keep Your Data From The NSA

wayne Rash

Even encryption won’t stop the NSA. Wayne Rash warns of back doors in network adapters, which could siphon off data before it is encrypted.

Thanks to NSA leaker Edward Snowden we now know that most of the communications pathways you thought were secure can’t be relied on.

Most of the secure cloud storage, almost all of the on-line encryption to websites, the 4G wireless communications you use and your Wi-Fi encryption have been compromised by the US National Security Agency (NSA) and probably by the intelligence services of other nations. In some cases the actual encryption has been cracked, and in other cases the encryption has been circumvented.

The NSA can read what it wants

Edward_Snowden-2In a series of reports in the New York Times and other media, Snowden’s leaked secrets have revealed that most of the basic encryption you use, including SSL, has been broken. If it wants to, the agency can find out just what you bought from Amazon yesterday. But perhaps more important, the NSA can read what you’re storing on the public cloud, it can read your communications with Google when you send gmail, and it can read your banking transactions.

The fact that the National Security Agency can crack this encryption should be no surprise. After all, the NSA was chartered in the early 1950s specifically for code-breaking. So cracking such encrypted communications is actually what the agency is supposed to be doing. This is, after all, how the NSA tracks the communications of terrorists in Yemen, or the Taliban in Pakistan. But we didn’t expect that this would eventually give them the capability to read our business and personal messages at home.

But Snowden also revealed something that the NSA probably would prefer that you didn’t know. Good encryption still works, and there are types that the NSA still hasn’t cracked, such as PGP. When Phil Zimmermann created Pretty Good Privacy 22 years ago, the government tried to block its implementation. During the Clinton administration, the government even tried to force the adoption of the “Clipper” chip to create a permanent back door into computer systems through an embedded encryption chip with a built-in back door.

PGP encryption is still out there, although it’s owned by Symantec these days, and it still works. In fact, the US government is a major user of PGP encryption. But that doesn’t stop the NSA and the agencies of other governments from trying to get their hands on your communications, and most of the time they’re successful. The reason is that they don’t bother to crack encryption these days. They just siphon off unencrypted data before it’s encrypted or after it’s decrypted.

In addition, the NSA has been able to find and preserve encryption keys, with which decryption stops being an issue. Sometimes these keys are obtained legally, other times they’re retrieved through a back door to a server that holds the keys. But such back doors are limited to servers and encryption keys.

Much, perhaps most of the information the data the intelligence agencies want is found through a back door into the target machine itself. After all, why go to the trouble of cracking encrypted material when you can get it in the clear?

What is actually safe?

And this leads to the next question, which is, what’s actually safe on the Internet? As you’ve probably figured out by now, public e-commerce sites have almost certainly been compromised. Widely used VPNs have also been compromised, which means that the airline reservation system you use probably isn’t closed to intelligence agencies. Your public cloud provider, regardless of how secure it claims to be, probably isn’t.

The next question is whether this matters to you. Chances are the NSA isn’t going to be watching you buy Ethernet cables on eBayeven though it can because the NSA has more important things to worry about. But suppose you try to buy ammonium nitrate on Amazon? This chemical is a critical component in the fertilizer used in commercial farming. But it’s also a critical component that terrorists use in making bombs. What then?

This is where the much discussed back doors come in. If you’ve been reading this site for any period of time, you’re no doubt aware of the back doors in cellular switching equipment that have been blamed on Chinese telecom vendors Huawei and ZTE. But it’s alleged in some of the analysis of Snowden’s documents that the NSA has also built back doors in other equipment including server network interfaces. Not only would this allow traffic to be sent to an outside entity, it could do more.

As Dr. Steve Weis, CTO of PrivateCore explained to me in an interview, these networking adapters have access to the memory of the computer to which they’re connected. This is the same place where the encryption keys are stored when that server is encrypting data. Thus it’s no great trick to harvest the keys, which is one place where intelligence agencies can get those keys I mentioned earlier.

So can you protect your data? For most routine Internet activities the answer is you can’t. If you start looking for ammonium nitrate or you are communicating with co-conspirators in a terrorist attack plot, it’s possible that someone will find out. It could be through a back door; it could be through the retail vendor or the communication service you are working with; it could be somewhere else along the way. If you have really important data to protect, there’s almost nothing you can do short of encrypting your data before it ever reaches the computer that’s attached to the network.

But even then you have to store those encryption keys someplace really secure, which also means not on a computer attached to the network. In short your only real hope is that whatever you do is too boring to be interesting to any intelligence organisation.

Shhh! Do our whistleblowers quiz, but keep it quiet…

Originally published on eWeek.