Get ready for 1000% of your daily dose of Irony: America’s top surveillance outfit, the National Security Agency appears to have been hacked, according to announcements made by a group known as the “Shadow Brokers” and backed by a sample of data released as proof. Not only that, it may have happened as early as 2013, just days after NSA whistleblower Snowden went public. The spy agency has yet to comment on the matter, though given their usual taciturn stance on sharing information with the public, further enlightenment is unlikely to come from that source. Snowden himself weighed in on the issue shortly after this news became public, attributing the original hack as likely being the Russian government. In a further dose of irony, Snowden currently resides in Russia, presumably as part American exile and part Russian political trophy.
What this means for you:
Before you grab your bug-out bag and head for your internet-proof bunker, make sure you freak out for the right reasons. In this particular instance, the data for sale appears to be code, and not data on Americans (which they are assuredly collecting). Offered as proof of the deed, the Shadow Brokers posted source code of known malware apps the NSA is alleged (by Snowden and others) to have used to break firewalls and other security platforms in use by foreign nations, presumably to allow the install of other covert surveillance software on the computers behind those security measures. Security pundits, including industry vet Bruce Scheier, have evaluated the data released, and in light of the the current political climate between the US and Russia, are of the opinion that this might be a manuever by the Russian government in anticipation of criticism or accusations from the US about the DNC hacks. To put it in more understandable terms, we may be seeing the opening salvos in a new, thoroughly modern Cold War. Instead of warheads and undercover spies as pawns, this one may be waged via the internet through cyber warfare and social media. Ready to head to that bunker yet?
In a public event hosted by the Reddit.com, infamous NSA whisteblower Edward Snowden answered questions posted by Reddit users on a variety of topics. Of particular note was his response to a question about whether encrypting emails would be an effective way to keep the NSA (or anyone else, for that matter) out of your business. Snowden’s response was both heartening and depressing at the same time:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
What this means for you:
Imagine you want to send a package that contains some very valuable items to a friend on the other side of the world. You carefully wrap the items and then lock them in a briefcase, which is in turn handcuffed to an armored guard, who is then transported via armored truck to your friend’s house. He makes sure that the package is put into your friend’s hands and verifies that your friend is indeed who he says he is, and he even calls you to let you know that the package has been delivered safely. This is analogous to using email encryption to send an email to a friend.
Unfortunately, your friend’s house has a broken lock on the front door, and he carelessly leaves the valuable items in plain view of a window that is also unlocked. That’s analogous to the weak endpoint security Snowden at the end of his response.
In other words, it doesn’t matter how much security you engage on your end if your recipients don’t engage in the same level of security. To use another real-world analogy: cyber attacks are like water – they will flow into every nook and cranny, looking for a way in. It doesn’t matter if 99% of the surface it is covering is impenetrable. That last 1% provides the hairline crack needed to seep in and destroy everything from the inside.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
There’s a whole lot of spying going on: the US and China continue to bicker over who’s spying on who, and the Washington Post fumbles an early scoop that clearly confuses what may end up being the biggest information leak since the Wikileaks scandal. In the midst of this surveillance brouhaha, the confidential source that triggered the Washington Post story has stepped forward in the form of an IT security analyst employed by the spookiest of spook agencies, the Central Intelligence Agency and the National Security Agency. Based upon the information this whistleblower has provided to news agencies, the American Civil Liberties Union has brought suit against the president, the NSA and Verizon for illegal spying, and more are on the way.
What this means for you:
Though the details are still being argued over, it appears the NSA has had an ongoing warrant with Verizon that has provided them with calling histories for just about any domestic Verizon customer, all under the umbrella of the controversial Patriot Act. Now, before you start worrying if your recorded phone calls will be leaked and become the next YouTube sensation, the information collected is data-based (numbers, times, geographic locations) as opposed to them eavesdropping in on your conversations, Hollywood “listening post”-style. Given the vast computational power the NSA has at its fingertips, this is still amazingly comprehensive, and gives them the ability to very accurately profile any US Verzion customer based upon that history.
Sadly, once again, there’s very little you can do as an individual, other than to write your congressperson, or boycott just about every major telecommunications provider and credit card company out there, because it seems that all of them have been forced to cooperate with the NSA at one point or the other under the Patriot Act. The Wired article also makes a very good point: threats to our security can just as easily come from the inside as the outside. Unfortunately, for all involved, it also demonstrates the trend that trusted insiders can easily become the biggest security breach an organization has ever known.
Have you thought about what access your employees have to confidential information? How much trust have you invested in them? Do you have sufficient controls in place to protect your company from inadvertent security breaches caused by a trusted employee? What if that same employee was to deliberately breach your security?