Monday, July 7, 2014

Most NSA-Proof Security Solutions Are Deliberate Deceptions

Co-authored by Dr. Stephen Bryen, Chairman & CTO Ziklag Systems

Many products, ranging from texting to email to secure voice calling, claim to be "NSA proof" and therefore safe for any user.

The truth is this kind of promotion intentionally misleads customers into believing their mobile phone or email can't be exploited. It is a form of hucksterism that tells you as much about the security provider as it reveals about the gullibility of the buyer.

To begin with, the bulk of these solutions use a server which cannot be proven to be safe. Some of the servers are located in other countries. For example, Blackphone has put its server in Switzerland, supposedly off-limits to NSA. A German start-up company, Tutanota, has put its server in its home country, claiming it is protected by German privacy laws. One would suppose that the BND, Germany's security service, is having a good laugh over this idea.

A server is an intermediary system that handles transactions. In the case of text messages and emails, it collects them and holds them until it delivers the message to the recipient. Almost all of these servers keep the messages saved in the clear, meaning they are not encrypted on the server. They re-encrypt the messages when they are sent from the server to the recipient. Google, for example, provides pretty good encryption back to its servers. But once the messages arrive there, they are automatically decoded.
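The store-and-forward pattern described above can be modelled in a few lines. This is an added example, not code from the article or from any product it names: `RelayServer`, `seal`, `open_box` and `run` are hypothetical names, and the cipher is a toy SHA-256 keystream with an HMAC tag, built from the standard library for illustration only and not a vetted construction.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream (illustration only, not a vetted cipher).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_box(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class RelayServer:
    """Hypothetical mail/text server: ends the sender's link encryption,
    stores the message, then re-encrypts it on the link to the recipient."""
    def __init__(self, uplink_key, downlink_key):
        self.uplink_key, self.downlink_key = uplink_key, downlink_key
        self.stored = []  # what sits on the server's disk

    def receive(self, blob):
        self.stored.append(open_box(self.uplink_key, blob))

    def deliver(self, index):
        return seal(self.downlink_key, self.stored[index])

def run(message, end_to_end):
    """Return (bytes held on the server, bytes the recipient reads)."""
    uplink, downlink, shared = os.urandom(32), os.urandom(32), os.urandom(32)
    server = RelayServer(uplink, downlink)
    # With end_to_end, sender and recipient add a layer the server has no key for.
    payload = seal(shared, message) if end_to_end else message
    server.receive(seal(uplink, payload))
    delivered = open_box(downlink, server.deliver(0))
    received = open_box(shared, delivered) if end_to_end else delivered
    return server.stored[0], received

if __name__ == "__main__":
    sample = b"constructed sample: meet at noon"
    print("link encryption only:", run(sample, False)[0])
    print("with end-to-end layer:", run(sample, True)[0].hex())
```

In the first run the server's stored copy is the readable message even though both links were encrypted; in the second it holds only ciphertext, which changes what the server operator can read but nothing about the security of the devices at either end.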

It may surprise many to know that almost all mobile phones encrypt voice back to the phone company. This encryption is weak, of course, at the insistence of security agencies and police. So companies such as Blackphone say they can do better and offer stronger security.

But what about the server? Is the server well protected? Who runs the server? How vulnerable are the computers in the server to hack attacks? What about the employees? Have they been vetted?

Consideration also has to be given to location. Is a server in Switzerland safer than one in the U.S.? Switzerland has been a playground for foreign intelligence services for decades.

For years and years a cottage industry in Washington DC has been hiring cleaning personnel to empty trash baskets into the hands of third parties. That grew into allowing intruders to come in and drain computers of all their information. Bribing some janitors or employees, or infiltrating an operation, is easy to do. And you only need to plant a simple bug; then everything leaks out.

Edward Snowden's leaks have made clear that planting such bugs is an important NSA activity. It is also done by intelligence agencies all around the world. Do you think the Swiss are rich just because they are nice people? Beyond the intelligence agencies and police organizations, there are criminals and large criminal operations sometimes linked to intelligence organizations. This is the rap on Russian and Chinese cyber criminals. But it is probably far bigger than just those two. There are big profits to be made by snooping.

If the server does not guarantee being NSA proof, what about the mobile phone or computer?

Computer vulnerability to trojans, viruses, malware and other diseases is well known. It is almost impossible to completely protect any computer, even if the computer is not connected to a network. U.S. and Israeli sleuths seem to have solved that problem with attacks such as Stuxnet, which took down Iranian uranium enrichment centrifuges.

Mobile phones are an even bigger problem because they have almost no security, and their users don't want security; they want APPS and amusement. This means just about any nefarious organization or determined hacker can get inside a mobile phone.

The mobile device is a kind of time bomb because it is so wide open. It can be secretly activated even if you have shut it off, meaning that all your conversations can be recorded and transmitted. All your emails, texts, tweets, photos and all other transactions (like at your bank) can equally be copied down, or even changed to cause you trouble. The rule is this: if you can write it, read it, say it or see it, so can any determined intruder.

Many people, especially Americans, have rationalized the threat by saying "Who, me?" In other words, they think they are immune. The real truth is anyone can be a victim, or provide a pathway to a victim.

Here are a few tips:

1. Stay away from anyone who promises to make you NSA proof. They are trying to sell you something.
2. Stay away from public systems that offer "free" email, texting and the like.
3. Keep in mind that corporate servers, corporate email and corporate services that are provided through their own systems generally are safer than servers run by third parties. The proviso, of course, is that corporate management is serious about security and hires top people to protect the company.
4. Be careful with your mobile phone. Pay attention to APPS that ask for permissions that don't seem to match the service they are providing. Avoid downloading a lot of junk on your phone that may just be malware.
5. Always remember that you are never a match for a determined, well-financed adversary.