September 06, 2013 | Jim Killock

The security services are stripping us of basic Internet security

The latest revelations from the Guardian give good evidence of why they have recently been the target of government harassment, and also why this is entirely unjustified.

NSATheir reports of NSA and GCHQ attacks on fundamental Internet security really matter. These are the basics of trust on the Internet; they are the reason you trust your bank, your credit card payments or Virtual Private Networks not to leak this information to criminals, blackmailers or governments.

Thus the real impact will not just be about security, it is about economics.

Of course we all expect for NSA/GCHQ to try to break encryption systems from time to time, it's their job. The problems arise when they make us all vulnerable as a result.

From the Guardian article, it appears they use threats and secret orders given to commercial companies to insert backdoors that must now undermine our trust in very common software products. They covertly insert vulnerabilities that weaken security of technical systems for everyone, not just their targets.

The idea that this won't be abused by yet unknown parties can only be naïve optimism, plain stupidity or complete disregard for anything other than the NSA and GCHQ's mission.

How it works

This isn't about breaking the maths - at least not usually - it's about exploiting the 'joins' between the pieces of software, introducing flaws in the implementation of cryptology, and more general 'backdoors' to the communications, which don't rely on the cryptology. Schneier gives some good examples.

Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake

The agencies seem to be doing this directly with companies and standards bodies, on a very wide basis. Many of the exploits are better thought of as exploiting software vulnerabilities.

Thus their strategy relies on people trusting big companies, or not paying attention to the work of standards bodies choosing security protocols.

However, the focus on what cryptographic weaponry the NSA and GCHQ might have in their toolchest risks distracting from the far more pressing problem of poor operating system and application security. When it is possible for teenagers to own botnets containing hundreds of thousands of compromised machines, why would spy agencies waster their time and effort on the hard problem of attacking cryptographic protocols? It is far easier to simply take control of their targets' computers. All the crypto in the world will not save you if there's a virus on your machine - and one thing we know for sure is that it is very easy to attack most computers. No speculation about esoteric mathematics is required to see the truth of that. As Snowden says:

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

The weak point the agencies in practice seem to be using is software security, rather than crypto.

What this means: Economic and rights implications

Vulnerabilities and backdoors are open to anyone, potentially, to exploit. While the NSA and GCHQ may benefit, other foreign intelligence or criminal gangs could use some of the same exploits. For instance, VPN technology is relied on by businesses for security.

This pushes the whole policy outside of the realm of national security and into economics and competition, with important consequences for the UK government, given its role in the affair.

As long as the NSA/GCHQ surveillance scandal remained within the framework of national security, EU rules would make it the exclusive competency of member states. The UK could tell the European Commission to back off.

But given the clear economic implications for the wellbeing of millions of European citizens, it will be hard to argue that this remains a UK issue. We will have to push hard to get the EU to acknowledge this when so many of the member states are complicit. The others are not necessarily critical, either. Only the economic consequences are likely to help us make the EU take this up and investigate.

Our rights to privacy are important for many reasons, including as a back up to free speech. They are a bulwark against abuses of the state and a means to retain our personal freedom on a day to day level. But we know at times they can be compromised, for reasons of state security. Programmes like these, however, take matters even further than mass data collection, as they compromise our rights in a pervasive way without knowing who exactly might wish to remove our privacy and security. It is both a massive overstepping of government power, and simply irresponsible.

What we can do about it

Standards bodies seem to be one place where the security services have deliberately tried to introduce vulnerabilities. The Guardian say:

[a} secret document …shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006. "Eventually, NSA became the sole editor," the document states.

In the USA, according to Pro Publica the NSA Commercial Solutions Center invites vendors to submit their software for assessment, but this in fact seems to be a mechanism to compromise their products.

Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

There is a clear conflict of interests in allowing intelligence services to specify other people's security standards.

In the UK, the Communications-Electronics Security Group (CESG) approves communications technologies for government or people contracting to them. They are a civil arm of GCHQ: the rationale previously being that they should know about security. Their website lists several commercial certification products. Some of these are geared to companies trying to sell to government, but others are about simply giving approval to technologies and processes.

We have a simple question to CESG: have CESG approved any product that is known to be compromised by GCHQ or the NSA? And if they have, why should anyone take their security approvals seriously in the future?

They need to be made into fully transparent, public interest bodies that run independently of the security agencies, and perhaps government. Information Assurance and signals intelligence simply cannot be associated roles.

For yourself, use Open Source security technologies: if you can't read the code, you don't know how the software might actually operate. If the code is open, then it can be reviewed - if not by you, then by people you trust. Use transparent and interoperable encryption wherever you can, as Schneier recommends, to make it as hard as possible for the security services.