Making news across Twitter and the world at the moment is the latest government secret revealed by ex-NSA contractor and whistle-blower Edward Snowden, though the altogether sinister #RSA trend, is actually two news items running in parallel.
The first is the unbelievable (therefore true) and explosive leak that the NSA paid RSA $10 million to deliberately weaken their encryption algorithms so they (the US government) had a back door to hack your documents, files and servers at will. Nice one, Obama! Here’s the story that Reuters lead with : Exclusive: Secret contract tied NSA and security industry pioneer.
It should be noted that in weakening protection for the covert spying on innocent individuals like you and I, it also left holes for other hackers to break into on-line accounts, stealing id’s, credit cards, etc. Basically, anyone relying on or using the ironically name BSAFE toolkit or their Data Protection Manager is insecure – by design. Which, by extension, means pretty much all encrypted security – including on-line banking and shopping – could potentially be at risk.
From Wired in September: RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm
In its advisory, RSA said that all versions of RSA BSAFE Toolkits, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C were affected.
In addition, all versions of RSA Data Protection Manager (DPM) server and clients were affected as well.
Also, from that article, which I find hilarious, is this quote from Sam Curry, chief technical officer for RSA Security:
Every product that we as RSA make, if it has a crypto function, we may or may not ourselves have decided to use this algorithm. So we’re also going to go through and make sure that we ourselves follow our own advice and aren’t using this algorithm
Frankly, scarily even, I would think anything else they produce must be viewed with suspicion. What really beggars belief is that EMC paid $2.1 billion for RSA in 2006, and accepted a paltry $10 million bribe to reduce its value to rock bottom by this revelation. You can just imagine how the shareholders must feel about this, eh! I don’t know about you, but my thought is if they kept quiet about this, what other skeletons are waiting to be dug up? Just to put the scale of this in perspective – anything using RSA/EMC software could, in theory, be at risk. Were the repeated data thefts at Verisign in 2010 a result of this? I’m best there’s a lot of companies asking questions like that right at this moment. Some lawyers are about to get rich. (OK, richer!)
We are, happily assured that their SecurID product is secure.
So what is this open letter disclosure on the U.S. Securities and Exchange Commission all about then?
Bearing in mind their own CTO has admitted they don’t know how insecure their own in-house security is nor are 100% sure what was affected:
cite = Sec.gov
EX-99.1 2 dex991.htm OPEN LETTER
Open Letter to RSA Customers
Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.
Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSAâ€™s systems. Some of that information is specifically related to RSAâ€™s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.
We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.
Our first priority is to ensure the security of our customers and their trust. We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident. Our full support will include a range of RSA and EMC internal resources as well as close engagement with our partner ecosystems and our customersâ€™ relevant partners.
We regret any inconvenience or concern that this attack on RSA may cause for customers, and we strongly urge you to follow the steps weâ€™ve outlined in our SecurCare Online note. APT threats are becoming a significant challenge for all large corporations, and itâ€™s a topic I have discussed publicly many times. As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.
/s/ Art Coviello
I assume the above letter relates to a SecurID incident in 2011 for which they were fined $66.3 million. Regardless of how the crackers got in (which was ridiculous), you have a security company controlling perhaps 70% of the world market, whose employees are dumb enough to open file attachments from unknown sources (d’oh!), who – allegedly (covering my back here!) – sells its integrity and soul for a pittance. And in doing so leaves itself and the rest of the world vulnerable. And we are to wholeheartedly trust any of it’s security products – or any derivative created using their actively flawed algorithms and software?
What you have to realise is this. In both the September and current announcements, whilst rightly bringing this disgraceful, undemocratic injustice to light, it also serves to remind every single criminal organisation in the world that these backdoors exist, which software they are in and these cartels will be having a bumper haul this Christmas. They’ve had since it was first mentioned in September, if not well before, and now they know the full extent. They aren’t simply looking for poor code to exploit, they are looking for a barn door to aim at – one paid for by Uncle Sam.
So far they say it’s just this one product – unless or until it comes out that the NSA went further or that they persuaded other security companies to ‘work with them’ – then the brown stuff really will hit the fan because all of a sudden it goes way deeper. Cloud computing? Online banking? Ebay? Amazon? Sony? Microsoft? Google? Paypal? Who was in the news the other day, losing 20 million customers data… Ah yes, Target, whose customers credit cards are being sold for $20 to $100 each. Is this related in any way? Drama queen scenario, yes, but…
RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness
Running along this is another news story – that researchers broke RSA 4096 encryption using a microphone and a couple of emails.
RSA again and probably not as simple as getting creative with a hex editor and a custom Linux installation, but you see where it leads.
Just gets better and better, eh?
Talking of which, you have to wonder, will Andrew Snowden shed light on other conspiracy theories?