Swimming with sharks or “agile security”

Short post here: Increasingly often I see people discussing IT security shrug their shoulders and sigh: “Oh well, the NSA is going to get past this anyway!” Non-technical people, IT experts and even IT security experts. I have heard experts speak laconically about HTTPS, because the NSA knows how to break it anyway. I have heard IT security experts argue that certain security measures are useless because the NSA can manipulate hardware at Amazon before it gets delivered to you. People laconically choosing terrible passwords or PIN codes. I am sure you have seen that too.

Granted. If what is reported in the media is correct, the capabilities of the NSA to attack and hack are amazing. Most of the revelations are years old – which is an eternity in IT. So you can make a guess about what they are currently doing. But make no mistake. Just because some attackers have found ways to attack SSL/TLS or VPN does not mean you can stop using these tools.

  • First of all, as Snowden repeats often, good crypto really does work. Even against advanced adversaries. Just because the NSA may have some attack vectors (or hope to have them in the future) for HTTPS, it does not mean they always succeed.
  • Secondly, and more importantly, there is not just one attacker you have to worry about here. There are scores of other attackers with different capabilities, different goals, different tools, and so on. Even if you are not an interesting target for the NSA (although they seem to have rather permissive criteria), you still have to worry about cyber gangs, scammers, et cetera. There are attackers with few capabilities who just use off-the-shelf tools. Some attackers are only after easy targets. Some attackers are amateurs, some professionals: there is even a market for DIY virus kits for beginners.

IT security is not binary, like a game of chess: either you win, or your opponent wins and you lose. Some elegant clash of minds. Information security is more like swimming with a bunch of sharks, of different sizes and shapes, with different appetites and different weapons. I stole the catchy title from Josh Corman’s talk about security in IoT. How many times do you hear that information security is about a tiger chasing monkeys, and that you just have to be faster than the rest? No! One tiger, going after one victim? Cyber is different. It looks more like a single diver swimming with a bunch of sharks, or like a game of Space Invaders. Attackers will keep coming. More and better attackers, and some attackers keep coming back. Space Invaders, of course, would have been a less catchy title for this post.

But the game is speeding up, so we have to be extremely agile in the choice of our information technology and be quick to use cutting-edge security measures that are effective in practice. Too often, I feel, we find IT security experts to be in a kind of paperwork mode. If only we had things on paper… but you do not stop an attack with paper.

This is also not the moment to throw our hands in the air, shrug, say that the NSA will break in anyway, and wander off discussing the philosophy and ethics of surveillance by governments. We have to use this knowledge from the Snowden revelations and the knowledge we have about a range of other past incidents, and start moving and shoring up our IT. By now we know how bad security really is. But the NSA and the other national intelligence agencies are hardly the only attackers making the news.

Of course, thanks to the Snowden revelations we know what works against sophisticated attackers. You can draw these things up in your IT strategy already. It is a matter of time before other attackers get similar capabilities, so it is good to be prepared. But in the short term most attacks will use pretty mundane attack tools and still be pretty devastating: a phishing email together with some malware, or a link leading to an exploit of some third-party software for PDF documents or web animations, which in turn takes over the end-user’s machine. An infected wifi hotspot used to capture credit card numbers and CVC codes. Plain network sniffing using a Pineapple. And so on.

Let me know what you think! I think we have to underline more often that information security is not like playing a game of chess with the NSA. It is not a theoretical concept, pleasing auditors with beautiful papers. It is more like we are swimming with sharks.

PS. And please one day watch the talk by Appelbaum (@ioerror) and Laura Poitras at last year’s CCC: Reconstructing narratives. Scroll to minute 24 and 25 seconds to see Appelbaum discuss a range of attacks on different encryption technologies. Appelbaum concludes (based on these new Snowden leaks) that three technologies seem to be working pretty well: PGP, OTR, Tor. And he is pretty positive about HTTPS and SSH too. Watch it because it is basic IT security knowledge, because it is important to know how these attacks work and which technologies have issues, not because you should be worried only about the Five Eyes ;).
