Courtesy Peter Bright, ArsTechnica.com
Security company RSA was paid $10 million to use the flawed Dual_EC_DRBG pseudorandom number generating algorithm as the default algorithm in its BSafe crypto library, according to sources speaking to Reuters.
The Dual_EC_DRBG algorithm is included in the NIST-approved crypto standard SP 800-90 and has been viewed with suspicion since shortly after its inclusion in the 2006 specification. In 2007, researchers from Microsoft showed that the algorithm could be backdoored: if certain relationships between numbers included within the algorithm were known to an attacker, then that attacker could predict all the numbers generated by the algorithm. These suspicions of backdooring seemed to be confirmed this September with the news that the National Security Agency had worked to undermine crypto standards.
The impact of this backdooring seemed low. The 2007 research, combined with Dual_EC_DRBG’s poor performance, meant that the algorithm was largely ignored. Most software didn’t implement it, and the software that did generally didn’t use it.
One exception to this was RSA’s BSafe library of cryptographic functions. With so much suspicion about Dual_EC_DRBG, RSA quickly recommended that BSafe users switch away from the use of Dual_EC_DRBG in favor of other pseduorandom number generation algorithms that its software supported. This raised the question of why RSA had taken the unusual decision to use the algorithm in the first place given the already widespread distrust surrounding it.
RSA said that it didn’t enable backdoors in its software and that the choice of Dual_EC_DRBG was essentially down to fashion: at the time that the algorithm was picked in 2004 (predating the NIST specification), RSA says that elliptic curves (the underlying mathematics on which Dual_EC_DRBG is built) had become “the rage” and were felt to “have advantages over other algorithms.”
Reuters’ report suggests that RSA wasn’t merely following the trends when it picked the algorithm and that contrary to its previous claims, the company has inserted presumed backdoors at the behest of the spy agency. The $10 million that the agency is said to have been paid was more than a third of the annual revenue earned for the crypto library.
Other sources speaking to Reuters said that the government did not let on that it had backdoored the algorithm, presenting it instead as a technical advance.
Courtesy Tom Simonite, MIT TechnologyReview
In 2011, General Michael Hayden, who had earlier been director of both the National Security Agency and the Central Intelligence Agency, described the idea of computer hardware with hidden “backdoors” planted by an enemy as “the problem from hell.” This month, news reports based on leaked documents said that the NSA itself has used that tactic, working with U.S. companies to insert secret backdoors into chips and other hardware to aid its surveillance efforts.
That revelation particularly concerned security experts because Hayden’s assessment is widely held to be true. Compromised hardware is difficult, and often impossible, to detect. Hardware can do things such as access data in ways invisible to the software on a computer, even security software. The possibility that computer hardware in use around the world might be littered with NSA backdoors raises the prospect that other nations’ agencies are doing the same thing, or that groups other than the NSA might find and exploit the NSA’s backdoors. Critics of the NSA say the untraceable nature of hardware flaws, and the potential for building them into many systems, also increases the risk that intelligence agencies that place them will be tempted to exceed legal restrictions on surveillance.
“Hardware is like a public good because everybody has to rely on it,” says Simha Sethumadhavan, an associate professor at Columbia University who researches ways to detect backdoors in computer chips. “If hardware is compromised in some way, you lose security in a very fundamental way.”
Despite a few allegations against various governments, there are no publicly confirmed cases of backdoors in computer hardware being deployed. However, in recent years security researchers have repeatedly demonstrated the power and stealth of compromised hardware, mostly by embedding backdoors into the firmware of PC components. One presentation at the Black Hat security conference last year showed off a way to backdoor a new PC so that even switching the hard drive won’t close the door (see “A Computer Infection That Can Never Be Cured”).
Courtesy Tom Warren, theVerge
Part-time fugitive and antivirus software founder John McAfee has a new invention he’s working on. After spending some of his time filming a drug-fueled video tutorial to uninstall the antivirus program he helped create, McAfee now believes he can outsmart the NSA. Speaking at the C2SV Technology Conference on Saturday, McAfee unveiled his grand plan to create a "D-Central" gadget that communicates with smartphones, tablets, and laptops to create decentralized networks that can’t be accessed by government agencies.
The gadget might sound like something straight out of a Bond movie, but McAfee wants to build it and sell it for less than $100. "There will be no way [for the government] to tell who you are or where you are," McAfee says. Effectively, it works by creating small private networks that act as a dark web that’s inaccessible to others. McAfee says he has been planning the technology for a few years, but work on the project has intensified "rapidly" over the past few months. It’s not designed to replace the internet; instead it provides a localized dynamic network where users can communicate in private and share files. It will provide a private and public mode, and McAfee says he’s planning to use public nodes too.
MCAFEE WILL SELL D-CENTRAL EVEN IF IT GETS BANNED IN THE US
McAfee explains the device is localized and has a range of around three blocks. Everyone in those three blocks can then communicate with each other and that will obviously change as users move in and out of a local area. McAfee says he’s around six months away from a prototype device, and the current one is a round shape with no screens. "We have the design in place, we’re looking for partners for development of the hardware," he explains, noting there may be three or four varieties of final hardware. The whole project may never make it to retail shelves though, especially if concerns over its use result in a ban. McAfee answered questions over its criminal use by comparing D-Central to the telephone network. "Of course it will be used for nefarious purposes, just like the telephone is used for nefarious purposes." If the device gets banned in the US, McAfee says he’ll simply "sell it in England, Japan, the Third World."
While McAfee claims he has developed unique encryption that "the NSA won’t get into it," the main use for such a gadget might be at college campuses across the US. Napster rose to fame in the ’90s when it used peer-to-peer technology to make sharing MP3s quick and easy. McAfee’s gadget could be used widely to share files at colleges, making it difficult for authorities to police. "I cannot imagine any college student not standing in line to buy one of these," he claims. While the NSA claims are bold, McAfee is only outlining its use at a high level right now. A clock is ticking on his D-Central website, and we should learn more about the technology in 174 days. Until then, keep your tinfoil hat firmly in place.
Courtesy Ryan Gallagher, ArsTechnica
The National Security Agency’s spying tactics are being intensely scrutinized following the recent leaks of secret documents. However, the NSA isn’t the only US government agency using controversial surveillance methods.
Monitoring citizens’ cell phones without their knowledge is a booming business. From Arizona to California, Florida to Texas, state and federal authorities have been quietly investing millions of dollars acquiring clandestine mobile phone surveillance equipment in the past decade.
Earlier this year, a covert tool called the “Stingray” that can gather data from hundreds of phones over targeted areas attracted international attention. Rights groups alleged that its use could be unlawful. But the same company that exclusively manufacturers the Stingray—Florida-based Harris Corporation—has for years been selling government agencies an entire range of secretive mobile phone surveillance technologies from a catalogue that it conceals from the public on national security grounds.
Details about the devices are not disclosed on the Harris website, and marketing materials come with a warning that anyone distributing them outside law enforcement agencies or telecom firms could be committing a crime punishable by up to five years in jail.
These little-known cousins of the Stingray cannot only track movements—they can also perform denial-of-service attacks on phones and intercept conversations. Since 2004, Harris has earned more than $40 million from spy technology contracts with city, state, and federal authorities in the US, according to procurement records.
In an effort to inform the debate around controversial covert government tactics, Ars has compiled a list of this equipment by scrutinizing publicly available purchasing contracts published on government websites and marketing materials obtained through equipment resellers. Disclosed, in some cases for the first time, are photographs of the Harris spy tools, their cost, names, capabilities, and the agencies known to have purchased them.
What follows is the most comprehensive picture to date of the mobile phone surveillance technology that has been deployed in the US over the past decade.
Courtesy of TechCrunch
Coutesy Dan Goodin, ArsTechnica.com
Officials from RSA Security are advising customers of the company’s BSAFE toolkit and Data Protection Manager to stop using a crucial cryptography component in the products that were recently revealed to contain a backdoor engineered by the National Security Agency (NSA).
An advisory sent to select RSA customers on Thursday confirms that both products by default use something known as Dual EC_DRBG when creating cryptographic keys. The specification, which was approved in 2006 by the National Institute of Standards and Technology (NIST) and later by the International Organization for Standardization, contains a backdoor that was inserted by the NSA, The New York Times reported last week. RSA’s advisory came 24 hours after Ars asked the company if it intended to warn BSAFE customers about the deliberately crippled pseudo random number generator (PRNG), which is so weak that it undermines the security of most or all cryptography systems that use it.
"To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG," the RSA advisory stated. "Technical guidance, including how to change the default PRNG in most libraries, is available in the most current product documentation" on RSA’s websites.
The BSAFE library is used to implement cryptographic functions into products, including at least some versions of the McAfee Firewall Enterprise Control Center, according to NIST certifications. The RSA Data Protection Manager is used to manage cryptographic keys. Confirmation that both use the backdoored RNG means that an untold number of third-party products may be bypassed not only by advanced intelligence agencies, but possibly by other adversaries who have the resources to carry out attacks that use specially designed hardware to quickly cycle through possible keys until the correct one is guessed.
McAfee representatives issued a statement that confirmed the McAfee Firewall Enterprise Control Center 5.3.1 supported the Dual_EC_DRBG, but only when deployed in federal government or government contractor customer environments, where this FIPS certification has recommended it. The product uses the newer SHA1 PRNG random number generator in all other settings.
The NIST certification page lists dozens of other products that also use the weak RNG. Most of those appear to be one-off products. More significant is the embrace of BSAFE as the default RNG, because the tool has the ability to spawn a large number of derivative crypto systems that are highly susceptible to being broken.
In the beginning …
From the beginning, Dual EC_DRBG—short for Dual Elliptic Curve Deterministic Random Bit Generator—struck some cryptographers as an odd choice for one of NIST’s officially sanctioned RNGs. It was literally hundreds of times slower than typical RNGs, and its basis in "discrete logarithm" mathematics was highly unusual in production environments.
"I personally believed that it was some theoretical cryptographer’s pet project," one cryptographer who asked not to be named told Ars. "I envisioned a mathematician, annoyed at the lack of theoretical foundation in random number generation, badgering his way into an NIST standard."
A year after NIST approved the RNG as a standard, two Microsoft researchers devised an attack that allowed adversaries to guess any key created with the RNG with relatively little work.
Johns Hopkins professor Matt Green recounts that failing and a wealth of other peculiarities surrounding the embrace of Dual_EC_DRBG in an exhaustive technical analysis published Wednesday. Among them, when Dual_EC_RNG was adopted, was that it had no security proof.
"In the course of proposing this complex and slow new PRNG where the only frigging reason you’d ever use the thing is for its security reduction, NIST forgot to provide one," Green wrote. "This is like selling someone a Mercedes and forgetting to include the hood ornament."
In an e-mail, RSA Chief of Technology Sam Curry defended the decision-making process that went into making the RNG the default way for BSAFE and Data Protection Manager to generate keys.
"The length of time that Dual_EC_DRBG takes can be seen as a virtue: it also slows down an attacker trying to guess the seed," he wrote. He continued:
Plenty of other crypto functions (PBKDF2, bcrypt, scrypt) will iterate a hash 1000 times specifically to make it slower. At the time, elliptic curves were in vogue and hash-based RNG was under scrutiny. The hope was that elliptic curve techniques—based as they are on number theory—would not suffer many of the same weaknesses as other techniques (like the FIPS 186 SHA-1 generator) that were seen as negative, and Dual_EC_DRBG was an accepted and publicly scrutinized standard. SP800-90 (which defines Dual EC DRBG) requires new features like continuous testing of the output, mandatory re-seeding, optional prediction resistance, and the ability to configure for different strengths.
It will take time for people to ferret out all the products that use Dual_EC_DRBG, particularly as the sole or default RNG. Readers who know of others are invited to leave that information in a comment to this post.
Courtesy Sean Gallagher, ArsTechnica
The National Security Agency’s broad Internet monitoring program can do a whole lot more than provide a look inside a person’s Internet life. According to documents on the X-Keyscore program published byThe Guardian, the system can also be used to find computers that are vulnerable to attack, allowing the NSA’s Tailored Access Office to exploit them.
A training slide on the capabilities of X-Keyscore provided to The Guardian by Edward Snowden entitled “TAO” (for Tailored Access Operations, the organization within the NSA that hacks the networks of foreign governments and organizations) states that vulnerability profiles used by TAO to find targeted systems can be used to “show me all the exploitable machines in country X.” The “fingerprints” for vulnerabilities are added as a filtering criteria for X-Keyscore’s filtering application “engines”—a worldwide distributed cluster of Linux servers attached to the NSA’s Internet backbone tap points.
Enlarge / "Show me all the exploitable machines in country X"—like searching for a banana bread recipe on Google.
This capability essentially turns X-Keyscore into a sort of passive port scanner, watching for network behaviors from systems that match the profiles of systems for which the NSA’s TSO has exploits constructed, or for systems that have already been exploited by other malware that the TSO can leverage. This could allow the NSA to search broadly for systems within countries such as China or Iran by watching for the network traffic that comes from them through national firewalls, at which point the NSA could exploit those machines to have a presence within those networks.
Other slides in the set of documents explain how X-Keyscore could be used to track down VPN sessions and determine who they belong to from selected countries. The program could also be used to capture metadata on the use of PGP encryptions in e-mails and encrypted Word documents for later decryption. While X-Keyscore keeps a "buffer" of all the Internet traffic it traps at its tap locations for about three days, metadata on traffic can be kept for up to 30 days, allowing the NSA to trace and store information on who created documents passing across the Internet. "No other system performs this on raw unselected bulk traffic," the document states—implying that searches can be made across traffic that hasn’t been specifically tagged for monitoring.
Whose VPN connection shall we crack today, Brain?