First off, I would like to mention that one of the best analysis that I have seen in regards to what the NSA is able to do was written by Johannes Ullrich and published on the Internet Storm Center's diary this morning. In believe his entry entitled SSL is broken. So what? adequately summarizes the real nature of what occurred and what the appropriate technical response should be.
Despite all the attention that it is receiving, the fact of the matter appears to be that the NSA isn't actually cracking the encryption, they just have a way to get around much of it. The fact that the NSA has a way around encryption probably does mean that eventually others will too. The good news in my opinion is that now that this vulnerability has been exposed, there will no doubt be efforts to address it. Hopefully the necessary changes to fix the issue can be made before the ways to actually exploit the various backdoors are leaked.
Ultimately however, this capability of the NSA doesn't really change anything. Encryption is still import for securing internet transactions, and most of the bad guys don't have the resources to break the encryption. As Dr. Ullrich mentioned in his article, in many cases vulnerabilities in client software, or social engineering techniques resulted in data leaks, not failures in the encryption infrastructure. It is much easier for hackers to get what they want through insecure human behaviour.
One of these insecure human behaviours is running out of date software. I can't even count the number of times over the years that I have had to install new software on servers specifically to address issues with the SSL implementation. New notices regarding adjustments to how systems are setup, encryption key lengths, etc. are released all the time. It is of vital importance to stay on top of these, not to ignore them. In many cases Iowa counties rely on a vendor for these services. When is the last time you checked on how they are doing in this regard? Do you have tools in place to check for vulnerabilities in your systems where possible? Just making sure you keep the systems you are responsible for up to date can go a long way in keeping your private communications private.
Another insecure human behaviour is just how easily we can be manipulated by clever people. The bad guys exploit this all the time. It is usually much easier to just bypass the technology than trying to break it. That is essentially what the NSA has done. They have convinced others, whether it be encryption software developers or service providers, to give them the keys to their kingdom. Hackers try to do the same thing to us, through phishing e-mails or compromised web sites we visit. The best way to combat this is through education. By increasing awareness of how these devices work, how to spot them, and what to do when we fall prey, we can better protect ourselves, our organizations, and the internet transactions we depend on.
Like most organizations, counties certainly fall into the category of having "limited time and limited resources to fight unlimited worries." By focusing on the things we have control over and not getting distracted by the latest sensational headline, we can continue to make our counties more secure.
Despite all the attention that it is receiving, the fact of the matter appears to be that the NSA isn't actually cracking the encryption, they just have a way to get around much of it. The fact that the NSA has a way around encryption probably does mean that eventually others will too. The good news in my opinion is that now that this vulnerability has been exposed, there will no doubt be efforts to address it. Hopefully the necessary changes to fix the issue can be made before the ways to actually exploit the various backdoors are leaked.
Ultimately however, this capability of the NSA doesn't really change anything. Encryption is still import for securing internet transactions, and most of the bad guys don't have the resources to break the encryption. As Dr. Ullrich mentioned in his article, in many cases vulnerabilities in client software, or social engineering techniques resulted in data leaks, not failures in the encryption infrastructure. It is much easier for hackers to get what they want through insecure human behaviour.
One of these insecure human behaviours is running out of date software. I can't even count the number of times over the years that I have had to install new software on servers specifically to address issues with the SSL implementation. New notices regarding adjustments to how systems are setup, encryption key lengths, etc. are released all the time. It is of vital importance to stay on top of these, not to ignore them. In many cases Iowa counties rely on a vendor for these services. When is the last time you checked on how they are doing in this regard? Do you have tools in place to check for vulnerabilities in your systems where possible? Just making sure you keep the systems you are responsible for up to date can go a long way in keeping your private communications private.
Another insecure human behaviour is just how easily we can be manipulated by clever people. The bad guys exploit this all the time. It is usually much easier to just bypass the technology than trying to break it. That is essentially what the NSA has done. They have convinced others, whether it be encryption software developers or service providers, to give them the keys to their kingdom. Hackers try to do the same thing to us, through phishing e-mails or compromised web sites we visit. The best way to combat this is through education. By increasing awareness of how these devices work, how to spot them, and what to do when we fall prey, we can better protect ourselves, our organizations, and the internet transactions we depend on.
Like most organizations, counties certainly fall into the category of having "limited time and limited resources to fight unlimited worries." By focusing on the things we have control over and not getting distracted by the latest sensational headline, we can continue to make our counties more secure.
No comments:
Post a Comment