Snowden hack left lasting impact on data security practices

Trust is no longer a shield as keys and certificates become the ultimate cyber weapon


Last year about this time, a leaked NSA memo revealed details about how Edward Snowden came to use a highly privileged digital certificate to access classified information.

Snowden talked a fellow civilian employee into sitting down at his (Snowden's) computer terminal and typing in his (the civilian's) PKI certificate.

The NSA report discloses: “Unbeknownst to the civilian, Mr. Snowden was able to capture the password, allowing him even greater access to classified information. The civilian was not aware that Mr. Snowden intended to unlawfully disclose classified information. However, by sharing his PKI certificate, he failed to comply with security obligations.”


The NSA memo confirmed Venafi's earlier analysis that the misuse of cryptographic keys and digital certificates came into play to steal the agency's classified data.

At the time, some in the security community were skeptical that keys and certificates—the very foundation of Internet trust and security—could be misused, especially at the NSA.

Today, more and more experts are acknowledging that the standard practices for using keys and certificates in organizations of all sizes can translate into a profound exposure.

Factoring in the human factor

Snowden only had to use a bit of social engineering to gain highly privileged access to NSANet and classified documents. We don't know how many others he may have practiced this trickery on.

And because keys and certificates are so infrequently changed or revoked, he likely had access for an extended period. Venafi is aware of advanced persistent threats that have misused keys and certificates for up to seven years because keys were not replaced.

The lessons from Snowden's NSA insider hack should stick with us. His exploit is a symptom of a disease that has long undermined the Internet's trust foundation, and continues to be a chronic problem.

It remains too easy to turn keys and certificates into the ultimate cyber weapon to gain trusted status and steal data. The consequences will only become worse with the rise of DevOps—the movement that emphasizes rapid development of IT services, often requiring keys and certificates for secure communications.

And then there is the acceleration of the Internet of Things. IoT ransomware is on the immediate horizon. Bad guys are certain to find ways to obtain control of the keys to gain access to mission-critical aspects of corporate networks, and lock the owners out until money is paid.


The disease continues to spread, checked only by organizations that have discovered and protected every key and certificate across their networks, devices, clouds, containers and more—from secure protocols such as SSL/TLS and SSH to virtual private networks, Wi-Fi and mobile.

Technology shouldn't be scrapped

Should we stop using public key infrastructure? No. Snowden himself observed that properly implemented keys and certificates offer ironclad security.

And we now have more guidance and recommendations on how to use keys and certificates than we did before. For example, the National Institute of Standards and Technology recently published a paper, Security of Interactive and Automated Access Management using Secure Shell (SSH), on securing SSH keys.

And the SANS Institute has made it clear that organizations need to know everything about every key and certificate that resides in their networks and protect them, including automating as many processes as possible.

Meanwhile, Google and other megasize organizations have made it standard to reduce key and certificate lifetimes. This reduces the impact of a possible compromise and resulting misuse.
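The three recommendations above (know every key and certificate, rotate them, and keep lifetimes short) can be turned into a simple inventory audit. The script below is an added example written for this column, not Venafi's, NIST's or SANS's code; the policy thresholds, fingerprints, hosts and dates are constructed placeholders. It computes how long a stolen copy of each credential would keep working if nobody revoked it, and flags expired certificates still in use, over-long validity periods, SSH keys that have no expiry and are overdue for rotation, and one private key being presented by several people, which is the sharing pattern the NSA memo describes.

```python
"""Audit a key and certificate inventory against lifetime and rotation policy.

Added example with constructed data; not part of the original column.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds: assumed values chosen for the example, not from any standard.
MAX_CERT_LIFETIME_DAYS = 90   # longest validity period a TLS certificate may carry
MAX_KEY_AGE_DAYS = 365        # SSH keys never expire, so rotate them by age instead


@dataclass(frozen=True)
class Credential:
    kind: str                  # "tls-cert" or "ssh-key"
    owner: str                 # person or service the credential was issued to
    host: str                  # where the inventory scan found it
    fingerprint: str           # hash of the public key; one key -> one value
    not_before: date           # issue (certificate) or creation (key) date
    not_after: Optional[date]  # expiry date; None for SSH keys, which have none


def lifetime_days(cred: Credential) -> Optional[int]:
    """Validity window in days, or None when the credential never expires."""
    if cred.not_after is None:
        return None
    return (cred.not_after - cred.not_before).days


def exposure_window_days(cred: Credential, today: date) -> Optional[int]:
    """Days a stolen copy keeps working after `today` if nobody revokes it.

    None means unbounded: with no expiry, only rotation ends the exposure.
    """
    if cred.not_after is None:
        return None
    return max(0, (cred.not_after - today).days)


def audit(inventory: List[Credential], today: date) -> Dict[str, List[str]]:
    """Return {fingerprint: [finding, ...]} for credentials that break policy."""
    findings: Dict[str, List[str]] = defaultdict(list)

    def note(fp: str, msg: str) -> None:
        if msg not in findings[fp]:   # same key on several hosts -> one finding
            findings[fp].append(msg)

    owners_by_fp: Dict[str, set] = defaultdict(set)
    for c in inventory:
        owners_by_fp[c.fingerprint].add(c.owner)

    for c in inventory:
        life = lifetime_days(c)
        if c.not_after is not None and c.not_after < today:
            note(c.fingerprint, f"expired but still deployed on {c.host}")
        if life is not None and life > MAX_CERT_LIFETIME_DAYS:
            note(c.fingerprint, f"lifetime {life}d exceeds {MAX_CERT_LIFETIME_DAYS}d policy")
        if c.not_after is None:
            age = (today - c.not_before).days
            if age > MAX_KEY_AGE_DAYS:
                note(c.fingerprint, f"no expiry and key is {age}d old; rotation overdue")

    # One private key presented by several people is the "shared credential"
    # pattern from the NSA memo: the logs can no longer say who actually used it.
    for fp, owners in owners_by_fp.items():
        if len(owners) > 1:
            note(fp, "same key presented by several owners: " + ", ".join(sorted(owners)))

    return dict(findings)


# Constructed inventory: fingerprints, hosts and dates are placeholders, not real values.
TODAY = date(2015, 9, 1)
INVENTORY = [
    Credential("tls-cert", "web-team", "web-01", "fp-web-01",
               date(2015, 1, 1), date(2015, 3, 31)),       # short-lived, but expired
    Credential("tls-cert", "net-team", "vpn-01", "fp-vpn-01",
               date(2013, 6, 1), date(2016, 6, 1)),        # three-year lifetime
    Credential("ssh-key", "alice", "bastion-01", "fp-ssh-admin",
               date(2009, 3, 15), None),                   # never rotated
    Credential("ssh-key", "bob", "bastion-02", "fp-ssh-admin",
               date(2009, 3, 15), None),                   # same key, different owner
]

if __name__ == "__main__":
    for fp, msgs in audit(INVENTORY, TODAY).items():
        print(fp)
        for m in msgs:
            print("  -", m)
```

The exposure window is the number the column's lifetime argument turns on: the 90-day web certificate is already dead, the three-year VPN certificate would still work for 274 days after a theft, and the six-year-old SSH key would work until someone notices and rotates it. A real deployment would populate `INVENTORY` from a scan of certificate stores, SSH `authorized_keys` files and key vaults rather than from literals.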
