Snowden hack left lasting impact on data security practices
Trust is no longer a shield as keys and certificates become the ultimate cyber weapon
By Kevin Bocek, Special to ThirdCertainty
Last year about this time, a leaked NSA memo revealed details about how Edward Snowden came to use a highly privileged digital certificate to access classified information.
Snowden talked a fellow civilian employee into sitting down at Snowden's own terminal and entering the civilian's PKI certificate credentials on a machine Snowden controlled.
The NSA report discloses: “Unbeknownst to the civilian, Mr. Snowden was able to capture the password, allowing him even greater access to classified information. The civilian was not aware that Mr. Snowden intended to unlawfully disclose classified information. However, by sharing his PKI certificate, he failed to comply with security obligations.”
The NSA memo confirmed Venafi's earlier analysis: misuse of cryptographic keys and digital certificates was central to the theft of the agency's classified data.
At the time, some in the security community were skeptical that keys and certificates—the very foundation of Internet trust and security—could be misused, especially at the NSA.
Today, more and more experts acknowledge that the way organizations of all sizes routinely handle keys and certificates amounts to a profound exposure.
Factoring in the human factor
Snowden needed only a bit of social engineering to gain highly privileged access to NSANet and classified documents. We don't know how many others he may have practiced this trick on.
And because keys and certificates are so infrequently changed or revoked, he likely kept that access for an extended period: a captured credential stays useful for as long as the certificate behind it remains valid and unrevoked. Venafi is aware of advanced persistent threats that have misused keys and certificates for up to seven years because the keys were never replaced.
The lessons from Snowden’s NSA insider hack should stick with us. His exploit is a symptom of a disease that has long undermined the Internet’s trust foundation, and continues to be a chronic problem.
It remains too easy to turn keys and certificates into the ultimate cyber weapon to gain trusted status and steal data. The consequences will only become worse with the rise of DevOps—the movement that emphasizes rapid development of IT services, often requiring keys and certificates for secure communications.
And then there is the acceleration of the Internet of Things. IoT ransomware is on the immediate horizon. Attackers are certain to find ways to obtain the keys that control mission-critical parts of corporate networks, and to lock the owners out of their own systems until a ransom is paid.
The disease keeps spreading, checked only by organizations that have discovered and protected every key and certificate across their networks, devices, clouds and containers, whatever those keys secure: SSL/TLS, SSH, virtual private networks, Wi-Fi and mobile.
Technology shouldn’t be scrapped
Should we stop using public key infrastructure? No. Snowden himself has observed that properly implemented keys and certificates offer strong protection; the weakness is in how they are managed, not in the technology.
And we now have more guidance on how to use keys and certificates than we did before. For example, the National Institute of Standards and Technology recently published Security of Interactive and Automated Access Management Using Secure Shell (SSH) (NISTIR 7966), on securing SSH keys.
And the SANS Institute has made it clear that organizations need to know everything about every key and certificate on their networks and protect them, automating as many of those processes as possible.
Meanwhile, Google and other very large organizations have made short key and certificate lifetimes standard practice. A short lifetime bounds the damage from a compromise: a stolen key or captured credential stops working when the certificate expires, whether or not anyone noticed the theft.
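The two practices above, inventory every certificate and bound how long each stays valid, can be checked mechanically. What follows is an added example, not code from this article or from Venafi: a stdlib-only Python script that parses a DER certificate just far enough to read its Validity field, computes the lifetime, and flags anything longer than a policy ceiling (398 days is assumed here, the limit browsers impose on public TLS certificates; an internal policy may be stricter). The sample certificates it inspects are constructed in the script as unsigned skeletons with placeholder issuer, subject and key fields; to run it over real material, pass the DER bytes of each certificate instead.

```python
"""Added example: read the Validity field of a DER X.509 certificate and
flag lifetimes longer than policy. Sample certificates are constructed
in-code as UNSIGNED skeletons; they are not real certificates."""
from datetime import datetime, timedelta, timezone

# ASN.1 tags used below (universal class, single-byte identifiers)
SEQUENCE, INTEGER, BITSTRING, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06
UTCTIME, GENTIME, EXPLICIT_0 = 0x17, 0x18, 0xA0


def der_len(n):
    """DER length: short form below 128, long form (0x80|N then N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Wrap payload as one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(payload)) + payload


def parse_tlv(buf, pos=0):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                   # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(payload):
    """Split a SEQUENCE payload into its top-level (tag, value) elements."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = parse_tlv(payload, pos)
        out.append((tag, val))
    return out


def encode_time(t):
    """RFC 5280 rule: UTCTime through 2049, GeneralizedTime from 2050 on."""
    if t.year < 2050:
        return tlv(UTCTIME, t.strftime("%y%m%d%H%M%SZ").encode())
    return tlv(GENTIME, t.strftime("%Y%m%d%H%M%SZ").encode())


def decode_time(tag, val):
    """Inverse of encode_time; applies the RFC 5280 UTCTime pivot (YY >= 50 -> 19YY)."""
    s = val.decode()
    if tag == UTCTIME:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def build_cert_skeleton(not_before, not_after):
    """Constructed, UNSIGNED certificate with the Certificate/TBSCertificate
    layout of RFC 5280 s4.1, so certificate_validity() can run offline.
    Issuer, subject, key and signature are placeholders."""
    version = tlv(EXPLICIT_0, tlv(INTEGER, b"\x02"))             # [0] EXPLICIT v3
    serial = tlv(INTEGER, b"\x01")
    sha256_rsa = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"         # 1.2.840.113549.1.1.11
    sig_alg = tlv(SEQUENCE, tlv(OID, sha256_rsa) + tlv(NULL, b""))
    name = tlv(SEQUENCE, b"")                                    # empty Name (placeholder)
    validity = tlv(SEQUENCE, encode_time(not_before) + encode_time(not_after))
    spki = tlv(SEQUENCE, sig_alg + tlv(BITSTRING, b"\x00"))      # placeholder key
    tbs = tlv(SEQUENCE, version + serial + sig_alg + name + validity + name + spki)
    return tlv(SEQUENCE, tbs + sig_alg + tlv(BITSTRING, b"\x00"))  # empty signature


def certificate_validity(der):
    """Return (not_before, not_after) as aware datetimes from DER certificate bytes."""
    tag, cert, _ = parse_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE; PEM input must be de-armoured first")
    _, tbs = children(cert)[0]
    fields = children(tbs)
    # version is OPTIONAL; when present ([0] EXPLICIT) every later field shifts by one
    idx = 4 if fields[0][0] == EXPLICIT_0 else 3
    (nb_tag, nb), (na_tag, na) = children(fields[idx][1])
    return decode_time(nb_tag, nb), decode_time(na_tag, na)


def lifetime_days(der):
    nb, na = certificate_validity(der)
    return (na - nb).days


def exceeds_policy(der, max_days=398):
    """True when the lifetime is longer than the policy ceiling (assumed 398 days)."""
    return lifetime_days(der) > max_days


# Constructed inventory of three sample certificates (not real).
ISSUED = datetime(2015, 1, 1, tzinfo=timezone.utc)
SAMPLES = {
    "legacy-internal-ca": build_cert_skeleton(ISSUED, ISSUED + timedelta(days=3650)),
    "web-frontend": build_cert_skeleton(ISSUED, ISSUED + timedelta(days=90)),
    "straddles-2050": build_cert_skeleton(datetime(2049, 12, 31, tzinfo=timezone.utc),
                                          datetime(2050, 1, 30, tzinfo=timezone.utc)),
}


def inventory_report(samples=SAMPLES, max_days=398):
    """Map each certificate name to (lifetime in days, exceeds-policy flag)."""
    return {name: (lifetime_days(der), exceeds_policy(der, max_days))
            for name, der in samples.items()}


if __name__ == "__main__":
    for name, (days, flagged) in inventory_report().items():
        print(f"{name:20} {days:5d} days  {'EXCEEDS POLICY' if flagged else 'ok'}")
```

For real certificates, convert PEM to DER first (for example with the standard library's `ssl.PEM_cert_to_DER_cert`) and pass the bytes to `certificate_validity`. The third sample exists because a certificate whose validity crosses 2050 carries one UTCTime and one GeneralizedTime, which is exactly the kind of edge a home-grown inventory script tends to get wrong.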
Related stories on certificates, keys and encryption:
3-steps for locking down digital certificates, cryptographic keys
KeyRaider hackers swipe more than just Apple accounts from jail-broken iPhones
Control your encryption keys when using cloud services