This story came out a little while ago and hasn’t received that much coverage. This isn’t surprising considering what it’s about. Apparently, a major encryption company was paid by the NSA to weaken their encryption system.
Now what company would do something this asinine? Apparently it was RSA, a division of EMC Corporation. For those of you who may not know, RSA provides the security systems used by many major corporations for their VPN (Virtual Private Networking) systems. If you have one of those little key-shaped plastic tokens that says RSA SecurID on it with a small panel that has numbers that change every minute, this is what we’re talking about. Here are some of the details of this from Reuters:
As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.
RSA’s SecurID system is used by companies around the world. I have one and use it to log into my Real World Job. My late father had one so he could log into his job. To knowingly sell a system that is crippled is the height of stupidity. To continue:
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
So, all it took was $10 million to give the NSA the means to rampage through corporate networks. Now I do not know how the application works, and there is this mention of it being the default choice. I’m assuming this is used during the setup and configuration of the servers and tokens. I do NOT know if this weakness was also written into the non-default choices, if there are any. I suspect that most admins, unless specifically told not to, chose the defaults when possible in order to save time. They would have assumed that the encryption was top of the line, since that was what their companies had paid for.
The earlier disclosures of RSA’s entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.
Hey, RSA? Say bye bye to any credibility you had. I suspect that when it comes time for companies to renew/replace their current systems, you will be far down on the list of their choices.
RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness.
This is called locking the barn door after the horse has left, run two states over, frolicked merrily, been rounded up and shot in the head then turned into dog food and glue. It isn’t going to do anything to help you regain the trust of the computer security industry.
RSA and EMC declined to answer questions for this story,
Now there’s a surprise!
but RSA said in a statement: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.”
Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA’s corporate evolution away from pure cryptography products as one of the reasons it occurred. But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance.
“They did not show their true hand,” one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.
I think the phrase goes: “Lie down with cows, get covered in manure.” RSA let its greed get ahead of its common sense. The system used to generate the random numbers is called Dual Elliptic Curve and apparently some people who understand this stuff saw some problems early on. I am NOT any sort of an expert in cryptography, but I do know it is very easy to make a mistake in your algorithms. This is one reason the code needs to be reviewed by many people who understand this stuff and know what to look for.
Another interesting note was a major scandal that came out a couple of years ago. The Key Database for this stuff was stolen by hackers. RSA had to send out new tokens and software recoded to stop anyone from being able to use the database to hack into secure networks. I was one of those who was issued a new token. Now I wonder if this wasn’t actually part of the NSA’s plan to get this Dual Elliptic Curve algorithm into wider use? Might they have been the ones to steal the database? Could it be that the whole thing was a cock and bull story from the very beginning? Do you know where my tin foil hat is?
The NSA, much like the EPA, is out of control. While we do need the NSA, (Unlike the EPA. Them we can do without), it needs a major shakeup and certain managers need to be fired or prosecuted. No one really has an issue with the NSA doing things like this to other nations and people who are NOT American Citizens, Resident Legal Aliens and American Corporations. However, the NSA has been caught repeatedly trolling for information on Americans and thanks to several court rulings, in violation of the 4th Amendment of the United States Constitution. They need to be reined in and soon.

Thatisall
~The Angry Webmaster~



