Schneier: NSA snooping tactics will be copied by criminals in 3 to 5 years

The good news? Strong crypto still works

RSA 2014 If you thought NSA snooping was bad, you ain't seen nothing yet: online criminals have also been watching and should soon be able to copy the agency's invasive surveillance tactics, according to security guru Bruce Schneier.

"The NSA techniques give about a three to five year lead on what cyber-criminals will do," he told an audience at the RSA 2014 conference in San Francisco.

"These techniques for exfiltrating data aren't magical, they are just expensive. Everything we know about technology is that it gets cheaper. So the notion of putting up a fake cell tower or wireless access point, of jumping air gaps, you're going to see this stuff – it's really just a matter of time."

The mass surveillance carried out by the NSA was made possible not just thanks to the agency's huge budget and matching motivation, he said, but also because the fundamental model of the internet and the companies that operate on it allowed it. Entire business plans for Facebook, Google and others are predicated on collecting personal data and using it (with some psychological techniques) to convince us to buy stuff.

All that data is swirling around and it's going to be a top target for savvy crooks, he said. The very business model of many online firms has created hugely valuable data flows that the NSA, other countries' intelligence agencies, and ultimately the criminal community, wish to feast upon.

The good news is that there are solutions, most notably encryption. Whistleblower Edward Snowden's revelations have shown that strong crypto "drives the NSA batty," Schneier said. Too many companies aren't building encrypted communications in as standard, he said, but if the NSA is foxed by a particular technique or algorithm then criminals will be too.

Strong crypto for everyone, not just the big rigs

People used to eschew encryption due to the processor load it caused, he said, but these days it's perfectly possible to run strong crypto without crippling your systems. The NSA managed to tap into the interlinks between the data centers of Google, Yahoo! and others because they weren't encrypting that in-transit data effectively, but that has now changed.

Snowden's leaks have shown the extent to which security and trust on the internet are broken, Schneier said, and new systems needed to be implemented in order to build a secure internet. This doesn't mean balkanizing the internet – Schneier described suggestions for country-specific internets as the "worst part" of the NSA leaks – but a fundamental rethink of how the internet and commercial software are managed.

It used to be that the US ran the internet as a "benign dictatorship," Schneier said, but those days are gone and they are never coming back. Unfortunately, the alternative of allowing internet governance to fall into the hands of the International Telecommunication Union is worse, he reckoned, and it could take 20 years before a suitable compromise is found.

In the meantime, IT buyers should be realistic and decide who they want to be spied upon by. While Cisco and Juniper sales are being hammered in China and India following claims the NSA is able to compromise and infiltrate their kit one way or another, there are very few other countries that have the capability to build their own network hardware industries and, for now, the NSA is the lesser of other evils.

"If someone's going to spy on you then better the US than Russia. I'd like there to be a huge public outcry, but the truth is you won’t be able to find the vendor that isn't vulnerable to legal pressure from somebody," he said.

"You think the Israeli companies are going to be better? Not a chance. Or the French – just not possible. It's a matter of picking who your enemy is and I hate this, I wish it wasn't so, but I think it is." ®
