Security Revisited: What can we learn from
Transcription
Security Revisited: What can we learn from
(Cloud) Security Revisited What can we learn from Edward Snowden mag. Borut Žnidar Security consultant borut.znidar@astec.si Astec d.o.o. Stegne 31 SI-1000 Ljubljana T: 01 / 200 83 00 E: info@astec.si W: www.astec.si Slika The NSA, as viewed by Edward Snowden Spying on pretty much everything on Internet • 20 billion „record events“ daily, • Available to NSA analysts in 60 minutes Breaking most encryption on the Internet Stable of exploits designed to break into specifically targeted computers NSA shares this technology with others “Five eyes” group: USA, Canada, UK, Australia, New Zealand The NSA capabilities Breaking most encryption on the Internet • Agreement to spy, with Telco companies in US & UK • Network devices with included surveillance • Backdoors and weakened encryption implementations DES key length, CryptoAG, _NSAKEY in Windows NT, Lotus Notes key, Dual_EC_DRBG random generator in Windows Vista, SHA-3? • Attack against Tor network • Find Tor users Firefox vulnerability • Hacking, e.g. NSA+UK FOXACID BelgaCom (EU institutions) • Quantum Insert attack: MitM to Google servers FOXACID • FOXACID • Vast set of exploits: from unknown and unpatched to known • http://baseball2.2ndhalfplays.com/nested/attribs/bins/1/define/forms9952_z1zzz.html • Risk analysis: cost-benefit on target value and technical sophistication What about Us? How to Remain Secure Against the NSA (Bruce Schneier): 1. Hide in the network. E.g. Tor The less obvious you are, the safer you are. Encrypt your communications. E.g. TLS, IPsec. You're much better protected 2. than if you communicate in the clear. 3. If you have something really important, use an Air Gap. Might not be bulletproof, but it's pretty good. 4. Be suspicious of commercial encryption software, especially from large vendors. Try to use public-domain encryption that has to be compatible with other implementations. 5. • • • TLS vs. BitLocker. Prefer symmetric cryptography over public-key cryptography. Prefer discrete-log-based systems over elliptic-curve systems. What about Cloud Security NSA is hunting information, wherever they are Additional (new) challenges for Clouds… …but is on-premise IT doing any better? Still, there are areas, that Cloud Security must address 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Access control, Data management at rest, Data protection in motion, Encryption key management, Know who’s accessing what, Limit data access based on user context, Risk based approach for accessing resources in the cloud, Intelligent network protection, Regular security scanning and penetration testing on applications and endpoint devices, Add security intelligence in cloud. NSA was pulled out on the clear Knowing their activities is bad, but not knowing it before was worse Math is Good, Code is Subverted – Let‘s put pressure on the vendors Cloud is not the target – Information is Is it time for EU Security?
Similar documents
Slides
• So NSA are probably within their rights to deep packet inspect at the terminations of international cables/sat-links. • But, it seems, that is not what they did: AT&T provided National Security A...
More informationUnderstanding Encryption and Cloud Security
If you have additional questions about IaC, compliance, governance and best practices when it comes to validating networks, be sure to contact the experts at prancer.
More information