Snowden wants to stop governments from spying on their citizens
July 21, 2014
NSA leaker Edward Snowden wants governments to stop spying on their citizens, and is now asking programmers and IT people to develop software that can prevent such spying from continuing.
In a video conference call keynote address delivered to the Hope X hacker conference in New York City on Saturday, Snowden said encryption was the first step in fighting against government surveillance and that new platforms to prevent traffic analysis techniques being used to figure out users' associates were key.
Snowden added that it was the civic duty of technologists to educate the public on how systems work so that they can better understand the risks posed by the devices, apps and services they use everyday.
"You, in this room right now, have both the means and the capabilities to help build a better future by encoding our rights into the programs and protocols on which we rely every day," Snowden told the conference's audience of hackers and hacktivists, adding that that was where he planned to focus his future work.
"Generally I say we need encryption, encryption, encryption, but when we talk about how we fix this stuff for the future, association is often the issue. How governments discover their adversaries uses the same techniques they use to discover spies and journalists," he said.
He urged technologists to develop padded protocols resistant to traffic analysis, even at the cost of performance, along with mix routing that divorces individual connections from their origination points and goes further than Tor does.
Smart people in the IT community should collaborate to build such platforms and then form teams to hack them to bits in order to discover and then subsequently close off avenues which a government may use to attack users.
Additionally, technology platforms had to be usable as well, Snowden said, pointing out that PGP (pretty good privacy), while still fairly effective, was "damn-near unusable" for the average user.
"We need non-attributable communications for unattributed internet access that is easy, fully transparent and reliable, as well," he said.
He specifically called on graduate students to consider how the worst people on earth may attempt to break into the systems they build.
The public needed to be educated too in order to shift the middle ground of technical illiteracy, he added.
"You are an advocate to help shift the middle ground of technical literacy. A lot of young people understand how technology works to an extent, but the system functions are hidden from them. They don't know where the dangers are and they trust their devices, and that can be a problem," added Snowden.
"Those who know even the slightest bit have a civic duty to help educate the people around us, just like the rise of literacy," he said.
Snowden said to a round of applause that a "high priesthood of technology" would be bad for everyone.
Daniel Ellsberg, who leaked the Pentagon Papers, congratulated Snowden and Wikileaks leaker Chelsea Manning (formerly known as Bradley Manning) for their work in exposing governmental and military secrets, adding that Snowden was the "only person at the NSA who did what he should have done".
"How many people should have done what you did?" he asked Snowden. "None has done more to uphold the truth," he said.
In other internet security news
Amazon Web Services' share of cloud-hosted malware attacks has more than doubled in the last six months, and is taking the IT industry by surprise. The general perception is that AWS isn't ready for prime time.
That's according to NTT subsidiary Solutionary, which presented its findings in its Q2 2014 Security Engineering Research Team (SERT) report, published on July 15.
Internet security researchers said that, out of the top ten ISPs and hosting providers surveyed, the proportion of malware-hosting websites served from Amazon infrastructure more than doubled from 16 percent in Q4 2013 to 41 percent in Q2 2014.
During the same period, hacker attacks on some European hosting companies grew from 10 to 13 percent; from 9 to 12 percent on Akamai; and from 6 to 9 percent on Google.
And this isn't the first time that Amazon's cloud has been used by miscreants to host large amounts of malware: Solutionary made the same claims in its Q4 2013 SERT report, and Kaspersky researchers discovered in 2011 that Amazon Web Services was playing host to the notorious SpyEye malware.
Part of the reason must be Amazon's scale and popularity as a cloud service, along with its Bezos-backed low prices. This means any wannabe hacker can buy server images from crooks and deploy them on AWS to build a network of malware-spreading websites.
"Overall, cloud instances of web services are extremely simple to provision on Amazon, GoDaddy, and all the majors," noted Solutionary security manager Chad Kahl.
"When you start going into the underground forums, they don't just sell a Zeus malware package, they'll sell you an entire command-and-control infrastructure and a phishing website to set up, and a drive-by-download website to set up.
"You go to them and it's CaaS (crime-as-a-service)," he explained. "It's truly script kiddies on a major scale."
Another reason why large providers may be having trouble stomping out amateur hackers on their service is that the criminals are moving rapidly between different clouds, Kahl said. "A lot of the malware operators bounce in between hosting providers, internet service providers and proxy hosts in different countries, and that's only part of the issue."
Worse, digital fingerprints of the viruses, Trojans and other software bugs hosted in public clouds are known and circulated in the infosec world, and can be used to identify malicious binaries, Kahl added.
"The question is, can these providers put the infrastructure in to scan everything?" he asked. Amazon and Google may be scrimping when it comes to investing in the tools needed to efficiently check the signatures of hosted files against databases of known evil binaries, he said.
"When we're talking about someone as big as Amazon or Google it would be a significant investment both in architecture and in time to go through and monitor everything as it's being put up, regular scans – to detect everything and take down these groups," the researcher said.
However, some companies are making good moves, such as Microsoft which has a number of malware-splatting initiatives.
Similarly, Google's new Project Zero team is tasked with hunting down security vulnerabilities in software before they are discovered and capitalized on by crooks.
As for Amazon, a spokesperson told us: "AWS employs a number of mitigation techniques, both manual and automated, to prevent such misuse of these services.
"We have also added automatic systems in place that detect and block some attacks before they leave our infrastructure. Our terms of usage are clear and when we find misuse we take action quickly and shut it down. Companies that do see malicious activity originating from AWS should contact us immediately," he added.
In other internet security news
The U.S. National Institute of Standards and Technology (NIST) has been asked to hire more cryptography experts so that it can confidently assess, and when warranted reject, the NSA's advice on cryptographic standards.
A report from NIST's Visiting Committee on Advanced Technology (VCAT), which scrutinizes and advises the institute, has criticized NIST for being too dependent on the NSA's cryptography expertise (or lack thereof).
VCAT cited the adoption and backing of the use of the buggy Dual EC DRBG algorithm, an NSA-sanctioned random number generator that was later found to be flawed.
To be sure, unpredictable random numbers are crucial in cryptography: the keys derived from them are what stops an eavesdropper from decrypting intercepted enciphered data, so a generator whose output can be predicted undermines everything built on it.
The report was launched in the wake of allegations from whistleblower Edward Snowden that the NSA deliberately weakened Dual EC DRBG and other algorithms for surveillance purposes.
Despite having been warned about those insecurities several years ago, the report also reveals that NIST – which is part of the U.S. Department of Commerce – relied heavily on input from the NSA in maintaining the security standard.
VCAT members believe that to guard itself from such scandals in the future, NIST will need to become more transparent and better engage with the security community as a whole.
According to the VCAT report, a lack of qualified personnel was a key shortfall for the NIST. Without enough experts on hand, the institute was unable to spot and address the security vulnerabilities in the Dual EC DRBG and the SP 800-90 standard.
To remedy the problem, the steering committee is recommending that NIST hire additional staff versed in cryptography as well as reaching out to academic institutions and security vendors when building and analyzing encryption standards.
Additionally, it was also determined that NIST will need to sever its ties with the NSA for good. "NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess it and reject it when warranted," the report suggests.
"This may be accomplished by NIST itself or by engaging the cryptographic community during the development and review of any particular standard," the report added.
And the report goes on to suggest other transparency measures as well, including the utilization of open competitions to build new standards and maintaining better documentation on how standards are developed.
NIST added that it would also continue to study the advisory board's findings ahead of releasing a new cryptographic standards report and some new guidelines regarding the development process by the end of 2014.
In other internet security news
Google is warning its users that bogus SSL certificates have been issued by India's National Information Centre (NIC).
Those certificates can be used by servers to masquerade as legitimate Google websites when they're not, and then eavesdrop or tamper with users' encrypted communications.
The internet connection would appear to be secure when in fact it's not. According to Google's security team, it noticed unauthorized certificates for several Google domains that popped up last Wednesday and then traced them back to India's NIC.
What's troubling about this is that the issuer holds several intermediate CA certificates that are trusted by the Indian Controller of Certifying Authorities (India CCA) and also some Western companies.
"The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn't include these certificates," said Google security engineer Adam Langley.
"However, we are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although mis-issued certificates for other sites may exist," Langley added.
Google engineers alerted both Indian agencies and Microsoft about the security issue, and the bogus certificates were revoked a day later. In the meantime, Google has blocked all the certificates using Chrome's CRLSet mechanism and says its products are in the clear.
It also appears that Microsoft users are now covered. "We are aware of the mis-issued third-party certificates and we have not detected any of the certificates being issued against Microsoft domains," a Microsoft spokesperson said.
"We are taking all the necessary steps to help ensure that our customers remain protected at all times."
The India CCA is now running a full investigation to determine exactly what happened to lead to the certificates being issued, but it's not the first time that certification authorities have either been tricked into issuing bogus certificates, or hacked in a manner to achieve that goal.
Source: Edward Snowden.