Security industry tainted in latest RSA revelations
Report of $10 million payment from NSA to provide way to crack its encryption threatens reputation of industry
CSO - Trust in the security industry has taken a blow with a recent report that RSA was paid by the U.S. National Security Agency to provide a way to crack its encryption.
RSA denies the Reuters report published Friday that said the NSA paid RSA $10 million to adopt a flawed random-number generator as the default in one of its products. The agency-developed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) was used in RSA's BSAFE cryptographic toolkit.
The report shook up the security industry because of RSA's influence. The company's annual user conference in San Francisco is one of the largest security events of the year. On Monday, Mikko Hypponen, a widely known security expert, sent a letter to RSA cancelling his talk for the 2014 RSA Conference because of RSA's dealings with the NSA.
In a statement released Sunday, RSA said, "We categorically deny this allegation."
The company went on to say that it had "never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
Nevertheless, RSA failed to sway some security experts. "RSA's response has not instilled confidence in much of the security community," Carl Livitt, managing security associate for consulting firm Bishop Fox, said Monday.
"RSA's response is very cagey and blatantly ignores big, important questions," he said.
Matthew Green, a well-known cryptographer and assistant research professor at Johns Hopkins University, said the RSA revelation has threatened the reputation of the security industry.
"Most of the people I've spoken to agree that from our point of view, this is like you are a doctor trying to heal patients and you find out someone is making them sick on purpose," he said. "I think you'd be pretty upset about it."
Green said the job of security professionals is to make products secure, and the thought of a government agency purposely breaking them is upsetting.
"It makes me pretty angry," he said.
Last week, an independent White House Panel released a report that questioned whether the NSA's massive data collection, brought to light by documents from ex-NSA contractor Edward Snowden, was necessary to prevent terrorist attacks, as the agency claims.
The documents Snowden released to select media described information gathering from Internet and telecommunication companies on Americans and foreigners, including leaders in other countries.
Within the panel's list of recommendations was one that said efforts to undermine cryptography should be discarded.
In the RSA case, the company built the NSA-developed algorithm into BSAFE, its cryptographic toolkit for business applications, in 2004. The National Institute of Standards and Technology later approved the algorithm as a standard; it appeared in NIST Special Publication 800-90 in 2006.
Cryptographers had shown as early as 2007 that the generator could hide a trapdoor: anyone who knew the discrete-log relationship between its two fixed curve points could recover the generator's internal state from a few dozen bytes of its output, and with it every key it produced afterwards. Once the Snowden documents indicated that this weakness was by design, NIST recommended in September 2013 that Dual EC DRBG no longer be used. RSA then advised its customers to stop using it and dropped the technology from BSAFE.
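The following is an added example, not code from the article, from RSA or from NIST, showing why a trapdoored Dual EC DRBG is fatal. It reproduces the generator's core loop and the state-recovery attack under these assumptions: the curve is secp256k1 rather than the NIST P-256 curve the standard specifies (any prime-order curve behaves the same), only TRUNC_BITS of each output are discarded instead of the standard's 16 so that the candidate search finishes quickly in pure Python, and the party who chose the point Q did so as Q = e*P and therefore knows d = e^-1 mod N, the trapdoor that turns one output back into the next state.

```python
"""
Toy reproduction of the Dual EC DRBG state-recovery attack (Shumow/Ferguson, 2007).
Added example, not code from the article or from RSA/NIST. It uses secp256k1 as a
stand-in for P-256 and truncates only TRUNC_BITS of each output instead of 16.
"""
import secrets

# secp256k1 domain parameters (assumption: stand-in for the standard's P-256)
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
FIELD_BITS = 256
TRUNC_BITS = 4  # the standard drops 16 bits; 4 keeps the brute force to 16 candidates


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B mod P_MOD; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def dual_ec_outputs(seed, P, Q, count):
    """Dual EC core loop: s = x(s*P); r = x(s*Q); emit r with its top TRUNC_BITS bits dropped."""
    s = seed
    outs = []
    for _ in range(count):
        s = ec_mul(s, P)[0]
        r = ec_mul(s, Q)[0]
        outs.append(r & ((1 << (FIELD_BITS - TRUNC_BITS)) - 1))
    return outs


def lift_x(x):
    """Both curve points with this x-coordinate, or [] if none (P_MOD = 3 mod 4, so sqrt is a pow)."""
    v = (x * x * x + A * x + B) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != v:
        return []
    return [(x, y), (x, (-y) % P_MOD)]


def recover_state(out1, out2, P, Q, d):
    """Attacker side: from two consecutive outputs and the trapdoor d (P = d*Q), return the
    internal state that produced out2. Every later output is then computable."""
    mask = (1 << (FIELD_BITS - TRUNC_BITS)) - 1
    for hi in range(1 << TRUNC_BITS):          # guess the truncated bits
        x = (hi << (FIELD_BITS - TRUNC_BITS)) | out1
        for R in lift_x(x):                    # R = s*Q for the unknown state s
            s_next = ec_mul(d, R)[0]           # d*R = s*(d*Q) = s*P, whose x is the next state
            if ec_mul(s_next, Q)[0] & mask == out2:
                return s_next
    return None


def predict_next(state, P, Q):
    """Run the generator one step forward from a known state."""
    s = ec_mul(state, P)[0]
    return ec_mul(s, Q)[0] & ((1 << (FIELD_BITS - TRUNC_BITS)) - 1)


def demo(e=None, seed=None):
    """Constructed scenario: whoever chose Q = e*P knows e, hence d = e^-1 mod N.
    Returns True if the attacker, seeing only r1 and r2, predicts r3."""
    e = e or secrets.randbelow(N - 1) + 1
    seed = seed or secrets.randbelow(N - 1) + 1
    d = pow(e, -1, N)
    P, Q = GEN, ec_mul(e, GEN)
    r1, r2, r3 = dual_ec_outputs(seed, P, Q, 3)  # what the victim emits
    state = recover_state(r1, r2, P, Q, d)       # attacker uses r1, r2 and d only
    return state is not None and predict_next(state, P, Q) == r3


if __name__ == "__main__":
    print("attacker predicted r3 from r1, r2:", demo())
```

With the standard's 16 truncated bits the search is 2^16 candidates times two y-coordinates, still trivial for a party holding d, which is why the only defence is to know that nobody holds d: the standard's Q came with no verifiable provenance, and the optional procedure for generating your own Q was not what BSAFE shipped.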
Because the NSA is a top-secret organization with the job of supporting national security, companies are legally bound to remain silent on any dealings they may have with the agency. Given the tight restrictions, there is nothing a company can do if asked to cooperate with the NSA, which can only be reined in through new laws passed by Congress.
Therefore, a company has to accept the risk when choosing a security vendor.
"The reality is that at some point you're going to have to trust someone; what you need to be careful of is who you trust, how much, and for how long," Joseph DeMesy, senior security analyst for Bishop Fox, said.