IP Source

Friday 9 January 2015

NSA and Your Com Links

The NSA has been revealed to be collecting data from the communication links used by Google and Yahoo data centers. What does this mean for you and your business?

I'll admit I'm not a subscriber to conspiracy theories. I believe Oswald acted alone, 9/11 wasn't an inside job, and the Titanic just plain hit an iceberg and sank. That being said, the revelation by Edward Snowden that the National Security Agency (NSA) has been spying on Google and Yahoo wasn't a particular surprise to me - nor to many other people either. It wasn't a matter of a conspiracy; it was only a matter of time.

The purpose of the NSA is to gather information that might be vital to United States interests. My goal isn't to discuss whether the NSA should or should not engage in this kind of activity, but rather what it might mean for you or your business if you are a Google user or customer.

What have they been up to?

The story was reported in the Washington post on October 30th. "According to a top-secret accounting dated Jan. 9, 2013, the NSA's acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency's headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records - including 'metadata,' which would indicate who sent or received e-mails and when, as well as content such as text, audio and video."

Basically, the NSA has been looking at data in motion - network traffic - between Google's data centers. This took place overseas where the NSA is permitted to conduct these operations. The full implications have yet to unfold but Google's past and future may well be divided by this line crossing its history.

Google has condemned this activity and explicitly stated "We do not provide any government, including the U.S. government, with access to our systems."

In turn, the NSA has defended their actions (PDF) by stating: "NSA conducts all of its activities in accordance with applicable laws, regulations, and policies." They assert they are looking for "terrorists, weapons proliferators, and other valid foreign intelligence targets" and that "our focus is on targeting the communications of those targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to us."

Regardless of intent or results, if you or your business has data on Google's servers – whether in the form of Gmail, documents stored in Drive, or company information kept on private Sites, I'm sure you're wondering exactly what you should do to protect your data from unwanted interception from any third party or agency.

So, what can I do?

First I want to state that my advice applies to individuals and businesses engaging in legal activities who are concerned about their privacy. I feel you have less to worry about if you aren't a desirable target for government spying, but I understand we all have different definitions and opinions of what the feds may have planned or what constitutes a "desirable target."

Now, this may sound shocking or cavalier, but if you're a Google customer and you transmit confidential information to their systems, you shouldn't be doing anything differently - with one special exception which I'll discuss below. Why is that? Because you've had your data in the hands of others all along and safeguarding it to the best of your ability, not to mention your level of comfort, has been a priority from the get-go. Hopefully it's an ingrained habit.
This means not sending messages through Gmail containing information which might ruin your organization if leaked (such as an announcement about an impending buyout offer).


Yes, your browser connection to Gmail is encrypted via certificate as shown above, but that protects you against someone sniffing traffic between you and Google. In this case the NSA was monitoring data between Google data centers, meaning they were already inside the perimeter.
Good security practices also mean not storing information on anyone else's servers unless it's protected by strong encryption. For instance, I use TrueCrypt to create virtual encrypted disks (also known as containers) which I can mount as a drive by entering my password (which is over 18 characters). Nothing I don't wish to share with the world is kept online other than within these TrueCrypt containers. This certainly gave me peace of mind when I lost a smartphone in New York City last summer which had copies of my TrueCrypt containers on it.

If you encrypt your data with a long, random 256-bit key (some feel 128-bit is sufficient, but the key to that is the length of the key!) it is virtually impossible for someone to guess the password via "brute force" computation. Upload this encrypted information to Google Drive and you can rest easy. Yes, it may be a pain having to mount and unmount the TrueCrypt container to add or change information - not to mention resynchronizing the saved file up to your Drive account. However, that's simply the price tag for keeping sensitive material off-site.

As for passwords, you are changing those on a regular basis, right? Same goes for your encryption keys (I realize I just stated it's impossible for someone to guess the password but how many of your ex-employees might know it?). What about ensuring your company workstations are free of malware, keystroke loggers, and other threats which can impact your privacy? How about making sure your wireless networks are locked down and your routers aren't using the default passwords? Hopefully you can see where I'm going with this. Threats will always be present whether inside or outside, and require the same measures.

Now, I need to talk about that special exception of what you should do differently, which I mentioned above. Be forewarned that encryption isn't necessarily a magical shield. The NSA is working hard to defeat or reduce the complexity of encryption. For instance, not all encryption products are ironclad; the NSA has engaged security vendors to devise back doors which they can exploit. Open source products are your best bet - and TrueCrypt is one such example. Best of all, it's free.


No comments:

Post a Comment

Send a plain text, no attachments, email from any client to comment. Only registered users or OpenID have this access.