Encryption Lets NSA Store Your Email Forever

If you want to prolong your email’s stay with the NSA, just encrypt it.

Among the documents leaked by whistleblower Edward Snowden is one describing the National Security Agency’s treatment of communication it intercepts authored by U.S. citizens. In short, if the domestic communication is in plain text, it has a five-year shelf life. If it’s encrypted, though, the agency can keep it forever.

“The NSA’s position is that everything is foreign intelligence until proven otherwise,” Veracode CTO Chris Wysopal told TechNewsWorld.

When communication is encrypted, the NSA will keep it until it knows what’s it contains. That could be a very long time. For instance, there are coded messages from World War II that have yet to be decrypted.

However, the treatment of encrypted and plain text communications may be murky.

“I don’t know what’s really stopping the NSA from holding things in the clear as long as they want,” Wysopal said. “We get revelations every day that more and more information is stored for longer and longer times.”

Flawed Standards

The NSA’s domestic communication retention policy may be flawed.

“We think it’s an enormous loophole in the government’s minimization procedures, given the amount of encrypted information Americans convey in the course of their everyday activity,” Patrick Toomey, a staff attorney with the American Civil Liberties Union’s National Security Project, told TechNewsWorld.

Of course, the NSA may not have to hold on to encrypted communication very long before it cracks it, especially in light of revelations that the agency tinkered with the encryption standards.

“People have good reason to wonder how secure their encrypted communications are from NSA spying,” Toomey said.

Those revelations have prompted the security community to reevaluate those standards.

“There are a lot of people looking at the different cryptographic routines now and how those standards were accepted, and looking for more smoking guns of NSA influence on choosing a particular standard,” Wysopal observed.

Changing standards in any realm can be daunting, though.

“The encryption algorithms that have been approved have been implemented in lots of hardware and software, and if you wanted to use a different algorithm, you’d have to get new software and hardware” Wysopal pointed out.

“People should start working on this, but I don’t expect anything to change very quickly,” he added.

Shutdown Creates Hacker Magnet

Not everyone is upset with the shutdown of the federal government.

The longer Uncle Sam’s workers remain furloughed, the riper government systems become for Advanced Persistent Threat attacks.

“With a 70 percent layoff in some cases, it’s going to be easier to get away with more sophisticated attacks,” Larry Slobodzian, a senior solution engineer at LockPath, told TechNewsWorld.

“With fewer people handling vulnerability scanning and network auditing, there’s a risk for federal agencies, as well as any federal contractors that have responded to the shutdown with furloughs,” he added.

System patching will also fall behind during this period, which could lead to more headaches once the employees return.

“If you’re a hacker with a zero day or undocumented threat in your toolkit, you’re going to be exploiting that like crazy right now, knowing that nobody is doing the proactive work of threat and vulnerability management,” Slobodzian explained.

“There are contingency plans about who is and isn’t an essential employee, but cybersecurity hasn’t been properly scoped into those contingency plans,” he said.

“That’s going to be the lesson learned once everyone gets back to work,” added Slobodzian. “We’re going to find that a lot of positions that were labeled nonessential were really essential when we factor in cybersecurity.”

Breach Diary

  • Oct. 1. St. Mary’s Janesville hospital in Wisconsin reveals in Web posting that 629 patients may be affected by the theft of a laptop stolen from an employee’s car. Laptop contained protected health information relating to medical visits and may have included patient name, date of birth, medical record and account numbers, provider and department of service, bed and room number, date and time of service, visit history, complaint, diagnosis, procedures, test results, vaccines, if administered, and medications. The hospital said it had no reason to believe the laptop was stolen to gain access to patient information or that the information was accessed or misused in any way.
  • Oct. 2. UnityPoint Health, based in Iowa, reports a third-party employee gained unauthorized access to the personal records of 1,800 patients. Records had names, home addresses, dates of birth, health insurance account numbers and other health information. Some 180 records contained driver license and Social Security data.
  • Oct. 2. Santa Clara Valley Medical Center in California reveals health information of 571 patients was on unencrypted laptop stolen from the hospital’s audiology department. Information included patient names, medical records numbers, dates of birth, ages, sex, dates of service and brainwaves from testing.
  • Oct. 4. Adobe reveals data breach that compromised the personal information of 2.9 million users. It said hackers were able to hoover from company’s systems customers’ names, encrypted credit and debit card numbers, their expiration dates, Adobe IDs and encrypted passwords, as well as some source code.

Upcoming Security Events

  • Oct. 8-9. Cyber Maryland 2013. Baltimore Convention Center., Baltimore, Md. Registration: US$495; government, free; academic faculty, $295; student, $55.
  • Oct. 9. Induction Ceremonies at Cyber Security Hall of Fame for James Bidzos, David Bell, Eugene Spafford, James Anderson and Willis H. Ware. 6 p.m.-10 p.m. Hilton Baltimore, 401 W. Pratt Street, Baltimore. Dinner Admission (Black Tie Optional): $250.
  • Oct. 9. Protecting the Cloud from DDoS Attacks. Noon ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Oct. 10. PCI 3.0 Is Coming – Are You Ready? 11 a.m. ET. Webinar sponsored by Trustwave. Free with registration.
  • Oct. 17-18. 2013 Cryptologic History Symposium. Johns Hopkins Applied Physics Laboratory’s Kossiakoff Conference Center, Laurel, Md. Registration information to be announced.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Standard from Sept. 27-Oct.27, 1,095 euros + VAT delegate/695 euros + VAT one-day pass; On site from Oct. 28-31, 1,295 euros + VAT.
  • Nov. 6. Government-Industry Security Summit. Crystal Gateway Marriott, 1700 Jefferson Davis Highway, Arlington, Va. Registration: government, free; academic, $100; industry, $599.
  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
  • Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
  • Dec. 9-12. Black Hat Training Sessions. Washington State Convention Center, Seattle, Wash. “The Art of Exploiting Injection Flaws,” $1,800, by Oct. 24; $2,000, by Dec. 6; $2,300. “The Black Art of Malware Analysis,” $3,800, by Oct. 24; $4,000, by Dec. 5; $4,300. “CNSS-4016-I Risk Analysis Course,” $3,800, by Oct. 24; $4,000, by Dec. 5; $4,300.
  • Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.
  • Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, $415; Oct. 21-Dec. 1, $575; After Dec. 1, $725.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Privacy

Technewsworld Channels