It's been more than two years since Venafi publicly announced our analysis that Edward Snowden used the NSA's own cryptographic keys and digital certificates to steal the agency's classified data. The Venafi team suspected the truth of this modus operandi shortly after the news of the NSA breach based on kill chain and other analysis. A leaked NSA memo confirms this analysis.
However, many were skeptical that keys and certificates (the very foundation of Internet trust and security) could be misused, especially at the NSA. While many were skeptical, others came to the same conclusion as Venafi. Our analysis was ultimately published in USA Today.
Before we published our findings, we asked industry experts to vet them. And when we published them, we called on the NSA and Snowden to correct us if we were wrong. We still haven't received a reply from either party. Three months after Venafi published our analysis, validation came in the form of a leaked memo from the NSA to the U.S. House Judiciary Committee. Using social engineering, Snowden had gained access, misused, and, by implication, continued to misuse a colleague’s digital certificate that provided highly privileged access to NSANet and classified documents, the memo states. We don't know how many others he may have practiced this social engineering on and, because keys and certificates are so infrequently changed and revoked, he likely had access for an extended period. Venafi is aware of APTs that have misused keys and certificates for up to 7 years because keys were not replaced.
In looking back over more than two years and reviewing confirmation of Venafi’s analysis, we’re not looking to gloat. But, instead, remind the cybersecurity community that Snowden's successful exploit is but a symptom of a disease that began undermining the Internet's foundation of trust years before. It’s a chronic problem that is finding keys and certificates becoming the ultimate cyberweapon to gain trusted status and steal data. The consequences will only become worse with the rise of DevOps and IOT. For example, one certainty is that IOT ransomware will become a reality—keys behind networks of things will be compromised and used to take over and control devices until money is paid.
The disease continues to spread, checked only by organizations that have discovered and protected every key and certificate across their networks, devices, clouds, containers, and more—from SSL/TLS to SSH, VPN, WiFi, and mobile. (Yes, even the misuse of VPN certificates is on the rise.)
The Venafi Trust Protection Platform can automate the secure lifecycle of keys and certificates, keeping the machine identities of our customers healthy, reducing risk, and bringing new levels of agility and speed.
It's worth noting that many experts in the security industry have come to recognize the threat misused keys and certificates pose to the Internet's security foundation. It isn't that we should stop using them. Even Snowden freely admits that properly implemented keys and certificates offer ironclad security. "Encryption works," Snowden has said. "Properly implemented strong crypto systems are one of the few things that you can rely on." He should know. Snowden used NSA’s own, unprotected keys and certificates against them to sneak classified information out of NSANet.
And we now have more guidance and recommendations on how to use keys and certificates than we did before. For example, National Institute for Standards and Technology (NIST) recently published a paper, Security of Interactive and Automated Access Management using Secure Shell (SSH), on securing SSH keys. And SANS has made it clear that organizations need to know everything about every key and certificate that resides in their networks and protect them, including automating as many processes as possible. And large organizations like Google have made it standard to reduce key and certificate lifetimes—now down to 3 months for public-facing keys and certificates—to reduce the impact of a possible compromise and resulting misuse.
What are your thoughts about the NSA breach, now over two years later? How are we doing securing keys and certificates in our organizations? How can we get better?