Venafi Analysis of Snowden NSA Breach Confirmed – 2 Years Later

January 14, 2016 | Kevin Bocek
Key Takeaways
  • Following the NSA breach more than two years ago, Venafi analysis correctly indicated the misuse of keys and certificates
  • A leaked NSA memo confirms that a highly privileged digital certificate was used in the compromise
  • Over two years later, more and more experts are recognizing the threat that keys and certificates pose to enterprise security

It's been more than two years since Venafi publicly announced our analysis that Edward Snowden used the NSA's own cryptographic keys and digital certificates to steal the agency's classified data. The Venafi team suspected the truth of this modus operandi shortly after the news of the NSA breach based on kill chain and other analysis. A leaked NSA memo confirms this analysis.

In November 2013, the Venafi team published two primary pieces of analysis that made a compelling case: "Infographic: How Snowden Breached the NSA" and "Deciphering How Snowden Breached the NSA."

However, many were skeptical that keys and certificates (the very foundation of Internet trust and security) could be misused, especially at the NSA. Others came to the same conclusion as Venafi, and our analysis was ultimately published in USA Today.

Before we published our findings, we asked industry experts to vet them. And when we published them, we called on the NSA and Snowden to correct us if we were wrong. We still haven't received a reply from either party. Three months after Venafi published our analysis, validation came in the form of a leaked memo from the NSA to the U.S. House Judiciary Committee. Using social engineering, Snowden had gained access to, misused, and, by implication, continued to misuse a colleague's digital certificate that provided highly privileged access to NSANet and classified documents, the memo states. We don't know how many others he may have practiced this social engineering on and, because keys and certificates are so infrequently changed and revoked, he likely had access for an extended period. Venafi is aware of APTs that have misused keys and certificates for up to 7 years because keys were not replaced.

[Image: How Snowden breached the NSA]

In looking back over more than two years and reviewing confirmation of Venafi's analysis, we're not looking to gloat but, instead, to remind the cybersecurity community that Snowden's successful exploit is but a symptom of a disease that began undermining the Internet's foundation of trust years before. It's a chronic problem in which keys and certificates are becoming the ultimate cyberweapon for gaining trusted status and stealing data. The consequences will only become worse with the rise of DevOps and IoT. For example, one certainty is that IoT ransomware will become a reality: keys behind networks of things will be compromised and used to take over and control devices until money is paid.

The disease continues to spread, checked only by organizations that have discovered and protected every key and certificate across their networks, devices, clouds, containers, and more—from SSL/TLS to SSH, VPN, WiFi, and mobile. (Yes, even the misuse of VPN certificates is on the rise.)

The Venafi Trust Protection Platform can automate the secure lifecycle of keys and certificates, keeping the machine identities of our customers healthy, reducing risk, and bringing new levels of agility and speed.

It's worth noting that many experts in the security industry have come to recognize the threat misused keys and certificates pose to the Internet's security foundation. It isn't that we should stop using them. Even Snowden freely admits that properly implemented keys and certificates offer ironclad security. "Encryption works," Snowden has said. "Properly implemented strong crypto systems are one of the few things that you can rely on." He should know. Snowden used NSA’s own, unprotected keys and certificates against them to sneak classified information out of NSANet.

And we now have more guidance and recommendations on how to use keys and certificates than we did before. For example, the National Institute of Standards and Technology (NIST) recently published a paper on securing SSH keys, Security of Interactive and Automated Access Management using Secure Shell (SSH). SANS has made it clear that organizations need to know everything about every key and certificate that resides in their networks and protect them, including automating as many processes as possible. And large organizations like Google have made it standard to reduce key and certificate lifetimes (now down to 3 months for public-facing keys and certificates) to reduce the impact of a possible compromise and resulting misuse.

What are your thoughts about the NSA breach, now over two years later? How are we doing securing keys and certificates in our organizations? How can we get better?

About the author

Kevin Bocek

Kevin is Vice President of Security Strategy & Threat Intelligence at Venafi. He is recognized as a subject matter expert in threat detection, encryption, digital signatures, and key management, and has previously held positions at CipherCloud, PGP Corporation and Thales.
