One of the things which makes security such an interesting business is that sometimes it's not a black-or-white proposition.
Here's a good example of the shades of grey we sometimes deal with.
But, being able to award trust in a thoughtful way is one of the hallmarks of being a security professional. At some point we have no choice but to trust others ... even if we don't want to.
For example; we trust NIST and the crypto research community to give us good encryption algorithms, we trust certification labs to test the implementation of those algorithms, we trust our vendors to try to give us good products ... and then we trust them to tell us when they failed.
And it's not just things we have to trust, we have to trust people in numerous ways - nothing chills my heart more than to contemplate the "insider threat".
Unfortunately, over the last few months, I believe that our ability to trust has been seriously challenged. I have three examples I'd like to mention of recent events which challenge our ability to trust.
The first is that NSA "thing."
Most folks, including any terrorist with half a clue, have assumed for years that the NSA is siphoning up all their information. But a lot of us were blind-sided when it was revealed that the NSA has been tampering with bits of the fundamental encryption we depend on. They went so far as to pay at least one company to make their products default to insecure algorithms, specifically so the NSA could then compromise those products.
There's a worldwide infrastructure focused on providing trustworthy encryption products. And the foundation of that infrastructure is our trust in the NIST certification and testing process. What we're being told now is that the core of that trust has been undermined ... specifically that the NSA has been planting known-to-them vulnerable encryption algorithms into the public approval process and then paying companies to adopt those vulnerable algorithms. Not to whine too much, but if you can't trust NIST and RSA to give us good random-number generators, who can you trust?
The second example of trust gone awry I'll mention is the whole home-router scandal. (...Be sure to see my update at the bottom...)
I've honestly lost track of how many "home" routers have turned out to have a back door built into them. This isn't an example of some idiot engineer installing another Sendmail WIZ bug, this looks like a conscious decision by a bunch of the home router manufacturers to put back doors into their products. I wouldn't be surprised to learn that almost all routers intended for the retail home/small business market have some sort of back-door in them. Scarily, it's not much of a leap to find a common thread between home router back-doors, and the NSA paying RSA to leave their products vulnerable.
My final observation of broken trust is just to notice that the NSA trusted Edward Snowden. How'd that work out for them?
So, other than venting, what's the point here? Simple, we need to remember what's at the core of trust and learn from these experiences. Merrian Webster defines trust as the "belief that somebody or something is reliable, good, honest, effective, etc." Ultimately, the level of trust you can have in something is directly proportional to how much control you have over its construction or use. If you've built something yourself from scratch, you can have a lot of trust in it - otherwise you're stuck having to make the assumption that everybody involved in producing it has been reliable, honest and effective. With a loaf of bread, that's relatively easy, but with a core router on the Internet, the chain of entities you have to trust is very long and complex.
While that sounds like an argument for "don't trust anything", drawing that conclusion is a mistake. You can't have zero risk and still get anything to work. Sadly, we have to trust some things.
So if we have to trust the untrustworthy, what can we do? We've been forcefully reminded that we're at risk when we trust things we don't control. However, that's nothing new and our response should not be a surprise.
Enter open source. In the home router arena, there have been open source replacements for manufacturer's router code for awhile. While nothing is guaranteed, one of the great things about open source is that it's very hard to hide a back-door in open source code. This doesn't completely solve the problem, there are still opportunities for vendors to hide back doors, even if you're running open source software on them. But it does dramatically raise the bar, and often that's the best you can do.
We can also apply this lesson more broadly. Think about the entire network stack you're using and ask, where do I have to trust the vendor, and where can I mitigate that trust by using open source? Think open source OS and applications (e.g. Linux and OpenOffice.) Then, think about going beyond that, do you really have to use Google? Maybe you can up your game a bit and use something like duckduckgo, or running your searches though a TOR connection (yes, both of those solutions have their own problems ... nothing's perfect.) Do you really want to buy that Nest, maybe one of the open-source thermostats would be more secure (and fun)?
There's one other lesson I think we should take away. It's an oldie, but a goodie and really ties back to trust. I'm speaking of defense in depth. The reason I love defense in depth so much is that it's an explicit acknowledgement that you can't completely trust anything. The point of defense in depth is that when a layer of defense lets you down, i.e. when it turns out you couldn't trust it after all, you've got additional layers to pick up the slack.
When it turns out that the random number generator you used to protect your SSL session was defective and <mumble> is snooping on your email connection, wouldn't it be nice if you had PGP encrypted your sensitive email? When Unit 61398 takes an interest in your home router, wouldn't it be nice if your data was housed on a server running OpenBSD instead of Windows XP? When your carefully vetted employee decides that your organization is evil, and needs to be taken down a notch or two, wouldn't it be nice if his access truly was limited based on need-to-know?
So, here's the bottom line. It's easy to get freaked out by some of the recent revelations, but really nothing has changed. There have always been very serious, very smart, well resourced attackers on the Internet. However, the principals you need to use to protect yourself haven't changed, we've just been reminded that they actually matter.
Here's a random collection of links related to the NSA issue and the home router problems.
NSA
http://topics.nytimes.com/top/reference/timestopics/organizations/n/national_security_agency/
https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html
Home Router Back Doors
http://www.devttys0.com/2013/10/from-china-with-love/
http://www.reddit.com/r/netsec/comments/1orepx/great_new_backdoor_in_tenda_w302r_routers/
http://blog.nruns.com/blog/2013/11/29/In-the-Wild-Malware-for-Routers-Sergio/
http://www.reddit.com/r/netsec/comments/1rn37d/dlink_vulnerability_of_the_week_telnet_interface/
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10001
http://krebsonsecurity.com/2013/12/important-security-update-for-d-link-routers/
http://www.h725.co.vu/2013/11/d-link-whats-wrong-with-you.html
http://shadow-file.blogspot.nl/2013/10/netgear-root-compromise-via-command.html
http://www.exploit-db.com/exploits/16149/
http://www.securityfocus.com/archive/1/530119
Update: 4/22/2014 Added this link. One of the primary suppliers of router hardware/software (http://www.sercomm.com/home.aspx?langid=1) claimed to have fixed the products, only to have been caught just hiding it deeper! OM#$!@*!G
http://arstechnica.com/security/2014/04/easter-egg-dsl-router-patch-merely-hides-backdoor-instead-of-closing-it/
http://www.synacktiv.com/ressources/TCP32764_backdoor_again.pdf
I am speechless ...
(But my point still remains, trust is a necessary evil so mitigate it as best as you can.)
