I hope you were able to read part 1 of this blog prior to coming to this part as it really sets the stage.
Around Dec. 20th, we all received reports on revelations that GCHQ (the rough British equivalent of NSA among other things) has been spying on the rest of the world also. (Wash Post article here: http://ow.ly/s1mBJ). Once again, this should not be a surprise as it is what they do. We should all just get off the whole, “I can’t believe they are doing their jobs” thing and focus instead on the larger point. Are each of these organizations following their own laws within their country and as agreed to by treaty to gather the data? Are they intentionally trying to hide their activities from their citizenry? If they are not following their own laws or they are appearing to try to hide activities that they later try to defend, then they know they are doing something wrong. They are following the old adage that it is better to ask forgiveness than permission when they get caught.
In September of 1987, Star Trek NG began. In the first episode, the Enterprise crew is introduced to a god-like alien race whose representative calls himself “Q”. Later, they are placed in a moral dilemma by Q where they have to make a choice to break the prime directive or suffer some huge consequence, also created by Q. During that trial of Captain Picard and, by representation, humanity, Q says something that has resonated with me during these surveillance revelations. He says, “It is a primitive civilization that cannot follow even its own rules.” This is where we seem to be. Regardless of how advanced a culture we claim to have, as a world society we are still in many ways primitive in that we do not follow our own rules or those we impress upon others.
Governments exercise their prerogative of changing the rules or bypassing them to some degree when the current environment does not meet their desires. At some point the changes get so far out of line with the perception of the people that the people cry foul and investigations ensue. In this case the US people cannot possibly get to the information they need to make a reasonable decision. When actions are challenged, the government calls it a matter of national security, providing so little information in response that there is no way to make a counter argument. I understand that some portion of what these organizations do must be performed in secrecy so they can be successful. However, it appears that though many parts of the government portray transparency, the law enforcement and intelligence community does the opposite. To facilitate the behind-the-scenes operations and create a facade of following the established laws, this government community has created a means of bypassing the normal court systems with the Foreign Intelligence Surveillance Act (FISA) and created the Foreign Intelligence Surveillance Court (FISC). These are not new entities. FISA was passed in 1978. Yes, 1978. However, it was not well known in the public eye until the last few years. The law was created to “prescribe procedures for the physical and electronic surveillance and collection of ‘foreign intelligence information’ between ‘foreign powers’ and ‘agents of foreign powers’…” (within the United States only) and has been significantly amended (restructured) since the attacks on the USA on 9/11/01, broadening its powers with each subsequent revision, with few of the revisions being publicly announced or reviewed. The FISC was created at the same time. It is staffed by federal justices who are appointed by the Supreme Court Justices.
It is the FISC that has pronounced and supported the surveillance requests and gag orders on the big three data companies, Microsoft, Google, and Facebook, as well as many others. Questions we should all be thinking about should be:
1) If there isn’t an intent to hide activities then why was this court created? We already have a court system. Why was it not good enough?
2) Why does it seem that even the Supreme Court, which appointed the FISC justices, does not have (or exercise) sufficient access or oversight into its activities?
3) Why is it that post-ruling, even security-cleared legal representation for the targeted groups can only get access to orders which are so severely redacted that they are powerless to respond?
Now that I have had my say, let me offer a few options for those of us who have nothing to hide, yet still believe that we deserve privacy.
The first thing everyone has to realize is that you have to choose between Usability and Security. They are competing objectives on a see-saw. Most times, one or the other overbalances the system. For many consumers, usability is the focus. They want an “unfettered experience” but to get that they sacrifice security. (That is where we are on the Internet for the most part). On the other side, we have requirements for ultimate security. The system or data must be kept safe so usability is very restricted. It is only in a few cases where there is a balance achieved to attain perfection in a system.
To achieve balance in the system, many changes need to be made that will mean users will have to relinquish some usability. That will most likely not happen any time soon but the current wave of exposure will help. Until that time, here are a few options for being more secure and less open to surveillance. These are ranked from Extreme measures down to Moderate efforts. These affect surveillance but there are other things that can be done to improve security.
1) EXTREME: The first and foremost way I see of being secure is to give up on using the Internet. Every use creates a digital trail of activities to some level or another. If you want anonymity and to avoid surveillance, don’t be there. (I don’t see many of the consumers doing this but I do know a few people who go this route.)
2) SEVERE: This is a lot of work but it gives access to Internet services with a high amount of anonymity.
a) First, create a virtual machine (VM) that has all of the software on it you will need and configure the browser to reject third party cookies / prompt you to approve cookies. Once that is done, make a snapshot/copy. Never use the original to access the Internet.
b) Use a copy once and only once for a session. Connect that system through an anonymity service like the TOR network, VPN services like AnchorFree, or anonymous proxy services that can be used to reduce the ability to be tracked while surfing.
c) When you are finished, copy the data you need to a connected drive and delete the image. Denying cookies helps stop monitoring within a session. Using the anonymity service stops external monitors from tracking you between sessions. Destroying the VM will get rid of all local digital residue such as remaining temp files, cookies and registry entries.
d) This approach requires discipline most users find too inconvenient.
3) MODERATE: You can use both browser settings and third party software to reject and/or remove cookies and temp files from your machine, leaving a smaller digital residue of activities. This will impact usability in such ways as the check boxes that are used on web sites to “remember me”. Those features are managed by persistent cookies, meaning a little extra effort each time we log into sites. Also, some websites require the acceptance of cookies to function. Setting browsers to refuse cookies will break those sites. Most, if not all, browsers and software are not 100% effective at removing all cookies and temp files. Part of that is a convenient/useful “design flaw”. Another point is that sites stick cookies all over the place, regardless of what the specs say so the browser or third party software may not be able to effectively identify and remove them. Using more than one method is often more effective but also impacts your user experience (blocking and functionality reductions) and the bottom line (purchasing the third party software).
4) LOW: This is low as it only affects email, not the entire Internet experience as #3 does. For secure communications, there are secure personal email services like hushmail, mykolab, and others as well as commercial services such as Zixcorp and Proofpoint. The key is to ensure that either all communicating parties are on the service or that the service offers the option of the sender actually holding the message in a secure location with all recipients having to go to that secure location to view the communication. If “secure” content is sent out to Yahoo or Google or Hotmail, it may no longer be encrypted and can therefore be surveilled.
5) The following is an item that users have no control over but advocacy should be given to change the Internet Advertising Industry: The industry should move to using encrypted cookies. This has been suggested by various organizations over time but loses traction due to the money involved in online targeted advertising. Ultimately to take hold, it may mean the end of many of the free services we use today because stopping ad revenue stops the free service subsidies. If each site used its own public key from a certificate to encrypt its cookies then only the organization with the corresponding private key would be able to access the cookie info. Restrictions on key distribution would have to be enforced. End users have no direct control over this as there is no way for them to click a check box to implement this sort of solution. To do this effectively, some of the salient points are: the cookie would have to be placed in a generic internet cache area so there were no clues on which group placed it and the entire cookie would have to be encrypted leaving no indicative file name or metadata. That would produce some pretty interesting overhead for the endpoint in having to parse through a whole bunch of random files so the browser could locate the proper cookie which is one of the reasons that I think it hasn’t been done. There has to be no way to identify who placed/encrypted the cookie or it’s no better than a regular one for this application. It can help cookie poisoning but that is another topic.
6) These items are good practices that can improve security but don’t necessarily address external surveillance:
a) Don’t click on links in emails or untrusted websites. In the vast majority of cases, this is how malware and spyware get a foothold on your system. Once you click on a link, you invite additional surveillance and attacks on to your system and are fighting an uphill battle from that point.
b) Keep up to date on security patches. Attackers use flaws in your programs and operating systems to gain access to your system. They then use privilege escalation techniques to get the highest level of access and, if successful, they control all.
c) General data encryption is always a good bet when holding data. This is a good practice for anyone that has data that they don’t want siphoned off by malware or surveillance. There are many technologies out there, both open source and for purchase, such as TrueCrypt, Axcrypt and PGP. They are considered reliable but they take user work and coordination of various degrees. Again usability vs. security comes into play. This is especially a good idea when moving into cloud applications. The cloud provider or intelligence or law enforcement may be able to get to the data if it is not secured by the data owner with a system for which the data owner controls the keys. These types of protection do not stop someone from getting the data but they get it in an unusable form unless they have the keys used to encrypt it or the encryption scheme is flawed.
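The encrypted-cookie idea from item 5, sketched as an added example that is not part of the original post: each site seals its whole cookie to its own public key, the blobs sit in one generic cache with no names or metadata, and the owner has to trial-decrypt every entry to find its own. The site names, the freshly generated RSA key pairs standing in for certificate keys, the choice of RSA-OAEP, and the array used as the cache are all assumptions made for illustration.

```javascript
const crypto = require('crypto');
// RSA-OAEP stands in for "the public key from the site's certificate" (assumption).
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical site with a freshly generated 2048-bit key pair.
function makeSite(name) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Encrypt the whole cookie (name and value) so the stored blob carries no
// readable file name or metadata. Anyone holding the public key can create
// such a blob, which is why key distribution would need restrictions.
function sealCookie(site, cookie) {
  const plain = Buffer.from(JSON.stringify(cookie), 'utf8');
  return crypto.publicEncrypt({ key: site.publicKey, ...OAEP }, plain);
}

// With nothing to say who placed a blob, the owner has to trial-decrypt every
// entry in the shared cache; OAEP decoding fails for blobs sealed to other keys.
function findOwnCookies(site, cache) {
  const found = [];
  let attempts = 0;
  for (const blob of cache) {
    attempts += 1;
    try {
      const plain = crypto.privateDecrypt({ key: site.privateKey, ...OAEP }, blob);
      found.push(JSON.parse(plain.toString('utf8')));
    } catch (err) { /* not sealed to this site's key: skip */ }
  }
  return { found, attempts };
}

// Constructed sample: two sites share one generic cache of opaque blobs.
function demo() {
  const shop = makeSite('shop.example');
  const ads = makeSite('ads.example');
  const cache = [
    sealCookie(ads, { id: 'a-1' }),
    sealCookie(shop, { session: 's-42' }),
    sealCookie(ads, { id: 'a-1' }),
  ];
  const sizes = cache.map((blob) => blob.length);
  const repeatsDiffer = !cache[0].equals(cache[2]); // OAEP is randomized
  return { shop: findOwnCookies(shop, cache), ads: findOwnCookies(ads, cache), sizes, repeatsDiffer };
}

console.log(demo());
```

Every blob is 256 bytes and two encryptions of the same cookie differ, so neither size nor content links a blob to a site, while each lookup costs one private-key operation per cached entry. RSA-OAEP with a 2048-bit key and SHA-256 holds at most 190 bytes, so larger cookies would need a hybrid scheme.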
I hope you have enjoyed the blog. It was a long one but due to the recent events, I think it can be very helpful.
Until next time….
David Monahan | Research Director, Enterprise Management | @SecurityMonahan
David is a senior information security executive with over 15 years of experience. He has organized and managed both physical and information security programs, including Security and Network Operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse Audit and Compliance and Risk and Privacy experience – providing strategic and tactical leadership, developing, architecting and deploying assurance controls, delivering process and policy documentation and training, as well as other aspects associated with educational and technical solutions.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.