TrustyCon 2014: Government Surveillance – The View from Outside Washington

Christopher Soghoian, along with the Electronic Frontier Foundation's Marcia Hofmann, takes questions from the TrustyCon audience

Located in a movie theater virtually on top of this year’s RSA Conference, TrustyCon featured some of the speakers who opted out of their RSA talks in protest of the allegations that the conference’s namesake – RSA Security – may have accepted payment from the NSA to weaken one of its crypto products to aid the government’s monitoring efforts.

Mikko Hypponen, chief research officer at F-Secure, and perhaps the most vocal of RSA’s critics, kicked off the talks with his overview of government-produced malware. This included Operation Olympic Games, the alleged joint US-Israeli effort to sabotage Iran’s nuclear program via the now-infamous Stuxnet malware.

Speculation about the source of the attacks on oil giant Saudi Aramco, as an Iranian response to Stuxnet, “do not make sense”, Hypponen observed. But when it comes to another now-famous malware discovery – Flame – he agreed with assessments that it must have been created by numerous researchers with a vast amount of resources at their disposal (read: a nation-state).

Taking a step back to evaluate the evolution of computer viruses, Hypponen recalled that “in 1991, viruses were written by 15-year-olds for fun.” Today’s reality, he added, is very different. People and organizations can protect themselves against internet-based thieves, he asserted. “It’s much harder to defend against governments”, he lamented. “But we won’t give up. [The security industry] is asleep right now, not seeing what’s going on in the world, and we need to wake up.”

When it comes to the tech companies themselves, however, there appears to be an evolution in how they value the privacy of their customers and defend it as part of routine business practice. That’s according to Chris Soghoian, principal technologist at the ACLU, who also spoke at TrustyCon.

He observed that the government would rather approach the Verizons and AT&Ts of the world – the telecoms providers – than Google or Twitter with a request for customer information. “Tech companies”, Soghoian said, “tend to push back more against government requests for data.”

He warned that, in their continuous drive to innovate, tech companies often roll out features for their customers that the government and law enforcement can subsequently leverage to access customer information. These features are then used by the government in ways that the tech companies never intended.

“It’s difficult to build a feature and keep it away from the government”, Soghoian declared. He gave as an example law enforcement’s successful attempts to bypass lock screen gestures and passcodes on mobile devices in their possession, using the password reset feature that lets owners regain access to the device if they forget how to unlock the lock screen.

One of the more worrying surveillance developments to Soghoian is a shift from monitoring the communication lines to gaining access on the endpoint itself. “For sophisticated people using encrypted communications services, the FBI and government will need to infect endpoint devices rather than intercepting data over the wires.” The two primary attack methods he points to are watering hole attacks and phishing emails.

Soghoian closed with perhaps his most dire warning about government surveillance capabilities. For this, he focused on major tech vendors and their automatic hardware/software updates. He recalled how the Flame malware used bogus signed certificates posing as those from Microsoft; the reality is that it’s possible to use the update process to infect specific machines, or to do so on a large scale.

“The trust we have in big companies is a weakness that the government will exploit”, he warned.

“Government can use automatic updates to get code onto a computer”, Soghoian commented, adding that, to date, there is no evidence this has happened – but it is possible. “I would hope that if and when Google gets a [court] order to do this, they will fight it all the way to the Supreme Court.”
