Security industry tainted in latest RSA revelations

Trust in the security industry has taken a blow with a recent report that RSA was paid by the U.S. National Security Agency to provide a way to crack its encryption.

RSA denies the Reuters report published Friday that said the NSA paid RSA $10 million to use a flawed encryption formula. The agency-developed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) was used in RSA's BSAFE product.

The report shook up the security industry because of RSA's influence: the company's annual user conference in San Francisco is one of the largest security events of the year. On Monday, Mikko Hypponen, a widely known security expert, sent a letter to RSA cancelling his talk at the 2014 RSA Conference because of RSA's dealings with the NSA.

In a statement released Sunday, RSA said, "We categorically deny this allegation."

The company went on to say that it had "never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."

Nevertheless, RSA failed to sway some security experts. "RSA's response has not instilled confidence in much of the security community," Carl Livitt, managing security associate for consulting firm Bishop Fox, said Monday.

"RSA's response is very cagey and blatantly ignores big, important questions," he said.

Matthew Green, a well-known cryptographer and assistant research professor at Johns Hopkins University, said the RSA revelation has threatened the reputation of the security industry.

"Most of the people I've spoken to agree that from our point of view, this is like you are a doctor trying to heal patients and you find out someone is making them sick on purpose," he said. "I think you'd be pretty upset about it."

Green said the job of security professionals is to make products secure, and the thought of a government agency purposely breaking them is upsetting.

"It makes me pretty angry," he said.

Last week, an independent White House Panel released a report that questioned whether the NSA's massive data collection, brought to light by documents from ex-NSA contractor Edward Snowden, was necessary to prevent terrorist attacks, as the agency claims.

The documents Snowden released to select media described information gathering from Internet and telecommunication companies on Americans and foreigners, including leaders in other countries.

Among the panel's recommendations was one stating that efforts to undermine cryptography should be discarded.

In the RSA case, the company embedded the NSA-developed algorithm in its BSAFE product in 2004; BSAFE is software used to encrypt data in business applications. The National Institute of Standards and Technology (NIST) eventually approved the technology for use.

Once it was discovered that Dual EC DRBG had been developed to be cracked, NIST recommended that it not be used, and RSA then dropped the technology from BSAFE.

Because the NSA is a top-secret organization with the job of supporting national security, companies are legally bound to remain silent on any dealings they may have with the agency. Given the tight restrictions, there is nothing a company can do if asked to cooperate with the NSA, which can only be reined in through new laws passed by Congress.

Therefore, a company has to accept the risk when choosing a security vendor.

"The reality is that at some point you're going to have to trust someone; what you need to be careful of is who you trust, how much, and for how long," Joseph DeMesy, senior security analyst for Bishop Fox, said.

Stories by Antone Gonsalves