AusCERT 2014: Security in a world of surveillance

The leaks by whistleblower Edward Snowden about the United States National Security Agency (NSA)’s spying activities has highlighted that consumers need to take a more serious approach to online security, according to Princeton University's professor of computer science and public affairs, Edward Felten

Speaking at the AusCERT security conference on the Gold Coast, Felten told delegates the Snowden leaks have confirmed that the NSA and other agencies, including the Australian Signals Directorate (ASD), have been co-operating in order to build surveillance and data collection systems.

In December 2013, the ASD received a formal complaint from UK-based privacy group Privacy International, following allegations that the ASD offered to share information about Australian citizens with international counterparts.

According to documents leaked by Snowden, the ASD indicated that it could share medical, legal and religious information with agencies in the United States, Britain, Canada and New Zealand during a 2008 intelligence conference in England.

At the time, the ASD was called the Defence Signals Directorate (DSD). According to the leaked documents, DSD said that it could make this information available without some of the privacy restraints imposed by some other countries.

Felten acknowledged that there is a need to conduct surveillance against terrorist groups. However, he said data collection by agencies needs to be “targeted against those people who are meaning to attack us and not targeted broadly against a crowd".

“How can we ensure that the surveillance that does occur, has a focus so that it doesn’t affect us all the time?," he asked.

Felten ran through some security strategies. The first was to talk about the methods that intelligence agencies use and try to improve those systems so they are more protective of civil liberties.

He cited a report sanctioned by United States president Barack Obama called <i>Liberty and Security in a Changing World</i> [PDF], published on 12 December 2013.

The report was undertaken following the NSA spying allegations.

“One of the recommendations of this report was that legislation should be enacted that terminates the storage of bulk telephony meta data by the [US] government and moves the storage of that information outside the government to a data custodian,” he said.

The other approach from the report review committee, which was also endorsed by president Obama, was to leave the data in the hands of the US telco providers such as Verizon and AT&T.

The NSA and other intelligence agencies would need to file a request to get access to data which they wanted to analyse.

The next strategy was to “take the notion of trust seriously".

Felten said that one of the best examples of “unclear thinking” about trust comes from websites that use HTTPS encryption settings.

“You might go to the AusCERT website that, good for them, uses HTTPS by default. If you click on the lock [on the website] you see an explanation of what the certificate is and you can choose whether to trust AusCERT or not.”

However, Felten pointed out that further examination of the AusCERT site’s HTTPS certificate can be traced back to a company in Sweden called AddTrust.

“My [Web] browser tells me that I trust AddTrust, but that as a factual matter is a false statement. I don’t know who AddTrust is.”

According to Felten, this puts AddTrust in a position where it can certify that any website is safe and his browser will 'trust' these websites.

He said this is an issue because there are a “substantial number” of forged SSL certificates used on unsafe websites.

Felten added that the typical Internet user goes to sites, such as CNN, that use standard HTTP, rather than HTTPS.

“In the context of HTTP sites, there is a method called opportunistic encryption. It is essentially HTTPS without authentication.”

According to Felten, this method, if done right, is secure against some online threats but is not secure against an active adversary such as cyber criminals who can “mess with the messages between the two end points".

Hamish Barwick attended the AusCERT conference as a guest of AusCERT

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia