Co-authored by Dr. Stephen Bryen, Chairman Ziklag Systems
The latest computer security disaster, called Heartbleed, came about after a "bug" was exposed in code put together by a volunteer group called the OpenSSL Project. The OpenSSL Project personnel are not paid. However, the OpenSSL Foundation, with a home base in Maryland, tries to find paid security work for its personnel. Many top security and IT companies, and the Department of Homeland Security, are affiliated with the OpenSSL Project. The full membership of the OpenSSL Project team is not available on the Internet, but according to their Foundation, it consists of people on three continents and in 15 different time zones.
Many questions arise in connection with the Project, and generally on how computer security is handled today.
There are a number of murky issues that surround the Heartbleed "bug." Was the bug a coding accident, or an intentional assault on the OpenSSL framework? Are any of the personnel involved in the coding of OpenSSL connected with foreign governments or with hacking groups who would have an interest in exploiting Internet operations such as bill paying, banking, credit cards, or the security of public and private institutions? Is there any form of vetting for OpenSSL personnel? How is the code for OpenSSL validated and checked, and who does that?
OpenSSL affects the security of web sites used for transactions of all kinds. The "bug" also may have compromised security certificates that are used to add an even stronger layer of protection for government agencies and corporations. At the moment we only have informal assessments of the level of damage sustained because of Heartbleed. We do not have any coherent or acceptable information on how the bug was discovered, nor do we fully understand how the discovery was handled. In fact, there does not seem to be any protocol to handle such "events," or at least not one that was followed.
If the bug was intentionally put into the OpenSSL code, then much of the damage has already occurred and probably cannot be recovered. For example, the theft of passwords, certificates, emails, transaction data, and the names and identification of personnel, even the exploitation of vital government command and control networks, may already have taken place.
A significantly bad piece of karma is the recent discovery that the National Security Agency and the National Institute for Standards and Technology may have colluded in "bugging" an encryption system widely used by industry by using a bogus Random Number Generator vital to determining encryption codes.
Nor was this the only example. Researchers from Johns Hopkins University believe they have uncovered another case where codes were modified improperly, probably by the same agencies.
And in recent years smart cards, which are used to store security information and generate encryption keys, have also been found compromised. Taiwan, which purchased smart cards from a German vendor for the entire island population, found them to be functionally defective, so that many of the cards were not even producing anything approximating an encrypted transaction.
In short, given recent history and reasonable suspicion, we cannot rule out a hidden hand or hands in the OpenSSL debacle, or in many other instances where a supposedly secure system turned out to be full of rat holes.
But who can investigate the matter? This is a non-trivial question because the government is no longer trustworthy.
Congress could set up an independent commission to investigate compromises to computer security. It should be staffed by experts in cryptography and by national security specialists. The Commission, if empowered, should also make recommendations on a way forward for internet security. What is needed is a system that is accountable, where the participants are reliable, and where there is security from interference of any kind. Right now, no one can, or should, trust the Internet.