"RSA always acts in the best interests of its customers and under no circumstances does RSA design or enable any backdoors in our products," the company said in a Sept. 20 advisory. In most instances, swapping out Dual EC DRBG is viewed as a simple configuration change, but in some cases it won't be. Many hundreds of high-tech products, including those from Cisco and BMC as well as EMC storage products, have included Dual EC DRBG because of RSA BSAFE.
Whether the smoking gun related to Dual EC DRBG is ever found, the damage to U.S. industry from this and other NSA revelations has been done.
"NIST standards are vetted by the NSA," says Tatu Ylonen, CEO of Finland-based SSH Communications Security, saying he senses a crisis in confidence and credibility around U.S. products and services. "U.S. cloud services have been put into question for good reason."
And if the NSA expresses confidence in some technology, such as the Trusted Platform Module (TPM), hardware security standardized by the Trusted Computing Group, the reaction is often suspicion, whether that's really deserved or not, he notes. As an example of the far-reaching implications, Ylonen says that since the Snowden documents about the NSA were leaked, Finland stopped electronically communicating top-secret material between embassies, preferring to courier this kind of information instead.
Malcolm Harkins, Intel's vice president and chief information security and privacy officer, says Intel has no reason to suspect a backdoor in TPM and adds Intel itself "does not support anything that creates a backdoor in security and trust in technology."
He says Intel is concerned about supply chain safety and buys from its own list of approved and trusted suppliers. However, he acknowledges the Snowden revelations are creating a stir and, to some extent, a backlash. From his own perspective, he isn't observing too much in the way of CISOs expressing lack of confidence in technology from U.S.-based providers, but they are sometimes hearing this expressed at the upper management and executive level.
Ylonen of SSH admits occasionally feeling "paranoid" about the potential for the NSA or other countries' spy agencies to cyber-snoop, acknowledging that he has even worried that they would use undocumented SSH keys to gain entry into systems, a known vulnerability. But he never imagined the extent of what the Snowden leaks suggest about the NSA.
The leaked Snowden documents suggest NSA has been busy subverting network products for years, perhaps working with its ally in the United Kingdom, the GCHQ, to place "moles" in high-tech firms for that purpose.
The NSA is suspected, for example, of using fraudulent X.509 certificates to perform man-in-the-middle attacks against its targets.