The potential consequences of the
NSA (and GCHQ) spying on the mobile
And what you can/should do about it
Claus Cramon Houmann
Key take aways:
• The known and the "feared" extents of the NSA spying &
others who spy
• Spyware exists which can take full control of any mobile
device, not to mention laptops
• Defend your enterprise with defense in depth that includes
devices outside the perimeter
• Make sure you know which data leaves the perimeter
• Do your risk assessments and protect against your REAL
• Consider any data that leaves the perimeter lost
Why am I here presenting this?
• June 6th
• ..and since then
• Truth has been
• That affects us all
Initial releases from Snowden trove
• PRISM, XKEYSCORE, other programs that combined SPY on
our lives -> and remove much of our privacy & security
– Calls being recorded in the US – private AND corporate
– Metadata for all calls and Internet in the US
– -> this alone is quite a risk for companies operating in the US
• But THEN started the real revelations that concern any
• It turns out that the NSA & partners collect (almost) everything
– Your Google searches
– Your social
• They are intercepting, analyzing and storing almost all
Internet traffic. If they can't decrypt it, it just gets stored
longer until they can
• It’s not enough to just collect and store everything
• NSA actively hacks states, companies and private individuals
• To make this EASIER they have also weakened an unknown
number of cryptographic standards and tools
Red flags – special NSA target areas
Any bank with a swift code
Anyone using encryption
Anyone doing anything in the middle east
Anything to do with oil or gas (energy)
Anyone building security systems / infosec systems
But wait...this doesn't affect
• Raise your hand if you’re
thinking this right now
• Did around 25% of the people present raise their hands?
• I hope for 0
• If 25% raised their hands, another 25% didn't – only due to
normal classroom psychology
Why are those raised hands wrong?
• Others have the means to exploit cryptographic weaknesses
– China, Russia, serious competitors?
• The NSA passes information to US Government (and
others?), it’s conceivable that information from NSA spying
ends up in US corp hands
– This has happened before (e.g. ECHELON, circa 2000, per a BBC report)
• Anyone can potentially get at your data! Especially in
exposed locations such as mobile devices
But then...what can we do?
• Risk Management – mitigate the risks to acceptable levels
• Defense-in-depth: Defend your data, wherever and whenever
appropriate. Follow the booming market for innovative tools –
eventually someone will find a way to protect smartphones
/tablets acceptably. Laptops
• ENCRYPT. EVERYTHING. NOW.
• Manage where your data is.
Control that policies are followed.
• Awareness training & GRC
Defense-in-depth. Isn't it
simple and beautiful?
The future brings....
• European or Global Crypto-standards institute
• Advanced malware protection tools (AMPs), also for phones
• Changes to how NSA spies on US citizens...but how about the
rest of us....?
• Fortress Europe? Fortress South-america? Fortress Russia?
• Claus Cramon Houmann, 38, married to Tina and I have 3
• CISSP, ITIL Certified Expert, Prince2 practitioner
• You can contact me anytime:
– Skype: Claushj0707
– Twitter: @claushoumann
• Sources used:
– Richard Stiennon's presentation: "How the surveillance state is
changing IT security forever"
– Tidbits from @mikko’s TEDx presentation recently