NSA Abused Heartbleed Bug For Years, Left Consumers Exposed To Attack
Submitted by Tyler Durden on 04/11/2014 16:26 -0400
It is one thing for the NSA to spy on everyone in the world, especially US citizens because all of them are obviously potential "terrorizers" just waiting for their opportunity to blow shit up (except for anything in close proximity to the Boston marathon - those things the NSA promptly filters out), but when the NSA itself is found not only to have known about and itself abused the prevalent and widespread Heartbleed bug, but to have left consumers exposed, then it may be time to finally launch a class action lawsuit against Obama's favorite means of eavesdropping on the entire world.
NSA SAID TO EXPLOIT HEARTBLEED BUG FOR INTELLIGENCE FOR YEARS

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
And the punchline:
NSA SAID TO HAVE USED HEARTBLEED BUG AND LEFT CONSUMERS EXPOSED

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

The potential stems from a flaw in the protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility. If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for online bank accounts, e-commerce sites, and e-mail accounts across the world.

Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.

The fact that the vulnerability existed in the transmission of ordinary data -- even if it’s the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.

“They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.
Thank you NSA, for once again showing that you are from the government and are there to "help" and of course "protect" everyone.
How much more abuse from the government can the (granted mostly obese) US population take before it finally snaps?
Government Denies It Knew About, Abused Heartbleed Bug
Submitted by Tyler Durden on 04/11/2014 16:52 -0400
And with this official denial we can be certain that Bloomberg's disgruntled NSA sources were right.
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.

In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
Now if only the NSA can also release a fabricated YouTube clip proving it never knew about or abused any compromised network anywhere, then all will be promptly forgiven and forgotten.
The New York Times' David Sanger reports President Obama carved out a national security exemption for the NSA in January when it discovers a hole in Internet security that could affect the general public.
REPORT: OBAMA: NSA Can Exploit Bugs Like Heartbleed For National Security Purposes
That exemption: the NSA doesn't have to say anything about the flaw.
The fruits of this policy became evident Friday when Bloomberg's Michael Riley reported the NSA had been exploiting the Heartbleed Bug, which is forcing users across the world to change their passwords, for years. The NSA has denied the report.
Here's what administration officials told the Times' Sanger:
“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”
Millions of Android Devices Vulnerable to Heartbleed Bug