Friday, April 11, 2014

Did the NSA exploit the Heartbleed bug? From Bloomberg: NSA Abused Heartbleed Bug For Years, Left Consumers Exposed To Attack. In rebuttal, Government Denies It Knew About, Abused Heartbleed Bug (does it make you feel worse that the government couldn't detect this bug despite spending countless billions of so-called Homeland Security, NSA, FBI and military dollars, or worse because you believe this is just a lie?). Of course, after the "official denial" of using Heartbleed, note what the Government then said: REPORT: OBAMA: NSA Can Exploit Bugs Like Heartbleed For National Security Purposes!

NSA Abused Heartbleed Bug For Years, Left Consumers Exposed To Attack


It is one thing for the NSA to spy on everyone in the world, especially US citizens because all of them are obviously potential "terrorizers" just waiting for their opportunity to blow shit up (except for anything in close proximity to the Boston marathon - those things the NSA promptly filters out), but when the NSA itself is found to have not only known and itself abused the prevalent and widespread Heartbleed bug, but left consumers exposed, then it may be time to finally launch a class action lawsuit against Obama's favorite means to eavesdropping on the entire world.

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
And the punchline:

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”
The potential stems from a flaw in the protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility. If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for online bank accounts, e-commerce sites, and e-mail accounts across the world.

Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.

The fact that the vulnerability existed in the transmission of ordinary data -- even if it’s the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.

“They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.
Thank you NSA, for once again showing that you are from the government and are there to "help" and of course "protect" everyone.
How much more abuse from the government can the (granted mostly obese) US population take before it finally snaps?

Government Denies It Knew About, Abused Heartbleed Bug


And with this official denial we can be certain that Bloomberg's disgruntled NSA sources were right.
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.

In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
Now if only the NSA can also release a fabricated YouTube clip proving it never knew abused any compromised network anywhere, then all will be promptly forgiven and forgotten.

REPORT: OBAMA: NSA Can Exploit Bugs Like Heartbleed For National Security Purposes

The New York Times' David Sanger reports President Obama carved out a national security exemption for the NSA in January when it discovers a hole in Internet security that could affect the general public.
That exemption: the NSA doesn't have to say anything about the flaw.
The fruits of this policy became evident Friday when Bloomberg's Michael Riley reported the NSA had been exploiting the Heartbleed Bug, which is forcing users across the world to change their passwords, for years. The NSA has denied the report.
Here's what administration officials told the Times' Sanger:
“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”

Millions of Android Devices Vulnerable to Heartbleed Bug

Millions of smartphones and tablets running Google Inc. (GOOG)’s Android operating system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Internet and into consumer devices.
While Google said in a blog post on April 9 that all versions of Android are immune to the flaw, it added that the “limited exception” was one version dubbed 4.1.1, which was released in 2012.
Security researchers said that version of Android is still used in millions of smartphones and tablets, including popular models made by Samsung Electronics Co., HTC Corp. and other manufacturers. Google statistics show that 34 percent of Android devices use variations of the 4.1 software. The company said less than 10 percent of active devices are vulnerable. More than 900 million Android devices have been activated worldwide.
The Heartbleed vulnerability was made public earlier this week and can expose people to hacking of their passwords and other sensitive information. While a fix was simultaneously made available and quickly implemented by the majority of Internet properties that were vulnerable to the bug, there is no easy solution for Android gadgets that carry the flaw, security experts said. Even though Google has provided a patch, the company said it is up to handset makers and wireless carriers to update the devices.

Long Cycle

“One of the major issues with Android is the update cycle is really long,” said Michael Shaulov, chief executive officer and co-founder of Lacoon Security Ltd., a cyber-security company focused on advanced mobile threats. “The device manufacturers and the carriers need to do something with the patch, and that’s usually a really long process.”
Christopher Katsaros, a spokesman for Mountain View, California-based Google, confirmed there are millions of Android 4.1.1 devices. He pointed to an earlier statement by the company, in which it said it has “assessed the SSL vulnerability and applied patches to key Google services.”
Microsoft Corp. said yesterday that the Windows and Windows Phone operating systems and most services aren’t impacted.
“A few services continue to be reviewed and updated with further protections,” Tracey Pretorius, director of Microsoft Trustworthy Computing, wrote in an e-mailed statement.
Apple Inc. didn’t respond to messages for comment.

Mobile Risk

Verizon Wireless, the biggest U.S. mobile-phone company, said yesterday no other devices are impacted.
“Verizon is aware of the OpenSSL security vulnerability referred to as ‘Heartbleed,’ and we are working with our device manufacturers to test and deploy patches to any affected device on our network running Android 4.1.1,” spokesman Albert Aydin wrote in an e-mail. “Other mobile operating systems we offer are not affected by this vulnerability and we have no reason to believe that the issue has resulted in any compromise of Verizon customer accounts, websites, or data.”
The Heartbleed bug, which was discovered by researchers from Google and a Finnish company called Codenomicon, affects OpenSSL, a type of open-source encryption used by as many as 66 percent of all active Internet sites. The bug, which lets hackers silently extract data from computers’ memory, and a fix for it were announced simultaneously on April 7.

Broad Fallout

The reach of the vulnerability continues to widen as Cisco Systems Inc. (CSCO) and Juniper Networks Inc. (JNPR) said earlier this week that some of their networking-gear products are affected and will be patched. The Canadian government has ordered websites operated by the federal government that use the vulnerable version of OpenSSL to be taken offline until they can be fixed.
The vast majority of large companies protected their systems immediately and the push is now on to make smaller companies do the same, said Robert Hansen, a specialist in Web application security and vice president of the advanced technologies group of WhiteHat Security Inc.
Hackers have been detected scanning the Internet looking for vulnerable servers, especially in traffic coming from China, though it’s difficult to know how many have been successful, said Jaime Blasco, director of AlienVault Labs, part of AlienVault LLC. Many attempts have hit dead ends, Blasco said.

German Users

More than 80 percent of people running Android 4.1.1 who have shared data with mobile security firm Lookout Inc. are affected, said Marc Rogers, principal security researcher at the San Francisco-based company. Users in Germany are nearly five times as likely as those in the U.S. to be affected, probably because there is a device that uses that version of Android that is popular there, Rogers wrote in an e-mail.
Still, there are no signs that hackers are trying to attack Android devices through the vulnerability as it would be complicated to set up and the success rate would be low, Rogers said. Individual devices are less attractive to go after because they need to be targeted one by one, he said.
“Given that the server attack affects such a larger number of devices and is so much easier to carry out, we don’t expect to see any attacks against devices until after the server attacks have been completely exhausted,” Rogers wrote in an e-mail.

American Arrogance
It's not American exceptionalism, it's arrogance.

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
You see, this sort of stupidity stems from:

  • The belief that we're smarter than everyone else.  That is, no other nation (like China, for instance) has also tasked smart people with discovering flaws like this.
  • Thus, we can ignore the commercial and government implications of this bug.  Even though if it is exploited not only personal and corporate secrets will be stolen so will government secrets.
The NSA of course couldn't tell any government agency not to use a particular thing, because if they did then it would get investigated by someone, and the secret would get out.

But the pure arrogance in a belief that we're much smarter than everyone else, particularly on a bug that can be exploited without leaving a traceback that can be easily detected, is into the realm of insanity.

When (not if) we find out that the Chinese used this same bug to steal our government's (including our military's) secrets (and I believe we will) those at the NSA who made this decision should be indicted as accessories before the fact to the criminal espionage they assisted in.

Maybe that would wake a few people up.


Has the NSA Been Using the Heartbleed Bug as an Internet Peephole?

When ex-government contractor Edward Snowden exposed the NSA’s widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort. Even Snowden touted encryption as a saving grace in the face of the spy agency’s snooping. “Encryption works,” the whistleblower said last June. “Properly implemented strong crypto systems are one of the few things that you can rely on.”
But Snowden also warned that crypto systems aren’t always properly implemented. “Unfortunately,” he said, “endpoint security is so terrifically weak that NSA can frequently find ways around it.”
This week, that caveat hit home — in a big way — when researchers revealed Heartbleed, a two-year-old security hole involving the OpenSSL software many websites use to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to ten, cryptographer Bruce Schneier ranks the flaw an eleven.
Though security vulnerabilities come and go, this one is deemed catastrophic because it’s at the core of SSL, the encryption protocol so many have trusted to protect their data. “It really is the worst and most widespread vulnerability in SSL that has come out,” says Matt Blaze, cryptographer and computer security professor at the University of Pennsylvania. But the bug is also unusually worrisome because it could possibly be used by hackers to steal your usernames and passwords — for sensitive services like banking, ecommerce, and web-based email — and by spy agencies to steal the private keys that vulnerable web sites use to encrypt your traffic to them.
A Google employee was among those who discovered the hole, and the company said it had already patched any of its vulnerable systems prior to the announcement. But other services may still be vulnerable, and since the Heartbleed bug has existed for two years, it raises obvious questions about whether the NSA or other spy agencies were exploiting it before its discovery to conduct spying on a mass scale.
“It would not at all surprise me if the NSA had discovered this long before the rest of us had,” Blaze says. “It’s certainly something that the NSA would find extremely useful in their arsenal.”

NSA Sets Its Sights on SSL

Although the NSA could use the Heartbleed vulnerability to obtain usernames and passwords (as well as so-called session cookies to access your online accounts), this would only allow them to hijack specific accounts whose data they obtained. For the NSA and other spies, the real value in the vulnerability lies in the private keys used for SSL that it may allow attackers to obtain.
Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data.
According to documents the paper obtained from Snowden, GCHQ had specifically been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt traffic in near-real time, and there were suggestions that they might have succeeded. “Vast amounts of encrypted internet data which have up till now been discarded are now exploitable,” GCHQ reported in one top-secret 2010 document. Although this was dated two years before the Heartbleed vulnerability existed, it highlights the agency’s efforts to get at encrypted traffic.
The Snowden documents cite a number of methods the spy agencies have used under a program codenamed “Project Bullrun” to undermine encryption or do end-runs around it — including efforts to compromise encryption standards and work with companies to install backdoors in their products. But at least one part of the program focused on undermining SSL. Under Bullrun, the Guardian noted, the NSA “has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.”
Security experts have speculated about whether the NSA cracked SSL communications and if so how the agency might have accomplished the feat. Now, Heartbleed raises the possibility that in some cases the NSA might not have needed to crack SSL. Instead, it’s possible the agency used the vulnerability to obtain the private keys of companies to decrypt their traffic.

The Good News

So far, though, there’s no evidence to suggest this is the case. And there are reasons why this method wouldn’t be very efficient for the NSA.
First, the vulnerability didn’t exist on every site. And even on sites that were vulnerable, using the Heartbleed bug to find and grab the private keys stored on a server’s memory isn’t without problems. Heartbleed allows an attacker to siphon up to 64kb of data from a system’s memory by sending a query. But the data that’s returned is random — whatever is in the memory at the time — and requires an attacker to query multiple times to collect a lot of data. Though there’s no limit to the number of queries an attacker can make, no one has yet produced a proof-of-concept exploit for reliably and consistently extracting a server’s persistent key from memory using Heartbleed.
“It is very likely that it is possible in at least some cases, but it hasn’t been demonstrated to work all the time. So even if a site is vulnerable, there’s no guarantee you’re going to be able to use [Heartbleed] to actually get keys,” Blaze says. “Then you’ve got the problem that it’s an active attack rather than a passive attack, which means they need to be able to do multiple round trips with the server. This is potentially detectable if they get too greedy doing it.”
The security firm CloudFlare, which has spent the last three days testing various configurations to determine if, and under what conditions, it’s possible to extract private keys using the Heartbleed vulnerability, says it hasn’t been able to do so successfully yet, though its tests have been limited to configurations that include the Linux operating system on Nginx web servers.
Nick Sullivan, a Cloudflare systems engineer, says he has “high confidence” that a private key can’t be extracted in most ordinary scenarios. Though it may be possible to obtain the key under certain conditions, he doubts it has occurred.
“I think it is extremely unlikely that a malicious attacker has obtained a private key from an Nginx server of a busy website,” he says.
So far, they believe private keys can’t be extracted from Apache servers either, though they don’t have the same level of confidence in that yet. “If it is possible with Apache, it’s going to be difficult,” he says.
A few other researchers have claimed on Twitter and on online forums that they have retrieved private keys under various circumstances, though there doesn’t appear to be a uniform method that works across the board.
Either way, there are now signatures available to detect exploits against Heartbleed, as Dutch security firm Fox-IT points out on its website, and depending on how much logging companies do with their intrusion-detection systems, it may be possible to review activity retroactively to uncover any attacks going back over the last two years.
“I suspect there are many people doing exactly that right now,” Blaze says.
So what might the world’s spy agencies say about all this? The GCHQ has a standard response for anyone who might wonder if the spooks used this or any other vulnerability to undermine SSL for their BULLRUN program. In a PowerPoint presentation the British spy agency prepared about BULLRUN for fellow spies, they warned: “Do not ask about or speculate on source or methods underpinning BULLRUN successes.” In other words, they’ll never say.

(Now they say something...)

Feds issue warning: Hackers trying to exploit 'Heartbleed' bug

By Jim Finkle
BOSTON (Reuters) - The U.S. government warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the "Heartbleed" bug, as a German programmer took responsibility for the widespread security crisis.
On a website for advising critical infrastructure operators about emerging cyber threats, the Department of Homeland Security asked organizations to report any Heartbleed-related attacks, adding that hackers were attempting to exploit the bug in widely used OpenSSL code by scanning targeted networks.
Federal regulators also advised financial institutions to patch and test their systems to make sure they are safe.
OpenSSL is technology used to encrypt communications, including access to email, as well as websites of big Internet companies like Facebook Inc, Google Inc and Yahoo Inc.
The bug, which surfaced Monday, allows hackers to steal data without a trace. No organization has identified itself as a victim, yet security firms say they have seen well-known hacking groups scanning the Web in search of vulnerable networks.
"While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems," said Larry Zelvin, director of the Department of Homeland Security's National Cybersecurity and Communications Integration Center, in a blog post on the White House website.
The German government released an advisory that echoed the one by Washington, describing the bug as "critical."
Technology companies spent the week searching for vulnerable OpenSSL code elsewhere, including email servers, ordinary PCs, phones and even security products.
Companies including Cisco Systems Inc, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp and Red Hat Inc have warned customers they may be at risk. Some updates are out, while others are still in the works.
That means some networks are vulnerable to attack, said Kaspersky Lab researcher Kurt Baumgartner.
"I have seen multiple networks with large user bases still unpatched today," he said. "The problem is a difficult one to solve."
OpenSSL software helps encrypt traffic with digital certificates and "keys" that keep information secure while it is in transit over the Internet and corporate networks.
The vulnerability went undetected for several years, so experts worry that hackers have likely stolen some certificates and keys, leaving data vulnerable to spying.
In their advisory, the Federal Financial Institutions Examination Council regulatory group suggested that banks consider replacing those certificates and keys.
"Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch," said the FFIEC, a consortium of regulators including the Federal Reserve and the Treasury Department.
Comodo Group, the No. 2 provider of SSL certificates, said customers have requested tens of thousands of replacements this week.
"We are very busy, but we are coping. My gut feeling is that we are going to be very busy all the way through next week," said Comodo Chief Technology Officer Robin Alden.
Robin Seggelmann, a German programmer who volunteers as a developer on the OpenSSL team, said in a blog post published on Friday that he had written the faulty code responsible for the vulnerability while working on a research project at the University of Münster.
"I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed," said Seggelmann, now an employee with German telecommunications provider Deutsche Telekom AG.
He said the developer who reviewed the code failed to notice the bug, which enables attackers to steal data without leaving a trace. "It is impossible to say whether the vulnerability, which has since been identified and removed, has been exploited by intelligence services or other parties," he said.
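To make the "unit of length" that Seggelmann describes concrete, and to connect it with the Wired passage above on why each Heartbleed query returns an arbitrary slice of memory and with the note that intrusion-detection signatures now exist for it, here is an added example that is not code from the original page or from OpenSSL. It is a simplified model of a TLS heartbeat handler (RFC 6520 layout: type, two-byte payload length, payload, at least 16 bytes of padding) working on an in-memory record; nothing here touches a network. The `arena`, the `SECRET` marker, the offsets and the message contents are constructed for the demonstration. The vulnerable handler trusts the peer-supplied length; the fixed handler rejects any record whose declared payload plus header and padding cannot fit in the bytes actually received, which is the same shape of check the OpenSSL patch added. The same predicate, `heartbeat_is_malformed`, is what a defender can run over captured heartbeat records to flag attempts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16 };
#define HB_MAX_MSG (1 + 2 + 65535 + HB_MIN_PADDING)

/* Constructed process memory (assumption for the demo): the incoming record is
 * placed at the start of this arena and a stand-in secret sits a little further
 * along, the way key material or another client's data would sit in a real heap. */
#define ARENA_SIZE 1024
#define SECRET_OFFSET 100
static const char SECRET[] = "SECRET-KEY-MATERIAL";
static uint8_t arena[ARENA_SIZE];

/* Writes a heartbeat request into rec. `claimed` is the length field the sender
 * puts on the wire; `actual` is how many payload bytes really follow it. */
size_t build_heartbeat(uint8_t *rec, uint16_t claimed, const char *payload, size_t actual)
{
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, HB_MIN_PADDING);
    return 1 + 2 + actual + HB_MIN_PADDING;   /* true length of the record */
}

/* Returns 1 when the declared payload cannot fit inside the record that carried
 * it. This is the missing "realistic value" check, and the same test an IDS
 * signature applies to captured heartbeat records. */
int heartbeat_is_malformed(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return 1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    return 1 + 2 + payload + HB_MIN_PADDING > rec_len;
}

/* Vulnerable handler: trusts the peer-supplied length and never consults rec_len. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                            /* the bug: the real record length is ignored */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* over-reads whatever follows the record */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);
    return 1 + 2 + payload + HB_MIN_PADDING;
}

/* Fixed handler: silently discards the record (returns 0) if the length field lies. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (heartbeat_is_malformed(rec, rec_len)) return 0;
    return heartbeat_vulnerable(rec, rec_len, out);   /* safe once the bound holds */
}

/* Does the first len bytes of buf contain the stand-in secret? */
static int contains_secret(const uint8_t *buf, size_t len)
{
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0) return 1;
    return 0;
}

/* A request whose length field claims 200 bytes but carries 5: returns 1 if the
 * vulnerable handler leaked the secret, the fixed one refused, and the detection
 * predicate flagged the record. */
int demo_oversized_request(void)
{
    static uint8_t out[HB_MAX_MSG];
    memset(arena, 0, sizeof arena);
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET);
    size_t rec_len = build_heartbeat(arena, 200, "hello", 5);

    size_t n_vuln = heartbeat_vulnerable(arena, rec_len, out);
    int leaked = contains_secret(out, n_vuln);
    memset(out, 0, sizeof out);
    size_t n_fixed = heartbeat_fixed(arena, rec_len, out);

    return leaked && n_fixed == 0 && heartbeat_is_malformed(arena, rec_len);
}

/* A well-formed request (length field matches the payload) is answered normally. */
int demo_honest_request(void)
{
    static uint8_t out[HB_MAX_MSG];
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, 5, "hello", 5);
    size_t n = heartbeat_fixed(arena, rec_len, out);
    return n == rec_len && memcmp(out + 3, "hello", 5) == 0
           && !heartbeat_is_malformed(arena, rec_len);
}

int main(void)
{
    printf("oversized request: %s\n", demo_oversized_request() ? "vulnerable leaks, fixed rejects, IDS flags" : "unexpected");
    printf("honest request:    %s\n", demo_honest_request() ? "answered, not flagged" : "unexpected");
    return 0;
}
```

The model also shows why the Wired article says the returned data is "random": the vulnerable copy starts right after the record and takes whatever happens to lie there, so an attacker gets no control over which bytes come back and a defender sees a request whose length field is out of step with the record, which is exactly what a signature can key on.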
Seggelmann said such errors could be avoided in the future if OpenSSL were to get more support from developers around the world.
OpenSSL is an open source project, which means that it is supported by developers worldwide who volunteer to update and secure its code. It is not as well tended to as programs such as Linux, which is widely supported by a flourishing developer community around the globe and corporate backers.
"OpenSSL in particular still lacks the support it needs, despite being extremely widely available and used by millions. Although there are plenty of users, there are very few actively involved in the project," Seggelmann said in a post on a Deutsche Telekom website.

Node.js team member cracks CloudFlare’s Heartbleed challenge, proving that the bug exposes SSL keys

Fedor Indutny, a core member of the node.js team, has proved that it is in fact possible for an attacker to sniff out the private SSL keys from a server left exposed by the Heartbleed bug. The proof came in response to a challenge from CloudFlare that called on the security community to grab the keys from a demo server.
The public revelation of Heartbleed rocked the tech world earlier this week. The bug, an innocuous mistake in the “heartbeat” protocol of the critical SSL standard, had for years put the majority of the Web at risk of having exposed encryption keys, passwords and other sensitive data. To make matters worse, the exploit is virtually undetectable, making it difficult to tell whether attackers had already discovered the bug and taken advantage of it.
CloudFlare set up the competition after its own team was unsuccessful in exposing their own servers’ keys during testing. The company posited earlier on Friday that using Heartbleed to get private keys is “at a minimum very hard…it may in fact be impossible.”
Sadly, it appears that this level of attack is in fact possible. Ferreting out the private keys didn’t even prove to be particularly time intensive, as Indutny claims his final script took just three hours to track down the private SSL key. Server administrators who have put off revoking and re-issuing their SSL certificates should definitely take note.
CloudFlare has promised to provide details about how Indutny obtained the keys, but neither party is likely to reveal the exact method right away in order to give administrators more time to change their SSL credentials. Matthew Prince, CloudFlare’s CEO, did mention that he suspects that the keys were leaked when the team rebooted the challenge server.
Revoking SSL certificates will be a time-intensive and expensive process for website owners, but failure to do so jeopardizes them and their users, as attackers that have the private keys can impersonate servers even if they have already been patched.