NSA Said to Exploit Heartbleed Bug for Intelligence for Years
By Michael Riley, Apr 11, 2014 11:00 PM CT
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The agency’s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month.
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” according to an e-mailed statement from the Office of the Director of National Intelligence.
Heartbleed appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing, and computer companies from Cisco Systems Inc. (CSCO) to Juniper Networks Inc. to provide patches for their systems.
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
Controversial Practice
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”
Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.
NSA Denies Report It Knew About And Exploited Heartbleed For Years
Updated with NSA denial
Bloomberg is reporting that the National Security Agency knew about the Heartbleed flaw for at least two years and “regularly used it to gather critical intelligence,” according to two sources.
NSA denial
The NSA has denied the Bloomberg report. “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report,” according to a blog post from the Office of the Director of National Intelligence.
If the Bloomberg story is true, it would be a major bombshell that is certain to add fuel to the already contentious debate about the NSA’s role in surveillance. Last year it was reported that the NSA paid security firm RSA $10 million to intentionally weaken an encryption algorithm and had circumvented or cracked other encryption schemes. Reuters recently reported that “NSA infiltrated RSA security more deeply than thought.”
Bloomberg said that the NSA was able to use the Heartbleed flaw to obtain passwords and other user data. Is NSA making us less secure?
Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say
WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.
But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.
But elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.
Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered against the value of keeping the discovery secret for later use by the intelligence community.
“This process is biased toward responsibly disclosing such vulnerabilities,” she said.
Until now, the White House has declined to say what action Mr. Obama had taken on this recommendation of the president’s advisory committee, whose report is better known for its determination that the government get out of the business of collecting bulk telephone data about the calls made by every American. Mr. Obama announced last month that he would end the bulk collection and leave the data in the hands of telecommunications companies, with a procedure for the government to obtain it with court orders when needed.
But while the surveillance recommendations were noteworthy, inside the intelligence agencies other recommendations, concerning encryption and cyber operations, set off a roaring debate with echoes of the Cold War battles that dominated Washington a half-century ago.
One recommendation urged the N.S.A. to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of America’s adversaries. Tempting as it was to create easy ways to break codes — the reason the N.S.A. was established by Harry S. Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products. In recent months, Silicon Valley companies have urged the United States to abandon such practices, while Germany and Brazil, among other nations, have said they were considering shunning American-made equipment and software. Their motives were hardly pure: Foreign companies see the N.S.A. disclosures as a way to bar American competitors.
By Ellen Messmer, Network World
April 10, 2014 12:22 PM ET
Network World - The Heartbleed Bug, basically a flaw in OpenSSL that would let savvy attackers eavesdrop on Web, e-mail and some VPN communications that use OpenSSL, has sent companies scurrying to patch servers and change digital encryption certificates, and users to change their passwords. But who's to blame for this flaw in the open-source protocol that some say could also impact routers and even mobile devices?
A German software engineer named Robin Seggelmann of Münster, Germany has reportedly accepted responsibility for inserting what experts are calling a mistake of catastrophic proportions into the open-source protocol OpenSSL used by millions of websites and servers, leaving them open to theft of data and passwords that many think has already been exploited by cyber-criminals and government intelligence agencies.
“Half a million websites are vulnerable, including my own,” wrote security expert Bruce Schneier in his blog, pointing to a tool to test for the Heartbleed Bug vulnerability. He described Heartbleed as a “catastrophic bug” in OpenSSL because it “allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.” It compromises secret keys used to identify service providers and encrypt traffic, he pointed out. “This means anything in memory—SSL private keys, user keys, anything—is vulnerable.”
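The memory read Schneier describes comes down to a missing length check in OpenSSL's handling of TLS heartbeat records. As an added illustration that is not code from the article or from OpenSSL, the C below models the record layout, shows the pre-fix behaviour of trusting the 16-bit length field beside the bounds check the fix added, and measures how far past the received record the unchecked version would read; the layout constants, helper names and sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the page or from OpenSSL. Models a TLS
 * heartbeat request as   type(1) | payload_length(2, big-endian) | payload | padding(16)
 * and the length check that the Heartbleed fix introduced. */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Returns how many payload bytes a responder would echo back into its
 * reply, or -1 if the record is rejected.
 *   trust_length = 1: believe the length field as sent (pre-fix behaviour)
 *   trust_length = 0: require claimed payload + padding to fit inside the
 *                     bytes actually received (the fix) */
int heartbeat_echo_len(const uint8_t *rec, size_t rec_len, int trust_length)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (!trust_length && 1 + 2 + claimed + HB_PADDING > rec_len)
        return -1;               /* silently discard, as the fixed code does */
    return (int)claimed;
}

/* Bytes the unchecked responder would copy from beyond the received record
 * into its reply: the leak the article describes. 0 for a well-formed record. */
size_t heartbeat_overread(const uint8_t *rec, size_t rec_len)
{
    int claimed = heartbeat_echo_len(rec, rec_len, 1);
    if (claimed < 0)
        return 0;
    /* real payload bytes present after type, length and padding */
    size_t available = rec_len > 3 + HB_PADDING ? rec_len - 3 - HB_PADDING : 0;
    return (size_t)claimed > available ? (size_t)claimed - available : 0;
}

/* Constructed sample records: a well-formed request carrying 5 bytes, and a
 * malformed one whose length field claims 65535 bytes while carrying 5. */
static const uint8_t GOOD_REC[] = { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t BAD_REC[]  = { HB_REQUEST, 0xFF, 0xFF, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

int good_echo(int fixed) { return heartbeat_echo_len(GOOD_REC, sizeof GOOD_REC, !fixed); }
int bad_echo(int fixed)  { return heartbeat_echo_len(BAD_REC,  sizeof BAD_REC,  !fixed); }
```

With the fix, the malformed record is dropped; without it, the responder would echo 65535 bytes of which 65530 come from adjacent process memory.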
The Heartbleed Bug was discovered by security analysts from Google and Codenomicon and disclosed by the OpenSSL open-source group on April 7 as an OpenSSL Advisory, with a fix prepared by OpenSSL open-source contributors Adam Langley and Bodo Möller. Across the world, companies and vendors have been scrambling to either patch their systems or assure users that their services weren’t using OpenSSL.
Microsoft, for example, issued an advisory that “Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.”
But Microsoft added, “However, if you are using Microsoft Azure’s IaaS to host linux images, then you should make sure that your OpenSSL implementation is not vulnerable.”
Twitter also said its services weren’t impacted by Heartbleed. However, websites including Yahoo Mail, Yahoo Messenger and others were impacted. As stories about the Heartbleed Bug filled the news, there was widespread concern and bewilderment in the general public, and it wasn’t uncommon to hear the problem described by people as a computer virus, rather than a software flaw.