Old 04-11-2014, 03:38 PM  
teedubya teedubya is offline
Waiting Until Next Year!
Join Date: Oct 2003
The NSA Used Heartbleed to Spy on People for Years

'Murica

http://www.bloomberg.com/news/2014-0...consumers.html

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.

Controversial Practice

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.

The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

Free Code

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling series of leaks from Snowden, who was a former agency contractor.

The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S.’s largest spy agency. The NSA protects the computers of the government and critical industry from cyberattacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.

Serious Flaws

Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.

“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”

When researchers uncovered the Heartbleed bug hiding in plain sight and made it public on April 7, it underscored an uncomfortable truth: The public may be placing too much trust in software and hardware developers to ensure the security of our most sensitive transactions.

“We’ve never seen any quite like this,” said Michael Sutton, vice president of security research at Zscaler, a San Jose, California-based security firm. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”

Flawed Protocol

The potential stems from a flaw in the protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility.

If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for online bank accounts, e-commerce sites, and e-mail accounts across the world.

Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.

Ordinary Data

The fact that the vulnerability existed in the transmission of ordinary data -- even if it’s the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.

“They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.

SSL Protocol

The SSL protocol has a history of security problems, Lewis said, and is not the primary form of protection governments and others use to transmit highly sensitive information.

“I knew hackers who could break it nearly 15 years ago,” Lewis said of the SSL protocol.

That may not soothe the millions of users who were left vulnerable for so long.

Following the leaks about NSA’s electronic spying, President Barack Obama convened a panel to review the country’s surveillance activities and suggest reforms. Among the dozens of changes put forward was a recommendation that the NSA quickly move to fix software flaws rather than exploit them, and that they be used only in “rare instances” and for short periods of time.

Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said the country’s ability to spot terrorist threats and understand the intent of hostile leaders would be vastly diminished if their use were prohibited.
Old 04-11-2014, 05:30 PM   #2
planetdoc planetdoc is offline
Veteran
Join Date: Apr 2012
Quote:
“It flies in the face of the agency’s comments that defense comes first,
Yup. The US is the most technologically advanced (and dependent) country. I wonder what foreign countries were exploiting the Heartbleed vulnerability on the exposed US homeland.

BTW, I plan on eventually responding to patteau's comments in this thread, but I've been way too tired and too busy.
Old 04-13-2014, 11:27 AM   #3
Donger Donger is offline
"Think BOOM!"
Join Date: Nov 2003
Location: 33.675° N 106.475° W
VARSITY
Good.
__________________
I think the young people enjoy it when I "get down," verbally, don't you?
Old 04-14-2014, 02:03 PM   #4
theelusiveeightrop theelusiveeightrop is offline
Spiraling down the Drain
Join Date: Oct 2012
Location: Dante's Ninth Circle
Breaking news: the interwebz has security flaws, and the government exploits them
__________________
"We're both part of the same hypocrisy, Senator, but never think it applies to my family."

2014 Adopt a Chief - Travis Kelce #87
Old 04-14-2014, 02:17 PM   #5
Garcia Bronco Garcia Bronco is offline
No Keys, No Problem
Join Date: Sep 2000
Location: Denver
Of course they ****ing did.

If they didn't know about it...then they're dumbasses and have to be refitted.
If they did know and used it, then they are a criminal organization operating with our government.....

take your pick.
Old 04-14-2014, 04:46 PM   #6
thecoffeeguy thecoffeeguy is offline
That Rascally wabbit!
Join Date: Aug 2009
Location: San Diego
...and now that Heartbleed is fixed, they are using an existing vulnerability not yet found to continue their process. When that one is found, they will just go to the next one... and so on.
Old 04-29-2014, 03:40 PM   #7
planetdoc planetdoc is offline
Veteran
Join Date: Apr 2012
After Heartbleed, NSA reveals some flaws are kept secret

TL;DR: Essentially the government, in an attempt to protect US citizens, decided not to reveal a major vulnerability that endangered vast amounts of our personal information.

If that's not a contradiction then nothing is.
Old 04-29-2014, 03:43 PM   #8
planetdoc planetdoc is offline
Veteran
Join Date: Apr 2012
Zero-day Flash bug under active attack in Windows threatens OS X, Linux too
Quote:
A day after reports that attackers are exploiting a zero-day vulnerability in Microsoft's Internet Explorer browser, researchers warned of a separate active campaign that was targeting a critical vulnerability in fully patched versions of Adobe's ubiquitous Flash media player.

The attacks were hosted on the Syrian Ministry of Justice website at hxxp://jpic.gov.sy and were detected on seven computers located in Syria, leading to theories that the campaign targeted dissidents complaining about the government of President Bashar al-Assad, according to a blog post published Monday by researchers from antivirus provider Kaspersky Lab. The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page. The attackers appear to be unrelated to those reported on Sunday who exploited a critical security bug in Internet Explorer, a Kaspersky representative told Ars.

The exploitation of critical vulnerabilities by state-sponsored or state-motivated adversaries has grown increasingly common in recent years. Most notable examples include the Stuxnet, Flame, and Red October malware campaigns. A raft of other smaller campaigns have regularly targeted the Macs and Windows PCs belonging to dissidents of China and other countries as well as private companies and government agencies, although many such attacks don't rely on previously unknown vulnerabilities in widely used products.
To be clear, the government believed to be responsible is Syria. IMO, the US opened up Pandora's box with the Stuxnet and Flame malware. The NSA leaving vulnerabilities unpatched that they know about allows them to go on the offensive, but it also leaves the homeland equally vulnerable when others stumble on vulnerabilities independently and take advantage.

Last edited by planetdoc; 04-29-2014 at 03:49 PM..