NSA Said to Have Known About and Exploited the Heartbleed Bug for Intelligence for Years

nako xl

nako xl

32,639
11,796
Joined
Jul 11, 2006
[h1]  [/h1]
[h1]NSA Said to Exploit Heartbleed Bug for Intelligence for Years[/h1]
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
[h2]Controversial Practice[/h2]
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.

The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.
[h2]Free Code[/h2]
While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling series of leaks from Snowden, who was a former agency contractor.

The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S.’s largest spy agency. The NSA protects the computers of the government and critical industry from cyberattacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.
[h2]Serious Flaws[/h2]
Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.

“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”

When researchers uncovered the Heartbleed bug hiding in plain sight and made it public on April 7, it underscored an uncomfortable truth: The public may be placing too much trust in software and hardware developers to insure the security of our most sensitive transactions.

“We’ve never seen any quite like this,” said Michael Sutton, vice president of security research at Zscaler, a San Jose, California-based security firm. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”
[h2]Flawed Protocol[/h2]
The potential stems from a flaw in the protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility.

If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for online bank accounts, e-commerce sites, and e-mail accounts across the world.

Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.
[h2]Ordinary Data[/h2]
The fact that the vulnerability existed in the transmission of ordinary data -- even if it’s the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.

“They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.
[h2]SSL Protocol[/h2]
The SSL protocol has a history of security problems, Lewis said, and is not the primary form of protection governments and others use to transmit highly sensitive information.

“I knew hackers who could break it nearly 15 years ago,” Lewis said of the SSL protocol.

That may not soothe the millions of users who were left vulnerable for so long.

Following the leaks about NSA’s electronic spying, President Barack Obama convened a panel to review the country’s surveillance activities and suggest reforms. Among the dozens of changes put forward was a recommendation that the NSA quickly move to fix software flaws rather that exploit them, and that they be used only in “rare instances” and for short periods of time.

Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said the country’s ability to spot terrorist threats and understand the intent of hostile leaders would be vastly diminished if their use were prohibited.
Click to expand...
It's been long known that countries do this (Russia, China, Israel etc have been doing this) and considering how easy the Heartbleed bug was to find once you actually knew where, to look this isn't surprising at all.

The fact that they let millions of people potentiall take the L as far as identity theft and credit card fraud stings though. They're supposed to be protecting and looking out for us.
 
Last edited:
nawghtyhare said:
man when are we gonna do something about how the government operates
Click to expand...
This is not the Government's fault. From a security standpoint, there are rare occasions where its actually better to keep an exploit open in order to research it. Just because the NSA knew about the Heartbleed exploit does not mean they completely understood the exploit itself... Hell, this is a rumor as it is. The NSA has much bigger and better tools at their disposal than an exploit that reveals memory in tiny chunks at a time. :lol:

I'm one if the bigger government critics and in no way should they be held accountable for this.
 
^ The criticism is that they knew the exploit existed before almost anyone else did.  And said nothing.  And there's evidence they used the exploit themselves.  At the very least, they left citizens open to harm by not saying anything.  At the worst?  They're the one's some people have to worry about when exploits like this exist.
 
Nako XL said:
^ The criticism is that they knew the exploit existed before almost anyone else did.  And said nothing.  And there's evidence they used the exploit themselves.  At the very least, they left citizens open to harm by not saying anything.  At the worst?  They're the one's some people have to worry about when exploits like this exist.
Click to expand...

There's a few problems with your assertions.

1. First, this is a RUMOR. It has not been confirmed or denied by the NSA.

2. Someone knew about the bug before the NSA, or at least shortly thereafter. Hell, Mossad is probably who told them. :lol: I knew that an exploit of this magnitude existed from my days in IRC. No one knows who found out first.

3. How is there evidence that they used it when the exploit itself leaves no trace? The only evidence I've seen is anonymous sources and journalist speculation...

Edit: since its inception, the NSA has been our state-funded hacking and code breaking group. While they may be under the umbrella of a defense sector, they have always generally been an offensive entity. Its not their job to find and report exploits, its their job to find and utilize them. :smile:
 
Last edited:
Yeah said:
This is not the Government's fault. From a security standpoint, there are rare occasions where its actually better to keep an exploit open in order to research it. Just because the NSA knew about the Heartbleed exploit does not mean they completely understood the exploit itself... Hell, this is a rumor as it is. The NSA has much bigger and better tools at their disposal than an exploit that reveals memory in tiny chunks at a time. :lol:

I'm one if the bigger government critics and in no way should they be held accountable for this.
Click to expand...

They prolly looking thru my front camera when i fap
 
Tell us something we don't know.

Clifford Cocks invented the encryption algorithm that became known as RSA, 3 years before the team at MIT did.

Let that sink in.
 
Last edited:
Yeah said:
 
nawghtyhare said:
man when are we gonna do something about how the government operates
Click to expand...
This is not the Government's fault. From a security standpoint, there are rare occasions where its actually better to keep an exploit open in order to research it. Just because the NSA knew about the Heartbleed exploit does not mean they completely understood the exploit itself... Hell, this is a rumor as it is. The NSA has much bigger and better tools at their disposal than an exploit that reveals memory in tiny chunks at a time.
laugh.gif


I'm one if the bigger government critics and in no way should they be held accountable for this.
Click to expand...
Given their history, what exactly do you think they were going to "research"?
Yeah said:
1. First, this is a RUMOR. It has not been confirmed or denied by the NSA.

 
Click to expand...
Given Showden's revelations, why would we expect the NSA to be transparent about anything? If anything, they're trying to tighten their security and privacy measures to prevent us from finding out about their exploits.
 
crcballer55 said:
Given their history, what exactly do you think they were going to "research"?

Given Showden's revelations, why would we expect the NSA to be transparent about anything? If anything, they're trying to tighten their security and privacy measures to prevent us from finding out about their exploits.
Click to expand...
Research why the Exploit happens in that specific implementation, see if they can trace anyone using it, ensuring that each pertinent govt agency is patched, and extensively work with the exploit in order to see how much access it will allow. That doesn't begin to include investigating the person who made the commit that caused the implementation to fail, what (if any) motivations they had...a lot goes into this stuff.

And I wouldn't expect them to be transparent about anything. That doesn't mean that I'll operate under the assumption that every rumor I hear about the agency is true.
 
You know whats crazy. This site doesnt even encrypt traffic or have a SSl so anyone can get your info/password from this site traffic

Especially if your on a open network
 
rillo561 said:
Any proof of this?
Click to expand...

Don't listen to Superb about anything related to technology. His card has been pulled multiple times in various threads. :rofl:

He's like that 8th grader who tries his hardest to be liked by high schoolers.

I'm pretty sure cryptography wasn't even Snowden's thing. :lol:
 
Last edited:
Yeah said:
Don't listen to Superb about anything related to technology. His card has been pulled multiple times in various threads.
roll.gif


He's like that 8th grader who tries his hardest to be liked by high schoolers.

I'm pretty sure cryptography wasn't even Snowden's thing.
laugh.gif
Click to expand...
 Peasant go away
 
Yeah said:
You can't pay back your student loans, yet I'm a peasant.
laugh.gif


You love my style.
Click to expand...
Correction: I choose not to pay back my student loans at this time

back on my ignore list by the way. i dunno why it wasnt working
 
Superb said:
Correction: I choose not to pay back my student loans at this time

back on my ignore list by the way. i dunno why it wasnt working
Click to expand...

Is it because your job at Apple keeps you too busy, or is that the time it takes you to withdraw 2k a day and "play" with it?

You patch the Heartbleed exploit on those networks you manage, by the way? :lol:

:rofl:
 
Yeah said:
Is it because your job at Apple keeps you too busy, or is that the time it takes you to withdraw 2k a day and "play" with it?

You patch the Heartbleed exploit on those networks you manage, by the way?
laugh.gif


roll.gif
Click to expand...
very busy between my job with Apple and my wholesale business ranking in the cash. good thing i took a leave of absence with apple for a few months to get my side biz going, and Im still getting biweekly checks from apple

Whats your life like? 
roll.gif
 
Last edited:
You must log in or register to reply here.

Similar threads

frenchbreadbuilds
atmos Will To Close Its US Stores And Website To Focus On Japan/Asia Business
Replies
16
Views
2K
Beruseruku Desu
Beruseruku Desu
barrebaby
So will we ever see JB drop the retro 4+ blue speckle that was supposed to be after 25 years of waiting?
Replies
11
Views
3K
airdhazzal
airdhazzal
DrewS75
  • Locked
Question about the resale cost of the Air Jordan 1 OG Chicago 'Lost and Found'
Replies
5
Views
3K
SteveSteve72
SteveSteve72

The ultimate sneaker enthusiast community.

NikeTalk was created as a way of giving back to both the sneaker enthusiast community and to the greater global community of which we are all a part.

NikeTalk is NOT affiliated with Nike Inc. in any way, shape, or form. All opinions expressed herein do not necessarily reflect those of Nike, Inc.

© 1999-2024 NikeTalk.com

Share this page

Back
Top Bottom