
How the NSA Shot Itself In the Foot By Denying Prior Knowledge Of Heartbleed Vulnerability

Zack Whittaker | Zdnet | April 12th 2014

In 2012, during a classified but widely-known operation at Fort Meade, MD, government cryptographers and developers downloaded the OpenSSL source code, as the agency does with dozens of other pieces of software published on the Web. The operation’s objective was to find weaknesses in the library and exploit those vulnerabilities as part of wider efforts by the intelligence agency to conduct mass-scale surveillance.

After the code was downloaded and compiled, the developers were soon able to pinpoint a programming flaw in the code, which would have allowed the agency to collect usernames and passwords far quicker, more efficiently, and at a lower cost than its bulk data collection programs, notably its fiber cable tapping operation named Upstream.

Executives and senior officials heralded it as one of the biggest vulnerability discoveries in the intelligence agency’s recent history. A single programming flaw that it could exploit and use to tap directly into the communications of hundreds of millions of users, and gain system administrative privileges to vacuum up every shred of data it could find. Not just once, but at will, and it was untraceable.

It was the NSA’s golden goose.

Except, none of that happened, according to a statement by the U.S. director of national intelligence, James Clapper, who said on Friday, following the Bloomberg report citing two people familiar with the situation: “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report.”

“Reports that say otherwise are wrong,” he added, noting that the U.S. government “relies” on OpenSSL to protect its users on government websites. “If the… government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

Either one of two things happened: Bloomberg got screwed over by its sources, or the U.S. government is outright lying and clambering to save face with the already disgruntled public.

Clapper’s response instead disclosed a seismic vulnerability in the intelligence agency’s own mission, to “protect U.S. national security systems and to produce foreign signals intelligence information.”

Clapper has, either intentionally or (more likely) inadvertently, revealed the agency’s own core internal weaknesses and deficiencies probably more so than any other revelation leaked by whistleblower Edward Snowden, who remains responsible for the biggest global intelligence leak in post-World War II history.

The NSA’s job, first and foremost, has been blown up by the Snowden leaks in a far more specific and precise way than the agency’s simplistic “protect America” rhetoric — from tapping fiber cables, demanding data from Silicon Valley servers, intercepting wireless transmissions, and exploiting vulnerabilities and flaws in common encryption standards in order to vacuum up all the data things.

[read full post here]

Report: NSA Exploited Heartbleed to Siphon Passwords for Two Years; NSA Denies Allegations

Image: Codenomicon

Source: Wired.com

Wired.com Update: The NSA has issued a statement denying any knowledge of Heartbleed prior to its public disclosure this week. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokesperson wrote in a statement. “Reports that say otherwise are wrong.”

The White House National Security Council spokesperson Caitlin Hayden also denied that federal agencies knew about the bug. “If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” Caitlin Hayden said in a statement.

Report: NSA Exploited Heartbleed to Siphon Passwords for Two Years

The NSA knew about and exploited the Heartbleed vulnerability for two years before it was publicly exposed this week, and used it to steal account passwords and other data, according to a news report.

Speculation had been rampant this week that the spy agency might have known about the critical flaw in OpenSSL that would allow hackers to siphon passwords, email content and other data from the memory of vulnerable web servers and other systems using the important encryption protocol.

That speculation appears to be confirmed by two unnamed sources who told Bloomberg that the NSA discovered the flaw shortly after it was accidentally introduced into OpenSSL in 2012 by a programmer.

The flaw “became a basic part of the agency’s toolkit for stealing account passwords and other common tasks,” the publication reports. [See NSA response above]

OpenSSL is used by many websites and systems to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to 10, cryptographer Bruce Schneier ranks the flaw an 11.

The flaw is critical because it’s at the core of SSL, the encryption protocol so many have trusted to protect their data, and can be used by hackers to steal usernames and passwords — for sensitive services like banking, ecommerce, and web-based email.

There are also concerns that the flaw can be used to steal the private keys that vulnerable web sites use to encrypt traffic to them, which would make it possible for the NSA or other spy agencies to decipher encrypted data in some cases and to impersonate legitimate web sites in order to conduct a man-in-the-middle attack and trick users into revealing passwords and other sensitive data to fake web sites they control.

Heartbleed allows an attacker to craft a query to vulnerable web sites that tricks the web server into leaking up to 64KB of data from the system’s memory. The data that’s returned is arbitrary — whatever is in the memory at the time — and requires an attacker to query multiple times to collect a lot of data. But this means that any passwords, spreadsheets, email, credit card numbers or other data that’s in the memory at the time of the query could be siphoned. Although the amount of data that can be siphoned in one query is small, there’s no limit to the number of queries an attacker can make, allowing them to collect a lot of data over time.
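The paragraph above describes the effect; the cause is a single missing bounds check. The following is an added example (not code from the article, from Wired, or from OpenSSL itself): a simplified in-process model of a TLS heartbeat handler in the record shape of RFC 6520, written with constructed data and the hypothetical names `heartbeat_vulnerable`, `heartbeat_fixed` and `demo_overread`. The vulnerable handler trusts the sender's claimed payload length, so its `memcpy` walks past the bytes that actually arrived; the hardened handler applies the length check that the fix added, and drops the record instead. The "heap" here is just the rest of one local buffer, so the over-read stays inside allocated memory and the program is well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code. Simplified heartbeat record layout:
 * type(1) | payload_length(2, big-endian) | payload | padding(16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HEADER   3

typedef struct {
    const uint8_t *data;   /* start of the received record */
    size_t length;         /* bytes actually received for this record */
} hb_record;

static uint16_t read_u16_be(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Shared response builder: echoes payload_len bytes from `payload`.
 * Returns the response size, or 0 if it would not fit in `out`. */
static size_t build_response(const uint8_t *payload, uint16_t payload_len,
                             uint8_t *out, size_t out_cap) {
    size_t resp_len = HB_HEADER + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER, payload, payload_len);  /* copies whatever lies there */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Vulnerable handler (hypothetical name): never compares the claimed
 * payload_length with the bytes actually received, so the copy above reads
 * past the record into neighbouring process memory. */
size_t heartbeat_vulnerable(const hb_record *rec, uint8_t *out, size_t out_cap) {
    if (rec->length < HB_HEADER || rec->data[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16_be(rec->data + 1);
    return build_response(rec->data + HB_HEADER, payload_len, out, out_cap);
}

/* Hardened handler (hypothetical name): header + claimed payload + padding
 * must fit inside the received record, otherwise the record is dropped. */
size_t heartbeat_fixed(const hb_record *rec, uint8_t *out, size_t out_cap) {
    if (rec->length < HB_HEADER || rec->data[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16_be(rec->data + 1);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > rec->length) return 0;
    return build_response(rec->data + HB_HEADER, payload_len, out, out_cap);
}

/* Constructed demo: a 3-byte request whose header claims a 40-byte payload
 * sits directly in front of unrelated "secret" bytes in the same buffer,
 * standing in for neighbouring heap contents. Returns 1 if the vulnerable
 * reply contains the secret and the fixed handler refuses the record. */
int demo_overread(void) {
    static const char secret[] = "session_cookie=SECRET-CONSTRUCTED";
    uint8_t arena[128] = {0};
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 40;                   /* claims 40 payload bytes */
    memcpy(arena + HB_HEADER, secret, sizeof secret); /* bytes after the record */
    hb_record rec = { arena, HB_HEADER };             /* only 3 bytes arrived */

    uint8_t reply[256];
    size_t n_vuln = heartbeat_vulnerable(&rec, reply, sizeof reply);
    int leaked = n_vuln == HB_HEADER + 40 + HB_PADDING &&
                 memcmp(reply + HB_HEADER, secret, sizeof secret - 1) == 0;
    size_t n_fixed = heartbeat_fixed(&rec, reply, sizeof reply);
    return leaked && n_fixed == 0;
}

/* Constructed demo: a well-formed 5-byte heartbeat is still answered by the
 * fixed handler. Returns 1 if the echoed payload matches. */
int demo_valid_request(void) {
    uint8_t record[HB_HEADER + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 5, 'h', 'e', 'l', 'l', 'o' };
    hb_record rec = { record, sizeof record };
    uint8_t reply[64];
    size_t n = heartbeat_fixed(&rec, reply, sizeof reply);
    return n == sizeof record && reply[0] == HB_RESPONSE &&
           memcmp(reply + HB_HEADER, "hello", 5) == 0;
}

int main(void) {
    printf("vulnerable handler leaks, fixed handler drops record: %s\n",
           demo_overread() ? "yes" : "no");
    printf("fixed handler still answers a valid request: %s\n",
           demo_valid_request() ? "yes" : "no");
    return 0;
}
```

The contrast is the whole lesson: both handlers run the same copy, and the only difference is whether the length a peer supplies is checked against the length the record really has before it drives a `memcpy`. For detection, the same asymmetry is visible on the wire, since a heartbeat request whose claimed payload length exceeds the record length is malformed by definition and a network sensor or IDS rule can flag it without decrypting anything.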

Read the rest of the article at Wired.com