NSA Said to Exploit Heartbleed Bug for Intelligence for Years

pookle
Their job is not to protect YOU, so why should they?

Their job is to protect national security. The passwords of Americans on a national level are a matter of national security. By sitting on this information government agencies and employees were compromised. A huge number of individual financial crimes were also carried out. North Korea keeps its government afloat largely through US financial fraud. This bug allowed them to steal billions from us through identity theft.

If you don't think that's a matter of national security let me give you a real world worst case scenario:

Scenario A: Communications are secure, terrorists can operate in total secrecy (all other protections fail). They smuggle a nuclear weapon into downtown LA and detonate it.

Scenario B: Financial terrorists want to watch the world burn, taking advantage of the fact that communications aren't secure they systematically obtain the passwords providing financial access to a few of the worlds top investors. They use this information to pull all of these investors money out of the global derivatives market causing a panic and worldwide collapse of all monetary systems as the money supply shrinks drastically. In the US for example the M4 money supply which is at last estimate is around 20 trillion dollars would shrink to just the M0 supply of 8.88 billion, a loss of 99.966%.

brazenalderpadrescorpio
reply to post by SaturnFX

 

I don't think that they're bad at their job. I believe that things like this are a distraction from deeper things that they are involved in.

It's doing things like this that make them bad at their job. There is a global protocol to software when it comes to hacking and bug reporting specifically because it makes everyone more secure. The software vendors either learn about vulnerabilities and patch them or the people know of the vulnerable software and avoid it. This for example is why antivirus companies all cooperate with each other to provide the most comprehensive virus definitions.

This is not a distraction, things like this are the NSA's #1 priority. They attack technology from many angles (hacking attempts, bribing vendors, and more) to create or find software vulnerabilities and then use said vulnerabilities to monitor communications. Keeping heartbleed secret for their own use (and the use of anyone else who finds it) is the #1 goal of the agency. I would bet every dollar I'll earn for the rest of my life that whoever published this bug, has gotten a visit from the NSA and told not to do such things in the future.

pookle
And how does one check?

Attack the website yourself. See first hand if it's vulnerable.

reply to post by SaturnFX


Hmm. Canada's Tax Revenue system was compromised by Heartbleed - and peoples' personal information was stolen. What if NSA wasn't the only thief at the party? What if they were?

What a poser.

F&S& Great find.

reply to post by Aazadan


My point is that I'm positive that things like this are a smokescreen. The NSA deals in magic.

brazenalderpadrescorpio
reply to post by Aazadan

 

My point is that I'm positive that things like this are a smokescreen. The NSA deals in magic.

Technology isn't magic. They have some advanced programs of which we only know a fraction but their primary mission statement is to use things like heartbleed against everyone in the world, including US citizens. Their job is to find or create these exploits and then use them.

They spend billions per year to destroy our security. This whole story is an example of what they do. Now think about all the software vulnerabilities they hoard that we don't know about.

swanne

SaturnFX
two people familiar with the matter said.

two people familiar with the matter. Hm, how can we be sure that this is not just yet another counter-Intel tactic from the Kremlin? See Operation INFEKTION.

edit on 11-4-2014 by swanne because: (no reason given)

Generally, when trusted sources want to speak on a matter close to them or their agency, they will request anonymity from the journalist. As such, it is to only be expected that Michael Riley not out the individuals who may have told him or another about the situation. Not everything has to be a Russian operation to destroy the reputation of the USA...

reply to post by Aazadan


I can see that you don't seem to understand what I'm saying. Just forget about it.

brazenalderpadrescorpio
reply to post by SaturnFX

 

I don't think that they're bad at their job. I believe that things like this are a distraction from deeper things that they are involved in.

Well, if this is a distraction to avoid other stuff, it was probably a bad move overall considering your going to have a significant number of people now calling for the entire departmental restructuring, not to mention its now prime time for whistleblowers to come out now that the ship is on fire.

Just my thoughts on it.

reply to post by SaturnFX


I don't know what to tell you. I just find it hard to believe that these are amateurs.

Almost sure they didn't just exploit it, they had developed it and many similar. Makes you wonder how many others, malware, backdoors, etc., that their tentacles are latched into. Sadly it's probably more of the trusted avenues of net use and or these as such that are left to "wreak havok" over time.

pookle
You do realise who controls the CA's (Certificate Authorities) right?

I fail to see the relevance of who controls CA's and being infected by the heartbleed bug. I hope you will enlighten me.

Now, w/regard to the heartbleed bug: we can't know if the NSA knew about it or not. They are a secret (SECRET) service after all. But we know for a fact that the NSA did not plant the bug: it was inadvertedy introduced by a German coder, a mr Seggelman. Seggelman simply made a very very common mistake: he forgot to include a bounds check. So, it was a stupid (but dangerous) mistake.

What is a bit discomforting though is that in a high profile security related Open Source software project such a commonly known mistake was not spotted before the software was released. The author clearly did not have a checklist or something like that to help him guard himself against such stupid common mistakes. Nor did the peer reviewer that should have explicitly searched for mistakes like these. This is alarming as it shows that at least a few years ago the OpenSSL community did not have sufficient quality controls in place - maybe the Bazaar folks should learn a few tricks from the Cathedral builders after all

On the other hand: it WAS detected and because the source code was readily available was repaired within hours. Now, the missing QC is troubling and should be addressed. But it makes me wonder in how many American controlled CLOSED source projects the NSA _DID_ introduce backdoors..

Any proof of this? Not that I'd put it past them, but a couple unnamed "sources" without proof is hardly something to hang your hat on. If this were the case, you'd think Snowden would have certainly known, and leaked this as well.

I started out on DOS, along time ago...retired in 2006....my 2 cents....as far as software...."what can be written, can be read" is all you need to know. realize that whatever you try and hide online will not work....ever....period...there are alternatives for sensitive communication, think outside the box (I know, cliché), and use them.

What people need to remember is that writing code quite often is very boring....you quite often copy/paste stuff that does 90% of what you want and then change it to fit your needs and you trust that everyone else has done their homework, now perhaps he thought it had already been checked so didn't need to do a second check and have someone drag him up for wasting cpu cycles checking stuff that had already been done.

But this is not 1999 and basic stuff like range/size checking etc should really be done in a central point so its simple for security people to be able to test so when a packet arrives its checked and dumped quickly if not correct

Aazadan

brazenalderpadrescorpio
reply to post by SaturnFX

 

I don't think that they're bad at their job. I believe that things like this are a distraction from deeper things that they are involved in.


I agree, the only reason this flaw wasnt fixed was because it showed they were watching but it also gave them a great way to spy in a way they couldnt overtly before...they had a free pass and they took it!

It's doing things like this that make them bad at their job. There is a global protocol to software when it comes to hacking and bug reporting specifically because it makes everyone more secure. The software vendors either learn about vulnerabilities and patch them or the people know of the vulnerable software and avoid it. This for example is why antivirus companies all cooperate with each other to provide the most comprehensive virus definitions.

This is not a distraction, things like this are the NSA's #1 priority. They attack technology from many angles (hacking attempts, bribing vendors, and more) to create or find software vulnerabilities and then use said vulnerabilities to monitor communications. Keeping heartbleed secret for their own use (and the use of anyone else who finds it) is the #1 goal of the agency. I would bet every dollar I'll earn for the rest of my life that whoever published this bug, has gotten a visit from the NSA and told not to do such things in the future.

pookle
And how does one check?

Attack the website yourself. See first hand if it's vulnerable.

Microsoft knows who's running pirate versions of windows when sending updates or if they are that thick then who on earth can trust their windows software.

Just turning updates off from the control panel does not stop updates and these security fixes, all 20,000 are about closing leaked back doors and adding a load of new ones.

You know when you try to drag a file from one location to another and it freezes well that's Microsoft scanning the file and I know this because I have watched what goes on when a window machine talks to what it thinks is a remote file server.

China has developed its own microprocessors and OS and that has the USA running around like a headless chicken because the cyber war plans they had won't work on these systems so it's no good trying to tell me that Microsoft is on our side.

Longtime luker finally getting around to joining (first post!)...

Anyway, just wondering if anyone knows if any of the NSA's person stuff was affected by the bug? It seems like if they did know about it or even create it they would have had to take measures against it exposing themselves or their associates. I'd be suspicious if they switched away from using openSSL shortly after the bad update (or warned their friends to), and "VERY" suspicious if they did so right BEFORE it showed up!

eloheim
Longtime luker finally getting around to joining (first post!)...

Anyway, just wondering if anyone knows if any of the NSA's person stuff was affected by the bug? It seems like if they did know about it or even create it they would have had to take measures against it exposing themselves or their associates. I'd be suspicious if they switched away from using openSSL shortly after the bad update (or warned their friends to), and "VERY" suspicious if they did so right BEFORE it showed up!

The NSA can't do that. If they take actions to move to a more secure method of communication they will tip off precisely the people that they want to spy on, that the current method is insecure. The philosophy is that if the method of communication is insecure but they are the only ones who know about the vulnerability then to everyone not being targeted by them, it's secure.

It's the very definition of security through obscurity which is something they practice and has been proven in the world to not work.