Friday, April 18, 2014

155.4 - Outrage of the Week: NSA knew about Heartbleed bug

Now for one of our regular features, the Outrage of the Week.

Okay, you've heard about the recently-revealed Heartbleed bug, the one that threatens a significant portion of the internet because it is a vulnerability in OpenSSL, the most common encryption software used by websites to secure their data. Estimates are that about 2/3 of all websites, including an equal proportion of the largest, most-traveled sites, use OpenSSL.

Major websites have been spending sleepless nights designing patches and users have been advised to change their passwords in an attempt to block or at the very least limit the potential for damage. Unlike all those "the internet is crashing" emails you've been getting from your Aunt Harriet or whoever for years, this is no hoax and no joke. This is very real and very serious.

So yes, change your passwords. And very seriously consider limiting your future exposure by limiting how much personal information you put out there and frankly, where there is an alternative, don't buy stuff online with a credit card. Do it by mail order. And don't bank online.

Okay, that's the scary part; here's the outrage part: According to a report by Bloomberg News, the NSA has known about this security flaw for at least two years and told no one about it. Instead, the agency kept the information to itself and regularly used it to gather intelligence.

Quoting the report:
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions [I would say tens of millions] of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
The Heartbleed bug was actually created accidentally by a minor adjustment in the protocols of OpenSSL. The NSA, which has more than 1,000 experts whose job it is to find and exploit just such vulnerabilities, found Heartbleed shortly after its introduction and made it a basic part of the agency’s toolkit for stealing account passwords and otherwise penetrating accounts and stealing information - and leaving no trace, which is one of the deep problems with Heartbleed: There is no way, at least no easy way, to know if your site has been attacked.

Now, I have to add that the NSA, after first refusing to comment, flatly denied knowing any single little thing about Heartbleed before it was revealed by a private security report. But through the papers released by Edward Snowden, we've known since at least last September that the NSA, together with British intelligence agencies, had successfully cracked most online encryption - and that a basic function of the agency is, as I already said, to find and exploit security holes.

But, the spooks deny it, so here's what I have to decide: Who am I going to trust - a respected news agency or the NSA?

Hmm. What a toughie.

The National Security Agency: Its definition of "security" is the Outrage of the Week.

Sources cited in links:
http://www.ft.com/cms/s/0/e3890a0c-c469-11e3-b2fb-00144feabdc0.html
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
https://twitter.com/NSA_PAO/status/454720059156754434
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
