
Heartbleed and the NSA

Breitbart
Saturday, 12 April 2014

The online community is still reeling from the discovery of what might just be the biggest security flaw in the history of the Internet.  It's been around for years, thousands of websites may have been compromised, it's very difficult to tell if an attacker has exploited the bug... and, according to one news outlet, the National Security Agency learned of its existence at least two years ago, but they didn't tell anyone, leaving American citizens vulnerable to identity and data theft while the NSA exploited the flaw for its own purposes.

The NSA flatly denies the latter accusation, which was made in a Bloomberg News report on Friday.  The security flaw itself, now known as "Heartbleed," was by all accounts introduced by accident through the work of a single programmer at the end of 2011... literally one minute before midnight on New Year's Eve, to be precise.  He was one of many programmers contributing to an "open source" project - a popular method for developing free or inexpensive software through volunteer collaboration, although open-sourcing might grow considerably less popular because of the current crisis. 

Heartbleed is such a big deal that it has its own website, dedicated to explaining how it works and providing suggestions for how to deal with it.  Heartbleed is not a virus - it's a security vulnerability in a crucial bit of Internet software known as SSL, which stands for Secure Sockets Layer.  It's the software that encrypts Web traffic from secure sites, including banks, credit card companies, online merchants, and online email systems such as Gmail.  SSL connections essentially establish a secure, private "phone call" between your computer and sensitive websites.

If you placed such a secure phone call to someone, you wouldn't want the phone to automatically hang up if there were a few moments of silence during your conversation.  SSL handles that with code that establishes a "heartbeat" to keep the connection open between systems, even if one of the systems goes idle for a little while.  The security flaw is part of this heartbeat code, which is why it earned the memorable nickname "Heartbleed."

Hackers who understand how the Heartbleed vulnerability works can use it to pull very small chunks of data out of targeted systems, like a heart that leaks a few drops of blood every time it thumps.  The problem is that a hacker can keep harvesting these little bits of data, over and over again, until a sizable amount of information has been poached from secure communications.  The information intercepted in this manner can include the names and passwords of people using the system.  In other words, if the Heartbleed flaw is used to attack an email server, the names and passwords of all the email users might eventually be compromised.  The attacker might even be able to intercept the administrative passwords for the targeted system, potentially granting unlimited access to its data.  It's just like tapping into a phone line and listening to a sensitive conversation.

Unfortunately, the affected SSL code is used by a huge number of online systems - some estimates say over half a million.  A new version of SSL that fixes this vulnerability has been distributed, but it will take time to implement.  Meanwhile, it's very difficult to tell which systems might have been raided for passwords, because these attacks don't leave much evidence in their wake.  And changing your passwords as a precaution might not help, because if you're dealing with a system that has come under Heartbleed assault, the hackers might quickly steal your new password, too.  

There is more information about which systems may have been compromised, and security precautions that can be taken, at the Heartbleed.com website.  The problem may also have migrated into the firmware of some computer networking hardware, and the Droid smartphone operating system.  There's no compelling evidence that any data has been stolen through Heartbleed yet.  It wasn't discovered by researchers until last week, after running on some affected systems for two years.  It's possible hackers never found it... but today came allegations that the U.S. government did.

According to sources for the controversial Bloomberg News report from Friday, the NSA found Heartbleed shortly after it was introduced, but decided to keep it a secret, and may have used it for their own purposes, rather than issuing a warning to the public.  Although Bloomberg quotes a few cyber-security experts and claims to have several inside sources, the bombshell paragraph in the article is not directly sourced: "Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers."

The agency categorically denied this report in a statement: "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report.  Reports that say otherwise are wrong."