Heartbleed Spreads, The NSA Denies It Knew About The Security Flaw

The Heartbleed Security Flaw, How Long It Existed, And The Role of the Intelligence Community

To say that this has been an interesting week would be a severe understatement. It has been an absolutely terrible week for privacy.

The week started with the announcement about Heartbleed, which refers to a flaw in OpenSSL, the encryption library most websites use to secure connections, including the ones over which users enter their password credentials. The flaw allows hackers to read chunks of a server's memory and so collect users' passwords. With stolen passwords, thieves can steal users' credit cards and other payment information.

This flaw struck at the heart of the Internet. The Schneier on Security blog reported:

"Heartbleed is a catastrophic bug... an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable."
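To make the mechanism behind that description concrete, here is an added Python simulation (not code from this post or from OpenSSL) of the heartbeat handling: the vulnerable response copy trusts the peer's declared payload length, and the fix compares that length with the size of the record that actually arrived. The process-memory layout, the record and the neighbouring secret are all constructed values.

```python
import struct

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16  # a heartbeat record ends with at least 16 bytes of padding (RFC 6520)


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """Encode a heartbeat record: type (1 byte) | payload_length (2 bytes) | payload | padding.
    declared_len may disagree with len(payload); that mismatch is the whole bug."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_respond(memory: bytes, rec_start: int, rec_len: int) -> bytes:
    """Response construction as in OpenSSL 1.0.1 through 1.0.1f: the peer-supplied
    payload_length is trusted, so the copy runs past the record into whatever
    happens to sit next in process memory (rec_len is never consulted)."""
    _hb_type, payload_len = struct.unpack_from("!BH", memory, rec_start)
    payload_start = rec_start + 3
    return memory[payload_start:payload_start + payload_len]


def fixed_respond(memory: bytes, rec_start: int, rec_len: int):
    """Same logic with the length checks added in OpenSSL 1.0.1g: discard the
    record silently when the declared payload cannot fit inside it."""
    if rec_len < 1 + 2 + PADDING_LEN:
        return None
    _hb_type, payload_len = struct.unpack_from("!BH", memory, rec_start)
    if 1 + 2 + payload_len + PADDING_LEN > rec_len:
        return None
    payload_start = rec_start + 3
    return memory[payload_start:payload_start + payload_len]


# Constructed process memory: the incoming record followed by unrelated data that a
# real server might hold nearby (a made-up session cookie, not a real value).
NEIGHBOUR_SECRET = b"session=CONSTRUCTED-SECRET-VALUE"
HONEST = build_heartbeat(b"ping", declared_len=4)
LYING = build_heartbeat(b"ping", declared_len=4 + PADDING_LEN + len(NEIGHBOUR_SECRET))


def demo():
    """Return (reply to honest record, vulnerable reply to lying record, fixed reply to it)."""
    ok = fixed_respond(HONEST + NEIGHBOUR_SECRET, 0, len(HONEST))
    mem = LYING + NEIGHBOUR_SECRET
    leaked = vulnerable_respond(mem, 0, len(LYING))   # echoes the neighbouring secret
    dropped = fixed_respond(mem, 0, len(LYING))        # None: record rejected
    return ok, leaked, dropped
```

Repeating the lying record returns a different slice each time in a real process, which is why the quoted "64K ... multiple times" point matters for defenders: the only reliable fix is the patched length check, not a detection rule.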

On Tuesday, the Los Angeles Times reported:

"The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability. On Tuesday, Tumblr, which is owned by Yahoo, became the largest website to disclose that it had been hit by the "Heartbleed Bug" and urged users to change not just the password for its site but for all others as well."

Next, some security experts advised consumers to update all of their passwords, and avoid online banking until fixes were implemented. Then, experts advised consumers not to update all of their passwords. The revised advice was based upon the nature of the security flaw, and upon the fact that some websites hadn't yet fixed their security flaws.

Some websites promptly announced fixes for their users. Some sites announced that they were unaffected. Other sites said they were still investigating. Mashable published on Wednesday a "Hit List" of websites consumers should change their online passwords for. It quickly became apparent that websites implemented different versions of OpenSSL, and some versions are vulnerable. So, consumers should first check with the sites they use to see if (and when) they should change their passwords.

As if all of this wasn't enough, then we learned that the intelligence community may have known about Heartbleed for months, if not far longer, and used the security flaw as an opportunity to collect passwords and encryption keys:

"... when researchers revealed Heartbleed, a two-year-old security hole involving the OpenSSL software many websites use to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled... and since the Heartbleed bug has existed for two years, it raises obvious questions about whether the NSA or other spy agencies were exploiting it before its discovery to conduct spying on a mass scale... Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data."

Note the "two-year-old security hole" statement. It makes one wonder why the intelligence community, created to protect citizens, didn't warn somebody. I guess that when you are focused upon offensive cyber weapons, a warning is a bridge too far.

The cynic in me concluded that if the intelligence community knew about Heartbleed years ago, they probably used it and/or their contractors. Why? "The Secret War" report by Wired in June 2013 provides some context:

"Defense contractors have been eager to prove that they understand Alexander’s worldview. “Our Raytheon cyberwarriors play offense and defense,” says one help-wanted site. Consulting and engineering firms such as Invertix and Parsons are among dozens posting online want ads for “computer network exploitation specialists.” And many other companies, some unidentified, are seeking computer and network attackers... One of the most secretive of these contractors is Endgame Systems, a startup backed by VCs including Kleiner Perkins Caufield & Byers, Bessemer Venture Partners, and Paladin Capital Group. Established in Atlanta in 2008... According to news reports, Endgame is developing ways to break into Internet-connected devices through chinks in their antivirus armor. Like safecrackers listening to the click of tumblers through a stethoscope, the “vulnerability researchers” use an extensive array of digital tools to search for hidden weaknesses in commonly used programs and systems, such as Windows and Internet Explorer. And since no one else has ever discovered these unseen cracks, the manufacturers have never developed patches for them."

OpenSSL seems to me to be a commonly used program. There are several takeaways from this Wired report. One is that finding and using vulnerabilities in Internet-connected computers is a big, profitable business. Remember, privately held (and secretive) corporations are beholden only to their investors. Another takeaway: corporations involved in cyberwarfare are free to sell the vulnerabilities they have found to anyone (links added):

"According to Defense News’ C4ISR Journal and Bloomberg Businessweek, Endgame also offers its intelligence clients—agencies like Cyber Command, the NSA, the CIA, and British intelligence—a unique map showing them exactly where their targets are located. Dubbed Bonesaw, the map displays the geolocation and digital address of basically every device connected to the Internet around the world, providing what’s called network situational awareness... It will allow Endgame’s clients to observe in real time as hardware and software connected to the Internet around the world is added, removed, or changed. But such access doesn’t come cheap. One leaked report indicated that annual subscriptions could run as high as $2.5 million for 25 zero-day exploits... The question is, who else is on the secretive company’s client list? Because there is as of yet no oversight or regulation of the cyberweapons trade, companies in the cyber-industrial complex are free to sell to whomever they wish... The companies trading in this arena can sell their wares to the highest bidder—be they frontmen for criminal hacking groups or terrorist organizations or countries that bankroll terrorists..."

Remember, there have been several instances (e.g., Lexis-Nexis, Experian, ChoicePoint, Lexis-Nexis again) where credit reporting agencies and data brokers have sold consumers' sensitive personal information to criminals and other bad guys. So, it is a real risk for cyberwarfare vendors to sell vulnerabilities to bad guys, as the report rightly mentioned.

What are your opinions of the Heartbleed security flaw? Of websites' responses and notifications? Of the role of the intelligence community?

[Editor's note: after I published this blog post this morning, Bloomberg confirmed this afternoon that the NSA used the Heartbleed bug for several years to surveil and hack sites. This is why the word "probably" appears above as strike-through text.]


Chanson de Roland

Dear Mr. Jenkins: Once again you provide us with important information about threats to our privacy and security. And you provide useful information about what we can do to mitigate this particular threat, at least going forward. That is, we can insist that the websites, which we use, patch their vulnerability, if any, to Heartbleed, and then change our passwords.

But the larger problem is something that no one wants to admit, because of the vast sums of profit and vast sectors of our economy and other economies, which are at stake: The Internet isn't secure; financial transactions on the Internet are not secure; though we have a reasonable expectation of privacy on at least certain of our Internet communications and transactions, none of those communications and transactions are secure; and so we don't have any privacy and/or security on the Internet.

I now have to change some passwords, but I have no beliefs that those changed passwords will make my communications and transactions on the Internet private or secure, even though my confidential communications and transactions should be both private and secure and even though I have a right and reasonable expectation that they will be private and secure.

So the secret is out: The Internet isn't private; it is not secure, and not only are ordinary people powerless to do anything about it; large firms, such as banks, brokerages, retailers, law firms, news organizations etc., are also powerless to do anything about it.

And why don't we have privacy and security? Well, aside from the technical flaws that arise in any computer system, another more powerful and the essential cause of the failure of privacy and security on the Internet is a witches' brew of: the prerogatives and security needs of empire; the profitability of dishonoring our privacy so that firms can exploit our personal information, and the willingness of government, which is supposed to be our government, in all of its branches to protect and abet the imperial state's security needs and the profitability of firms who exploit our privacy.

That witches' brew may well lead to governments and firms at least exploiting, if not creating, security flaws for their own purposes and profit, but the greater dangers are the immoral and harmful acts, which the state, the United States, has legalized. We, for example, have no property rights in our personal information; private firms, for the sake of their profits, set what can only be described as legalized malware on our computing devices; governments conduct massive surveillance with no other justification than that they can and that it's good to know what everyone is thinking and doing, which, in the case of the U.S. government, is a violation of the U.S. Const.; people are presented with and coerced into contracts, which they can't understand and/or which they aren't given time and resources to review and understand, on pain of being denied needed goods and/or services, and the courts, both state and federal, have stood mute and permitted these violations of people's rights.

Mr. Jenkins, thanks for letting us know what's going on.
