The week started with the announcement of Heartbleed, a flaw in OpenSSL, the open-source cryptographic library that a large share of websites use to set up the SSL/TLS connections protecting logins and other sensitive traffic. The bug (CVE-2014-0160) is not in the encryption itself: a missing length check in OpenSSL's handling of the TLS "heartbeat" extension lets an attacker read up to 64 KB of a server's memory per request, and that memory can hold users' passwords, session cookies and even the server's private key. With stolen passwords, thieves can get at users' credit cards and other payment information.
This flaw struck at the heart of the Internet. The Schneier on Security blog reported:
"Heartbleed is a catastrophic bug... an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable."
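The "grab 64K of memory" in that quote comes from one missing bounds check. The following is an added illustration written for this post, not OpenSSL's own code: a cut-down model of the heartbeat handler in its vulnerable form (OpenSSL 1.0.1 through 1.0.1f) beside the corrected form (1.0.1g). A heartbeat request carries a one-byte type, a two-byte length field, the payload and at least 16 bytes of padding; the vulnerable handler trusts the length field and copies that many bytes back, so a request claiming a 128-byte payload while sending 2 bytes is answered with 128 bytes of whatever follows the record in memory. The "process memory" arena, the secret placed next to the record and the request itself are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING        16      /* minimum padding required by RFC 6520 */
#define ARENA_SIZE        256
#define RESP_CAP          512

/* One received record as the handler sees it: a pointer into the receive
 * buffer plus the number of bytes actually read off the wire. */
typedef struct { const unsigned char *data; size_t length; } tls_record;

/* Constructed stand-in for process memory: the heartbeat record lands at
 * offset 0 and an unrelated secret sits just past it, as on a real heap.
 * The secret is made up for this example. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "user=alice&password=hunter2";
#define SECRET_OFFSET 64

/* Encode type || length(2, big-endian) || payload || padding. claimed_len
 * is what the length field says; real_len is the payload actually sent. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const unsigned char *payload, size_t real_len)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);
    return 3 + real_len + HB_PADDING;
}

/* Vulnerable handler, modelled on 1.0.1-1.0.1f: the length field is trusted
 * and that many bytes are copied out of the record buffer. Only the output
 * buffer is bounds-checked here (so the model itself stays memory-safe). */
static int heartbeat_vulnerable(const tls_record *rec, unsigned char *resp, size_t cap)
{
    const unsigned char *p = rec->data;
    uint16_t payload_len;
    if (rec->length < 3 || p[0] != TLS1_HB_REQUEST) return -1;
    payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)3 + payload_len + HB_PADDING > cap) return -1;
    resp[0] = TLS1_HB_RESPONSE; resp[1] = p[1]; resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload_len);        /* reads past rec->length */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}

/* Fixed handler, modelled on the 1.0.1g patch: a record whose claimed payload
 * plus header and padding exceeds what was received is silently dropped. */
static int heartbeat_fixed(const tls_record *rec, unsigned char *resp, size_t cap)
{
    const unsigned char *p = rec->data;
    uint16_t payload_len;
    if (rec->length < 1 + 2 + HB_PADDING || p[0] != TLS1_HB_REQUEST) return -1;
    payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec->length) return -1; /* the missing check */
    if ((size_t)3 + payload_len + HB_PADDING > cap) return -1;
    resp[0] = TLS1_HB_RESPONSE; resp[1] = p[1]; resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload_len);
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}

/* Byte-string search; the response contains NUL bytes, so strstr won't do. */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle), i;
    for (i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Send a 2-byte payload with the given length field through a handler.
 * Returns 1 if the secret appears in the reply, 0 if not, -1 if rejected. */
static int run(int (*handler)(const tls_record *, unsigned char *, size_t),
               uint16_t claimed_len)
{
    static const unsigned char payload[2] = { 'h', 'i' };
    unsigned char resp[RESP_CAP];
    tls_record rec;
    int n;
    memset(arena, 0, sizeof arena);
    memcpy(arena + SECRET_OFFSET, secret, sizeof secret);
    rec.data = arena;
    rec.length = build_heartbeat(arena, claimed_len, payload, sizeof payload);
    n = handler(&rec, resp, sizeof resp);
    return n < 0 ? -1 : contains(resp, (size_t)n, secret);
}

int vulnerable_leaks_secret(void)   { return run(heartbeat_vulnerable, 128); }
int vulnerable_answers_honest(void) { return run(heartbeat_vulnerable, 2); }
int fixed_rejects_oversized(void)   { return run(heartbeat_fixed, 128); }
int fixed_answers_honest(void)      { return run(heartbeat_fixed, 2); }

int main(void)
{
    printf("vulnerable, length field 128: %d (1 = secret leaked)\n", vulnerable_leaks_secret());
    printf("fixed, length field 128:      %d (-1 = request dropped)\n", fixed_rejects_oversized());
    printf("fixed, honest length 2:       %d (0 = echoed, nothing leaked)\n", fixed_answers_honest());
    return 0;
}
```

Two things in the model match what Schneier describes. Nothing in the vulnerable path fails or logs: the malformed request is answered like any other, which is why the attack leaves no trace. And the attacker controls only the length, not the address, so each request returns whatever happens to sit after the record buffer; repeating it harvests a different slice each time, up to the 64 KB that a two-byte length field allows.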
On Tuesday, the Los Angeles Times reported:
"The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability. On Tuesday, Tumblr, which is owned by Yahoo, became the largest website to disclose that it had been hit by the "Heartbleed Bug" and urged users to change not just the password for its site but for all others as well."
Next, some security experts advised consumers to update all of their passwords and to avoid online banking until fixes were in place. Then other experts advised consumers not to change all of their passwords yet. The revised advice followed from the nature of the flaw: a new password entered on a site that has not yet patched OpenSSL is just as exposed as the old one, so changing it early gains nothing and may simply hand the attacker a fresh credential. Many websites had not yet fixed their servers.
Some websites promptly announced fixes for their users. Some sites announced that they were unaffected. Other sites said they were still investigating. Mashable published on Wednesday a "Hit List" of websites whose passwords consumers should change. It quickly became apparent that websites ran different versions of OpenSSL, and only some of those are vulnerable: the 1.0.1 series through 1.0.1f. The older 0.9.8 and 1.0.0 branches never contained the heartbeat code, and 1.0.1g carries the fix. So consumers should first check with the sites they use to see whether (and when) they should change their passwords. The right moment is after the site has both upgraded OpenSSL and replaced the certificate and private key that may have leaked; a patched server still using its old key can still be impersonated, and the new password is then only as safe as that key.
As if all of this wasn't enough, then we learned that the intelligence community may have known about Heartbleed for months if not far longer and used the security flaw as an opportunity to collect passwords and encryption keys:
"... when researchers revealed Heartbleed, a two-year-old security hole involving the OpenSSL software many websites use to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled... and since the Heartbleed bug has existed for two years, it raises obvious questions about whether the NSA or other spy agencies were exploiting it before its discovery to conduct spying on a mass scale... Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data."
Note the "two-year-old security hole" statement. It makes one wonder why the intelligence community, created to protect citizens, didn't warn somebody. I guess that when you are focused upon offensive cyber weapons, a warning is a bridge too far.
The cynic in me concluded that if the intelligence community knew about Heartbleed years ago, then they, and/or their contractors, probably used it. Why? "The Secret War" report by Wired in June 2013 provides some context:
"Defense contractors have been eager to prove that they understand Alexander’s worldview. “Our Raytheon cyberwarriors play offense and defense,” says one help-wanted site. Consulting and engineering firms such as Invertix and Parsons are among dozens posting online want ads for “computer network exploitation specialists.” And many other companies, some unidentified, are seeking computer and network attackers... One of the most secretive of these contractors is Endgame Systems, a startup backed by VCs including Kleiner Perkins Caufield & Byers, Bessemer Venture Partners, and Paladin Capital Group. Established in Atlanta in 2008... According to news reports, Endgame is developing ways to break into Internet-connected devices through chinks in their antivirus armor. Like safecrackers listening to the click of tumblers through a stethoscope, the “vulnerability researchers” use an extensive array of digital tools to search for hidden weaknesses in commonly used programs and systems, such as Windows and Internet Explorer. And since no one else has ever discovered these unseen cracks, the manufacturers have never developed patches for them."
OpenSSL seems to me to be a commonly used program. There are several takeaways from this Wired report. One is that finding and using vulnerabilities in Internet-connected computers is a big, profitable business. Remember, privately-held (and secretive) corporations are beholden only to their investors. Another takeaway: corporations involved in cyberwarfare are free to sell the vulnerabilities they have found to anyone (links added):
"According to Defense News’ C4ISR Journal and Bloomberg Businessweek, Endgame also offers its intelligence clients—agencies like Cyber Command, the NSA, the CIA, and British intelligence—a unique map showing them exactly where their targets are located. Dubbed Bonesaw, the map displays the geolocation and digital address of basically every device connected to the Internet around the world, providing what’s called network situational awareness... It will allow Endgame’s clients to observe in real time as hardware and software connected to the Internet around the world is added, removed, or changed. But such access doesn’t come cheap. One leaked report indicated that annual subscriptions could run as high as $2.5 million for 25 zero-day exploits... The question is, who else is on the secretive company’s client list? Because there is as of yet no oversight or regulation of the cyberweapons trade, companies in the cyber-industrial complex are free to sell to whomever they wish... The companies trading in this arena can sell their wares to the highest bidder—be they frontmen for criminal hacking groups or terrorist organizations or countries that bankroll terrorists..."
Remember, there have been several instances (e.g., Lexis-Nexis, Experian, ChoicePoint, Lexis-Nexis again) where credit reporting agencies and data brokers have sold consumers' sensitive personal information to criminals and other bad guys. So, it is a real risk for cyberwarfare vendors to sell vulnerabilities to bad guys, as the report rightly mentioned.
What are your opinions of the Heartbleed security flaw? Of websites' responses and notifications? Of the role of the intelligence community?
[Editor's note: after I published this blog post this morning, Bloomberg confirmed this afternoon that the NSA used the Heartbleed bug for several years to surveil and hack sites. This is why the word "probably" appears above as strike-through text.]