
NSA Said to Exploit Heartbleed Bug for Intelligence for Years

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug.

Test your server for Heartbleed (CVE-2014-0160). Enter a URL or a hostname to test the server for CVE-2014-0160; you can specify a port like this: example.com:4433 (443 by default). Results are cached globally for up to 6 hours. A clean result reads "All good, seems fixed or unaffected!"; a failed check reports "Uh-oh, something went wrong" and shows data pulled from the server memory (the test places the string YELLOW SUBMARINE in its request, and it should not come back), in which case the site advises taking immediate action. If there are problems with the test itself, or to learn what a result means, see the FAQ.

NSA denies report it exploited Heartbleed for years The Heartbleed security flaw that exposes a vulnerability in encryption has reportedly extended its reach well beyond Web services. According to Bloomberg, citing "two people familiar with the matter," the National Security Agency knew about Heartbleed for at least two years and used the hole in encryption technology to gather intelligence. However, the agency strongly denied the substance of Bloomberg's report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," the agency said in a statement. This follows a separate Bloomberg report that the security flaw affects Android smartphones and tablets that run version 4.1.1 of Google's operating system. In a statement on Google's online security blog, the company says patching information has been submitted to partners.

NSA denies report that it knew about Heartbleed from the start [Updated] Citing two anonymous sources “familiar with the matter,” Bloomberg News reports that the National Security Agency has known about Heartbleed, the security flaw in the OpenSSL encryption software used by a majority of websites and a multitude of other pieces of Internet infrastructure, for nearly the entire lifetime of the bug—“at least two years.” The sources told Bloomberg that the NSA regularly used the flaw to collect intelligence information, including obtaining usernames and passwords from targeted sites. “When Edward Snowden warned that the NSA is ‘setting fire to the future of the internet,’ this is presumably the kind of thing he was talking about," said Jameel Jaffer, deputy legal director at the American Civil Liberties Union, in a statement emailed to Ars. "If this report is true, then the NSA is making hundreds of millions of people around the world more vulnerable to hacking and identity theft, and it’s compromising the trust that allows the internet to function."

The Heartbleed Hit List: The Passwords You Need to Change Right Now An encryption flaw called the Heartbleed bug is already being dubbed one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years. But it hasn't always been clear which sites have been affected. Mashable reached out to some of the most popular social, email, banking and commerce sites on the web. We've rounded up their responses below. Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. Although changing your password regularly is always good practice, if a site or service hasn't yet patched the problem, your information will still be vulnerable. We'll keep updating the list as new information comes in.

Heartbleed is a Sucking Chest Wound in the NSA's Reputation —Kevin Drum on Sat. April 12, 2014 8:01 AM PDT On Friday, Bloomberg's Michael Riley reported that the NSA was aware of the Heartbleed bug from nearly the day it was introduced: The U.S. Henry Farrell explains just how bad this is here. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," NSA spokesperson Vanee Vines told The Post. You know, I'm honestly not sure which would be worse.

HeartBleed: lucky that OpenSSL is free software! SSL/TLS, the foundation of encrypted communications, not so encrypted after all. When you browse the Internet, you sometimes use secured connections without knowing it. These are in fact encrypted connections. This is the case when you log in to your favourite webmail or to your bank's site. The majority of secure servers use the protocol known as HTTPS. The spectre of the NSA: there is one extremely awkward point if you cross-reference this with the NSA/Prism affair. The role of free software in handling HeartBleed. What lessons can be drawn from all this? The four freedoms, and direct access to a fix: without access to the source code, someone who had observed abnormal behaviour (here, access to a region of memory that should in theory be unreachable) could not have understood the very origin of the problem (here, a missing bounds check on an array). Free software: distributed, yet organized. "Community", I write your name.

Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA | Threa... After years of studied silence on the government’s secret and controversial use of security vulnerabilities, the White House has finally acknowledged that the NSA and other agencies exploit some of the software holes they uncover, rather than disclose them to vendors to be fixed. The acknowledgement comes in a news report indicating that President Obama decided in January that from now on any time the NSA discovers a major flaw in software, it must disclose the vulnerability to vendors and others so that it can be patched, according to the New York Times. But Obama included a major loophole in his decision, which falls far short of recommendations made by a presidential review board last December: according to Obama, any flaws that have “a clear national security or law enforcement” use can be kept secret and exploited. A so-called zero-day vulnerability is one that’s unknown to the software vendor and for which no patch therefore exists.
