http://www.bloomberg.com/news/2014-...e-used-heartbleed-bug-exposing-consumers.html
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.
But if the NSA has been exploiting Heartbleed for “at least two years,” the agency would have needed to discover it not long after the code for the TLS Heartbeat Extension was added to OpenSSL 1.0.1, which was released on March 14, 2012. The first “beta” source code wasn’t available until January 3, 2012.
That means that the agency would have had to learn of the flaw in the code within days of its full release at the latest. While not impossible, that possibility seems highly unlikely unless the NSA dedicated resources to follow the project while in development, watched changes in code, and did ongoing extensive analysis. According to budget documents published by the Washington Post in August 2013, the NSA spent $25 million in 2013 on zero-day exploits from “private vendors.”
I'll wait to believe it until we get a better source.
The NSA would have to have been watching OpenSSL pretty closely to find the bug so quickly — which is not unlikely.
If they really did know about it, I'd say that's worse than just about everything else we know they've done combined.
It would be reckless endangerment of American businesses and citizens.
They'd be culpable for putting national security at risk rather than defending it.
http://time.com/60082/nsa-heartbleed-bug-denial/
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong,” NSA spokesperson Vanee’ Vines told TIME.
OTOH, the NSA's credibility is nothing to write home about.
NSA denies knowing about Heartbleed
I suppose NSA's choice is to deny it or to be silent.
Yeah, that's in the story I quoted too, but I figured it was so irrelevant I didn't bother quoting that part.
Whether they did or didn't, what else are they going to say?
WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.
But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.
Hey, just to say:
This is also a golden opportunity for phishing, so when you get emails telling you to change your password, DO CHECK that they're legit. You don't want to follow a link to something that only looks like your online banking site, and hand over all your credentials.
I've known people who do not know how to type a domain into the address bar of a browser (if anything, they type keywords of what they want, and rather than erroring out, the browser does a search on the keyword and opens the first result - they get what they want most of the time, so they believe they did the right thing). They don't know the difference between clicking on a popup ad, clicking a link in an email, or whatnot. These people can be told to "think" and "be careful" but they don't have the basic knowledge to make such statements helpful.
In my professional opinion:
The bug's a real thing. Even if it wasn't, it's a healthy reminder of paying attention to our own online safety.
We should be changing our passwords regularly anyway. (pot meet kettle)
But the quoted passage above? That's where the casual/naive internet user is likely to get bit in the coming weeks and months. Encouraging people to read and think before clicking is an "always on" mission.
I'd suspect it's so they have a private entity to sue and place the blame on if such a bug were found in THEIR SSL software.
So, in brief summary - regulated financial organisations don't use OpenSSL (largely due to mostly having their IT outsourced to people who know better).
Isn't it generally a good idea to use open-source crypto? In that you're not relying on security through obscurity, but on stuff that is exposed to the scrutiny of everyone?
According to a DarkReading flash poll, as of Friday, 60 percent of respondents said they've installed Heartbleed fixes on servers, although only about 40 percent said they'd replace digital certificates, and just 30 percent planned to force users to change their passwords.
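The poll above separates three remediation steps that only work in order: patch the server, then reissue the certificate (because the private key may have been read from the vulnerable process), then force password changes (because passwords entered before the patch may have been captured). A small triage script for the middle step, added here as an example and not taken from the thread or from any of the quoted sources: it reads the text that `openssl x509 -in cert.pem -noout -subject -dates` prints for each host, compares the certificate's notBefore with the time the fixed OpenSSL build went live, and flags certificates that were already in service while the host was vulnerable. The host names, dates and patch time are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample: what `openssl x509 -in <cert> -noout -subject -dates`
# prints for three hypothetical hosts (names and dates are made up).
SAMPLE_CERTS = {
    "www.example-bank.test": (
        "subject= /CN=www.example-bank.test\n"
        "notBefore=Jan 15 00:00:00 2013 GMT\n"
        "notAfter=Jan 15 23:59:59 2015 GMT\n"
    ),
    "mail.example-bank.test": (
        "subject= /CN=mail.example-bank.test\n"
        "notBefore=Apr  9 00:00:00 2014 GMT\n"
        "notAfter=Apr  9 23:59:59 2016 GMT\n"
    ),
    "vpn.example-bank.test": (
        "subject= /CN=vpn.example-bank.test\n"
        "notBefore=Apr  8 09:00:00 2014 GMT\n"
        "notAfter=Apr  8 23:59:59 2016 GMT\n"
    ),
}

# Constructed: the moment the patched OpenSSL build was deployed on these hosts.
PATCHED_AT = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)


def parse_openssl_time(value):
    """Parse an OpenSSL date such as 'Apr  8 09:00:00 2014 GMT' into an aware UTC datetime."""
    # OpenSSL pads single-digit days with an extra space; collapse runs of whitespace first.
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_cert_summary(text):
    """Turn the -subject/-dates output into a dict with subject, not_before and not_after."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "subject": fields["subject"],
        "not_before": parse_openssl_time(fields["notBefore"]),
        "not_after": parse_openssl_time(fields["notAfter"]),
    }


def triage(certs, patched_at):
    """Return {host: 'reissue' | 'keep'}.

    A certificate whose validity began before the patch went in was being served by a
    vulnerable process, so its private key has to be treated as exposed and the pair
    reissued. A certificate issued after patching never lived in vulnerable memory.
    """
    actions = {}
    for host, text in certs.items():
        info = parse_cert_summary(text)
        actions[host] = "reissue" if info["not_before"] < patched_at else "keep"
    return actions


if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_CERTS, PATCHED_AT).items()):
        print(f"{host}: {action}")
```

Two caveats when using this against real inventories. CAs commonly backdate notBefore by some hours to absorb clock skew, so a certificate that appears to have been issued just after the patch may have had its key generated on the still-vulnerable host; where the key generation time is known, compare that instead, or add a safety margin. The same ordering logic governs the third step in the poll: a forced password change only helps if it happens after the server is patched, otherwise the new password can be captured the same way the old one was.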