Re: [cryptography] Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?
Jeffrey Walton shares:

| https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
|
| ...
| The second log seems much more troubling. We have spoken to Ars
| Technica's second source, Terrence Koeman, who reports finding some
| inbound packets, immediately following the setup and termination of a
| normal handshake, containing another Client Hello message followed by
| the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs
| from November 2013. These bytes are a TLS Heartbeat with contradictory
| length fields, and are the same as those in the widely circulated
| proof-of-concept exploit.
| ...

First, one must assume that one is never the first discoverer.

Second, the article continues with

| ...
| To reach a firmer conclusion about Heartbleed's history, it would
| be best for the networking community to try to replicate Koeman's
| findings.
| ...

and one should remember that the installed base of such firms as NetWitness (bought by, and brought into, EMC after the RSA APT attack) does exactly what is being asked for above, as do other such products that have not appeared in commercial offerings. (For timely reasons, one wonders how all the tax preparation sites plus irs.gov are waltzing with Heartbleed just now. April 15 is Tuesday...)

Combining points one and two inside any entity where competent data analysis at scale is routine, a novel attack using an extant flaw may well become available to such entities by *observation* rather than by synthesis and/or invention. Like organisms that borrow genes across species barriers, the best on the offense side would have no qualms about capturing what can be observed. There are neither patents nor false modesty in that space.

EFF, or someone here, would do well to devise a nomogram whereby one laid one's straight-edge on the page and read off

  If this attack occurred against a target of this value,
  then detection implies first use was N months ago.
For diseases with guessable intervals between infection and clinical signs, this is how you look for Patient Zero. --dan ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
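An added example, not part of any message in this thread: the eight bytes quoted from the EFF article, 18 03 02 00 03 01 40 00, decoded field by field, with the check that makes them "contradictory" and a small scan routine of the kind the article asks the networking community to run over November 2013 ingress logs. The record-header layout follows RFC 5246 and the HeartbeatMessage layout follows RFC 6520; the function names, the "benign" and "malformed" labels and the sample log entries are constructed here for illustration and are not Koeman's data.

```python
import struct

TLS_HEARTBEAT = 0x18        # ContentType heartbeat(24), RFC 6520
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER_LEN = 3           # type(1) + payload_length(2)
MIN_PADDING = 16            # RFC 6520 section 4: at least 16 bytes of padding


def parse_record(data: bytes):
    """Split one TLS record into (content_type, (major, minor), declared_len, fragment)."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), rlen, data[5:5 + rlen]


def heartbeat_verdict(data: bytes) -> dict:
    """Classify one TLS record (labels are this example's own).

    'not-heartbeat': some other ContentType, nothing to check
    'benign':        3-byte heartbeat header + payload_length + 16 bytes of
                     padding fit inside the record, the bounds check that the
                     OpenSSL 1.0.1g fix performs before echoing the payload
    'malformed':     payload_length claims more bytes than the record carries;
                     an unpatched responder echoes payload_length bytes of
                     process memory (CVE-2014-0160, Heartbleed)
    """
    ctype, ver, rlen, frag = parse_record(data)
    out = {"content_type": ctype, "version": ver, "record_length": rlen}
    if ctype != TLS_HEARTBEAT:
        out["verdict"] = "not-heartbeat"
        return out
    if len(frag) < HB_HEADER_LEN:
        out["verdict"] = "malformed"
        out["reason"] = "truncated heartbeat header"
        return out
    hb_type, payload_len = struct.unpack("!BH", frag[:HB_HEADER_LEN])
    out.update({"hb_type": hb_type, "payload_length": payload_len})
    if HB_HEADER_LEN + payload_len + MIN_PADDING > rlen:
        out["verdict"] = "malformed"
        out["reason"] = (f"payload_length {payload_len} + header + padding "
                         f"exceeds record length {rlen}")
    else:
        out["verdict"] = "benign"
    return out


def scan_capture(records):
    """Run the check over (timestamp, hex-bytes) pairs, as a packet-log
    exporter might emit them, and return the entries flagged as malformed."""
    hits = []
    for ts, hexbytes in records:
        v = heartbeat_verdict(bytes.fromhex(hexbytes))
        if v["verdict"] == "malformed":
            hits.append((ts, v))
    return hits


# Constructed sample log (not real capture data): a handshake record, the
# exact bytes quoted in the EFF article, and a well-formed heartbeat request
# carrying the payload 'ping' plus 16 bytes of padding.
SAMPLE_LOG = [
    ("2013-11-01T00:00:00Z", "1603010004" + "01000000"),
    ("2013-11-01T00:00:01Z", "1803020003014000"),
    ("2013-11-01T00:00:02Z", "1803020017" + "010004" + "70696e67" + "00" * 16),
]

if __name__ == "__main__":
    for ts, v in scan_capture(SAMPLE_LOG):
        print(ts, v)
```

The quoted bytes decode as record type 0x18 (heartbeat), protocol version 3.2 (TLS 1.1), record length 3, then a heartbeat request (type 1) whose payload_length field says 0x4000 = 16384 bytes. The record itself carries no payload at all, so the two length fields cannot both be true; that mismatch, not any particular byte value, is the signature to search for, and the check uses the record length actually received rather than trusting the inner field.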
[cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.

...
Re: [cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
So I trust EFF's analysis more here. However, this is newer than the latest article I've seen from EFF. So, where's Bloomberg's technical analysis on the subject?

On Apr 11, 2014 5:50 PM, Jeffrey Walton noloa...@gmail.com wrote:
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
> The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
>
> The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.
>
> Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.
>
> ...
Re: [cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
> The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

Bingo! What lessons are we picking up from this? Here's what I'm feeling so far, flame away:

1. Score 1 up for closed source. Although this bug would as equally exist in closed source, the likelihood of discovery, publication and exploitation is much lower.

2. Score another 1 up for interpreted languages that handle array allocation cleanly. This is more or less a buffer overflow, in a wider sense.

3. We have evidence of NSA exploitation in the above, and there was another prior indication that was suggested to be agency.
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

4. This should put to rest any silly claims that the NSA put the bug into play themselves. The programmer and the reviewer missed it.

5. I've seen no evidence yet of attacker-inflicted damages, nor of new exploits, but it's only been a week.

> The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

6. It is becoming clearer that the NSA's mission is offensive first, defensive ever? They aren't our friends, they might be our enemy. Has impact on all sorts of cooperation questions (NIST, IETF).

> Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites.

7. In contrast to damages, the rework bill is immense. All those sites multiplied by average refit cost.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
http://happyplace.someecards.com/30541/the-heartbleed-bug-which-sites-you-should-change-your-passwords-for-and-how-to-panic

Does anyone have a view as to the average cost to refit?

iang
Re: [cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
On 04/11/2014 03:51 PM, ianG wrote:
> On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
>> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>>
>> The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
>
> 1. Score 1 up for closed source. Although this bug would as equally exist in closed source, the likelihood of discovery, publication and exploitation is much lower.

Isn't that a naive assumption? Every US-based company that has anything to do with crypto has to send in their source code to a special address before you can be granted a License Exception (US BIS rules) to export to foreign customers. (The only exception is open-source, whose creators must still notify a special e-mail address about the new FOSS.) In either case, NSA knows about it.

Is it any less worse that only the NSA might have exploited unknown loopholes than random attackers after your money? They're undermining trust in the internet, which is now a multi-billion, perhaps even a trillion, dollar industry involving millions of jobs. Given that the US is probably the largest creator of technology products, the end result is likely to be a boon for technology companies around the world as US jobs are lost due to lost exports.

As I see it, only open-source software has a chance to be trusted since users can see what they're deploying; of course, it has to be verified, but that was always true.

Arshad Noor
StrongAuth, Inc.