Did NSA Take Advantage of HeartBleed Virus?

Clementine

Did NSA take advantage of security flaws to get private information on citizens? I would bet they did. Of course, the claim is that they had no idea about any of this until a private security company discovered the problem. How many times now has this administration claimed they had no knowledge of something until someone in the private sector pointed it out? And yet, they bash the private sector and seek to control it more every day. Clearly, the private sector is better about finding out about scandals (so Obama can learn things on the news) and the private sector is on top of security issues. Maybe we should let the private sector take the lead in protecting us since they are better able to find out what's going on and warn us.

NSA denies report that agency knew about, exploited 'Heartbleed' flaw | Fox News
 
There are things we know that we know and things that we know that we don't know, there are also known unknowns and unknown unknowns, or whatever.

Why weren't Teabaggers outraged by the USAPATRIOT Act in 2001?
 
I'm sure some were upset over the Patriot Act. Sure doesn't explain why the loudest critics are silent now as Obama goes farther than anyone else when it comes to spying on the American people.
 
Maybe you missed the Occupy movement because you were too busy defending the police state.
 
Heartbleed bleedin' all over the internet...
:eek:
Heartbleed could harm a variety of systems
Apr 11, '14 -- It now appears that the "Heartbleed" security problem affects not just websites, but also the networking equipment that connects homes and businesses to the Internet.
A defect in the security technology used by many websites and equipment makers has put millions of passwords, credit card numbers and other personal information at risk. The extent of the damage caused by Heartbleed isn't known. The threat went undetected for more than two years, and it's difficult to tell if any attacks resulted from it because they don't leave behind distinct footprints. But now that the threat is public, there's a good chance hackers will try to exploit it before fixes are in place, says Mike Weber, vice president of the information-technology audit and compliance firm Coalfire.

Two of the biggest makers of networking equipment, Cisco and Juniper, have acknowledged that some of their products contain the bug, but experts warn that the problem may extend to other companies as well as a range of Internet-connected devices such as Blu-ray players. "I think this is very concerning for many people," says Darren Hayes, professor of security and computer forensics at Pace University. "It's going to keep security professionals very busy over the coming weeks and months. Customers need to make sure they're getting the answers they need." Here's a look at what consumers and businesses should know about Heartbleed and its effects on networking devices.

- How is networking equipment affected?

Just like websites, the software used to run some networking equipment - such as routers, switches and firewalls - also uses the variant of SSL/TLS known as OpenSSL. OpenSSL is the set of tools that has the Heartbleed vulnerability. As with a website, hackers could potentially use the bug as a way to breach a system and gather and steal passwords and other sensitive information.

- What can you do?

Security experts continue to advise people and businesses to change their passwords, but that won't be enough unless the company that created the software in question has put the needed fixes in place. When it comes to devices, this could take a while. Although websites can be fixed relatively quickly by installing a software update, device makers will have to check each product to see if it needs to be fixed. Both Cisco Systems Inc. and Juniper Networks Inc. continue to advise customers through their websites on which product is still vulnerable, fixed and unaffected. Owners may need to install software updates for products that are "fixed."

Hayes praises Cisco and Juniper for being upfront with customers. He cautions, though, that many other companies make similar products that likely have the bug, too, but haven't come forward to say so. As a result, businesses and consumers need to check the websites for devices that they think could have problems. They must be diligent about installing any software updates they receive. Weber says that while there are some checks companies can do to see if their networking equipment is safe, they're largely beholden to the device makers to let them know what's going on. Companies also need to make sure that business partners with access to their systems aren't compromised as well.

- Are other devices at risk?

Hayes says the bug could potentially affect any home device that's connected to the Internet, including something as simple as a Wi-Fi-enabled Blu-ray player. He also points to recent advances in home automation, such as smart thermostats, security and lighting systems. "We simply don't know the extent of this and it could affect those kinds of devices in the home," he says.

AP Newswire | Stars and Stripes

See also:

3 things you can do to protect from Heartbleed
Apr 11, '14: The "Heartbleed" bug has caused anxiety for people and businesses. Now, it appears that the computer bug is affecting not just websites, but also networking equipment including routers, switches and firewalls.
The extent of the damage caused by the Heartbleed is unknown. The security hole exists on a vast number of the Internet's Web servers and went undetected for more than two years. Although it's conceivable that the flaw was never discovered by hackers, it's difficult to tell. There isn't much that people can do to protect themselves completely until the affected websites implement a fix. And in the case of networking equipment, that could be a while. Here are three things you can do to reduce the threat:

- Change your passwords. This isn't a foolproof solution. It'll only help if the website in question has put in place required security patches. You also might want to wait a week and then change them again.

- Worried about the websites you're surfing? There's a free add-on for the Firefox browser to check a site's vulnerability and provide color-coded flags. Green means go and red means stop. You can download it here: https://addons.mozilla.org/en-US/firefox/addon/heartbleed-checker/

- Check the website of the company that made your home router to see if it has announced any problems. Also be diligent about downloading and installing any software updates you may receive.

AP Newswire | Stars and Stripes

Related:

Report: NSA knew about Heartbleed bug, exploited it to gather intel
April 11, 2014 ~ The National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather intelligence, Bloomberg reported Friday.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies from Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems. Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

Controversial practice

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber-officer. “They are going to be completely shredded by the computer security community for this.” Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities. The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets. The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

Free code

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects. In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks. The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling series of leaks from Snowden, who was a former agency contractor. The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S.’s largest spy agency. The NSA protects the computers of the government and critical industry from cyberattacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.

Serious flaws
 
When a salesman tried to sell Granny a Blackberry, she gave him the raspberry...
:lol:
Millions of Android devices vulnerable to Heartbleed
Mon, Apr 14, 2014 - OPERATING AT RISK: Handset makers and wireless carriers have to update the system software, Google said, but experts said individual users face little danger
Millions of smartphones and tablets running Google Inc’s Android operating system have the Heartbleed software bug. While Google said in a blog post on Wednesday last week that all versions of Android are immune to the flaw, it added that the “limited exception” was one version dubbed 4.1.1, which was released in 2012. Security researchers said that version of Android is still used in millions of smartphones and tablets, including popular models made by Samsung Electronics Co, HTC Corp and other manufacturers. Google statistics show that 34 percent of Android devices use variations of the 4.1 software. The company said that less than 10 percent of active devices are vulnerable. Over 900 million Android devices have been activated worldwide.

The Heartbleed vulnerability was made public last week and can expose people to hacking of their passwords and other information. While a fix was simultaneously made available and quickly implemented by the majority of Internet properties that were vulnerable to the bug, there is no easy solution for Android gadgets that carry the flaw, security experts said. Even though Google has provided a patch, the company said it is up to handset makers and wireless carriers to update the devices. “One of the major issues with Android is the update cycle is really long,” said Michael Shaulov, chief executive officer and co-founder of Lacoon Security Ltd, a cybersecurity company focused on advanced mobile threats. “The device manufacturers and the carriers need to do something with the patch, and that’s usually a really long process,” he added.

Microsoft Corp said on Friday that the Windows and Windows Phone operating systems and most services are not impacted. “A few services continue to be reviewed and updated with further protections,” Microsoft Trustworthy Computing director Tracey Pretorius wrote in an e-mailed statement. Apple Inc did not respond to messages for comment. The Heartbleed bug, which was discovered by researchers from Google and a Finnish company called Codenomicon, affects OpenSSL, a type of open-source encryption used by as many as 66 percent of all active Internet sites.

Still, there are no signs that hackers are trying to attack Android devices through the vulnerability, as it would be complicated to set up and the success rate would be low, said Marc Rogers, principal security researcher at the San Francisco-based Lookout Inc. Individual devices are less attractive because they need to be targeted one-by-one, he said. “Given that the server attack affects such a larger number of devices and is so much easier to carry out, we don’t expect to see any attacks against devices until after the server attacks have been completely exhausted,” Rogers wrote in an e-mail.

Millions of Android devices vulnerable to Heartbleed - Taipei Times
 
Just great. Thanks for posting. I guess just about everything anyone owns is vulnerable.
 
Obamacare vulnerable to Heartbleed...
:eek:
Health care site flagged in Heartbleed review
Apr 19, '14 WASHINGTON (AP) -- People who have accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed computer virus.
Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government's Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page. The Heartbleed computer bug has caused major security concerns across the Internet and affected a widely used encryption technology that was designed to protect online accounts. Major Internet services have been working to insulate themselves against the bug and are also recommending that users change their website passwords.

Officials said the administration was prioritizing its analysis of websites with heavy traffic and the most sensitive user information. A message that will be posted on the health care website starting Saturday reads: "While there's no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers' passwords out of an abundance of caution." The health care website became a prime target for critics of the Obamacare law last fall when the opening of the insurance enrollment period revealed widespread flaws in the online system. Critics have also raised concerns about potential security vulnerabilities on a site where users input large amounts of personal data.

The website troubles were largely fixed during the second month of enrollment and sign-ups ultimately surpassed initial expectations. Obama announced this week that about 8 million people had enrolled in the insurance plans. The full extent of the damage caused by the Heartbleed is unknown. The security hole exists on a vast number of the Internet's Web servers and went undetected for more than two years. Although it's conceivable that the flaw was never discovered by hackers, it's difficult to tell. The White House has said the federal government was not aware of the Heartbleed vulnerability until it was made public in a private sector cybersecurity report earlier this month. The federal government relies on the encryption technology that is impacted - OpenSSL - to protect the privacy of users of government websites and other online services.

The Homeland Security Department has been leading the review of the government's potential vulnerabilities. The Internal Revenue Service, a widely used website with massive amounts of personal data on Americans, has already said it was not impacted by Heartbleed. "We will continue to focus on this issue until government agencies have mitigated the vulnerability in their systems," Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications, wrote in a blog post on the agency website. "And we will continue to adapt our response if we learn about additional issues created by the vulnerability." Officials wouldn't say how many government websites they expect to flag as part of the Heartbleed security review, but said it's likely to be a limited number. The officials insisted on anonymity because they were not authorized to discuss the security review by name.

AP Newswire | Stars and Stripes

See also:

White House updating online privacy policy
Apr 18, '14 ~ A new Obama administration privacy policy released Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites, and it clarifies that online comments, whether tirades or tributes, are in the open domain.
"Information you choose to share with the White House (directly and via third party sites) may be treated as public information," the new policy says. The Obama administration also promises not to sell the data of online visitors. But it cannot make the same assurances for users who go to third-party White House sites on Facebook, Twitter or Google Plus. There will be no significant changes in actual practices under the new policy. But legal jargon and bureaucratic language has been stripped out, making it easier for readers to now understand that the White House stores the date, time and duration of online visits; the originating Internet Protocol address; how much data users transmit from WhiteHouse.gov to their computers; and more. The administration also tracks whether emails from the White House are opened, forwarded or printed.

The updates were needed because "Our old privacy policy was just that - old," blogged Obama's digital director Nathaniel Lubin. After coming to office in a campaign lauded for its online savvy, President Barack Obama's White House has quickly adapted to online engagement since taking office in 2008, embracing using the Internet in all of its manifestations. The first administration with an Office of Digital Strategy, Obama's online strategy now includes a We the People petitions platform, live online chats and more than a dozen social media sites including Google Plus, LinkedIn, Pinterest, Instagram, Vine, MySpace and seven different Facebook pages including La Casa Blanca and Education to Innovate.

Visitors who link to those social media sites are advised: "Your activity on those sites is governed by the third-party website's security and privacy policies," which frequently allow those companies to sell users' data. In addition, the White House archives Twitter, Facebook and Google Plus content to comply with the Presidential Records Act. The policy says Obama will keep some information - automatically generated email data, Mobile App use data and some cookie data - until the end of the current administration. The White House is also explicit about what it doesn't do, including collecting geolocation information from mobile-app users or sharing information for commercial purposes.

The policy is being released at a time when the administration is facing unprecedented criticism over disclosures from former intelligence contractor Edward Snowden that expose sweeping U.S. government surveillance programs. The policy aims to address at least some of those concerns. White House spokesman Matt Lehrich said they also do not give third parties, including the political organization Obama for America or the U.S. National Security Agency, access to their email database or other systems. "Within the White House, we restrict access to personally identifiable information to employees, contractors, and vendors subject to non-disclosure requirements who require access to this information in order to perform their official duties and exercise controls to limit what data they can view based on the specific needs of their position," the policy says.

 
