[[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

I'm not forwarding this to get into politics. I'm forwarding it
because of the impact on operational security. Given the recent "I hunt
sysadmins" leak, I think it's not unreasonable to suggest that everyone
on this list has probably been targeted because of their privileged
access to networks/servers/services/etc.

---rsk

----- Forwarded message from Richard Forno <rforno@infowarrior.org> -----

Date: Fri, 11 Apr 2014 15:05:03 -0400
From: Richard Forno <rforno@infowarrior.org>
To: Infowarrior List <infowarrior@attrition.org>
Subject: [Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years

NSA Said to Have Used Heartbleed Bug, Exposing Consumers

By Michael Riley Apr 11, 2014 2:58 PM ET

NSA Said to Have Used Heartbleed Bug, Exposing Consumers - Bloomberg

The U.S. National Security Agency knew for at least two years about a flaw
in the way that many websites send sensitive information, now dubbed the
Heartbleed bug, and regularly used it to gather critical intelligence,
two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security
interests threatens to renew the rancorous debate over the role of the
government's top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet's
history, a flaw in the basic security of as many as two-thirds of the
world's websites. Its discovery and the creation of a fix by researchers
five days ago prompted consumers to change their passwords, the Canadian
government to suspend electronic tax filing and computer companies
including Cisco Systems Inc. to Juniper Networks Inc. to provide patches
for their systems.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain
passwords and other basic data that are the building blocks of the
sophisticated hacking operations at the core of its mission, but at a
cost. Millions of ordinary users were left vulnerable to attack from
other nations' intelligence arms and criminal hackers.

Controversial Practice

"It flies in the face of the agency's comments that defense comes first,"
said Jason Healey, director of the cyber statecraft initiative at the
Atlantic Council and a former Air Force cyber officer. "They are going
to be completely shredded by the computer security community for this."

[snip]

The U.S. National Security Agency knew for at least two years about a flaw
in the way that many websites send sensitive information, now dubbed the
Heartbleed bug, and regularly used it to gather critical intelligence,
two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security
interests threatens to renew the rancorous debate over the role of the
government's top computer experts.

I call B.S. Do you have any idea how many thousands of impacted NSA
servers run by contractors hung out on the Internet with sensitive NSA
data? If you told me they used it against the targets of the day while
putting out the word to patch I could buy it, but intentionally
leaving a certain bodily extension hanging in the breeze in the hopes
of gaining more valuable data than they lose would have been an
unusually gutsy move.

These two unnamed sources are liars. Bet on it.

Regards,
Bill Herrin

* bill@herrin.us (William Herrin) [Fri 11 Apr 2014, 22:04 CEST]:

I call B.S. Do you have any idea how many thousands of impacted NSA
servers run by contractors hung out on the Internet with sensitive NSA
data? If you told me they used it against the targets of the day while
putting out the word to patch I could buy it, but intentionally
leaving a certain bodily extension hanging in the breeze in the hopes
of gaining more valuable data than they lose would have been an
unusually gutsy move.

Have you been paying attention at all?

Please go read up on some recent and less recent history before making judgments on what would be unusually gutsy for that group of people.

I'm not saying this has been happening but you will have to come up with a better defense than "it seems unlikely to me personally".

  -- Niels.

I wrote:

I'm not saying this has been happening ...

but here's the same news from a much more credible source:

   NSA Said to Have Used Heartbleed Bug, Exposing Consumers - Bloomberg

Still anonymously sourced but at least via people whose ability to vet sources you can usually trust.

  -- Niels.

hum. That was included in the original post...

  Stephen

Once upon a time, Niels Bakker <niels=nanog@bakker.net> said:

but here's the same news from a much more credible source:

Actually, that's the same news _from the same source_ as originally
posted.

That article also has other wonderful bits like:

   The Heartbleed flaw, introduced in early 2012 in a minor adjustment
   to the OpenSSL protocol, highlights one of the failings of open
   source software development.

   While many Internet companies rely on the free code, its integrity
   depends on a small number of underfunded researchers who devote their
   energies to the projects.

This is fairly typical big-business denigration of Open Source, ignoring
the fact that (a) closed source software doesn't get reviewed for things
like this, and (b) code like this isn't just written by "underfunded
researchers".

Red Hat (a billion-dollar company) got their package of OpenSSL through
FIPS certification.

Even the opening of the article:

   The U.S. National Security Agency knew for at least two years about a
   flaw in the way that many websites send sensitive information,

The flaw has only existed for two years and a couple of weeks (and how
many websites deployed a brand-new OpenSSL the day it came out?). So
unless the patch was authored by the NSA (which the patch author claims
is not the case), they'd have to have known about it before it existed.

I don't even fully buy the "two-thirds of the world's websites". I'm
not sure that 2/3 of the websites I visit even use SSL. Also, many
versions of "enterprise" OSes like Red Hat Enterprise Linux weren't
affected (RHEL 5 was not affected, and RHEL 6 was only affected starting
with 6.5 from last November). There are a lot of web servers that
aren't updated that often (or stay with more "stable" release trains).

"unusually gutsy" compared to what, EXACTLY?

  Sources: NSA sucks in data from 50 companies
  http://theweek.com/article/index/245311/sources-nsa-sucks-in-data-from-50-companies

  Report: NSA Circumvented Encryption
  http://www.bankinfosecurity.com/report-nsa-circumvented-encryption-a-6045

  [ That one is interesting, by the way. It's from September 6, 2013, and
  quotes reporting by the New York Times and Pro Publica the previous day.
  Here's an excerpt:

    Bruce Schneier, a widely followed cryptography expert,
    author and blogger, characterizes the revelation as
    explosive. "Basically, the NSA is able to decrypt most of
    the Internet," he writes in his blog. "They're doing it
    primarily by cheating, not by mathematics. ... Remember
    this: The math is good, but math has no agency. Code
    has agency, and the code has been subverted."

    According to the news report, some of NSA's most
    exhaustive efforts have concentrated on encryption widely
    used in the United States, including Secure Sockets
    Layer, virtual private networks and the protection used
    on fourth generation smart phones.

  Interesting that it mentions SSL, isn't it? ]

  NSA's pipe dream: Weakening crypto will only help the "good guys"
  http://arstechnica.com/security/2013/09/nsas-pipe-dream-weakening-crypto-will-only-help-the-good-guys/

  Exclusive: NSA infiltrated RSA security more deeply than thought
  http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331?feedType=RSS&feedName=topNews&utm_source=dlvr.it&utm_medium=twitter&dlvrit=992637

  NSA Aiming To Infect "Millions" Of Computers Worldwide With Its Malware; Targets Telco/ISP Systems Administrators
  http://www.techdirt.com/articles/20140312/07334826545/nsa-aiming-to-infect-millions-computers-worldwide-with-its-malware-targets-telcoisp-systems-administrators.shtml

  NSA hacker in residence dishes on how to "hunt" system admins
  http://arstechnica.com/security/2014/03/nsa-hacker-in-residence-dishes-on-how-to-hunt-system-admins/

Let me note in passing that the NSA is not the only intelligence agency
on this planet that has demonstrated both willingness and ability to
create and/or exploit large scale security breaches in order to acquire
information. Surely nobody thinks that folks in Moscow and London and
Berlin and Beijing were just sitting on their hands.

---rsk

Let me know when someone finds the second shooter on the grassy knoll.
As for me, I do have some first hand knowledge as to exactly how
sensitive several portions of the federal government are to the
security of the servers which hold their data. They may not hold YOUR
data in high regard... but the word "sensitive" does not do justice to
the attention lavished on THEIR servers' security.

In WW2 we protected the secret of having cracked enigma by
deliberately ignoring a lot of the knowledge we gained. So such things
have happened. But we didn't use enigma ourselves -- none of our
secrets were at risk. And our adversaries today have no secrets more
valuable than our own.

-Bill

You're assuming that the NSA is a single monolithic entity. IIRC, the
offense team and the defense team don't really talk much, and they
*certainly* have very different motivations. It wouldn't surprise me at all
if the offense got hold of a juicy bug, and since they're paid to capture
data, and knowing that they wouldn't get in trouble if the defense lost
data, their motivations to keep their little bug to themselves are entirely
understandable.

The interesting thing to me is that the article claims the NSA have been
using this for "over two years", but 1.0.1 (the first vulnerable version)
was only released on 14 Mar 2012. That means that either:

* The NSA put it in there (still a bridge too far for me to believe without
   further evidence, although I can certainly understand why people could
   believe it) and hence were using it from day 1;

* The NSA found it *amazingly* quickly (they're very good at what they do,
   but I don't believe they have superhuman talents); or

* The article has got at least one fact wrong, in which case it's entirely
   plausible they've got other things wrong, too.

- Matt

I would imagine that federal contractors have to adhere to FIPS 140-2 standards (or some similar requirement) for sensitive environments, and none of the affected OpenSSL versions were certified to any FIPS standard... the last version that WAS certified (0.9.8j) is only rated to Level 1, which, being the lowest possible rating, I suspect is not permitted for use by NSA contractors -- they're probably required to use level 3 or 4 for everything.

Hi Matt,

I assume only individual motivations, like CYA. Folks at the bottom
don't make bold decisions. A potentially career-making or
career-ending decision like this would have been kicked up the chain
until it reached someone who could, after consulting several other
folks to cover his own posterior, authorize the risk.

This and the high odds of a leak are how I know the NSA hasn't cracked
the prime factoring problem either. And anyone surprised by Snowden's
revelations either didn't read about or didn't understand Mark Klein's
2006 AT&T documents.

There are things that folks at the NSA could plausibly be doing.
Intentionally sitting on a massive security hole in their own systems
for two years isn't one of them.

Regards,
Bill Herrin

And their Level 3 to 4 accomplished what exactly?? They were owned the
same way they own others, from the inside.

You seriously think the NSA *isn't* watching the commits to security-relevant
open source? Remember - it was a bonehead bug, it's *not* unreasonable for
somebody who was auditing the code to spot it. Heck, there's a good chance that
automated tools could have spotted it.

Some of the time, sure. And some of the time they buy Red Hat Linux
off the shelf like everybody else. They have budgets too. They can't
do everything at the highest protection level. Or did you think they
were above and immune to the ordinary business realities of the 21st
century?

Regards,
Bill Herrin

I'm not sure if anyone of you has access to those automated tools, but I'd
be interested in learning if any of them do catch the bug.

Frank
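The "bonehead bug" referred to above is a missing length check: the heartbeat handler echoed back as many bytes as the peer's length field claimed, without comparing that figure to the size of the record actually received. The C model below is an added example, not code from OpenSSL or from anyone in this thread; the record layout, the `memory` array and the `secret` string are constructed stand-ins, `echo_unchecked` shows the defective pattern with the over-read kept inside one array so it is deterministic, and `echo_checked` shows the shape of the check the fix introduced.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a heartbeat-style record: 1 type byte, a 2-byte
 * big-endian payload length, then the payload. The "process memory" array
 * holds the record followed by unrelated bytes standing in for whatever
 * else happened to sit next to it on the heap. */
#define MEM_SIZE 64
static unsigned char memory[MEM_SIZE];
static const char secret[] = "SESSION-KEY-0xCAFE"; /* constructed stand-in */

/* Place a record in memory: declared_len is what the sender claims,
 * actual_payload (kept short so everything fits) is what they really sent.
 * Returns the number of bytes actually received. */
static size_t build_record(uint16_t declared_len, const char *actual_payload) {
    size_t n = strlen(actual_payload);
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                                  /* heartbeat request */
    memory[1] = (unsigned char)(declared_len >> 8);
    memory[2] = (unsigned char)(declared_len & 0xff);
    memcpy(memory + 3, actual_payload, n);
    memcpy(memory + 3 + n, secret, sizeof secret);  /* adjacent heap data */
    return 3 + n;
}

/* The defective pattern: echo back payload_len bytes because the peer said
 * so, never comparing it to the record's real size. Copies stay inside
 * `memory` here, so the over-read reads the neighbouring `secret` bytes. */
static size_t echo_unchecked(size_t record_len, unsigned char *out, size_t out_cap) {
    size_t payload_len = ((size_t)memory[1] << 8) | memory[2];
    (void)record_len;                               /* ignored: the defect */
    if (payload_len > out_cap) payload_len = out_cap;
    memcpy(out, memory + 3, payload_len);
    return payload_len;
}

/* Hardened form, mirroring the shape of the fix: drop any record whose
 * declared payload does not fit inside the bytes actually received. */
static size_t echo_checked(size_t record_len, unsigned char *out, size_t out_cap) {
    if (record_len < 3) return 0;
    size_t payload_len = ((size_t)memory[1] << 8) | memory[2];
    if (3 + payload_len > record_len || payload_len > out_cap) return 0;
    memcpy(out, memory + 3, payload_len);
    return payload_len;
}
```

A record that claims 30 payload bytes but carries 2 makes `echo_unchecked` return the two real bytes followed by the neighbouring `secret`, while `echo_checked` returns 0 and echoes nothing.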

I'd be interested in the other 0-days they have... ;-)

Matt Palmer wrote:

* The NSA found it *amazingly* quickly (they're very good at what they do,
  but I don't believe they have superhuman talents); or

It's quite plausible that they watch the changes in open-source projects
to find bugs. They could do nice diffs and everything.

It's quite plausible that they watch the changes in open-source
projects to find bugs. They could do nice diffs and everything.

the point of open source is that the community is supposed to be doing
this. we failed.

randy

Versus all of the closed source bugs that nobody can know of or do anything about?

Bugs are a fact of life. The best we can do is fix, learn and evolve.

Mike

the point of open source is that the community is supposed to be doing
this. we failed.

Versus all of the closed source bugs that nobody can know of or do
anything about?

for those you can blame the vendor. this one is owned by the community.
it falls on us to try to lower the probability of a next one by actively
auditing source as our civic duty.

randy