Fwd: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

Rich Kulawiec rsk at gsp.org
Fri Apr 11 19:30:39 UTC 2014


I'm not forwarding this to get into politics.  I'm forwarding it
because of the impact on operational security.  Given the recent "I hunt
sysadmins" leak, I think it's not unreasonable to suggest that everyone
on this list has probably been targeted because of their privileged
access to networks/servers/services/etc.

---rsk

----- Forwarded message from Richard Forno <rforno at infowarrior.org> -----

> Date: Fri, 11 Apr 2014 15:05:03 -0400
> From: Richard Forno <rforno at infowarrior.org>
> To: Infowarrior List <infowarrior at attrition.org>
> Subject: [Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years
> 
> NSA Said to Have Used Heartbleed Bug, Exposing Consumers
> 
> By Michael Riley Apr 11, 2014 2:58 PM ET
> 
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
> 
> The U.S. National Security Agency knew for at least two years about a flaw
> in the way that many websites send sensitive information, now dubbed the
> Heartbleed bug, and regularly used it to gather critical intelligence,
> two people familiar with the matter said.
> 
> The NSA's decision to keep the bug secret in pursuit of national security
> interests threatens to renew the rancorous debate over the role of the
> government's top computer experts.
> 
> Heartbleed appears to be one of the biggest glitches in the Internet's
> history, a flaw in the basic security of as many as two-thirds of the
> world's websites. Its discovery and the creation of a fix by researchers
> five days ago prompted consumers to change their passwords, the Canadian
> government to suspend electronic tax filing and computer companies
> including Cisco Systems Inc. to Juniper Networks Inc. to provide patches
> for their systems.
> 
> Putting the Heartbleed bug in its arsenal, the NSA was able to obtain
> passwords and other basic data that are the building blocks of the
> sophisticated hacking operations at the core of its mission, but at a
> cost. Millions of ordinary users were left vulnerable to attack from
> other nations' intelligence arms and criminal hackers.
> 
> Controversial Practice
> 
> "It flies in the face of the agency's comments that defense comes first,"
> said Jason Healey, director of the cyber statecraft initiative at the
> Atlantic Council and a former Air Force cyber officer. "They are going
> to be completely shredded by the computer security community for this."

[snip]



More information about the NANOG mailing list