CNET reports: Law enforcement officials from 19 countries joined forces over the last two days to take down nearly 100 alleged hackers. These purported hackers were said to be creating, selling, and using what the FBI calls a “particularly insidious” computer malware known as BlackShades.
Over the course of the operation, officials searched 359 houses and confiscated more than 1,100 data storage devices, such as computers, laptops, cell phones, routers, external hard drives, and USB memory sticks. Law enforcement also seized “substantial quantities” of cash, illegal firearms, and drugs, according to the European Union’s law enforcement agency Europol.
BlackShades is a type of malicious software that acts as a Remote Access Tool, or RAT — letting users remotely control a victim’s computer. Once a hacker installs BlackShades onto a victim’s computer, they can see anything on the computer, such as documents, photographs, passwords, banking credentials, and more. They can also deny access to files, record victims’ keystrokes, and activate the computer’s webcam.
One case of BlackShades use documented by Europol involved an 18-year-old man from the Netherlands who allegedly infected roughly 2,000 computers to take photos of women and girls who were using the machines.
Since 2010, BlackShades has been distributed and sold to thousands of people worldwide in more than 100 countries and used to infect more than half a million computers, according to the FBI. Certain versions of the malware can be bought for as little as $40. [Continue reading…]
Snowden fallout still echoes across cyber industry
Reuters reports: Revelations by former NSA contractor Edward Snowden changed lives in the cyber community, from slowdowns in obtaining high-level security clearances to providing material for a “really good comedy routine.”
Experts at the Reuters Cybersecurity Summit this week were asked how Snowden, now living under asylum in Russia after exposing the National Security Agency’s phone and Internet spying programs in 2013, altered their worlds.
The creation of a mini “Snowden industry” is one of them.
“I give a lot more speeches,” said Michael Hayden, the former NSA and CIA director. “It has allowed someone of my background to comment on issues of national importance.”
The website of Leading Authorities, the speakers’ bureau that represents Hayden, shows the retired four-star general can command $20,000 to as much as $75,000 for a speech.
“It’s made my life busier,” deadpanned Robert Anderson, who steered the Snowden investigation as the FBI’s assistant director of counterintelligence. “What it has done for me is to very much broaden the way I look at an issue.”
Christopher Soghoian, principal technologist with the American Civil Liberties Union, lauded the spotlight that Snowden’s disclosures shone. [Continue reading…]
Who watches the watchers? Big Data goes unchecked
Politico reports: The National Security Agency might be tracking your phone calls. But private industry is prying far more deeply into your life.
Commercial data brokers know if you have diabetes. Your electric company can see what time you come home at night. And tracking companies can tell where you go on weekends by snapping photos of your car’s license plate and cataloging your movements.
Private companies already collect, mine and sell as many as 75,000 individual data points on each consumer, according to a Senate report. And they’re poised to scoop up volumes more, as technology unleashes a huge wave of connected devices — from sneaker insoles to baby onesies to cars and refrigerators — that quietly track, log and analyze our every move.
Congress and the administration have moved to rein in the National Security Agency in the year since Edward Snowden disclosed widespread government spying. But Washington has largely given private-sector data collection a free pass. The result: a widening gap in oversight as private data mining races ahead. Companies are able to scoop up ever more information — and exploit it with ever greater sophistication — yet a POLITICO review has found deep reluctance in D.C. to exercise legislative, regulatory or executive power to curb the big business of corporate cybersnooping.
The inertia — and lack of a serious legislative push — on private-sector data mining has several causes. Many Republicans are averse to any new regulation of business. Many Democrats are skittish about alienating campaign donors in Silicon Valley. [Continue reading…]
Ukraine crisis proves cyber conflict is a reality of modern warfare
Jarno Limnéll writes: A hundred years ago, World War I moved warfare into the skies. Today no nation regards its security as complete without an air force, and no serious future conflict will lack a cyber aspect, either.
Russia and Ukraine apparently traded cyber attacks during the referendum on Crimea. Media reports indicate NATO and Ukrainian media websites suffered DDoS (denial of service) assaults during the vote, and that servers in Moscow took apparently retaliatory – and bigger – strikes afterward.
Observers tend to miss, though, that these are relatively modest skirmishes in cyber space. They routinely break out among competing states, even without concurrent political or military hostilities. Angling to hobble an opponent’s web resources by clogging networks with junk traffic? Another day at the office.
I see three distinct levels or “rings” to contemporary cyber conflicts. Only the first is clearly apparent in the Ukraine crisis. Full-blown cyber war is not yet occurring. The prospect of escalation, however, is real and worrisome. The West should watch carefully, because developments in Ukraine offer a model for contemporary conflicts worldwide – which will henceforth have integral cyber elements for all but the least developed nations.
By observing Ukraine we can deduce not only the capabilities of cyber weapons, but the goals and policies behind their use. [Continue reading…]
Israel won’t stop spying on the U.S.
Jeff Stein reports: Whatever happened to honor among thieves? When the National Security Agency was caught eavesdropping on German Chancellor Angela Merkel’s cell phone, it was considered a rude way to treat a friend. Now U.S. intelligence officials are saying—albeit very quietly, behind closed doors on Capitol Hill—that our Israeli “friends” have gone too far with their spying operations here.
According to classified briefings on legislation that would lower visa restrictions on Israeli citizens, Jerusalem’s efforts to steal U.S. secrets under the cover of trade missions and joint defense technology contracts have “crossed red lines.”
Israel’s espionage activities in America are unrivaled and unseemly, counterspies have told members of the House Judiciary and Foreign Affairs committees, going far beyond activities by other close allies, such as Germany, France, the U.K. and Japan. A congressional staffer familiar with a briefing last January called the testimony “very sobering…alarming…even terrifying.” Another staffer called it “damaging.”
The Jewish state’s primary target: America’s industrial and technical secrets.
“No other country close to the United States continues to cross the line on espionage like the Israelis do,” said a former congressional staffer who attended another classified briefing in late 2013, one of several in recent months given by officials from the Department of Homeland Security (DHS), the State Department, the FBI and the National Counterintelligence Directorate. [Continue reading…]
Emails reveal close Google relationship with NSA
Jason Leopold reports: Email exchanges between National Security Agency Director Gen. Keith Alexander and Google executives Sergey Brin and Eric Schmidt suggest a far cozier working relationship between some tech firms and the U.S. government than was implied by Silicon Valley brass after last year’s revelations about NSA spying.
Disclosures by former NSA contractor Edward Snowden about the agency’s vast capability for spying on Americans’ electronic communications prompted a number of tech executives whose firms cooperated with the government to insist they had done so only when compelled by a court of law.
But Al Jazeera has obtained two sets of email communications dating from a year before Snowden became a household name that suggest not all cooperation was under pressure.
On the morning of June 28, 2012, an email from Alexander invited Schmidt to attend a four-hour-long “classified threat briefing” on Aug. 8 at a “secure facility in proximity to the San Jose, CA airport.”
“The meeting discussion will be topic-specific, and decision-oriented, with a focus on Mobility Threats and Security,” Alexander wrote in the email, obtained under a Freedom of Information Act (FOIA) request, the first of dozens of communications between the NSA chief and Silicon Valley executives that the agency plans to turn over.
Alexander, Schmidt and other industry executives met earlier in the month, according to the email. But Alexander wanted another meeting with Schmidt and “a small group of CEOs” later that summer because the government needed Silicon Valley’s help.
“About six months ago, we began focusing on the security of mobility devices,” Alexander wrote. “A group (primarily Google, Apple and Microsoft) recently came to agreement on a set of core security principles. When we reach this point in our projects we schedule a classified briefing for the CEOs of key companies to provide them a brief on the specific threats we believe can be mitigated and to seek their commitment for their organization to move ahead … Google’s participation in refinement, engineering and deployment of the solutions will be essential.”
Jennifer Granick, director of civil liberties at Stanford Law School’s Center for Internet and Society, said she believes information sharing between industry and the government is “absolutely essential” but “at the same time, there is some risk to user privacy and to user security from the way the vulnerability disclosure is done.” [Continue reading…]
One of the most corrosive effects of the revelations about the NSA’s exploitation of information security flaws is that this has created a perception that any kind of interaction between the NSA and Silicon Valley should be viewed with suspicion. In reality, information security would be undermined if the NSA wasn’t talking to the tech companies. The real problem comes when the NSA applies a definition of national security interests that conflicts with public interests.
FBI keeps internet flaws secret to defend against hackers
Bloomberg reports: The Obama administration is letting law enforcement keep computer-security flaws secret in order to further U.S. investigations of cyberspies and hackers.
The White House has carved out an exception for the Federal Bureau of Investigation and other agencies to keep information about software vulnerabilities from manufacturers and the public. Until now, most debate has focused on how the National Security Agency stockpiles and uses new-found Internet weaknesses, known as zero-day exploits, for offensive purposes, such as attacking the networks of adversaries.
The law enforcement operations expose a delicate and complicated balancing act when it comes to agencies using serious security flaws in investigations versus disclosing them to protect all Internet users, according to former government officials and privacy advocates. [Continue reading…]
Stop using Microsoft’s IE browser until bug is fixed, U.S. and U.K. warn
If you don’t already use Firefox, it’s probably time to install it.
CNET reports: It’s not often that the US or UK governments weigh in on the browser wars, but a new Internet Explorer vulnerability — one that affects all major versions of the browser from the past decade — has forced them to raise an alarm: Stop using IE.
The zero-day exploit, the term given to a previously unknown, unpatched flaw, allows attackers to install malware on your computer without your permission. That malware could be used to steal personal data, track online behavior, or gain control of the computer. Security firm FireEye, which discovered the bug, said that the flaw is being used with a known Flash-based exploit technique to attack financial and defense organizations in the US via Internet Explorer 9, 10, and 11. Those versions of the browser run on Microsoft’s Windows Vista, Windows 7, and Windows 8, although the exploit is present in Internet Explorer 6 and above.
While the Computer Emergency Readiness Team in England and the US regularly issue browser advisories, this is one of the few times that the CERT team has recommended that people avoid using a specific browser. [Continue reading…]
Two major threats to the internet: The U.S. government and the Russian government
Ars Technica: Hector Xavier Monsegur, the hacker known as “Sabu,” became a confidential FBI informant following his 2011 arrest. But he continued to direct other hackers to attack more than 2,000 Internet domains in 2012, including sites operated by the Iranian, Syrian, and Brazilian governments.
Based on documents obtained by the New York Times, those attacks were carried out with the knowledge of the FBI agents supervising Monsegur. The Times report suggests that the data obtained in the attacks—including information on Syrian government sites—was passed to US intelligence agencies by the FBI.
Russian President Vladimir Putin clearly wants to exploit the climate of distrust that has been generated by the NSA and other branches of the U.S. government that have undermined internet security and sees in this the opportunity to push for a Russian internet — one in which the Russian government can exercise greater control over social media.
Vesti.ru reports (translation):
“The Internet emerged as a special project of the CIA USA, and continues to be developed as such,” said Putin [at the conference Mediaforum in St. Petersburg today]. Moreover, the president noted that the national search engine Yandex and the social network VKontakte are trying to develop business, mathematical and informational programming in Russia. “Our companies didn’t have resources free for such capital investments, but now they have appeared,” said the head of state. Putin expressed the hope that the Russian Internet would develop rather intensively and rapidly and will secure the interests of the Russian Federation.
Meanwhile, ITAR-TASS reports:
Russia’s popular bloggers will now have to brace for considerable restrictions of their rights. The State Duma has just adopted a law introducing new rules they will have to abide by. The document incorporates a package of bills for effective struggle against terrorism and extremism. Earlier, the bill drew a mixed response from society, including sharp criticism from human rights activists.
The law introduces a new term: “Internet user called blogger.” Bloggers will be obliged to declare their family name and initials and e-mail address. Those authors whose personal website or page in social networks has 3,000 visitors or more a day must have themselves registered on a special list and abide by restrictions applicable to the mass media. In other words, registration requires the blogger should check the authenticity of published information and also mention age restrictions for users. Also, bloggers will have to follow mass media laws concerning electioneering, resistance to extremism and the publication of information about people’s private lives. An abuse of these requirements will be punishable with a fine of 10,000 to 30,000 roubles (roughly 300 dollars to 1,000 dollars) for individuals and 300,000 roubles (10,000 roubles) for legal entities. A second violation will be punishable with the website’s suspension for one month.
The Russian investigative journalists Andrei Soldatov and Irina Borogan write:
The NSA scandal made a perfect excuse for the Russian authorities to launch a campaign to bring global web platforms such as Gmail and Facebook under Russian law—either requiring them to be accessible in Russia by the domain extension .ru, or obliging them to be hosted on Russian territory. Under Russian control, these companies and their Russian users could protect their data from U.S. government surveillance and, most importantly, be completely transparent for Russian secret services.
Russia wants to shift supervision and control of the Internet from global companies to local or national authorities, allowing the FSB more authority and latitude to thwart penetration from outside. At December’s International Telecommunications Union (ITU) conference in Dubai, Moscow tried to win over other countries to its plan for a new system of control. The key to the project is to hand off the functions of managing distribution of domain names/IP-addresses from the U.S.-based organization ICANN to an international organization such as the ITU, where Russia can play a central role. Russia also proposed limiting the right of access to the Internet in such cases where “telecommunication services are used for the purpose of interfering in the internal affairs or undermining the sovereignty, national security, territorial integrity, and public safety of other states, or to divulge information of a sensitive nature.” Some 89 countries voted for the Russian proposals, but not the United States, United Kingdom, Western Europe, Australia, or Canada. The result is a stalemate.
Web services would be required to build backdoors for the Russian secret services to access what’s stored there. Prominent Russian MP Sergei Zheleznyak, a member of the ruling United Russia party, has called on Russia to reclaim its “digital sovereignty” and wean its citizens off foreign websites. He said he would introduce legislation this fall to create a “national server,” which analysts say would require foreign websites to register on Russian territory, thus giving the Kremlin’s own security services the access they have long been seeking. Of course, building such a national system would defeat the global value of the Internet.
Shane Harris writes:
When U.S. officials warn of the threat foreign cyber spies pose to American companies and government agencies, they usually focus on China, which has long been home to the world’s most relentless and aggressive hackers. But new information shows that Russian and Eastern European hackers, who have historically focused their energies on crime and fraud, now account for a large and growing percentage of all cyber espionage, most of which is directed at the United States.
Individuals and groups in Eastern Europe, and particularly in Russia and Russian-speaking countries, are responsible for a fifth of all cyber spying incidents in the world, according to a global study of data breaches conducted by Verizon, published this week. The spies are targeting a range of companies as varied as the global economy itself, and are stealing manufacturing designs, proprietary technology and confidential business plans. The cyber spies steal information on behalf of their governments in order to manufacture cheaper versions of technologies or weapons systems, or to give their home country’s corporations a leg up on their foreign competitors.
As we sweat government surveillance, companies like Google collect our data
Dan Gillmor writes: As security expert Bruce Schneier (a friend) has archly observed, “Surveillance is the business model of the internet.” I don’t expect this to change unless and until external realities force a change – and I’m not holding my breath.
Instead, the depressing news just seems to be getting worse. Google confirmed this week what many people had assumed: even if you’re not a Gmail user, your email to someone who does use their services will be scanned by the all-seeing search and the advertising company’s increasingly smart machines. The company updated their terms of service to read:
Our automated systems analyze your content (including e-mails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.
My system doesn’t do this to your email when you send me a message. I pay a web-hosting company that keeps my email on a server that isn’t optimized for data collection and analysis. I would use Gmail for my email, if Google would let me pay for service that didn’t “analyze (my) content” apart from filtering out spam and malware. Google doesn’t offer that option, as far as I can tell, and that’s a shame – if not, given its clout, a small scandal. [Continue reading…]
The U.S. government: Paying to undermine internet security, not to fix it
By Julia Angwin, ProPublica, April 15, 2014
The Heartbleed computer security bug is many things: a catastrophic tech failure, an open invitation to criminal hackers and yet another reason to upgrade our passwords on dozens of websites. But more than anything else, Heartbleed reveals our neglect of Internet security.
The United States spends more than $50 billion a year on spying and intelligence, while the folks who build important defense software — in this case a program called OpenSSL that ensures that your connection to a website is encrypted — are four core programmers, only one of whom calls it a full-time job.
In a typical year, the foundation that supports OpenSSL receives just $2,000 in donations. The programmers have to rely on consulting gigs to pay for their work. “There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work,” says Steve Marquess, who raises money for the project.
Is it any wonder that this Heartbleed bug slipped through the cracks?
It’s time to encrypt the entire internet
Wired reports: The Heartbleed bug crushed our faith in the secure web, but a world without the encryption software that Heartbleed exploited would be even worse. In fact, it’s time for the web to take a good hard look at a new idea: encryption everywhere.
Most major websites use either the SSL or TLS protocol to protect your password or credit card information as it travels between your browser and their servers. Whenever you see that a site is using HTTPS, as opposed to HTTP, you know that SSL/TLS is being used. But only a few sites — like Facebook and Gmail — actually use HTTPS to protect all of their traffic as opposed to just passwords and payment details.
Many security experts — including Google’s in-house search guru, Matt Cutts — think it’s time to bring this style of encryption to the entire web. That means secure connections to everything from your bank site to Wired.com to the online menu at your local pizza parlor.
Cutts runs Google’s web spam team. He helps the company tweak its search engine algorithms to prioritize certain sites over others. For example, the search engine prioritizes sites that load quickly, and penalizes sites that copy — or “scrape” — text from others.
If Cutts had his way, Google would prioritize sites that use HTTPS over those that don’t, he told blogger Barry Schwartz at a conference earlier this year. The change, if it were ever implemented, would likely spur an HTTPS stampede as web sites competed for better search rankings. [Continue reading…]
How Heartbleed broke the internet — and why it can happen again
Wired reports: Stephen Henson is responsible for the tiny piece of software code that rocked the internet earlier this week.
The key moment arrived at about 11 o’clock on New Year’s Eve, 2011. With 2012 just minutes away, Henson received the code from Robin Seggelmann, a respected academic who’s an expert in internet protocols. Henson reviewed the code — an update for a critical internet security protocol called OpenSSL — and by the time his fellow Britons were ringing in the New Year, he had added it to a software repository used by sites across the web.
Two years would pass until the rest of the world discovered this, but this tiny piece of code contained a bug that would cause massive headaches for internet companies worldwide, give conspiracy theorists a field day, and, well, undermine our trust in the internet. The bug is called Heartbleed, and it’s bad. People have used it to steal passwords and usernames from Yahoo. It could let a criminal slip into your online bank account. And in theory, it could even help the NSA or China with their surveillance efforts.
It’s no surprise that a small bug would cause such huge problems. What’s amazing, however, is that the code that contained this bug was written by a team of four coders that has only one person contributing to it full-time. And yet Henson’s situation isn’t an unusual one. It points to a much larger problem with the design of the internet. Some of its most important pieces are controlled by just a handful of people, many of whom aren’t paid well — or aren’t paid at all. And that needs to change. Heartbleed has shown — so very clearly — that we must add more oversight to the internet’s underlying infrastructure. We need a dedicated and well-funded engineering task force overseeing not just online encryption but many other parts of the net.
The sad truth is that open source software — which underpins vast swathes of the net — has a serious sustainability problem. [Continue reading…]
NSA pretends it can increase national security while diminishing internet security
The New York Times reports: Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.
But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.
But elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers. [Continue reading…]
New evidence that the NSA poses a major threat to global security
When it comes to intelligence officials, past or present, it seems much safer to assume that they are not acting in national interests than to assume otherwise. It doesn’t matter which nation or which agency: the business of intelligence is deception.
There is an inherent conflict between the declared need of such agencies to operate in secrecy and the need to provide those operations with the oversight they require in order to prevent the abuse of power.
After the latest revelations about the CIA’s torture programs and NSA operations which undermine the security of the internet, are we not already far past the point where it must be faced that the U.S. intelligence community has systemic flaws? These should not just be patched over. It’s time to ask fundamental questions about the function of the intelligence agencies.
Bloomberg reports: The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.
Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.” [Continue reading…]
Update — DNI states: NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.
The problem for the DNI, NSA, CIA, and the rest of the intelligence community is that they can’t restore trust simply by issuing statements or through cosmetic reform. It’s no good saying “we wouldn’t do something like that” when we already know they have.
How to stop the next Heartbleed bug: Pay open-source coders to protect us
Dan Gillmor writes: Yes, it is beyond worrisome that a bug this big existed for so long. But the discovery of Heartbleed – a truly mind-boggling flaw in OpenSSL, the widely used web security technology run on open-source code – led to one of the most rapid responses I’ve ever seen in the encryption world.
We’re not nearly finished repairing this gaping hole in our online safety, with potentially hundreds of thousands of email accounts and sites relying on a secure connection exposed to Heartbleed. And, yes, the National Security Agency probably knew about it before you did. But still, thousands of sites have moved quickly to mitigate at least some of the immediate damage.
So why is everyone pointing fingers at the beleaguered developers of OpenSSL? Because someone should have found this programming error two years ago? Sure, but don’t blame this tiny team of volunteers; go change your password (but only if your favorite sites have been updated). These aren’t just some lazy coders letting your bank account login leak into the online slipstream; they’re heroes, who have worked tirelessly during the past few years on software that can be freely downloaded and modified, that brings online safety, at a low cost, to all of us. And, seriously, there are only like 17 of them.
The last thing we want to do, as some fear-mongers have suggested this week amidst ‘the worst thing to happen to the internet’, is turn over our communications infrastructure from open-source software to for-profit companies that want to extract cash from the ecosystem. The more eyes we have on open programming instructions, the more likely someone will find a bug. [Continue reading…]
Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass
The Washington Post reports: A major flaw revealed this week in widely used encryption software has highlighted one of the enduring — and terrifying — realities of the Internet: It is inherently chaotic, built by multitudes and continuously tweaked, with nobody in charge of it all.
The Heartbleed bug, which security experts first publicly revealed on Monday, was a product of the online world’s makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the Internet, nearly all of those companies rely on free software — often built and maintained by volunteers — to help make those services secure.
Heartbleed, security experts say, was lodged in a section of code that had been approved two years ago by a developer that helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.
While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolizes online encryption.
“This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union.
The group that was actually dealing with it consisted of fewer than a dozen encryption enthusiasts sprawled across four continents. Many have never met each other in person. Their headquarters — to the extent one exists at all — is a sprawling home office outside Frederick, Md., on the shoulders of Sugarloaf Mountain, where a single employee lives and works amid racks of servers and an industrial-grade Internet connection. [Continue reading…]
NSA infiltrated RSA security more deeply than thought
Reuters reports: Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency’s ability to eavesdrop on some Internet communications, according to a team of academic researchers.
Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw – or “back door” – that allowed the NSA to crack the encryption.
A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software’s vulnerability.
The professors found that the tool, known as the “Extended Random” extension for secure websites, could help crack a version of RSA’s Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters. [Continue reading…]