(Source: The Daily Banter)
Bloomberg claims that the NSA actively exploited flaw in OpenSSL, in stunning act of global cyberterrorism

Last week the public was awakened to the fact that around 500,000 websites -- including websites in the financial and banking sectors -- were vulnerable to a flaw in the internet cryptography standard OpenSSL.  Now the first evidence has been put forth to corroborate claims that the U.S. National Security Agency (NSA) exploited the bug in a cyberterrorist effort to steal personal financial data of global leaders, a claim that the agency staunchly denies.

I. Was the NSA Sipping Off the World's Heartbleed?

The flaw was introduced in 2012 due to an apparently innocent program oversight from a German developer (Robin Seggelmann) of the standard and existed in the wild ever since.  The flaw affected the heartbeat feature of OpenSSL, which allowed banks and other sensitive portals to automatically log off users that were inactive.

Given its ties to the heartbeat feature, security professionals nicknamed the flaw "Heartbleed", a title that excited the media and quickly stuck.

[Image Source: Surfeasy]

The good news is that the majority of the cybercrime community appeared unaware of the flaw (albeit unsurprised by it).  OpenSSL and private corporations were able to quickly and quietly fix the flaw in most large banking portals before it went public.  The bad news is that some smaller local banks are still struggling to fix the flaw, even as it threatens to reveal customers passwords and cryptography keys via allowing hackers to illicitly "peek" at  64 KB chunks of the unencrypted heap of the OpenSSL server.


Heartbleed affected roughly 18 percent of sites using OpenSSL, or roughly 500,000 websites.
[Image Source: Netcraft]

The other bad new quickly emerged last week when Bloomberg reported:

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA subsequently issued a swift denial, commenting:

NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report.  Reports that say otherwise are wrong.

And The White House National Security Council spokesperson Caitlin Hayden commented to reporters:

If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

Now the question becomes who is lying here -- the Obama adminsitration -- or Bloomberg's sources.

II. Who's Telling the Truth?  A Look at What We Know

If the Obama administration and NSA officials are being untruthful, it will paint a compelling picture that they've gone fully rogue (if that picture hasn't been already painted by the NSA effectively admitting to spying on Congress) and represent a clear and present danger to national security and America's economy as a whole.

If Bloomberg's sources are mistaken, the claims could still generate some much-needed discussion about the NSA's well-documented practice of stockpiling security flaws in various open source and closed source products, including products by companies like Microsoft Corp. (MSFT), Apple, Inc. (AAPL), Google, Inc. (GOOG), and Yahoo! Inc. (YHOO).  At the same time if Bloomberg's report is truly erroneous it also may damage the scrutiny effort against the NSA, a la the "boy who crited wolf" of folk lore.

What we do know at this point is that the NSA clearly claimed to have some way of bypassing OpenSSL security, explicitly pointing to the ability to spy on bankportals.  "Operation BULLRUN" is part of the PRISM program.

This NSA/GCHQ slide references the ability to "exploit" "common internet encryption" technologies, as well as to target them with traditional hardware-accelerated decryption efforts.
[Image Source: NSA/GCHQ via the Guardian]

That detail was published way back in Sept. 2013 by The Guardian, the UK newspaper that former NSA contractor Edward Joseph Snowden has been leaking information to.  The anti-encryption program reportedly consumed as much as $250M USD of the U.S. spying budget annually, and was assisted by similar expenditures by the NSA's UK sister agency, the Government Communications Headquarters (GCHQ).  

The name BULLRUN is a clear reference to the first and second Battle of Bull Run, pivotal battles waged during the U.S. Civil War.  The GCHQ's effort was nicknamed "Edgehill", a similar reference to the First English Civil War.

BULLRUN breaking encryption
The NSA's goal wasn't merely to crack encryption with hardware power, but to find flaws to allow it to be directly "broken" in a cheap and rapid fashion. [Image Source: GCHQ via The Guardian]

BULLRUN's slides state that the effort gives the NSA and GCHQ great capabilities, writing:

Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive.

The NSA and GCHQ would reportedly "leverage sensitive, co-operative relationships with specific industry partners" to plant flaws in their cryptography implementations or backdoors in certain common software.

To date the only alleged example of such an effort we've heard of is RSA Software's BSAFE program and its its 
Dual EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) algorithm.  Dual EC_DRBG formed a key part of the OpenSSL's FIPS-compliant implementation (specifically used for public key generation).  Reportedly, the NSA paid RSA $10M USD to plant a flaw in the dual elliptical curve-based random number generation, which made it easy to guess at the generated values for users, essentially making their keys insecure.

In that case the RSA vigorously denied accepting NSA money to plant flaws, while acknowledging that such a flaw did exist, and that it had popped up while the RSA was being funded by the NSA to develop the algorithm.  The NSA was more coy, stopping short of directly denying its hand in planting the flaw.  RSA subsequently told customers to stop using Dual EC_DRBG, but the experience opened eyes about the extent the NSA and GCHQ would go to to spy on everyone.  

The question -- which is highlighted now -- is that aside from Dual EC_DRBG, what other vulnerabilities did the NSA have up its sleeve, and did it introduce those vulnerabilities itself, or discover them after the fact.

III. If the NSA is Lying, This is a Big Deal

BULLRUN's slides give little in the way of how the NSA and GCHQ were (supposedly) compromising standards like OpenSSL and they make it clear that they want it to stay that way.  One slide explicitly states:

Do not ask about or speculate on the sources or methods underpinning BULLRUN sucesses.
BULLRUN don't ask don't tell
The 1st rule of BULLRUN is you don't talk about BULLRUN. [Image Source: GCHQ via The Guardian]

According to the Electronic Frontier Foundation, a civil liberties advocacy, someone was launching Heartbleed attacks last year using IRC botnets.
It's already known that the NSA used hijacked IRC botnets that perhaps began as cybercriminal tools, but were subsequently commandeered by the more powerful NSA.  The NSA dubbed that effort "QUANTUMBOT".


The question, as the EFF says, is whether the botnets doing these attacks were NSA driven.  It certainly seems likely that they were, but it's not 100 percent proven yet.

Still, the EFF report is very, very important as it offers the first direct evidence that Bloomberg's sources may be true, and the NSA may be trying to wipe its hands clean.

Botnet attack
The EFF says that IRC botnets -- the kind the NSA operates -- were actively exploiting the Heartbleed flaw last year. [Image Source: The Finest Daily]

Assuming, for a second that the Bloomberg report is accurate, commentary from both that report's sources and the EFF indicates that the bug is believed to have been accidentally introduced.  It is not believed to have paid off the Danish coder who introduced it.  Rather, like many zero day exploits in the NSA's arsenal, Heartbleed was allegedly discovered by the agency after the fact, a key victory for the NSA's legion of tireless bug hunters.  

If correct, the report indicates that the NSA discovered the flaw in 2012 and did not disclose it to the OpenSSL project, instead actively exploiting it for the last two years.  And that is a bombshell, if true.

Again, Dual EC_DRBG sabotage was disturbing, but not really that big a deal as it did not touch many websites that U.S. consumers used on a daily basis, and at worst did minor damage to national security.  In the case of Heartbleed, the claim is far more damning as it indicates the NSA engaging in serious attacks on Americans and representing a threat to the national security of the financial sector.

Mobile Banking
The NSA allegedly has pulled off the biggest terrorist attack in history on the global financial sector. [Image Source:]

In other words, if the Heartbleed flaw was being actively exploited as part of BULLRUN/EDGEHILL, the NSA has committed the greatest terrorist act against America's financial sector in its history.

The key word there is "if".  

In coming weeks hopefully we'll gain the information to gain insight into the accuracy of these claims.  In the end, this discussion brings to bare how critical it is for the NSA to abandon its vulnerability stockpiling and exploitation tactics, something the Obama administration has thus far flatly refused to do.

Sources: EFF, The Guardian, Bloomberg

"Can anyone tell me what MobileMe is supposed to do?... So why the f*** doesn't it do that?" -- Steve Jobs

Copyright 2017 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki