Print 12 comment(s) - last by ptmmac.. on Apr 16 at 1:41 PM

  (Source: The Daily Banter)
Bloomberg claims that the NSA actively exploited flaw in OpenSSL, in stunning act of global cyberterrorism

Last week the public was awakened to the fact that around 500,000 websites -- including websites in the financial and banking sectors -- were vulnerable to a flaw in the internet cryptography standard OpenSSL.  Now the first evidence has been put forth to corroborate claims that the U.S. National Security Agency (NSA) exploited the bug in a cyberterrorist effort to steal personal financial data of global leaders, a claim that the agency staunchly denies.

I. Was the NSA Sipping Off the World's Heartbleed?

The flaw was introduced in 2012 due to an apparently innocent program oversight from a German developer (Robin Seggelmann) of the standard and existed in the wild ever since.  The flaw affected the heartbeat feature of OpenSSL, which allowed banks and other sensitive portals to automatically log off users that were inactive.

Given its ties to the heartbeat feature, security professionals nicknamed the flaw "Heartbleed", a title that excited the media and quickly stuck.

[Image Source: Surfeasy]

The good news is that the majority of the cybercrime community appeared unaware of the flaw (albeit unsurprised by it).  OpenSSL and private corporations were able to quickly and quietly fix the flaw in most large banking portals before it went public.  The bad news is that some smaller local banks are still struggling to fix the flaw, even as it threatens to reveal customers passwords and cryptography keys via allowing hackers to illicitly "peek" at  64 KB chunks of the unencrypted heap of the OpenSSL server.


Heartbleed affected roughly 18 percent of sites using OpenSSL, or roughly 500,000 websites.
[Image Source: Netcraft]

The other bad new quickly emerged last week when Bloomberg reported:

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA subsequently issued a swift denial, commenting:

NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report.  Reports that say otherwise are wrong.

And The White House National Security Council spokesperson Caitlin Hayden commented to reporters:

If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

Now the question becomes who is lying here -- the Obama adminsitration -- or Bloomberg's sources.

II. Who's Telling the Truth?  A Look at What We Know

If the Obama administration and NSA officials are being untruthful, it will paint a compelling picture that they've gone fully rogue (if that picture hasn't been already painted by the NSA effectively admitting to spying on Congress) and represent a clear and present danger to national security and America's economy as a whole.

If Bloomberg's sources are mistaken, the claims could still generate some much-needed discussion about the NSA's well-documented practice of stockpiling security flaws in various open source and closed source products, including products by companies like Microsoft Corp. (MSFT), Apple, Inc. (AAPL), Google, Inc. (GOOG), and Yahoo! Inc. (YHOO).  At the same time if Bloomberg's report is truly erroneous it also may damage the scrutiny effort against the NSA, a la the "boy who crited wolf" of folk lore.

What we do know at this point is that the NSA clearly claimed to have some way of bypassing OpenSSL security, explicitly pointing to the ability to spy on bankportals.  "Operation BULLRUN" is part of the PRISM program.

This NSA/GCHQ slide references the ability to "exploit" "common internet encryption" technologies, as well as to target them with traditional hardware-accelerated decryption efforts.
[Image Source: NSA/GCHQ via the Guardian]

That detail was published way back in Sept. 2013 by The Guardian, the UK newspaper that former NSA contractor Edward Joseph Snowden has been leaking information to.  The anti-encryption program reportedly consumed as much as $250M USD of the U.S. spying budget annually, and was assisted by similar expenditures by the NSA's UK sister agency, the Government Communications Headquarters (GCHQ).  

The name BULLRUN is a clear reference to the first and second Battle of Bull Run, pivotal battles waged during the U.S. Civil War.  The GCHQ's effort was nicknamed "Edgehill", a similar reference to the First English Civil War.

BULLRUN breaking encryption
The NSA's goal wasn't merely to crack encryption with hardware power, but to find flaws to allow it to be directly "broken" in a cheap and rapid fashion. [Image Source: GCHQ via The Guardian]

BULLRUN's slides state that the effort gives the NSA and GCHQ great capabilities, writing:

Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive.

The NSA and GCHQ would reportedly "leverage sensitive, co-operative relationships with specific industry partners" to plant flaws in their cryptography implementations or backdoors in certain common software.

To date the only alleged example of such an effort we've heard of is RSA Software's BSAFE program and its its 
Dual EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) algorithm.  Dual EC_DRBG formed a key part of the OpenSSL's FIPS-compliant implementation (specifically used for public key generation).  Reportedly, the NSA paid RSA $10M USD to plant a flaw in the dual elliptical curve-based random number generation, which made it easy to guess at the generated values for users, essentially making their keys insecure.

In that case the RSA vigorously denied accepting NSA money to plant flaws, while acknowledging that such a flaw did exist, and that it had popped up while the RSA was being funded by the NSA to develop the algorithm.  The NSA was more coy, stopping short of directly denying its hand in planting the flaw.  RSA subsequently told customers to stop using Dual EC_DRBG, but the experience opened eyes about the extent the NSA and GCHQ would go to to spy on everyone.  

The question -- which is highlighted now -- is that aside from Dual EC_DRBG, what other vulnerabilities did the NSA have up its sleeve, and did it introduce those vulnerabilities itself, or discover them after the fact.

III. If the NSA is Lying, This is a Big Deal

BULLRUN's slides give little in the way of how the NSA and GCHQ were (supposedly) compromising standards like OpenSSL and they make it clear that they want it to stay that way.  One slide explicitly states:

Do not ask about or speculate on the sources or methods underpinning BULLRUN sucesses.
BULLRUN don't ask don't tell
The 1st rule of BULLRUN is you don't talk about BULLRUN. [Image Source: GCHQ via The Guardian]

According to the Electronic Frontier Foundation, a civil liberties advocacy, someone was launching Heartbleed attacks last year using IRC botnets.
It's already known that the NSA used hijacked IRC botnets that perhaps began as cybercriminal tools, but were subsequently commandeered by the more powerful NSA.  The NSA dubbed that effort "QUANTUMBOT".


The question, as the EFF says, is whether the botnets doing these attacks were NSA driven.  It certainly seems likely that they were, but it's not 100 percent proven yet.

Still, the EFF report is very, very important as it offers the first direct evidence that Bloomberg's sources may be true, and the NSA may be trying to wipe its hands clean.

Botnet attack
The EFF says that IRC botnets -- the kind the NSA operates -- were actively exploiting the Heartbleed flaw last year. [Image Source: The Finest Daily]

Assuming, for a second that the Bloomberg report is accurate, commentary from both that report's sources and the EFF indicates that the bug is believed to have been accidentally introduced.  It is not believed to have paid off the Danish coder who introduced it.  Rather, like many zero day exploits in the NSA's arsenal, Heartbleed was allegedly discovered by the agency after the fact, a key victory for the NSA's legion of tireless bug hunters.  

If correct, the report indicates that the NSA discovered the flaw in 2012 and did not disclose it to the OpenSSL project, instead actively exploiting it for the last two years.  And that is a bombshell, if true.

Again, Dual EC_DRBG sabotage was disturbing, but not really that big a deal as it did not touch many websites that U.S. consumers used on a daily basis, and at worst did minor damage to national security.  In the case of Heartbleed, the claim is far more damning as it indicates the NSA engaging in serious attacks on Americans and representing a threat to the national security of the financial sector.

Mobile Banking
The NSA allegedly has pulled off the biggest terrorist attack in history on the global financial sector. [Image Source:]

In other words, if the Heartbleed flaw was being actively exploited as part of BULLRUN/EDGEHILL, the NSA has committed the greatest terrorist act against America's financial sector in its history.

The key word there is "if".  

In coming weeks hopefully we'll gain the information to gain insight into the accuracy of these claims.  In the end, this discussion brings to bare how critical it is for the NSA to abandon its vulnerability stockpiling and exploitation tactics, something the Obama administration has thus far flatly refused to do.

Sources: EFF, The Guardian, Bloomberg

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Bigger story is if NSA is telling the truth
By Solandri on 4/14/2014 7:09:13 PM , Rating: 3
III. If the NSA is Lying, This is a Big Deal

Isn't it a bigger deal if NSA is telling the truth? They didn't know about Heartbleed, but they also claimed to have some way to break SSL security at bank portals (most of whom don't use OpenSSL).

That would imply there's another as yet undiscovered security hole in SSL.

By synapse46 on 4/15/2014 10:53:26 AM , Rating: 2

By Jeffk464 on 4/14/14, Rating: 0
RE: banking
By marvdmartian on 4/15/2014 7:25:49 AM , Rating: 3
Then Homeland Security tells us that's the reason they need to monitor online traffic, to ensure our cyber security!

Don't worry, Big Brother is watching!

get in line
By dew111 on 4/14/2014 5:43:22 PM , Rating: 2
Maybe the NSA should get in line behind the CFTC and other agencies that let, and continue to let, banks pass bad mortgages as good securities. I suppose the NSA's actions *could* have more explicit malice in the intent (if true), but one of these things crashed the world economy, and will probably do so again before anyone starts to give a #$%^.

By CZroe on 4/15/2014 1:48:40 AM , Rating: 2
I'm glad I don't get my tech news exclusively from DailyTech. DT should be ashamed to have gone this long without even mentioning Heartbleed.

I just had a thought
By inperfectdarkness on 4/15/2014 9:56:47 AM , Rating: 2
During WWII, the automotive industry (and many other industries) were commandeered by the government for the purpose of supporting the war effort. This wasn't seen as unusual, due to the high level of mobilization nationwide.

So let me ask you this. If the DOD or NSA decided to craft a dormant botnet on PC's within the USA for the specific purpose of having the capability of engaging in large-scale cyberwarfare--should the need arise--how would you react? (And keep in mind that a bot-net would have to be already in place in the event it was needed, it could NOT be effectively utilized with a "day 0" release).

Purely rhetorical...just something to think about.

NSA making any comment at all
By ptmmac on 4/16/2014 1:41:12 PM , Rating: 2
I don't understand why the NSA would answer any question posed to it. I guess this is just one more negative effect of the reports from Mr Snowden.

I am not sure about you, but I had no problem inferring from the size of the installations the NSA has been building that they are recording everything they can get their hands on. This is no different from Google except that they are much more willing to break encyption to do their job. This is what they were hired to do. If you really want to live in a country without the NSA, then you need to remember that the NSA is one of the systems designed to protect us from totalitarianism. The intelligence that the United States got from Poland during WW2 was what really made it easier to determine the proper strategy and minimize deaths in that war.

I am not naive in thinking that someone could not subvert the NSA. I do not think anyone has presented any evidence that the NSA is using it's information to determine political issues. Certainly there is evidence in the past that perhaps this has happened. The Kenedy assasination prior to the ramp up of the Vietnam War is one example. Who will guard the guardians is a problem as old as history. The only really satifactory answer is a set of beliefs that are central to all in our society that we all believe are worth fighting for. Liberty, Justice and the Pursuit of happiness was the phrase in the Declaration of Independance.

The question is do you see a cabal of NSA insiders controlling Washington right now? I can imagine the idea has been attempted or at least considered, but the regular change in political leadership has made that not very practical. It is just easier to steal the election and go from there. Certainly that was Nixon's view, and probably Johnson's view as well. I think that Mr Snowden is a bit self-centered and messianic in his beliefs to be considered a hero. He is either naive or a saint or both. None of those personality types are very long term solutions to the problem at hand: how to keep our information society secure in a connected world?

Ask your self, if you needed 20 extremely talented people to pull this off- an NSA Coup of world power- would you be able to trust that they wouldn't cheat you in some way? It just doesn't seem like a huge problem right now. There are other less difficult ways to gain power. We need to deepen the protections we now have, and not waste the chance for reform that is being brought forward. Seperating the bulk data from the NSA by leaving it on the telecoms servers is not a bad proposal. We do not need to pretend the sky is falling. Does anyone have any evidence that Heartbleed was used by anyone to undermine the financial system?

I think any careful thinker would agree that the NSA is lying to you in spirit if not in fact. If they missed heartbleed it is not because they haven't tried to find it. They would never tell anyone about it. They would monitor it closely. The only case where I would expect them to mention it to the end users if it was already being exploited in a dangerous way by other unknown hackers. Even then, I would expect them to spy on the hackers and not immediately sound an alarm.

By Argon18 on 4/14/14, Rating: -1
RE: Funny
By DaveLessnau on 4/14/2014 6:23:34 PM , Rating: 5
In this country, individuals are free to be as bone-jarring stupid as they want to be. In this country, the federal government is not authorized to be a criminal organization. One of those is freedom, the other is tyranny.

RE: Funny
By ritualm on 4/14/2014 7:09:37 PM , Rating: 1
Don't even get me started on Google and "free" Gmail accounts.

I voluntarily switched to Google's "free" Gmail account last year, and the reason? My ISP's email, which runs off Yahoo, was getting spammed like my HotMail accounts a decade ago.

I'm sure I'm getting datamined like hell right now, but the one thing I cannot stand besides all these allegations of NSA spying... is spam. That stuff already rendered three personal-use email addresses useless with its sheer volume.

Either you know nothing about the real-life implications and tradeoffs we all make with those decisions, or you sneer at us for not knowing better while doing the exact same thing as the rest of us.

RE: Funny
By ShaolinSoccer on 4/15/2014 2:23:05 PM , Rating: 2
What spam? You mean all those junk emails I get that goes directly to my junk folder? That's what bothers you?

"Can anyone tell me what MobileMe is supposed to do?... So why the f*** doesn't it do that?" -- Steve Jobs

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki