Bitcoin Forum
Author Topic: Heartbleed Vulnerability - We Need to be Careful  (Read 1521 times)
acoindr (OP)
April 12, 2014, 11:13:31 PM
 #1

By now the community is aware of the OpenSSL Heartbleed vulnerability, one of the biggest flaws in the Internet's history, affecting the basic security of as many as two-thirds of the world's websites.

Patch implementations for this vulnerability are ongoing including an advisory now to upgrade Bitcoin-Qt/Bitcoin Core.

I just watched the SXSW video featuring Ed Snowden. If you haven't seen it it's worth viewing:

https://www.youtube.com/watch?v=NGD2t2iegSY

One question asked to Snowden was he seemed to keep coming back to using encryption as good standard defense against abusive unconstitutional surveillance, and was encryption really effective? He replied matter-of-factly yes saying the govt instead of trying to brute force through it (probably impossible anyway) would look for other less expensive ways to acquire information, making broad dragnet data collection infeasible (though targeted acquisition is usually successful). Instead of being able to simply sit on the network and scoop up everything they would need to go to companies like Yahoo, Google, Facebook etc. for data at encryption endpoints.

Then out of nowhere this Heartbleed vulnerability comes up. Bloomberg just published a story saying the NSA knew about and used the Heartbleed bug for two years, though the agency denies it. That jogged my memory about something from Snowden revelations about them intentionally participating in software communities, proposing standards like potentially weak random number generators for encryption etc.

Snowden emphasizes encryption being effective against NSA/govt surveillance. Suddenly the Heartbleed issue comes out, leaking user credentials like passwords and the encryption keys themselves and the NSA denies knowledge?  Roll Eyes

Our community is building the infrastructure to the new digital economy and security plays a big part of that. At the same time we all rely on a lot of open source technology not the least of which is Bitcoin itself. I'd say it's wise to remain vigilant going forward as Bitcoin gains more prominent mainstream acceptance and is increasingly on the radar of big governments.
franky1
April 12, 2014, 11:52:46 PM
 #2

By now the community is aware of the OpenSSL Heartbleed vulnerability, one of the biggest flaws in the Internet's history, affecting the basic security of as many as two-thirds of the world's websites.

Patch implementations for this vulnerability are ongoing including an advisory now to upgrade Bitcoin-Qt/Bitcoin Core.

I just watched the SXSW video featuring Ed Snowden. If you haven't seen it it's worth viewing:

https://www.youtube.com/watch?v=NGD2t2iegSY

One question asked to Snowden was he seemed to keep coming back to using encryption as good standard defense against abusive unconstitutional surveillance, and was encryption really effective? He replied matter-of-factly yes saying the govt instead of trying to brute force through it (probably impossible anyway) would look for other less expensive ways to acquire information, making broad dragnet data collection infeasible (though targeted acquisition is usually successful). Instead of being able to simply sit on the network and scoop up everything they would need to go to companies like Yahoo, Google, Facebook etc. for data at encryption endpoints.

Then out of nowhere this Heartbleed vulnerability comes up. Bloomberg just published a story saying the NSA knew about and used the Heartbleed bug for two years, though the agency denies it. That jogged my memory about something from Snowden revelations about them intentionally participating in software communities, proposing standards like potentially weak random number generators for encryption etc.

Snowden emphasizes encryption being effective against NSA/govt surveillance. Suddenly the Heartbleed issue comes out, leaking user credentials like passwords and the encryption keys themselves and the NSA denies knowledge?  Roll Eyes

Our community is building the infrastructure to the new digital economy and security plays a big part of that. At the same time we all rely on a lot of open source technology not the least of which is Bitcoin itself. I'd say it's wise to remain vigilant going forward as Bitcoin gains more prominent mainstream acceptance and is increasingly on the radar of big governments.

NSA don't have that much skill as you think.
1) they only got to silkroad via asking google for DPR's IP to locate him. then getting the data AFTER confiscating his computer at the time of his arrest.
2) they employed the UK's GCHQ to brute force DPR's passwords.
(that's what i gathered from the evidence notes of the DPR case)

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
foggyb
April 13, 2014, 12:54:31 AM
 #3


NSA don't have that much skill as you think.
1) they only got to silkroad via asking google for DPR's IP to locate him. then getting the data AFTER confiscating his computer at the time of his arrest.
2) they employed the UK's GCHQ to brute force DPR's passwords.
(that's what i gathered from the evidence notes of the DPR case)

If you're the NSA, you don't use / expose your secret methods for a shitty score like silk road.

If you're a clever spy, pretending to be less clever than you really are is a crucial strategy for retaining your effectiveness.

For example: in WWII, the Allies knew of impending German attacks, having broken Germany's Enigma, an advanced encryption engine. However, very often Allied forces could not be warned in advance of these known impending attacks because doing so would reveal the compromised encryption, which would be immediately corrected. The Allies were after the big secrets.

Bit_Happy
April 13, 2014, 01:23:11 AM
 #4

We Need to be Careful
Remember to change all your passwords if you haven't already.

acoindr (OP)
April 13, 2014, 01:36:04 AM
 #5

We Need to be Careful
Remember to change all your passwords if you haven't already.

This bears repeating.

If you're a clever spy, pretending to be less clever than you really are is a crucial strategy for retaining your effectiveness.

This reminded me of the image below which I'm sure will be lost on 50% of this forum Wink



grahvity
April 13, 2014, 02:09:50 AM
 #6

Quote

This bears repeating

This reminded me of the image below which I'm sure will be lost on 50% of this forum Wink




Is that a friend of my dad's?

jk

acoindr (OP)
April 13, 2014, 02:26:21 AM
 #7

Quote

This bears repeating

This reminded me of the image below which I'm sure will be lost on 50% of this forum Wink




Is that a friend of my dad's?

jk

Back in my day Sonny we watched something called teeevee and that provided entertainment! Nothin' like these newfangled tablets and netgear gizmos all you youngsters are glued to today! Nosir!
Radar
April 13, 2014, 10:41:12 AM
 #8

And now it's a bad time Windows XP won't receive updates  Undecided
kik1977
April 13, 2014, 10:58:13 AM
 #9


NSA don't have that much skill as you think.
1) they only got to silkroad via asking google for DPR's IP to locate him. then getting the data AFTER confiscating his computer at the time of his arrest.
2) they employed the UK's GCHQ to brute force DPR's passwords.
(that's what i gathered from the evidence notes of the DPR case)

If you're the NSA, you don't use / expose your secret methods for a shitty score like silk road.

If you're a clever spy, pretending to be less clever than you really are is a crucial strategy for retaining your effectiveness.

For example: in WWII, the Allies knew of impending German attacks, having broken Germany's Enigma, an advanced encryption engine. However, very often Allied forces could not be warned in advance of these known impending attacks because doing so would reveal the compromised encryption, which would be immediately corrected. The Allies were after the big secrets.

Very much agreed.. you would not really reveal your nr.1 investigative technique if this would compromise its future utilisation.

We are like butterflies who flutter for a day and think it is forever
pening
April 13, 2014, 12:14:51 PM
 #10

NSA don't have that much skill as you think.
1) they only got to silkroad via asking google for DPR's IP to locate him. then getting the data AFTER confiscating his computer at the time of his arrest.
2) they employed the UK's GCHQ to brute force DPR's passwords.
(that's what i gathered from the evidence notes of the DPR case)

As a Brit myself, I'm the first to fly the flag, but let's be honest and clear about this: GCHQ was employed by the US authorities to keep it nice and legal, bypassing laws around spying on own citizens.

As for the OP, the story from Bloomberg is awful journalism, there isn't even an unattributed third party making the claim the NSA knew about the bug, it's pure speculation. It's certainly probable they did know, just Bloomberg is making the assumption they must know because they have resources available. So do thousands of open source volunteers.

If there's one thing Heartbleed has taught us, it is that open source is *not* secure by default, and requires audit and reviews to show systems are secure.
Tzupy
April 13, 2014, 01:11:55 PM
 #11

Article about an update to the heartbleed vulnerability:
http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/

Sometimes, if it looks too bullish, it's actually bearish
franky1
April 13, 2014, 01:57:32 PM
 #12


new information coming to light, thanks. and thanks again for showing a link with actual viable information, rather than speculation. now the next point, the article mentions that by stealing keys, exploiters can then set up dummy websites to phish the genuine website, so that users log in thinking it's genuine.

my question is:
if heartbleed can be used not only to get the private key (certificate), but to also get users' unencrypted log-in data... why need to then make a phishing site to get users to log into exploiters' cloned websites.. to basically gather people's usernames and passwords.

my speculative theory is that the heartbleed can only gather the site's private key (certificate) but cannot decrypt user data. thus needing to make a phishing site to get user data. the only user data they can decrypt is their own. which is why Filippo can only see "yellow submarine" in cleartext and the rest is gibberish. apart from the website's own certificate soon after a reboot.

empowering
April 13, 2014, 03:53:33 PM
 #13

We Need to be Careful
Remember to change all your passwords if you haven't already.

This bears repeating.

If you're a clever spy, pretending to be less clever than you really are is a crucial strategy for retaining your effectiveness.

This reminded me of the image below which I'm sure will be lost on 50% of this forum Wink





oh ah... and just one more thing Mr .....

"A foolish consistency is the hobgoblin of little minds"
jparsley
April 14, 2014, 11:26:24 AM
 #14

Where do I find more info on this bug?

please unban me.
HappMacDonald
April 14, 2014, 09:25:10 PM
 #15

my speculative theory is that the heartbleed can only gather the site's private key (certificate) but cannot decrypt user data. thus needing to make a phishing site to get user data. the only user data they can decrypt is their own. which is why Filippo can only see "yellow submarine" in cleartext and the rest is gibberish. apart from the website's own certificate soon after a reboot.

This is incorrect. I used the tool offered by Filippo, and I was most certainly able to get cleartext HTTP sessions from other users out of the memory dumps.

The really important thing to keep in mind with Heartbleed, is that the entire goal of SSL is to encrypt traffic packets so that eavesdroppers of said packets (like the NSA!) cannot see what is inside of them. However, having the private keys most certainly allows an attacker to decrypt that traffic data, if they are able to get it (which the NSA almost always can).

So heartbleed can allow k1dd13s a mirror into other people's user sessions, I've seen it. Whatever is in RAM (in the heap) has a chance of being exposed directly. Indirectly, it can also allow anyone with OOB access to encrypted transit packets to decrypt them assuming they put in the trivial amount of effort to finagle the private keys out of the primary leak.
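
The heap exposure described in this post comes from a heartbeat request whose declared payload length is larger than the data actually sent. The following detection sketch is an added example, not part of the original thread: it applies the RFC 6520 length rule to plaintext TLS records, and its function names and sample bytes are constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 24   # TLS record content type assigned to heartbeat (RFC 6520)
HB_REQUEST = 1       # heartbeat_request message type
HB_HEADER = 3        # 1-byte type + 2-byte payload_length
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding


def make_record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Build a TLS record (helper used only to construct the sample capture)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def iter_records(stream: bytes):
    """Yield (content_type, body) for each complete TLS record in a byte stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5: offset + 5 + length]
        if len(body) < length:
            break  # truncated capture: stop instead of guessing
        yield ctype, body
        offset += 5 + length


def check_heartbeat(body: bytes) -> str:
    """Classify one plaintext heartbeat message by the RFC 6520 length rule."""
    if len(body) < HB_HEADER:
        return "malformed"
    hb_type, claimed = struct.unpack_from("!BH", body, 0)
    if hb_type != HB_REQUEST:
        return "not-a-request"
    # A conforming receiver silently discards a message whose declared payload,
    # plus header and minimum padding, does not fit inside the record.
    if HB_HEADER + claimed + MIN_PADDING > len(body):
        return "over-read-attempt"
    return "ok"


def scan(stream: bytes) -> list:
    """Return one verdict per heartbeat record; other record types are skipped."""
    return [check_heartbeat(b) for t, b in iter_records(stream) if t == TLS_HEARTBEAT]


# Constructed sample capture (not real traffic).
SAMPLE = b"".join([
    make_record(23, b"\x00" * 8),  # application data, ignored by scan()
    make_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * 16),
    make_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000)),  # declares 16 KiB, sends none
])

if __name__ == "__main__":
    print(scan(SAMPLE))
```

This check only sees heartbeat records sent before encryption starts; once the session is encrypted, the inner length field is not visible to a network sensor.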
jonald_fyookball
April 14, 2014, 10:52:08 PM
 #16


NSA don't have that much skill as you think.
1) they only got to silkroad via asking google for DPR's IP to locate him. then getting the data AFTER confiscating his computer at the time of his arrest.
2) they employed the UK's GCHQ to brute force DPR's passwords.
(that's what i gathered from the evidence notes of the DPR case)

If you're the NSA, you don't use / expose your secret methods for a shitty score like silk road.

If you're a clever spy, pretending to be less clever than you really are is a crucial strategy for retaining your effectiveness.

For example: in WWII, the Allies knew of impending German attacks, having broken Germany's Enigma, an advanced encryption engine. However, very often Allied forces could not be warned in advance of these known impending attacks because doing so would reveal the compromised encryption, which would be immediately corrected. The Allies were after the big secrets.

Shitty score? Not sure that's true. There was major attention, interest from DEA obviously... even Congress members were putting pressure to crack that case.

kingscrown
April 15, 2014, 01:23:28 AM
 #17

one of best exploits found ever!
