Sunday, April 13, 2014

Heartbleed and the NSA

The Heartbleed bug hit some two thirds of this nation's internet servers. Usernames and passwords stored on those servers are at risk. There's a patch, but it's too little and too late.
The bad news is that about 600,000 servers are still vulnerable to attacks exploiting the bug. The worse news is that malicious “bot” software may have been attacking servers with the vulnerability for some time—in at least one case, traces of the attack have been found in audit logs dating back to last November. Attacks based on the exploit could date back even further.

Security expert Bruce Schneier calls Heartbleed a catastrophic vulnerability. "On the scale of 1 to 10, this is an 11," he said in a blog post today.
You've probably heard that those clever lads and lasses at the NSA found this security hole months ago and have been using it to worm into the system. That revelation came from a Bloomberg story which the Obama administration officially contradicts. The denial comes from Caitlin Hayden, spokesperson for the White House National Security Council.
"If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," Hayden added.

Hayden said that when US agencies discover a new vulnerability in commercial and open-source software, "it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose".
I don't know how seriously anyone is going to take this government's ringing declaration of its own virtuousness. I feel certain that the original Bloomberg story got it right.

The big question: If No Such Agency did exploit the bug, were they acting opportunistically, or did they plan this whole Heartbleed thing all along?

A German named Robin Seggelmann was supposed to examine the code for such flaws. The thing got past him. He insists that he is not a spook (for any service) and has never worked for spooks.
After he submitted the code, a reviewer "apparently also didn’t notice the missing validation", Dr Seggelmann said, "so the error made its way from the development branch into the released version." Logs show that reviewer was Dr Stephen Henson.

Dr Seggelmann said the error he introduced was "quite trivial", but acknowledged that its impact was "severe".
Well...okay. But I'd like to hear more about this Henson fellow. (He is also mentioned here.)

So when and how did the NSA discover the vulnerability? The Electronic Frontier Foundation traces it back to November of 2013...
It would be very bad news if these stories were true, indicating that blackhats and/or intelligence agencies may have had a long period when they knew about the attack and could use it at their leisure.
A lot of the narratives around Heartbleed have viewed this bug through a worst-case lens, supposing that it might have been used for some time, and that there might be tricks to obtain private keys somewhat reliably with it. At least the first half of that scenario is starting to look likely.
Even worse, we now have an indication that the "fix" doesn't fix enough...
The results are a strong indication that merely updating servers to a version of OpenSSL that's not vulnerable to Heartbleed isn't enough. Because Heartbleed exploits don't by default show up in server logs, there's no way for sites that were vulnerable to rule out the possibility the private certificate key was plucked out of memory by hackers. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect. Anyone visiting the bogus site would see the same https prefix and padlock icon accompanying the site's authentic server.
So what does this mean?

When you visit your web-based email site, are you really there, or are you somewhere else?

I've read some comments indicating that OpenVPN is vulnerable. I don't know if any other VPNs have been compromised.

The recommended course of action: Change all of your passwords. Personally, I wouldn't do that until we hear that the Heartbleed problem has been solved once and for all.

5 comments:

Stephen Morgan said...

I won't be changing my passwords. They will only have been lost to hackers if you were logged into a site via SSL encryption at the exact moment they looked into RAM, and even then it's somewhat unlikely. The NSA, I rather expect them to have all my passwords anyway. Even if they haven't, I expect that they have someone working at my e-mail provider who can give them all my e-mails. And a tap on the trunkline that carries the information so they can siphon it all off onto the servers.

If you intend to change yours you must wait until you know your server has the newly patched version of OpenSSL, assuming they were vulnerable in the first place. The patch does solve the problem, which was a very simple problem to solve when spotted. Someone just forgot to put in a check so that response to heartbeat requests would be as small as possible, hence they instead sent out random chunks of RAM.

There's no reason to listen to the doom and gloom, either. As it's only stuff active in RAM that can be read private keys are probably safe, certainly no-one has shown them to be vulnerable. Of course if their servers have proper security the private key won't have been available in RAM at all, assuming they're using Perfect Forward Secrecy. And again, we already know that the NSA have impersonated Slashdot and other sites without this bug, so don't worry about that either.

Arbusto205 said...

Joe, apologies for an offtopic question. I'm just curious if you ever knew any brussel sprouts in cali? I'm travelling in europe and saw something that made me think of your film past. Thanks,

Joseph Cannon said...

Not sure what you are talking about, but if I had spent my life on better terms with leafy vegetables, I might now be able to get out of this chair without saying OOF.

Eric said...

Private keys have been shown to be vulnerable. Cloudfare asked people to find their private key and several people did. Still, I am not changing my passwords because I do not do anything important online anyway.

jo6pac said...

Brussel sprouts are grown in Watsonville, Calif. area. They are harvested around Feb.