The President delivers remarks at the Summit on Cybersecurity and Consumer Protection at Stanford University to help shape public and private sector efforts to protect American consumers and companies from growing threats to consumers and commercial networks. The Summit brings together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data, now and in the future.
Another hacking incident today, and this time it went beyond a compromised Twitter account; the hackers posted something on the UPI homepage: UPI Website, Twitter Account Hacked.
WASHINGTON, Jan. 16 (UPI) — United Press International’s website and Twitter account were hacked Friday afternoon, with someone attempting to publish false stories.
It started on Twitter, where six fake headlines were posted in about 10 minutes, starting about 1:20 p.m. Some of them were about the Federal Reserve; others contained a false report that the USS George Washington had been attacked.
I happened to have one of these tweets open, and grabbed this screenshot because I knew it wouldn’t last long:
At the same time, the New York Post Twitter account was also compromised; here’s a screenshot of what appeared in their timeline:
Most of the coverage of the Heartbleed bug has focused on the security problems for websites, but there’s another avenue of attack now being exploited by hackers: the Virtual Private Network (VPN) systems used by many large and small businesses.
Security firm Mandiant reports that it has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the internet that are least likely to have been updated to protect against Heartbleed.
The attack worked like this. When a user logs into a VPN service, it issues a “session token,” a temporary credential that is supposed to prove that a user has already been authenticated. By stealing the authentication token from the server’s memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization’s internal network.
This disastrous security hole in OpenSSL may have more effect on these kinds of semi-closed systems than on easily upgraded web servers, because the people who use VPNs and other types of networking applications and devices may not even realize they’re relying on the buggy versions of OpenSSL, and it may be difficult (or even impossible in some cases) to update the software.
But web servers are still a big problem as well; the Washington Post’s Brian Fung points out that we may be seeing some large scale disruptions of the Internet in the not too distant future: Heartbleed Is About to Get Worse, and It Will Slow the Internet to a Crawl.
Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.
The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.
“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”
Please note! We got out in front of the rush to revoke/reissue our SSL certificates right away, the day the bug was announced, so Little Green Footballs is not vulnerable to the problem described in the Washington Post article.
Tell me again about how much we need to fear our elected government: Google Knew About Heartbleed and Didn’t Tell the Government.
Google knew about a critical flaw in Internet security, but it didn’t alert anyone in the government.
Neel Mehta, a Google engineer, first discovered “Heartbleed”—a bug that undermines the widely used encryption technology OpenSSL—some time in March. A team at the Finnish security firm Codenomicon discovered the flaw around the same time. Google was able to patch most of its services—such as email, search, and YouTube—before the companies publicized the bug on April 7.
The researchers also notified a handful of other companies about the bug before going public. The security firm CloudFlare, for example, said it fixed the flaw on March 31.
But the White House said Friday that no one in the federal government knew about the problem until April. The administration made the statement to deny an earlier Bloomberg report that the National Security Agency had been exploiting Heartbleed for years.
The hyperbolic headline from Bloomberg that stirred up the mighty Greenwald army today: NSA Said to Have Used Heartbleed Bug, Exposing Consumers - Bloomberg.
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. …
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
Notice the source? Two anonymous people “familiar with the matter.” And lo, the clicks pour in.
It looks like the NSA has realized it needs to answer these hyperbolic stories right away, because it wasted no time coming out with an official response: NSA Denies It Used ‘Heartbleed’ Bug to Gather Intelligence - NBC News.com
The National Security Agency on Friday denied a report that it has been aware for years of the enormous ‘Heartbleed’ security flaw affecting millions of websites, but kept the information secret and used it for its own purposes.
Bloomberg, citing unidentified sources, reported Friday that the NSA knew about Heartbleed for two years before the public disclosure of the bug by security researchers last week.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong,” the agency said in a statement to NBC News.
The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.
There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.
The type of programming mistake he describes is known as a “bounds checking error”: the code trusted a length value supplied by the other side of the connection instead of checking it against the data it had actually received. They’re depressingly common and are often the cause of serious security problems.
Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.
“In one of the new features, unfortunately, I missed validating a variable containing a length.”
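Here is what that missing length validation looks like in miniature, as an added illustration that is not OpenSSL’s code: a simplified heartbeat handler run over a constructed in-memory record, once without the check and once with it, so the over-read and the fix can be seen side by side. The arena, the made-up secret string and the function names are assumptions for the demo only.

```c
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520): byte 0 type (1 request, 2
 * response), bytes 1-2 payload_length big-endian, then that many payload
 * bytes and at least 16 bytes of padding. */
#define HB_HDR 3
#define HB_PAD 16

/* Simulated process memory (constructed): a request, then unrelated data. */
static const uint8_t arena[64] = {
    0x01, 0x00, 0x30,                  /* request claiming a 48-byte payload */
    'h', 'i',                          /* the 2 bytes actually sent */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,   /* 16 bytes of padding */
    'S','E','C','R','E','T',':','h','u','n','t','e','r','2'
};
#define REC_LEN (HB_HDR + 2 + HB_PAD)  /* 21 bytes actually arrived */

/* Builds the echo response; returns its length, 0 if the request is dropped.
 * validate == 0 is the pre-fix logic: payload_length is trusted, so the copy
 * runs past the end of the record and echoes whatever follows it (kept inside
 * `arena` here so the demo stays well-defined). validate == 1 is the fix:
 * header + claimed payload + minimum padding must fit in what was received. */
static size_t heartbeat(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap, int validate)
{
    if (rec_len < HB_HDR) return 0;
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    if (validate && (size_t)HB_HDR + plen + HB_PAD > rec_len) return 0;
    if ((size_t)HB_HDR + plen > out_cap) return 0;
    out[0] = 0x02; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, plen);  /* over-reads when !validate */
    return HB_HDR + plen;
}

/* 1 if the response contains the made-up secret marker, else 0. */
static int leaks_secret(const uint8_t *out, size_t n)
{
    for (size_t i = 0; i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}

/* Demo: unchecked path echoes 51 bytes incl. the secret; checked path refuses. */
int heartbleed_demo(void)
{
    uint8_t out[128];
    size_t n = heartbeat(arena, REC_LEN, out, sizeof out, 0);
    int leaked = n == HB_HDR + 0x30 && leaks_secret(out, n);
    return leaked && heartbeat(arena, REC_LEN, out, sizeof out, 1) == 0;
}
```

The same comparison (claimed length against bytes actually received) is also the check a network-level detector can apply to heartbeat records, which is why the bug is invisible in ordinary web server logs but visible on the wire.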
And about that noobish speculation:
A number of conspiracy theorists have speculated the bug was inserted maliciously.
Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.
“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”
Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.
“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.
Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace that it grabbed everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)
Since the bug has been deployed in the OpenSSL service on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.
And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.
I’ll need to put the LGF web server into maintenance mode for a short time, probably within the next 3 hours, in order to complete some work cleaning up the mess created by this nasty Heartbleed apocalypse you might have heard about. The good news is that our servers are completely patched against the bug, and our SSL certificate has been revoked, reissued and reinstalled. When all the necessary back-end stuff is complete, I’ll be asking all registered LGF users to change their passwords ASAP, but hold off until I give the signal.
It’s a really interesting mental exercise to exhaustively go through a server and identify everything that might be a security problem if it’s in the server’s memory. That’s what makes Heartbleed insidious — it essentially gives an attacker access to the server’s entire memory (in 64K chunks, with repeated requests), and when encrypted data is in RAM it’s in decrypted form. Basically, the exploit based on this OpenSSL bug makes everything that should be private on a server easily accessible if it’s ever read into RAM, and it leaves not a single trace of its filthy work.
In the meantime, here’s an open thread as I get things set up so this maintenance time can be as short as possible.
Here's where you can check to see if a website you visit is vulnerable to the “Heartbleed” bug: http://t.co/5ulKoSZsPW
We went into and out of maintenance mode so fast you may not have noticed it, but LGF’s servers are now fully protected from the Heartbleed monster. Time to change your LGF passwords, folks.
And if you’re not already using 1Password, you really should look into it. It makes password management 271% less stressful.
The tiny padlock icon that sits next to many web addresses, suggesting protection of users’ most sensitive information — like passwords, stored files, bank details, even Social Security numbers — is broken.
A flaw has been discovered in one of the Internet’s key encryption methods, potentially forcing a wide swath of websites to swap out the virtual keys that generate private connections between the sites and their customers.
On Tuesday afternoon, many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.
This post could also be titled “When Hacktivists Attack (Each Other),” as the site cryptome.org publishes an email from Edward Snowden’s lawyer Jesselyn Radack to Glenn Greenwald — that was supposed to have been encrypted with PGP: Jesselyn Radack Emails Glenn Greenwald.
Alleged Jesselyn Radack Email (BG may be Barton Gellman):
Congrats on the McGill award!! I look forward to seeing you at Polks.
On that note, is my client making a surprise appearance? BG said you mentioned this to him at the Polk media event.
I won’t tell anyone, including BG, if it’s a surprise, but as his attorney, I’d like to know…and also what medium would be used (Google or the BEAMbot).
Here’s what apparently happened: Radack looked up a PGP key that was named for “Glenn Greenwald” on the MIT key server (see Greenwald’s tweet below), and used it to send this email.
But she never checked to make sure it was really Greenwald’s key. And it wasn’t. Whoever supplied Radack’s email to cryptome.org (presumably the person who created the false key) was therefore able to intercept and decrypt the email.
These are the people who think they know better than anyone else how the US should manage its national security, the people who started a media company with a side business selling security tools, the ones who like to pretend they’re experts on securing stolen NSA material — falling for a pathetically simple social engineering hack like this. They can’t even keep their own email secure.
Imagine if she had been emailing (what she thought were) encrypted NSA documents from Edward Snowden to Glenn Greenwald, and also sending them to an unknown third party.
What’s even more hilarious is that after it became obvious Radack had been tricked into using a false PGP key, she went back and deleted several tweets in which she admitted she did send the email and complained that Cryptome was being unfair to her. Favstar still has a copy of one:
Here’s Greenwald’s only comment, uncharacteristically terse; notice that he somehow fails to mention Snowden’s lawyer actually used this key:
FYI - this is a fake PGP key that someone created http://t.co/MueZoKJqIV
Here’s a screenshot showing more of the tweets Radack deleted when she realized what had happened:
Bob Cesca points out some of the problems in President Obama’s proposal to privatize the NSA’s metadata collection program:
First of all, corporations have a terrible track record when it comes to securely storing customer data. I’m old enough to remember how hackers — or as Greenwald calls them: activists exercising their speech rights — broke into Target’s servers and stole millions of credit card numbers. The same thing happened to Neiman Marcus days later.
Now toss into the equation the fact that, yes, the phone companies not only store your metadata, but also couple it with your name, address and billing information. NSA’s metadata storage, which is considerably more secure in the bowels of its Fort Meade facility, is completely anonymous and all inadvertent collection is minimized per the law.
What else separates NSA storage from corporate storage? How about layers of congressional and judicial oversight that don’t exist at Sprint or T-Mobile. Sure, much of NSA’s work takes place in secret, but likewise try getting your hands on corporate secrets from Verizon or AT&T beyond what’s posted on their privacy pages. Good luck with that.
And there’s another huge problem with this idea: one of the main reasons the US wants to store this metadata is that it lets them access and search it quickly in case of an emergency.
But if the government doesn’t already control the data, the only way to achieve the same kind of emergency response capability would be for the NSA to have even more access to the telecom companies’ databases. Not less.
Ironically, if this proposal is adopted it may end up making it easier for the government to access your telephone metadata, not more difficult.