1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Report: The NSA Exploited 'Heartbleed' to Siphon Passwords for Two Years

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Apr 12, 2014.

  1. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Apr 2, 2008
    Likes Received:
    Chair moistener.
    boy, what a... "shock" this news is. :rolleyes:

    The NSA knew about and exploited the Heartbleed vulnerability for two years before it was publicly exposed this week, and used it to steal account passwords and other data, according to a news report.

    Speculation had been rampant this week that the spy agency might have known about the critical flaw in OpenSSL that would allow hackers to siphon passwords, email content and other data from the memory of vulnerable web servers and other systems using the important
    encryption protocol.

    That speculation appears to be confirmed by two unnamed sources who told Bloomberg that the NSA discovered the flaw shortly after it was accidentally introduced into OpenSSl in 2012 by a programmer.

    The flaw "became a basic part of the agency's toolkit for stealing account passwords and other common tasks," the publication reports. [See NSA response below]

    OpenSSL is used by many websites and systems to encrypt traffic. The vulnerability doesn't lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to 10, cryptographer Bruce Schneier ranks the flaw an 11.

    The flaw is critical because it's at the core of SSL, the encryption protocol so many have trusted to protect their data, and can be used by hackers to steal usernames and passwords -- for sensitive services like banking, ecommerce, and web-based email.

    There are also concerns that the flaw can be used to steal the private keys that vulnerable web sites use to encrypt traffic to them, which would make it possible for the NSA or other spy agencies to decipher encrypted data in some cases and to impersonate legitimate web sites in order to conduct a man-in-the-middle attack and trick users into revealing passwords and other sensitive data to fake web sites they control.

    Heartbleed allows an attacker to craft a query to vulnerable web sites that tricks the web server into leaking up to 64kb of data from the system's memory. The data that's returned is random -- whatever is in the memory at the time -- and requires an attacker to query multiple times to collect a lot of data.

    But this means that any passwords, spreadsheets, email, credit card numbers or other data that's in the memory at the time of the query could be siphoned. Although the amount of data that can be siphoned in one query is small, there's no limit to the number of queries an attacker can make, allowing them to collect a lot of data over time.

    Although some researchers have reported on Twitter and in online forums that they were able to siphon the private keys in some cases from servers that were vulnerable to the flaw, the security firm CloudFlare announced today in a blog post that it was unable to siphon a private
    key after multiple days of testing the flaw.

    Cracking SSL to decrypt internet traffic has long been on the NSA's wish list. Last September, the Guardian reported that the NSA and Britain's GCHQ had been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt the data in near-real time, and there were suggestions that they might have succeeded.

    According to documents that Edward Snowden provided the paper, the spy agencies have used a number of methods under a program codenamed "Project BULLRUN" to undermine encryption or do end-runs around it -- including efforts to compromise encryption standards and work with companies to install backdoors in their products.

    But at least one part of the program focused on undermining SSL. Under BULLRUN, the Guardian noted, the NSA "has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking."

    Bloomberg does not say if the NSA or its counterparts succeeded in siphoning private keys using the Heartbleed vulnerability. The paper only mentions using it to steal passwords and "critical intelligence."

    Update: The NSA has issued a statement denying any knowledge of Heartbleed prior to its public disclosure this week. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector
    cybersecurity report," an NSA spokesperson wrote in a statement. "Reports that say otherwise are wrong."

    The White House National Security Council spokesperson Caitlin Hayden also denied that federal agencies knew about the bug. "If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," Caitlin Hayden said in a statement.

    • Thanks Thanks x 1
  2. MafiaBoss

    MafiaBoss Elite Member

    May 5, 2012
    Likes Received:
    Currently Un-Occupied
    In granny's Basement
    Home Page:
    Every thing is exploited by NSA.
  3. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Jan 27, 2009
    Likes Received:
    Pusillanimous Knitter
    Buenos Aires
    • Thanks Thanks x 1
  4. davids355

    davids355 Jr. VIP Jr. VIP

    Apr 25, 2011
    Likes Received:
  5. Porphyrogenitus

    Porphyrogenitus Junior Member

    Oct 12, 2011
    Likes Received:
    The funny thing is it's exploited with impunity. Whenever I see them questioned about some underhanded tactic, they respond with entitled pride as though the privacy of innocents is their property. Amazing that they actually think this helps their country... a nation whose economy depends on TRUST and INFORMATION, both of which they undermine.