Friday, April 11, 2014

NSA knew and kept secret about Heartbleed bug for years and exploited it

  • Why am I not surprised? Why am I not shocked?  This is just business-as-usual by our government. Oh, did you really believe we are a government "of the people, by the people, for the people"?  So sorry if truth is intruding on that belief...BUT would you rather be kept in the dark?

NSA Knew About And 'Exploited' Heartbleed For Years: Bloomberg

by Dino Grandoni

The Heartbleed bug just went from bad to worse to truly, utterly terrifying.

The National Security Agency knew of the existence of the catastrophic bug for at least two years and kept it a secret from the public and the cybersecurity community in order to exploit it, according to a bombshell report from Bloomberg News.

First discovered by Google and Codenomicon, a security firm, the Heartbleed bug is a flaw in the encryption software used to protect a vast number of websites from hackers. The fear is that the bug may expose credit card numbers, passwords and more.

Yahoo, Amazon and many, many other major websites used the free code, called OpenSSL, since encryption software is notoriously difficult to write.

Immediately after news of Heartbleed broke, some suspected that the NSA was exploiting the security lapse to access people's private data. Now, the two sources who spoke to Bloomberg are confirming those fears.

Now that we know that the NSA knew about the bug and said nothing, the question is how exactly they exploited it. Before this news broke, Wired reported that the bug might not be all that handy for the NSA. Heartbleed lets an attacker scoop up data from a website, wrote the magazine's Kim Zetter, but "the data that’s returned is random — whatever is in the memory at the time — and requires an attacker to query multiple times to collect a lot of data."

Most importantly, the piece of the data that had security experts the most worried -- the private SSL keys -- may be safe from the NSA's clutches. With a website's private key, a bad actor could steal information from a website months or years after the Heartbleed bug has been patched in its system. After several tests, the online security company CloudFlare said it was unable to use Heartbleed to extract those keys.
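The "random memory" Zetter describes comes from a missing bounds check in the TLS heartbeat handler: the server echoes back as many bytes as the peer declares rather than as many as it actually sent, and the fix is to drop any record whose declared length does not fit in what arrived. The simulated handlers below are an added example, not OpenSSL's code and not part of the original article; the record layout, the 64-byte arena and its "LEAKED-SESSION-DATA" neighbour are constructed so the over-read stays inside memory the program owns.

```c
#include <stddef.h>
#include <string.h>

enum { HB_HEADER = 3, HB_PADDING = 16, ARENA = 64 };
static const char SECRET[] = "LEAKED-SESSION-DATA"; /* constructed neighbour */

/* Vulnerable handler: echoes as many bytes as the peer *claims* it sent
 * (the 2-byte big-endian length field at rec[1..2] is peer-controlled). */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;                              /* real length never checked */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (payload > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, payload);      /* over-reads past the record */
    return (int)payload;
}

/* Patched handler: the declared length must fit inside the bytes received. */
int heartbeat_patched(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload + HB_PADDING > rec_len) return -1; /* silently drop */
    if (payload > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, payload);
    return (int)payload;
}

/* Constructed scenario: a 5-byte heartbeat ("hi", declaring 32 bytes) sits in
 * a 64-byte arena beside unrelated data, so the over-read stays in memory we
 * own. Returns the echoed length or -1 if rejected; echo is NUL-terminated. */
int run_heartbeat(int use_patched, char *echo, size_t echo_cap) {
    unsigned char arena[ARENA];
    memset(arena, '.', sizeof arena);
    arena[0] = 0x01; arena[1] = 0x00; arena[2] = 0x20;  /* request, len = 32 */
    arena[3] = 'h';  arena[4] = 'i';                    /* bytes really sent */
    memcpy(arena + 16, SECRET, sizeof SECRET - 1);      /* adjacent memory   */
    int n = use_patched
        ? heartbeat_patched(arena, 5, (unsigned char *)echo, echo_cap - 1)
        : heartbeat_vulnerable(arena, 5, (unsigned char *)echo, echo_cap - 1);
    echo[n > 0 ? n : 0] = '\0';
    return n;
}

/* 1 if the reply carried the neighbouring data, 0 otherwise. */
int secret_leaked(int use_patched) {
    char echo[ARENA];
    run_heartbeat(use_patched, echo, sizeof echo);
    return strstr(echo, SECRET) != NULL;
}
```

The vulnerable handler returns 32 bytes containing the neighbouring data; the patched one rejects the record outright, which is why the fix was a one-line length comparison rather than any change to the encryption itself.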

This story is developing.