April 14, 2014

Heartbleed and heartbreak that NSA didn't warn us about but exploited for itself

The biggest flaw in Internet history affecting as many as two-thirds of the world's websites.

The Heartbleed bug lets hackers eavesdrop on supposedly secure communications.

German developer Dr Robin Seggelmann admitted he wrote the code. It was then reviewed by other members and added to the OpenSSL software. This addition led to the Heartbleed flaw in the open-source program.
The code was added in December 2011, and no one picked up the error.

As if the fact that we all have to change our passwords yet again were not bad enough, Bloomberg reports: NSA Said to Exploit Heartbleed Bug for Intelligence for Years.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”
“We’ve never seen any quite like this,” said Michael Sutton, vice president of security research at Zscaler, a San Jose, California-based security firm. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”

The potential stems from a flawed implementation of the protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

Ace comments: What the hell. What the unholy hell.

This is scary. I'm not even so much bothered by the NSA itself preserving a backdoor into my private stuff. I always figured they could do that anyway, if they wanted.

But they've also exposed everyone to criminal hacking and even compromise by foreign intelligence services.

What the hell. What the unholy hell.

Biz Insider: Here's How To Protect Yourself From The Massive Security Flaw That's Taken Over The Internet

Security firms are urging users to only change passwords on sites that have confirmed they are safe.

'Changing your password on a vulnerable site makes little difference because the site is still open to attack…. This means your old password would have been at risk, but you're also giving hackers access to your new password - a double whammy.'

Affected sites include a number of Google services, including Gmail and YouTube, Facebook, Tumblr, Yahoo and Dropbox. All of these sites have been patched and security experts are advising people to change their passwords on these accounts, even if the sites themselves aren't issuing the advice.

Business Insider: Find Out Instantly If A Site Has Been Infected By 'Heartbleed'

Posted by Jill Fallon at April 14, 2014 11:21 AM