About Me

This site is the inspiration of a former reporter/photographer for one of New England's largest daily newspapers and for various magazines. The intent is to direct readers to interesting political articles, and we urge you to visit the source sites. Any comments may be noted on site or directed to KarisChaf at gmail.

Friday, April 11, 2014

Has the NSA Been Using the Heartbleed Bug as an Internet Peephole? -- By Kim Zetter, Wired, Threat Level

When ex-government contractor Edward Snowden exposed the NSA’s widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort. Even Snowden touted encryption as a saving grace in the face of the spy agency’s snooping. “Encryption works,” the whistleblower said last June. “Properly implemented strong crypto systems are one of the few things that you can rely on.”

But Snowden also warned that crypto systems aren’t always properly implemented. “Unfortunately,” he said, “endpoint security is so terrifically weak that NSA can frequently find ways around it.”

This week, that caveat hit home — in a big way — when researchers revealed Heartbleed, a two-year-old security hole involving the OpenSSL software many websites use to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to ten, cryptographer Bruce Schneier ranks the flaw an eleven.

Though security vulnerabilities come and go, this one is deemed catastrophic because it’s at the core of SSL, the encryption protocol so many have trusted to protect their data. “It really is the worst and most widespread vulnerability in SSL that has come out,” says Matt Blaze, cryptographer and computer security professor at the University of Pennsylvania. But the bug is also unusually worrisome because it could possibly be used by hackers to steal your usernames and passwords — for sensitive services like banking, ecommerce, and web-based email — and by spy agencies to steal the private keys that vulnerable web sites use to encrypt your traffic to them.

A Google employee was among those who discovered the hole, and the company said it had already patched any of its vulnerable systems prior to the announcement. But other services may still be vulnerable, and since the Heartbleed bug has existed for two years, it raises obvious questions about whether the NSA or other spy agencies were exploiting it before its discovery to conduct spying on a mass scale.

“It would not at all surprise me if the NSA had discovered this long before the rest of us had,” Blaze says. “It’s certainly something that the NSA would find extremely useful in their arsenal.”
