Pegasus Research Consortium

General Category => General Discussion Area => Topic started by: sky otter on April 09, 2014, 04:32:37 AM

Title: Critical Security Bug 'Heartbleed'
Post by: sky otter on April 09, 2014, 04:32:37 AM

Embedded links throughout the article




Critical Security Bug 'Heartbleed' Hits Up To 66 Percent Of The Internet


The Huffington Post | by Betsy Isaacson | Posted: 04/08/2014 5:08 pm EDT Updated: 04/08/2014 5:59 pm EDT

The Heartbleed bug has affected the back end of a full two thirds of the internet. As much as 66 percent of the Web may have been compromised by a newly revealed security flaw called Heartbleed.

So named by the researchers who discovered it, Heartbleed is a bug that affects an important internet security protocol called SSL. Specifically, it affects one particular implementation of SSL called OpenSSL.

For context (and to understand how bad Heartbleed is), here's how SSL and OpenSSL work: Every time you log into a website, your login credentials are sent to that website's server. But in most cases those credentials aren't simply sent to the server in plain text -- they're encrypted using a protocol called Secure Sockets Layer, or SSL.

As with most protocols, different software makers have created different implementations of SSL. One of the most popular is an open-source implementation called OpenSSL, used by an estimated two thirds of currently active websites.

Heartbleed is a bug in OpenSSL. Hackers can exploit Heartbleed to get raw text from emails, instant messages, passwords, even business documents -- anything a user sends to a vulnerable site's server.

And the scariest part? The Heartbleed security flaw existed for nearly two years before it was discovered by legitimate researchers. That's plenty of time for black-hat hackers to have discovered and exploited the bug.

So what can users do? Matthew Prince, CEO of content delivery network Cloudflare, one of the first businesses to be notified of the bug, told The Huffington Post that sadly, there's not much normal netizens can do to protect themselves. "When you finish using a website, make sure to actively log out," Prince advised -- that makes it less likely that a hacker exploiting Heartbleed will be able to take your personal information.

Prince also put in a word of comfort: "Heartbleed is so serious -- it's such a big, bad event -- that almost every major service is scrambling to clean it up as quickly as possible." He estimated that most currently vulnerable websites will be "patched" by the end of the week.

Though a number of major websites have already been patched, others, including OKCupid, Flickr, Imgur and Yahoo.com, reportedly remain vulnerable to Heartbleed.

Users can test if their favorite websites are vulnerable here, though this service is reportedly not 100 percent reliable. Vulnerable sites should not be logged into until they're patched -- check those sites' blogs or Twitter feeds for updates -- and once a website has its patch in place, you should change your password for that site as soon as possible.



http://www.huffingtonpost.com/2014/04/08/heartbleed-66-percent_n_5112793.html
Title: Re: Critical Security Bug 'Heartbleed'
Post by: thorfourwinds on April 09, 2014, 04:51:40 PM

(http://www.thelivingmoon.com/gallery/albums/userpics/10005/HeartBleed_TLM_test.png)


Test your server for Heartbleed (CVE-2014-0160) (http://filippo.io/Heartbleed/)
Title: Re: Critical Security Bug 'Heartbleed'
Post by: sky otter on April 11, 2014, 04:28:17 AM


Little Internet users can do to thwart 'Heartbleed' bug

By Jim Finkle of Reuters

BOSTON (Reuters) - Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until vulnerable websites upgrade their software.

Researchers have observed sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running a widely used Web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers.

OpenSSL is used on about two-thirds of all Web servers, but the issue has gone undetected for about two years.

Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.

By Tuesday, Kaspersky had identified such scans coming from "tens" of actors, and the number increased on Wednesday after security software company Rapid7 released a free tool for conducting such scans.

"The problem is insidious," Baumgartner said. "Now it is amateur hour. Everybody is doing it."

OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.

"There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure.

Representatives for Facebook Inc, Google and Yahoo Inc told Reuters they have taken steps to mitigate the impact on users.

Google spokeswoman Dorothy Chou told Reuters: "We fixed this bug early and Google users do not need to change their passwords."

Ty Rogers, a spokesman for Amazon.com Inc, said "Amazon.com is not affected."

In a blogpost dated Tuesday, the company said some of its Web cloud services, which provide the underlying infrastructure for apps such as online movie-streaming service Netflix and social network Pinterest, had been vulnerable. While it said the problems had been fixed, the company urged users of those services, which are popular in particular among the tech startup community, to take extra steps such as updating software.

Kaspersky Lab's Baumgartner noted that devices besides servers could be at risk because they run software programs with vulnerable OpenSSL code built into them.

They include versions of Cisco Systems Inc's AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks.

Steve Marquess, president of the OpenSSL Software Foundation, said he could not identify other computer programs that used OpenSSL code that might make devices vulnerable to attack.

CLEANING UP MESS

Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet companies to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.

That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net Inc. "There's going to be lots of chaotic mess," he said.

Symantec Corp and GoDaddy, two major providers of SSL technology, said they do not charge for reissuing keys.

Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organizations to implement the multiple steps to clean up the bug, which means it will take some a long time to do so.

"Due to the complexity and difficulty in upgrading many of the affected systems, this vulnerability will be on the radar for attackers for years to come," he said.

Hypponen of F-Secure said computer users could immediately change passwords on accounts, but they would have to do so again if their operators notify them that they are vulnerable.

"Take care of the passwords that are very important to you," he said. "Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely."

(Reporting by Jim Finkle; Additional reporting by Joseph Menn; Editing by Leslie Adler, Dan Grebler and Mohammad Zargham)


http://news.msn.com/science-technology/little-internet-users-can-do-to-thwart-heartbleed-bug
Title: Re: Critical Security Bug 'Heartbleed'
Post by: burntheships on April 11, 2014, 05:12:03 AM
NSA Sets Its Sights on SSL

Quote: Although the NSA could use the Heartbleed vulnerability to obtain usernames and passwords (as well as so-called session cookies to access your online accounts), this would only allow them to hijack specific accounts whose data they obtained.
For the NSA and other spies, the real value in the vulnerability lies in the private keys used for SSL that it may allow attackers to obtain.

Cracking SSL to decrypt internet traffic has long been on the NSA's wish list. Last September, the Guardian reported that the NSA and Britain's GCHQ had "successfully cracked" much of the online encryption we rely on to secure email and other sensitive transactions and data.
http://www.wired.com/2014/04/nsa-heartbleed/
Title: Re: Critical Security Bug 'Heartbleed'
Post by: Ellirium113 on April 11, 2014, 11:32:50 PM
LOL They make it sound like they haven't already known about it.  ;D

NSA Said to Exploit Heartbleed Bug for Intelligence for Years

Quote: The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts.

Quote: Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations' intelligence arms and criminal hackers.

Quote: Vanee Vines, an NSA spokeswoman, declined to comment on the agency's knowledge or use of the bug. Experts say the search for flaws is central to NSA's mission, though the practice is controversial. A presidential board reviewing the NSA's activities after Edward Snowden's leaks recommended the agency halt the stockpiling of software vulnerabilities.

The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html (http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html)

The panic to fix it is because someone ELSE found it now.
Title: Re: Critical Security Bug 'Heartbleed'
Post by: burntheships on April 12, 2014, 04:46:05 AM
Quote from: Ellirium113 on April 11, 2014, 11:32:50 PM

The panic to fix it is because someone ELSE found it now.

It is pretty telling, they had a good run and probably
already set to bug the next round.

:D
Title: Re: Critical Security Bug 'Heartbleed'
Post by: starwarp2000 on April 12, 2014, 01:58:00 PM
LOL! ROTFL  ;D

The NASA has compromised every aspect of the Internet for years:

Deal 1 with RSA (The encryption algorithm that signs your SSL certificates).

http://www.crn.com.au/News/368317,nsa-paid-rsa-10m-for-encryption-backdoor.aspx (http://www.crn.com.au/News/368317,nsa-paid-rsa-10m-for-encryption-backdoor.aspx)

http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220 (http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220)

Deal 2 with Verisign (they issue all the certificates to Companies).

http://windypundit.com/2013/08/does-the-nsa-have-a-ca/ (http://windypundit.com/2013/08/does-the-nsa-have-a-ca/)

Just like the Email reading scandal, everyone speculated about it, they swore black and blue about it (and even perjured themselves in a court of law) and then came out and said they were doing it all along. It went to the Senate, they pass a bill saying they can continue doing it. Same thing here. It's all a stonewall to get it into public digestion, for the public to make an outcry, and then for the Senate to pass it all into law. Of course all the Libertarian, Latte Slurping Groupies will love it. It's all for American Freedom!
Title: Re: Critical Security Bug 'Heartbleed'
Post by: zorgon on April 12, 2014, 06:52:17 PM
Quote from: starwarp2000 on April 12, 2014, 01:58:00 PM. It's all for American Freedom!

Well... so far with all the reporting of spook activity we do here... no one has knocked on the door other than that one spook from DIA/AF Intel and that was a very positive experience :D

So maybe... just maybe... it IS all for American Freedom!

Either that or we have a Guardian Angel ;)


years ago.... 2006  when Pegasus first started...

http://www.youtube.com/watch?v=3knYQaK1yDc
Title: Re: Critical Security Bug 'Heartbleed'
Post by: sky otter on April 30, 2014, 04:26:21 AM



Heartbleed used to uncover data from cyber-criminals
By Mark Ward
Technology correspondent, BBC News
29 April 2014 Last updated at 07:53 ET 


The Heartbleed bug has turned cyber criminals from attackers into victims as researchers use it to grab material from chatrooms where they trade data.

Discovered in early April, Heartbleed lets attackers steal data from computers using vulnerable versions of some widely used security programs.

Now it has given anti-malware researchers access to forums that would otherwise be very hard to penetrate.

The news comes as others warn that the bug will be a threat for many years.

French anti-malware researcher Steven K told the BBC: "The potential of this vulnerability affecting black-hat services (where hackers use their skills for criminal ends) is just enormous."

Heartbleed had put many such forums in a "critical" position, he said, leaving them vulnerable to attack using tools that exploit the bug.

The Heartbleed vulnerability was found in software, called OpenSSL, which is supposed to make it much harder to steal data. Instead, exploiting the bug makes a server hand over small chunks of the data it has just handled - in many cases login details or other sensitive information.

Mr K said he was using specially written tools to target some closed forums called Darkode and Damagelab.

"Darkode was vulnerable, and this forum is a really hard target," he said. "Not many people have the ability to monitor this forum, but Heartbleed exposed everything."

Charlie Svensson, a computer security researcher at Sentor, which tests companies' security systems, said: "This work just goes to show how serious Heartbleed is. You can get the keys to the kingdom, all thanks to a nice little heartbeat query."

Individuals who repeat the work of security researchers such as Mr K could leave themselves open to criminal charges for malicious hacking.

Threat 'growing'

The widespread publicity about Heartbleed had led operators of many websites to update vulnerable software and urge users to change passwords.

Paul Mutton, a security researcher at net monitoring firm Netcraft, explained that while that meant there was no "significant risk of further direct exploitation of the bug", it did not mean all danger had passed.

He said the problem had been compounded by the fact that a large number of sites had not cleaned up all their security credentials put at risk by Heartbleed.

In particular, he said, many sites had yet to invalidate or revoke the security certificates used as a guarantee of their identity.

"If a compromised certificate has not been revoked, an attacker can still use it to impersonate that website," said Mr Mutton.

In addition, he said, web browsers did a poor job of checking whether security certificates had been revoked.

"Consequently, the dangers posed by the Heartbleed bug could persist for a few more years."

His comments were echoed by James Lyne, global head of security research at security software developer Sophos.

"There is a very long tail of sites that are going to be vulnerable for a very long time," said Mr Lyne, who pointed out that the list of devices that Heartbleed put at risk was growing.

Many so-called smart devices, such as home routers, CCTV cameras, baby monitors and home-management gadgets that control heating and power, were now known to be vulnerable to Heartbleed-based attacks, he said.

A survey by tech news site Wired found that smart thermostats, cloud-based data services, printers, firewalls and video-conferencing systems were all vulnerable.

Other reports suggest the makers of some industrial control systems are also now producing patches for their software to limit the potential for attack.

How tempting this was for malicious attackers was difficult to gauge, said Mr Lyne.

"We do not really know how much Heartbleed is being used offensively because it's an attack that is hard to track and log."


http://www.bbc.com/news/technology-27203766