Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Allegedly Exploited Heartbleed

Posted by Soulskill on from the according-to-somebody-who-may-or-may-not-be-a-person dept.

squiggleslash writes: "One question arose almost immediately upon the exposure of Heartbleed, the now-infamous OpenSSL exploit that can leak confidential information and even private keys to the Internet: Did the NSA know about it, and did they exploit if so? The answer, according to Bloomberg, is 'Yes.' 'The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.'" The NSA has denied this report. Nobody will believe them, but it's still a good idea to take it with a grain of salt until actual evidence is provided. CloudFlare did some testing and found it extremely difficult to extract private SSL keys. In fact, they weren't able to do it, though they stop short of claiming it's impossible. Dan Kaminsky has a post explaining the circumstances that led to Heartbleed, and today's xkcd has the "for dummies" depiction of how it works. Reader Goonie argues that the whole situation was a failure of risk analysis by the OpenSSL developers.

27 of 149 comments (clear)

  1. Conflict of interest by benjfowler · · Score: 5, Insightful

    Why even have the same agency responsible for foreign electronic intelligence and put them in charge of "cyberdefence" (how I hate that term..).

    It's a massive conflict of interest. You're virtually begging them to find and then sit on dangerous exploits.

  2. Obligatory xk..... by Anonymous Coward · · Score: 5, Funny

    YOU SON OF A BITCH

  3. This seems plausable by capedgirardeau · · Score: 3, Insightful

    I can understand this happening. It would make sense that the NSA would have someone or multiple people review every patch and check-in for a package as important as OpenSSH, just looking for exploitable mistakes.

    I would not be surprised if they review a great deal of FOSS software they deem important to national security.

    --
    Wax on, wax off baby!
    1. Re:This seems plausable by JDG1980 · · Score: 3, Interesting

      Then it is analyzed by genius hackers who are paid top dollar for the job.

      "Top dollar"? This is a government agency. They pay based on the GS scale. Even if the NSA's security hackers were classified at GS-15 (the highest rate), that's about $120K a year to begin – if they really are "geniuses" then they could do better in Silicon Valley, and probably feel better about their jobs as well.

      In general, the GS scale pays somewhat more than typical private-sector rate for low-end jobs, but considerably less for high-end jobs.

      Government contractors rake in the dough, but that money goes to politically-connected businessmen, not rank-and-file employees.

    2. Re:This seems plausable by Smallpond · · Score: 3, Interesting

      This patch was submitted at 7pm on Dec 31st, 2011, so the only people looking at it were the ones expecting it. I guess they were not disappointed.

      http://git.openssl.org/gitweb/...

  4. This sounds likely by gurps_npc · · Score: 4, Insightful

    The basic fact is, if they did not exploit it, then someone working for them is thinking "DAMN, I wish I thought of using that!"

    --
    excitingthingstodo.blogspot.com
  5. Re:It's not a bug by NoKaOi · · Score: 5, Insightful

    it's a (NSA) feature...

    Even if it's not an NSA feature...of course the knew about it! They would have to be even more incompetent than we think not to. They are HUGE, with something like 40,000 employees. At least of few of those employees must be dedicated to code review of OSS looking for vulnerabilities, and more in general looking for vulnerabilities in any widely used software. And if that's the case, then you'd think OpenSSL would be one of the first things they'd look at. The fact that they didn't tell anyone though shows that the S is NSA is bullshit. They cared more about being able to exploit the vulnerability themselves than making their country's computers more secure. If they cared one shit about their country's security then they'd have big teams dedicated to finding software vulnerabilities and working with vendors to fix them.

  6. Re:NSA put the bug there, of course they exploited by 93+Escort+Wagon · · Score: 4, Informative

    The author of this bug and the reviewer of the commit have both been very forthcoming about the mistake. There's little reason to suspect malicious intent in this particular instance.

    That doesn't mean the NSA didn't know about it or exploit it, though.

    --
    #DeleteChrome
  7. You don't understand, yep! by rjh · · Score: 5, Informative

    One cannot simply sue a branch of the government without asking permission from the government to allow it to be sued - guess how often THAT happens?

    Glad you asked: it happens all the time, ever since the Tort Claims Act of 1948 substantially waived the sovereign immunity doctrine. You can read more about it at Wikipedia.

    People sue the government all the time. It's literally an everyday occurrence.

    1. Re:You don't understand, yep! by rjh · · Score: 3

      I'm not weighing in on that one. I'm only correcting the original poster, who said the U.S. rarely waives sovereign immunity. In fact, the opposite is true: it rarely invokes it. Tens of thousands of tort claims against the U.S. government are underway even as we speak, all of them with waived sovereign immunity.

  8. It's time we own up to this one by Bruce+Perens · · Score: 4, Insightful

    OK guys. We've promoted Open Source for decades. We have to own up to our own problems.

    This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.

    But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.

    --
    Bruce Perens.
    1. Re:It's time we own up to this one by Anonymous Coward · · Score: 5, Insightful

      The problem with open source when it comes to things like this is that there are so few people who are even qualified to implement protocols like this, and even fewer of them who are willing to work for nothing. The community needs to pony up some cash to have important projects audited like what they are trying to do with TrueCrypt right now.

    2. Re:It's time we own up to this one by Bruce+Perens · · Score: 3, Informative

      I'd say more than just the "community". We have a great many companies that incorporate this software and generate billions from the sales of applications or services incorporating it, without returning anything to its maintenance.I think it's a sensible thing to ask Intuit, for example: "What did you pay to help maintain OpenSSL?". And then go down the list of companies.

      --
      Bruce Perens.
    3. Re:It's time we own up to this one by Bruce+Perens · · Score: 4, Interesting

      I have to say I'm even less confident in the plan to couple it to DNSSEC.

      --
      Bruce Perens.
    4. Re:It's time we own up to this one by bill_mcgonigle · · Score: 4, Insightful

      This was a failure in the Open Source process.

      Indeed. People have been saying for years that the OpenSSL code leaves much to be desired but nobody dares fix it because it might break something (needed: comprehensive unit tests).

      There's been a bug filed for years saying that the code won't build with the system malloc, which in turn prevents code analysis tools from finding use-after-free conditions. The need here is less clear - leadership of the project has not made such a thing a priority. It's not clear that funding was the sole gating factor - commit by commit the code stopped working with the system malloc and nobody knew or cared.

      Sure, a pile of money would help pick up the pieces, but lack of testing, continuous integration, blame culture, etc. might well have prevented it in the first place.

      We still have sites like Sourceforge that are solving 1997 problems, like offering download space and mailing lists when what we need today is to be able to have continuous integration systems, the ability to deploy a vm with a complex project already configured and running for somebody to hack on, etc.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:It's time we own up to this one by hawguy · · Score: 3, Interesting

      It was discovered and fixed so quickly *because* it's open source

      For crikessakes, the heartbleed vulnerability existed for over 2 years before being discovered and fixed!

      Sorry my bad, that sentence was confusing -- I meant the fix was fast, not finding the bug.

      An exact timeline for Hearthbleed is hard to find, but it looks like there was some responsible disclosure of the bug to some large parties about a week before public disclosure and release of the fixed SSL library.

      In contract, Apple learned of its SSL vulnerability over a month before they released an IOS patch and even after public disclosure of the bug, it was about a week before they released the OSX patch. And just like the OpenSSL bug, Apple's vulnerability was believed to have been in the wild for about 2 years before detection. (of course, since the library code was opensourced by Apple, several unofficial patches were released before Apple's official patch).

    6. Re:It's time we own up to this one by AHuxley · · Score: 3, Informative

      Re even qualified to implement protocols like this. Thats a very interesting point. How many have their tools of the trade via a top university settings and a security clearance option and dependant funding.
      Once you start down the math path the classes get smaller and fewer stay for needed years vs lure of private sector telco or unrelated software work.
      Most nations really do produce very few with the skills and keep them very happy.
      Trips, low level staff to help, good funding, guidance, friendships all just seem to fall into place.
      Bringing work home and helping open source could be seen as been an issue later vs students or team members who did open source games or made apps.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:It's time we own up to this one by l0n3s0m3phr34k · · Score: 4, Insightful

      Exactly! Everyone can get to the source, the whole point of OSS is that the companies themselves can (and should, from a risk-analysis point) be reviewing all the code too before implementation...it's along the lines "you get what you pay for" yet at least here everyone is given the chance to see exactly what's being run (as opposed to pre-compiled apps). IMHO, this really isn't an OpenSSL issue as much as a failing of due diligence by all the companies using it. The admin's excuse of "well, we don't actually know what the code says" fails here, and anyone over the past two years could have reviewed it themselves and fixed this! Maybe this will spur corps to actually review code of critical infrastructure when it's avalible as part of corp policy from now on, perhaps the insurance companies who do "Errors and Omissions" policies will start forcing corps to do that; kinda surprised that this isn't already a standard policy, as code review of OSS is one of it's main strengths and if your company doesn't do it then their missing out on one of the biggest assets of using OSS.

    8. Re:It's time we own up to this one by mpe · · Score: 3, Insightful

      SSL is a much worse problem in itself. Relying on some "trustworthy" certificate authority sounds like a good idea, huh?

      This might be more an issue of how it is being used. Not everything using SSL also uses "certificate authorities". Theres also no reason why software which odes can't give a warning if the CA were to unexpectedly change.

      It's a completely broken idea, especially in this age when the worst enemy is the own government.

      Has there been a time, at least within modern history, where this has not really been the case?

  9. Fork it. by grub · · Score: 4, Funny


    Theo de Raadt should fork OpenSSL. He could call it OpenOpenSSL.

    .

    --
    Trolling is a art,
  10. According to who? by radarskiy · · Score: 3, Insightful

    Bloomberg is the reporting organization, so they can't bee the source. They name no sources, just "two people familiar with the matter", which could mean they asked me twice.

  11. Re:It's not a bug by Arker · · Score: 3, Interesting

    Maybe, of course we cannot just believe them after seeing them repeatedly lying to Congress, but it strikes me likely in this particular case they are telling the truth. This bug, unless I am misunderstanding, essentially lets you read from a small contiguous pseudo-random block of memory. That's obviously not acceptable from a defender point of view - it could potentially expose any and all information so it's a severe flaw - but from an attackers point of view it seems less impressive.

    You could probably try this thousands of times without actually obtaining any information of value. Sure, you might luck out and get the keys to the kingdom, but it seems like a crapshoot. From an attackers point of view, this might be better than nothing, but unless they have pretty near nothing to start from, it does not seem exciting.

    And we know they have a lot more than nothing to start from. With Total Surveillance in effect on the net, with rootkits and zero-day exploits to deliver them, it's just really hard to see how this would add anything substantial to their toolkit.

    No, I suspect this is exactly what it appears to be - a critical bug resulting from too much emphasis on fast and not enough on good. That's hardly unique to OpenSSL, it's a chronic problem across the industry as a whole.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  12. Highly likely that NSA knew early on by JKAbrams · · Score: 3, Interesting

    Actually I wrote this yesterday but was unable to publish it:
    ...
    I have not yet grasped the full scope of the implications of this bug, but if you take the stance that things that could have been done also has been done (imho the only safe assumption), is this a good characterization? Or are there any limiting factors that makes this impossible? Like for example the amount of memory that could be leaked while the application is running (as servers aren't restarted often) is certain information that is stored statically in memory potentially not reachable?

    During the last two years:
    1. Any/all certificates used by servers running openssl 1.0.1 might have been compromized and should be revoked (the big cert-reset of 2014?)
    2. Because of 1, any/all data sent over a connection to such servers might now be know by a bad MITM (i.e. for large scale: the various security services/hostile ISPs, local scale/targeted attacks: depends on who else happened to know, and this person/organization happened to be your adversary, looks unlikely, but who knows...)
    3. Any/all data stored in SSL-based client applications might have been compromised.

    From a users perspective - change all passwords/keys that has been used on applications based on openSSL-1.0.1? How to know what services? To be safe, change them all? Consider private data potentially sent over SSL to be open and readable by the security services?

    Thinking about the large-scale:
    For how long has the NSA been picking up information leaked by Heartbleed (assuming that they have at least since late evening the 7:th or early morning the 8:th seems a given)?
    -Not in the Snowden documents that has been revealed so far (absence of proof != proof of absence, but language might give a hint)
    -No report of unusual heartbeat streams being spotted in the wild (was anyone looking?)

    Let's assume for the sake of argument the NSA does not have people actually writing the OpenSSL code in the first place.
    When did they know about it's existence?

    time_to_find_bug = budget * complexity_of_bug / size_of_sourcecode * complexity_of_sourcecode * intention_to_find_bugs

    Where
    budget = manpower * skillset
    and
    time_to_find_bug < inf.
    when
    skillset >= complexity_of_bug

    Heartbeat bug:
    complexity_of_bug = low

    OpenSSL:
    size_of_sourcecode = 376409 lines of code (1.0.1 beta1)
    complexity_of_sourcecode = high

    NSA:
    intention_to_find_bugs = 1
    budget = $20 * 10^9 ?
        => manpower = 30k ?
           skillset = high

    Guesstimate: one to a few months -> early 2012 to go through the changes made to 1.0.1 building on earlier work already done on the 0.8.9 branch...
    ...
    Or to say it another way, I think it is safe to assume that, given the simplicity of the bug, NSA knew about Heartbleed in early on. The anonymous comments to Bloomberg gives nice confirmation of this.

  13. Heartbleed Challenge Over by xvx · · Score: 5, Interesting

    Welp, that didn't take long. Looks like someone solved CloudFlare's Heartbleed Challenge and got their private server key...

  14. Failure of risk analysis by more than OpenSSL devs by Goonie · · Score: 4, Informative

    Just a minor correction - my piece does indeed suggest that the OpenSSL developers have some strange priorities. However, it lays the larger blame at the companies that used OpenSSL, when all the information necessary to suggest that this kind of thing could happen was already available, and the potential consequences for larger companies of a breach are easily enough to justify throwing a little money at the problem (which could have been used any number of ways to help prevent this).

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  15. Obfuscated Variable Names by Sanians · · Score: 3, Informative

    I challenge anybody to review it and find (or notice) the bug.

    It's actually kind of easy to see. I just use the same trick I use when trying to read almost anyone's code: I assume that some jackass obfuscated all of his variable names and so I rename them as I figure out what they actually represent so that the new names actually describe the variable. Once that's complete, I'm left with "memcpy(pointer_to_the_response_packet_we_are_constructing, pointer_to_some_bytes_in_the_packet_we_received, some_number_we_read_out_of_the_packet_we_received)" and it immediately raises a red flag.

    ...but more seriously, the code in that check-in is why I hate to let anyone work on any programming projects with me. Worthless variable names create code that's as worthless as English text that refers to everything as "that stuff" and "those things." It's just a step away from choosing purposefully obfuscated variable names. If the variable is named "payload" then not only should it be the actual payload data, rather than just its size, but it should also be the only payload in existence such that no distinction needs to be made between "received_payload" and "payload_to_be_sent." ...and then there's the single-letter variables, some of which are incremented at times so that they don't even consistently refer to the same thing over time, creating a variable that not only doesn't indicate what it refers to, but one which actually might refer to anything.

    I've read that the reason there's a packet length sent from the remote host is because this data is sent with random padding bytes added to each packet and so the packets need to indicate how much of the data is actually valid. So why isn't the packet size figured out closer to when the data first enters the program? First thing I would do when receiving a packet is read out this packet size, verify that the actual size of received packet is large enough to contain it, and toss the packet if it wasn't large enough since it was obviously corrupted (or malicious). Then I'd write the size into a structure for the packet's meta-data, along with any other data we find in every packet (like a packet type number), and every other part of the entire program would read the data from that structure. That's how you do these things. Everything received is "tainted" and, once you verify it isn't poisonous, you move it out into a data structure that the rest of your program trusts. Otherwise you have every piece of code that needs that data having to verify it every time it accesses it which just creates enormous opportunity for error.

    So when you come across code like this which pulls data out of the packet and just uses it, it isn't just wrong, but it doesn't even resemble anything that might be correct. Thus, the poor variable naming just might be why this wasn't noticed. Since the data pulled out of the packet is stored into a variable named "payload" it's easy to imagine it's simply payload data, which doesn't have to be checked as it won't ever be used for anything other than being returned to the remote host, and so the absence of code that checks the validity of that data might be expected. If it were named even something as ambiguous as "payload_size" then you have to immediately wonder if it's a size that needs to be checked against anything when you see it being pulled out of a buffer of untrusted data. ...but then, you don't see that either, since the pointer is named "p" which doesn't scream "this is untrusted data" and, even if you look above to see that "p" was assigned from "&s->s3->rrec.data[0]" you're still left wondering what the fuck that might be. Maybe "rrec" refers to some sort of received record? Fuck, who knows.

    I mean, right after the memcpy I see "RAND_pseudo_bytes(p, padding)." Is this even putting the padding bytes in the correct place? Well, "p" could be a pointer to anything so it's pretty easy to assume it could be correct. Hel

  16. Private key compromise is indeed possible by pop+ebp · · Score: 4, Informative

    CloudFlare has retracted their statement that private key compromise is very hard. They started a challenge and at least 2 people successfully got private keys from their Heartbleed-enabled server with as few as 100K requests. (I am sure that with some optimization, the number could be even lower.)