Quotw That whole Heartbleed bug thing just kept running on and on this week, first with accusations that the National Security Agency had defied its brief by knowing about the security breach and doing stuff-all about it.
The Heartbleed flaw, which was revealed last week, allows attackers to access passwords, crypto-keys and other sensitive information from systems using OpenSSL 1.0.1 to 1.0.1f for secure connections. Despite its mandate to defend the security of national communications, the NSA reportedly used the flaw for its own hacking purposes and never warned folks their information was at risk.
Sources whispered of the agency's nefarious doings to Bloomberg, but the NSA tweeted that it did no such thing:
NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
If it does turn out to be true, the cybersecurity world is not going to be very impressed with the agency, former Air Force cyber office Jason Healey said:
It flies in the face of the agency's comments that defense comes first.They are going to be completely shredded by the computer security community for this.
Meanwhile, the man behind the bug, Robin Seggelmann said that the problem might be that there just weren't enough people working on OpenSSL to stop things like this from happening. Segelmann kicked off the security flaw that rocked the IT world with a simple mistake - he forgot to check the size of a received message, allowing hackers to take a picture of attacked software and extract sensitive data.
A possibility arose that granted access to security-relevant data, and a really simple mistake now has serious consequences. Whether the now known and fixed bug has been exploited by intelligence agencies or others is difficult to assess.
But it was a mistake that may have been rectified if there were more than just four volunteers working on the open source project and relying on donations and sponsorship for funds. Segelmann said:
It is important to monitor critical and safety-related software as often as possible. This is the great advantage of open source software: it is freely available to anyone who wishes to participate.
Unfortunately, despite very wide distribution and use by millions of users, OpenSSL does not have adequate support. In spite of its many users, there are very few who actively participate in the project.
Then, security researchers noticed that testing for the bug with websites and other tools may actually be illegal since computer abuse acts in the UK and the US forbid folks from challenging the security of third-party websites without said websites' permission.
Although checking what version of OpenSSL a site is running and whether it supports the vulnerable Heartbeat protocol might be all right, doing anything more active could get people in trouble.
Computer security researcher David Litchfield said:
I would say it would certainly contravene the Computer Misuse Act in the UK. This is no different than say testing to see if a site is vulnerable to SQL injection. It's not legal without permission.
But IT lawyer Dai Davis said the "violation" would be unlikely to be enforced:
Under UK law you could argue running scans is just about criminal. It's not in the spirit of the law but the Computer Misuse Act is badly written.
Legal or not, it's happening, Akamai security researcher Martin McKeay tweeted:
And finally for Heartbleed news, Australia's Commonwealth Bank attempted to reassure customers that it was not at risk and ended up freaking the crap out of them. A bank representative said in a blog post:
I’m happy to report that our customers can rest assured we are patched against the ‘Heartbleed’ bug and you do not need to change your NetBank password.
Which made everyone think that the bank had been vulnerable before it managed to patch it up. Readers commenting on the post pointed out that the information was a bit ambiguous, so the bank replied with this statement:
… you do not need to change your NetBank password. We are patched against the Heart Bleed bug. We are dedicated to ensuring our data and that of our customers is safe and secure. We take matters of security very seriously and our security teams are always up to date with all of the latest security developments so that we can continually strengthen the protections we have in place.
Which didn't answer the question at all. Customers started demanding a straight answer and getting cut-and-pastes of the same stock statement, which made some of them downright irate:
As a bank customer and frequent user of the CBA's websites, the bank's response to this major international security incident leaves me with absolutely no confidence whatsoever in the technical competence of your team.
The parrot-fashion canned responses the bank has apparently authorised to be issued on its behalf would seem to me to be a clear indication that CBA is hiding the truth about the situation, and displays a level of contempt for its customers which is frankly difficult to fathom.
Under the circumstances, I feel my only reasonable recourse is to close my business account with you immediately, and to recommend the same course of action to your other customers.
Eventually, the bank managed to get across in plain English:
NetBank does not (and did not) use OpenSSL. All customer data is safe, so customers do not need to change their NetBank passwords or take any action.
But likely a little late to provide the reassurance it was hoping for.
Meanwhile, file-sharing service Dropbox has been attempting to explain why it reckons a wiretap-supporting, surveillance-happy Bush-era politician like Condoleeza Rice is a good fit for its board.
Dropbox appears to have the same sense of timing as a farter in a lift, announcing the appointment in an atmosphere of NSA paranoia and Hearbleed terror last week.
The internet replied (in the form of comments on the blog post announcing the appointment):
Condoleezza Rice is here to help Dropbox 'navigate privacy concerns'. That's like saying you have appointed Hitler head of your Jew Outreach Program. Has Dropbox really fallen so low?
Good bye. I'm giving you folks a day to reverse this. Otherwise I'm gone. What the hell are you folks thinking? Moving past her role in a dark part of our shared history, she can't possibly have any political capital outside of the US and limited capital in the US.
And on Twitter:
Now that Condoleezza Rice has access to the Dropbox database maybe she can find evidence of the famous weapons of mass destruction.— Laurent Sansonetti (@lrz) April 10, 2014
But Dropbox quickly moved to defend itself, saying:
There’s nothing more important to us than keeping your stuff safe and secure. It’s why we’ve been fighting for transparency and government surveillance reform, and why we’ve been vocal and public with our principles and values. We should have been clearer that none of this is going to change with Dr. Rice’s appointment to our Board. Our commitment to your rights and your privacy is at the heart of every decision we make, and this will continue.
We're honoured to have Dr. Rice join our board - she brings an incredible amount of experience and insight into international markets and the dynamics that define them. As we continue to expand into new countries, we need that type of insight to help us reach new users and defend their rights. Dr. Rice understands our stance on these issues and fully supports our commitments to our users.
And finally, Microsoft's end to Windows XP support has come all too soon for the US Internal Revenue Service, which has missed the deadline to sort its IT out. Speaking at a budget meeting before the House Subcommittee on Financial Services and General Government, IRS Commissioner John Koskinen admitted that the agency was only around halfway done with its XP migration effort, and that it would take another $30m to complete.
He said that the migration was proving to be a Herculean task:
I would refer to it as we're driving a Model T with a lot of things on top of it. We are the classic 'fix the airplane while you're flying it' attempt. ®