NSA alleged to have known & used Heartbleed for 2 years
Bloomberg (Apr 11) - "NSA Said to Have Used Heartbleed Bug, Exposing Consumers": http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bu...
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
gf -- Gregory Foster || gfoster@entersection.org @gregoryfoster <> http://entersection.com/
On 4/11/14, 2:33 PM, Gregory Foster wrote:
Bloomberg (Apr 11) - "NSA Said to Have Used Heartbleed Bug, Exposing Consumers": http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bu...
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
Denials:
https://twitter.com/NSA_PAO/status/454720059156754434
https://twitter.com/csoghoian/status/454725375332192256
I couldn't find the primary source for the White House NSC statement Christopher posted. The "Vulnerabilities Equities Process" used to ascertain whether or not to report 0-days sounds FOIA-worthy.
gf -- Gregory Foster || gfoster@entersection.org @gregoryfoster <> http://entersection.com/
On Fri, Apr 11, 2014 at 5:26 PM, Gregory Foster <gfoster@entersection.org> wrote:
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bu...
The U.S. National Security Agency knew for at least two years
Denials:
https://twitter.com/NSA_PAO/status/454720059156754434
https://twitter.com/csoghoian/status/454725375332192256
Uncharacteristically little weasel room in the PAO link.
I couldn't find the primary source for the White House NSC statement Christopher posted. The "Vulnerabilities Equities Process" used to ascertain whether or not to report 0-days sounds FOIA-worthy.
They mention first knowledge in April but... Note the create date (at MITRE, ahem) in the second link. And packets (whether attributable to, or perhaps reasonably thought to be capable of detection, classification, and later use by a large and capable monitoring net) in the third link.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-...
On Fri, Apr 11, 2014 at 06:13:04PM -0400, grarpamp wrote:
Denials:
https://twitter.com/NSA_PAO/status/454720059156754434
https://twitter.com/csoghoian/status/454725375332192256
Uncharacteristically little weasel room in the PAO link.
The only weasel room I can see is if the exploitation capabilities are in DoD Cyber Command, rather than NSA. -andy
On 4/11/14, 4:26 PM, Gregory Foster wrote:
Bloomberg (Apr 11) - "NSA Said to Have Used Heartbleed Bug, Exposing Consumers": http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bu...
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
On 4/11/14, 2:33 PM, Gregory Foster wrote:
Denials:
https://twitter.com/NSA_PAO/status/454720059156754434
https://twitter.com/csoghoian/status/454725375332192256
I couldn't find the primary source for the White House NSC statement Christopher posted. The "Vulnerabilities Equities Process" used to ascertain whether or not to report 0-days sounds FOIA-worthy.
NYT (Apr 12) - "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say" by David @SangerNYT: http://www.nytimes.com/2014/04/13/us/politics/after-heartbleed-bug-obama-dec...
Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations [by a presidential advisory committee] was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.
“This process is biased toward responsibly disclosing such vulnerabilities,” she said.
gf -- Gregory Foster || gfoster@entersection.org @gregoryfoster <> http://entersection.com/
participants (3)
- Andy Isaacson
- grarpamp
- Gregory Foster