AnyCalculator.com
Over 100 FREE Online Calculators

Monday, April 14, 2014

NSA Exploited Heartbleed Bug for Intelligence for Years



.........
Millions of Android Devices Vulnerable to Heartbleed Bug
.........

NSA Said to Exploit Heartbleed Bug for Intelligence for Years
.........

NSA Is Hunting Flaws So They Can HACK Your Data
.........
Michael Riley
.........
he NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found Heartbleed shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

The NSA protects the computers of the government and critical industry from cyber-attacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.

When researchers uncovered the Heartbleed bug hiding in plain sight and made it public on April 7, it underscored an uncomfortable truth: The public may be placing too much trust in software and hardware developers to insure the security of our most sensitive transactions.

The potential stems from a flawed implementation of protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

The vulnerability existed in the transmission of ordinary data.

The NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.

The SSL protocol has a history of security problems and is not the primary form of protection governments and others use to transmit highly sensitive information.
...........
...........
Jordan Robertson
...........
Millions of Android Devices Vulnerable to Heartbleed Bug
..........
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

While Google said in a blog post on April 9 that all versions of Android are immune to the flaw, it added that the “limited exception” was one version dubbed 4.1.1, which was released in 2012.

Security researchers said that version of Android is still used in millions of smartphones and tablets, including popular models made by Samsung Electronics Co., HTC Corp. and other manufacturers. Google statistics show that 34 percent of Android devices use variations of the 4.1 software.

The Heartbleed vulnerability was made public earlier this week and can expose people to hacking of their passwords and other sensitive information.

The Heartbleed bug, which was discovered by researchers from Google and a Finnish company called Codenomicon, affects OpenSSL, a type of open-source encryption used by as many as 66 percent of all active Internet sites. The bug, which lets hackers silently extract data from computers’ memory, and a fix for it were announced simultaneously on April 7.
...............
Android version history
..............
Version history of the Android mobile operating system
..............
Android is under ongoing development by Google and the Open Handset Alliance (OHA), and has seen a number of updates to its base operating system since its initial release.

Since April 2009, Android versions have been developed under a confectionery-themed code name and released in alphabetical order: Cupcake (1.5), Donut (1.6), Eclair (2.0–2.1), Froyo (2.2–2.2.3), Gingerbread (2.3–2.3.7), Honeycomb (3.0–3.2.6), Ice Cream Sandwich (4.0–4.0.4)

Jelly Bean (4.1–4.3) (Version dubbed 4.1.1, which was released in 2012 is NOT immune to the flaw called the Heartbleed Bug.)

KitKat (4.4). On 3 September 2013
...............
...............
(Ok bubba, (bubba is my name for the average obama voter), that jelly bean version you have in your obama phone is telling the NSA and everyone else everything you do on your obama phone. Better get rid of dat jellybean bubba.) Story Reports

No comments: