  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,012

    NSA reportedly knew about Heartbleed for two years and didn't do anything about it

    Bloomberg is reporting that the National Security Agency has known about the Heartbleed Bug for two years. And rather than alerting the OpenSSL team so they could fix the problem, the NSA simply added the Heartbleed attack to its arsenal of tactics used to compromise targeted computers. Update: In a tweet, the NSA has denied that it knew about Heartbleed before it became public this month.

    This won't surprise anyone who has been paying attention to how the National Security Agency operates. The agency has an entire department, known as Tailored Access Operations, devoted to offensive hacking. TAO combs popular software for security vulnerabilities it can use to introduce sophisticated malware into computers it wants to spy on. Once compromised, these computers can be re-programmed to spy on their users and divulge their private files, all without users knowing about it.

    But Bloomberg's reporting, if true, will further damage the already strained relationship between the nation's top electronic spying agency and the civilian security community. In the past, the private sector has sometimes relied on the NSA's technical expertise to help them better secure their products. Yet it now appears that securing the American Internet against online threats is far from the agency's top priority. When the agency discovers a flaw in popular software, the agency is more interested in preserving its ability to attack others than in alerting Americans to the problem.

    If the NSA were the only intelligence agency in the world, that might not be a bad strategy. The problem is that America's adversaries have intelligence agencies too. If the NSA was able to discover the Heartbleed bug two years ago, there's a good chance that Chinese, Russian, or other intelligence services have too, exposing Americans and American companies to foreign eavesdropping.
    http://www.vox.com/2014/4/11/5605496...idnt-they-warn

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,012

    NSA Said to Exploit Heartbleed Bug for Intelligence for Years

    By Michael Riley Apr 11, 2014

    The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

    The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

    Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.

    Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

    Controversial Practice

    “It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

    Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.

    The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

    The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

    Free Code

    While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

    In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

    The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling series of leaks from Snowden, who was a former agency contractor.

    The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S.’s largest spy agency. The NSA protects the computers of the government and critical industry from cyberattacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.

    Serious Flaws

    Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.

    “If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”

    When researchers uncovered the Heartbleed bug hiding in plain sight and made it public on April 7, it underscored an uncomfortable truth: The public may be placing too much trust in software and hardware developers to insure the security of our most sensitive transactions.

    “We’ve never seen any quite like this,” said Michael Sutton, vice president of security research at Zscaler, a San Jose, California-based security firm. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”

    Flawed Protocol

    The potential stems from a flaw in the protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

    Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility.

    If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for online bank accounts, e-commerce sites, and e-mail accounts across the world.

    Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.

    Ordinary Data

    The fact that the vulnerability existed in the transmission of ordinary data -- even if it’s the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.

    “They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

    Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.

    SSL Protocol

    The SSL protocol has a history of security problems, Lewis said, and is not the primary form of protection governments and others use to transmit highly sensitive information.

    “I knew hackers who could break it nearly 15 years ago,” Lewis said of the SSL protocol.

    That may not soothe the millions of users who were left vulnerable for so long.

    Following the leaks about NSA’s electronic spying, President Barack Obama convened a panel to review the country’s surveillance activities and suggest reforms. Among the dozens of changes put forward was a recommendation that the NSA quickly move to fix software flaws rather than exploit them, and that they be used only in “rare instances” and for short periods of time.

    Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said the country’s ability to spot terrorist threats and understand the intent of hostile leaders would be vastly diminished if their use were prohibited.

    To contact the reporter on this story: Michael Riley in Washington at michaelriley@bloomberg.net
    http://www.bloomberg.com/news/2014-0...consumers.html
    Last edited by 5ms; 11-04-2014 at 21:22.

  3. #3
    WHT-BR Top Member
    Join Date
    Jul 2011
    Posts
    1,036
    I don't think this is impossible, and it is possible enough that I have been recommending private key rotation etc., but I think this kind of claim that the NSA knew is an exaggeration. With the NSA being so widely cited for espionage actions, it is very easy to attribute anything to it, and if it denies it, there will be people who will be sure it is true... The NSA is not the CTU (24, Jack Bauer etc.).

  4. #4
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,012
    It is very naive to think that intelligence agencies all over the world didn't know, and even more so to be in doubt about whether they took advantage of it or not. The NSA is not the CTU. It is much more.

    Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said the country’s ability to spot terrorist threats and understand the intent of hostile leaders would be vastly diminished if their use were prohibited.

  5. #5
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,012
    April 07, 2006

    Headquarters for the National Security Agency at Fort George G. Meade, Maryland, approximately ten miles northeast of Washington, DC. Despite having been described as the world's largest single employer of Ph.D. mathematicians, the owner of the single largest group of supercomputers, the second largest electricity consumer in the entire state of Maryland, the owner of a chip fabrication plant with production of dedicated semiconductors, and having a budget ($7.5 billion) much larger than that of the CIA, it has had a remarkably low profile until recent years. For a long time its existence was not even acknowledged by the US government. It was often said, half-jokingly, that "NSA" stood for "No Such Agency" or "Never Say Anything" (source: Wikipedia.org)

  6. #6
    WHT-BR Top Member
    Join Date
    Jul 2011
    Posts
    1,036
    Quote Originally Posted by 5ms View Post
    It is very naive to think that intelligence agencies all over the world didn't know, and even more so to be in doubt about whether they took advantage of it or not. The NSA is not the CTU. It is much more.

    Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said the country’s ability to spot terrorist threats and understand the intent of hostile leaders would be vastly diminished if their use were prohibited.
    I don't doubt that the NSA has that collection of vulnerabilities up its sleeve, but the chance that each specific vulnerability that gets discovered is already in the NSA's hands is not 100%, and I don't even think it is large. There are almost infinite opportunities for vulnerabilities.

    By the way, if anyone has an even bigger collection than the NSA's, it is Chinese intelligence... they are better known for buying and paying well for this kind of information, so they worry me more than the NSA, the CIA and the KGB combined...

  7. #7
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,012
    Whistleblower outs NSA's secret spy room at AT&T
    April 08, 2006

    Mark Klein, a retired AT&T communications technician, said the company shunted all Internet traffic--including traffic from peering links connecting to other Internet backbone providers-- to semantic traffic analyzers, installed in a secret room inside the AT&T central office on Folsom Street in San Francisco. Similar rooms were built in Seattle, San Jose, Los Angeles and San Diego.

    "Based on my understanding of the connections and equipment at issue, it appears the NSA (National Security Agency) is capable of conducting what amounts to vacuum-cleaner surveillance of all the data crossing the Internet," Klein said. "This potential spying appears to be applied wholesale to all sorts of Internet communications of countless citizens."

    In 2003, the National Security Agency set up a secret room inside the phone company's San Francisco office building that was not accessible to AT&T technicians, Klein said.

    The former employee's statement, as well as several documents saved by him after he left the company in 2004, shows further evidence of domestic spying initiatives by the federal government.

    Klein's statement is being incorporated into a class action filed in San Francisco federal court, in which lawyers with the Electronic Frontier Foundation (EFF), Lerach Coughlin Stoia Geller Rudman & Robbins, and Traber & Voorhees in Pasadena claim that AT&T illegally allowed the NSA taps.

    "Despite what we are hearing, and considering the public track record of this administration, I simply do not believe their claims that the NSA's spying program is really limited to foreign communications or is otherwise consistent with the NSA's charter or with FISA [the Foreign Intelligence Surveillance Act]," Klein said.

    News that the NSA was working with major telecommunications companies first surfaced shortly before Christmas. The Bush administration has acknowledged the existence of a domestic spying program, but claims the executive order was limited to those individuals with known terrorist ties.

    The Electronic Frontier Foundation filed a class-action lawsuit against AT&T on January 31, 2006, accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the National Security Agency in its massive program to wiretap and data-mine Americans' communications.

    "The evidence that we are filing supports our claim that AT&T is diverting Internet traffic into the hands of the NSA wholesale, in violation of federal wiretapping laws and the Fourth Amendment," EFF Staff Attorney Kevin Bankston said in a statement.
    On Wednesday, the EFF asked the court to issue an injunction prohibiting AT&T from continuing the alleged wiretapping, and filed a number of documents under seal, including three AT&T documents that purportedly explain how the wiretapping system works.

    After asking for a preview copy of the documents last week, the government did not object to the EFF filing the paper under seal, although the EFF asked the court Wednesday to make the documents public.

    One of the documents is titled "Study Group 3, LGX/Splitter Wiring, San Francisco," and is dated 2002. The others are allegedly a design document instructing technicians how to wire up the taps, and a document that lists the equipment installed in the secret room.

    The list includes a Narus STA 6400, which is a semantic traffic analyzer. The Narus STA technology is known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets.

    In a letter to the EFF, AT&T objected to the filing of the documents, arguing that they contain sensitive trade secrets, Wired magazine reports.

    According to court rules, AT&T has until Thursday to file a motion to keep the documents sealed. The government could also step in to the case and request that the documents not be made public, or even that the entire lawsuit be barred under the seldom-used State Secrets Privilege, says Wired.

    AT&T Corp. (which was recently acquired by the new AT&T, Inc., formerly known as SBC Communications) maintains domestic telecommunications facilities over which millions of Americans' telephone and Internet communications pass every day. It also manages some of the largest databases in the world, containing records of most or all communications made through its myriad telecommunications services.

  8. #8
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,012
    Statement
    --Mark Klein, April 6, 2006

    My Background:

    For 22 and 1/2 years I worked as an AT&T technician, first in New York and then in California.

    What I Observed First-Hand:

    In 2002, when I was working in an AT&T office in San Francisco, the site manager told me to expect a visit from a National Security Agency agent, who was to interview a management-level technician for a special job. The agent came, and by chance I met him and directed him to the appropriate people.

    In January 2003, I, along with others, toured the AT&T central office on Folsom Street in San Francisco -- actually three floors of an SBC building. There I saw a new room being built adjacent to the 4ESS switch room where the public's phone calls are routed. I learned that the person whom the NSA interviewed for the secret job was the person working to install equipment in this room. The regular technician work force was not allowed in the room.

    In October 2003, the company transferred me to the San Francisco building to oversee the Worldnet Internet room, which included large routers, racks of modems for customers' dial-in services, and other equipment. I was responsible for troubleshooting problems on the fiber optic circuits and installing new circuits.

    While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet circuits by splitting off a portion of the light signal. I saw this in a design document available to me, entitled "Study Group 3, LGX/Splitter Wiring, San Francisco" dated Dec. 10, 2002. I also saw design documents dated Jan. 13, 2004 and Jan. 24, 2003, which instructed technicians on connecting some of the already in-service circuits to the "splitter" cabinet, which diverts some of the light signal to the secret room. The circuits listed were the Peering Links, which connect Worldnet with other networks and hence the whole country, as well as the rest of the world.

    One of the documents listed the equipment installed in the secret room, and this list included a Narus STA 6400, which is a "Semantic Traffic Analyzer". The Narus STA technology is known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets. The company's advertising boasts that its technology "captures comprehensive customer usage data ... and transforms it into actionable information.... (It) provides complete visibility for all internet applications."

    My job required me to connect new circuits to the "splitter" cabinet and get them up and running. While working on a particularly difficult one with a technician back East, I learned that other such "splitter" cabinets were being installed in other cities, including Seattle, San Jose, Los Angeles and San Diego.

    What is the Significance and Why Is It Important to Bring These Facts to Light?

    Based on my understanding of the connections and equipment at issue, it appears the NSA is capable of conducting what amounts to vacuum-cleaner surveillance of all the data crossing the Internet -- whether that be peoples' e-mail, Web surfing or any other data.

    Given the public debate about the constitutionality of the Bush administration's spying on U.S. citizens without obtaining a FISA warrant, I think it is critical that this information be brought out into the open, and that the American people be told the truth about the extent of the administration's warrantless surveillance practices, particularly as it relates to the Internet.

    Despite what we are hearing, and considering the public track record of this administration, I simply do not believe their claims that the NSA's spying program is really limited to foreign communications or is otherwise consistent with the NSA's charter or with FISA. And unlike the controversy over targeted wiretaps of individuals' phone calls, this potential spying appears to be applied wholesale to all sorts of Internet communications of countless citizens.

    Attorney contact information:

    Miles Ehrlich
    Ramsey & Ehrlich LLP

    Source: Legal Pad

  9. #9
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,012

    NSA Utah Data Center

    May 20, 2013

    ...

    The NSA has said it will spend up to $1.5 billion on the Utah data center, which is approaching completion of its first phase after nearly four years of construction. The project will have a power capacity of 65 megawatts.

    ...

    The 1 million square-foot Camp Williams facility in Bluffdale, Utah will house a 100,000 square foot data center, while the remaining 900,000 SF will be used for technical support and administrative space.
    http://www.datacenterknowledge.com/a...th-energy-tax/

  10. #10
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,012
    Quote Originally Posted by rubensk View Post
    ... it is Chinese intelligence... they are better known for buying and paying well for this kind of information, so they worry me more than the NSA, the CIA and the KGB combined...
    I have worked with "Chinese intelligence". You can sleep easy.
