Saturday, April 12, 2014

I would wager that the NSA would have loved knowing about this hole for a few years before anyone else. Let's see if anyone is fired for “bogus reporting.”
Michael Riley reports:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.
Read more on Bloomberg News, who really really need to be more specific about the two sources “familiar with the matter.”
NSA has denied the Bloomberg report in a tweet this afternoon:
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
NSA/CSS (@NSA_PAO) April 11, 2014
Now will Bloomberg be forthcoming about their sources for their reporting?
Update 2: The ODNI has posted this statement on their website:
Statement on Bloomberg News story that NSA knew about the “Heartbleed bug” flaw and regularly used it to gather critical intelligence
April 11, 2014
NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.
In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
ODNI Public Affairs Office


Interesting legal opinion. (Would anyone else agree?) That's quite different from having any use for that data – or even a budget large enough to search through it in any meaningful way.
Mike Masnick writes:
During a recent House Judiciary Committee hearing concerning oversight, Rep. Zoe Lofgren decided to quiz Attorney General Eric Holder about the federal government’s surveillance efforts, starting off with a rather simple question. She notes that the bulk phone record collection program is considered to be legal by its supporters, based on Section 215 of the Patriot Act, which allows for the collection of “business records.” So, she wonders, is there any legal distinction between phone records and, say, internet searches or emails? In other words, does the DOJ believe that it would be perfectly legal for the US government to scoop up all your search records and emails without a warrant? Holder clearly does not want to answer the question, and first tries to answer a different question, concerning the bulk phone records program, and how the administration is supposedly committed to ending it. But eventually he’s forced to admit that there’s no legal distinction:
Read more on TechDirt.

(Related)
As we covered in yesterday’s Early Edition, Sir Anthony May, the UK’s Interception of Communications Commissioner (the UK’s surveillance watchdog), has concluded in his 2013 Annual Report (full text) to the Prime Minister that the UK’s spy agencies do not carry out “random mass intrusion into the private affairs of law abiding UK citizens.” In the 87-page annual report released yesterday, Sir Anthony states that the UK government “does not misuse [its] powers under the Regulation of Investigatory Powers Act (RIPA).” This is undoubtedly an important and compelling report, and in this post, we aim to outline some of its highlights, analyze a few of its important findings, and discuss shortcomings in the report.


Interesting idea for getting a larger Security budget?
When Your Insurer Says "Um, No" to Cyber Protection
Maybe it’s my actuarial background, but I’ve always seen IT security as an activity that should work hand-in-glove with insurance. After all, both domains are about planning for, and if possible preventing, disaster. Both have trouble showing they are “working” until something really bad happens. Both therefore have to go to special efforts to make the case to a CFO for the expenses involved. And of course, insurance has a few centuries of experience that can teach us IT secfolks plenty.
You can’t just walk in off the street and buy a cyber insurance policy; wisely, the insurers want to review your security practices first, to see if your defensive strategy amounts to anything more than hope or a tin foil hat.
Don’t forget – the insurance companies want to take your money if they possibly can. For them to decide you’re just not insurable means you represent an existential threat to them.
So in effect, if you go to Lloyd’s of London, and they look you up and down and send you on your way, you have to take that as a serious message – you’re just not doing what needs to be done to pass a basic inspection. Indeed, the good folks who make up the Lloyd’s exchange are very smart at what they do, but nobody takes them to be world experts on APT and the like – they don’t even work in IT security, and they can tell that our defenses aren’t good. It’s a sobering thought.


Interesting cheap or free iPhone apps... (Android is another day)
Remote Mouse ($1.99, now free)
Ever wanted to use your iPhone, iPad or iPod Touch as a wireless trackpad for your Mac or PC? That’s exactly what Remote Mouse does, though users need to install the free server before everything will work. Once installed the app provides full use of multi-touch gestures, media remote, an application launcher and slideshow presentation functionality.


Something for my Excel students?
Do Visionary Web Research Studies Using Deep Web Data & Excel Web Queries
What would you say if I told you that you have the tools at your disposal to do ground-breaking, Earth-shattering research? Well, you do, and I’ll show you how.
Governments, academic institutions and non-profit research organizations publish tables full of data to the public domain. Without anyone using this information, its true value will never be known. Unfortunately, few people have the insight, the skills or the tools to take the data and make interesting correlations between seemingly unconnected information.
A lot of the research that I do for my own blog involves digging through what’s known as the invisible web, to uncover data that has been released to the public, but hidden from search engines inside an online database. This is the deep web, and it’s rife with valuable data. Very often, I come across webpages just chock-full of some of the most valuable data on topics that run the gamut from census data to epidemiological studies on rare diseases. I constantly have new ideas on how to try and correlate those disparate data sources using various tools – and one of the most valuable tools that I’ve found is the Web Query inside of Microsoft Excel.
