Archive for August, 2016

What Happened with Heartbleed?

Posted in laptop, Tech news  by Carol
August 24th, 2016

heartbleedWith all the talk about the NSA’s access to zero-day exploits, it may be time for a refresher on what happened with the Heartbleed vulnerability back in 2014. After all, this is the first time the public has turned its attention back to VEP’s since the fateful day that a major security flaw was discovered in the OpenSSL encryption software and the NSA allegedly had known about it beforehand.

The OpenSSl flaw created a backdoor through its encryption, a security service used by a majority of websites and a multitude of other pieces of internet infrastructure. While the NSA denied these claims, two anonymous sources came forward to Ars Tecnica and disclosed that the NSA had known about the bug for “at least two years.”
“When Edward Snowden warned that the NSA is ‘setting fire to the future of the internet,’ this is presumably the kind of thing he was talking about,” explained Jamell Jaffer, deputy legal director at the American Civil Liberties Union. “If this report is true, then the NSA is making hundreds of millions of people around the world more vulnerable to hacking and identity theft, and it’s compromising the trust that allows the internet to function. The NSA has lost sight of its mission, and it has lost sight of the values of the society it’s supposed to be protecting,” he continued.
heartbleed2NSA spokesperson Vanee Vines reputed any claims that the NSA was knowledgeable of the attacks, saying in an official statement that the “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector security report. Reports that say otherwise are wrong.”
In response to the Bloomberg story that published the revelations of the two anonymous sources, the Office of the Director of National Intelligence’s Public Affairs Office issued a direct denial:
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong… The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure an reliable internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”
heartbleed3The ODNI went on to explain that it would have been in the Federal government’s best interest to fix any such bug: “It is in the national interest to responsibly disclose the vulnerability rather than hold it for an investigative or intelligence purpose.”
Perhaps in this particular case, the Heartbleed bug really would have been too dangerous for the government to quietly exploit. That said, it’s difficult to understand exactly what the situation was since there’s little to no transparency when it comes to the NSA’s dealings. Perhaps now that it’s possible to hack the NSA, the general public will be able to learn more about what exactly the “No Such Agency” gets up to.

No Comments »

Archive for August, 2016

What Happened with Heartbleed?

Posted in laptop, Tech news  by Carol
August 24th, 2016

Cyber security company Bastille recently reported a vulnerability in inexpensive wireless keyboards that allows for hackers to steal private data. According to the experts, the vulnerability lets nomadic hackers use a new attack that the firm has called “KeySniffer,”

keysnifferKeySniffer makes it possible for hackers to eavesdrop on anything a victim types; cyber criminals can capture every keystroke typed from up to 250 feet away. The stolen data is then rendered in clear text, making it possible for hackers to search through it for credit card information, bank account usernames and passwords, answers to security questions, network access passwords, and basically any data typed into a document or email.

“Almost all access credentials have value to hackers,” explained vice president of marketing at Gurucul Tome Clare. “Hijacked or compromised access credentials to the corporate cloud are the keys to the kingdom.”

Bastille’s Mark Newlin explained the dangerous sophistication of the new hacking method:

KeySniffer demonstrates that as many as two third of the lower-cost wireless keyboards currently on the market implement no encryption whatsoever, leaving them vulnerable to passive keystroke sniffing and injection.”
keysniffThe keyboards in question are made by major companies including HP, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric and EagleTec.

It may seem unlikely for hackers to be able to detect the presence of one of the cheap keyboards, especially if the keyboards have to be within 250 feet of the hacker. However, the vulnerable keyboards are easily located through the detection of the USB dongles that they use; these dongles transmit synchronization packets that make it possible for the keyboard to find them regardless of whether the keyboards are in use. If the dongle is plugged into the computer, the hacker can detect that the keyboard is within range.

Once a hacker has connected to the keyboard, he or she can not only steal data but also inject keystrokes or type remotely onto a vulnerable keyboard, potentially installing malware directly onto the device or stealing data.

keyWhile there has been a recent rise in these incidents, this method of hacking is by no means new. Wireless keyboard sniffing has been around since 2009, when researchers at Remote Exploit developed KeyKeriki and open sourced the project that allowed for users to decode Microsoft wireless keyboards.

Just two years ago, hacker Samy Kamkar developed KeySweeper, a proof-of concept hardware/software keystroke logger disguised as a USB wall charger that could attack any nearby Microsoft wireless keyboard.

Since keyboard sniffing has become a thing, the FBI has issued a warning about the devices that no one paid any attention to.

According to Newlin, high-end keyboards aren’t vulnerable to these hacking techniques because they “frequently use transceivers from Nordic Semiconductor which have built-in support for 128-bit AES encryption,” he explained. “Whether or not the encryption is used is up to each vendor, but in general [it is].”

Bluetooth keyboards aren’t susceptible either, as Bluetooth encrypts all data trnasmitted over the air.

“If security is a concern, make sure the keyboard you buy uses an encrypted connection,” explained Michael Jude, program manager at Stratecast.

No Comments »