OpenSSL Heartbleed: Expert On Criminal and Government Theories
News of the OpenSSL Heartbleed bug, which has emerged over the last 48 hours, is arguably one of the most significant developments in the history of the website security industry. The likes of Target, Sony and TK Maxx have all made waves over the past few years, but whereas these were all incidents of a single company being breached, OpenSSL Heartbleed has potentially affected millions of websites.
OpenSSL is the technology behind the TLS/SSL protocol (the padlock icon) that many of us take as a sign of trustworthiness and reputability when browsing the internet. The OpenSSL Heartbleed bug allows unauthorised users to extract data from the server’s memory, 64,000 characters of it to be precise. That data could contain usernames, passwords, encryption keys or even credit card information.
What is perhaps most shocking about this development is that the flaw has existed for at least two years and has only been found “recently”. If the TLS/SSL protocol were to hinder or prevent government surveillance, then this seemingly accidental loophole could have provided a very useful workaround. This poses the question: could government agencies like the NSA have known about OpenSSL Heartbleed for the past two years?
As the name suggests, OpenSSL is an open source technology. This means that the source code is freely available to download and modify, with no permission required. Open source software is generally considered to be more private, since it is usually developed for non-profit reasons and without any government licensing (around which backdoor theories circulate).
It is alleged that RSA was bribed by the NSA to weaken its encryption, details of which can be read at http://www.techweekeurope.co.uk/news/rsa-nsa-bribe-cryptography-backdoor-134610. There have also been rumours of similar attempted persuasion at an American giant and a small English outfit, although neither story has hit the press. Regardless, is it possible that a government agency could have encouraged the implementation of the bug – either financially or otherwise?
Black market trades
The dark web is a non-indexed section of the internet, only available through certain secure browsers and home to many criminals. Fraudsters, hackers, drug dealers and even hit men advertise their services for a hefty fee. Exploit kits and other malware are available to purchase for the right price, somewhat ironically with free technical support.
Zero-day exploits, which target flaws not yet publicly known, are available – but only to the highest bidder. Is it possible that an organised criminal gang or a government agency purchased this bug to exploit a specific target or the wider world?
Did the government know about this?
News of the OpenSSL Heartbleed bug spread like wildfire on April 7th. This means that hundreds of people have most likely tried to exploit the flaw already. But again, we must ask: who knew about the bug before?
Both Google and Finnish security outfit Codenomicon are taking credit for discovering the bug, but were they the first? Our world is home to many security research groups, both ethical and black hat, not to mention well-funded government research labs.
With the news of Edward Snowden fresh in our minds, the question remains – if the NSA or GCHQ knew about the OpenSSL Heartbleed bug, would they have actually told us?
For press information, please contact:
Name: Graeme Batsman | Security Director
T: 0203 371 0495
M: 07909 474 479
Notes to editor:
You are most welcome to publish the above article, extract sections, re-write or contact us for comments.
EncSec is a unique and independent IT security, investigation and digital forensics company based in Central London. We strive to offer our private clients and their businesses reassurance and privacy from unwanted intrusion.