
Were Intelligence Agencies Using Heartbleed in November 2013? - things
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
======
unhush
I helped write this post. Note that we're very interested in anyone who has
been keeping raw packet logs from before the Heartbleed vuln. was public. If
you find 18 03 (01 | 02 | 03) 00 03 01 in them, please let me know or post
pcap files. Contact info:
[https://www.eff.org/about/staff/yan-zhu](https://www.eff.org/about/staff/yan-zhu)
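
A sketch of how one might search captured traffic for the byte pattern quoted in the comment above. This is an added example, not part of the comment and not EFF's tooling; the function name, field names and sample bytes are assumptions constructed for illustration.

```python
import re

# Byte pattern quoted in the comment above:
#   18        TLS record content type 24 (heartbeat, RFC 6520)
#   03 01-03  record version: TLS 1.0 / 1.1 / 1.2
#   00 03     record length = 3 bytes
#   01        HeartbeatMessage type 1 (heartbeat_request)
HB_PATTERN = re.compile(rb"\x18\x03[\x01-\x03]\x00\x03\x01")
TLS_VERSIONS = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


def find_short_heartbeats(data: bytes) -> list[dict]:
    """Scan a raw byte buffer (e.g. one TCP payload) for the pattern.

    A 3-byte record holds only the type byte and the 2-byte payload_length,
    so any non-zero payload_length claims data the record does not carry.
    """
    hits = []
    for m in HB_PATTERN.finditer(data):
        length_field = data[m.end():m.end() + 2]
        claimed = int.from_bytes(length_field, "big") if len(length_field) == 2 else None
        hits.append({
            "offset": m.start(),
            "version": TLS_VERSIONS[data[m.start() + 2]],
            "claimed_payload_len": claimed,   # None if the capture is truncated
            "claims_missing_data": bool(claimed),
        })
    return hits


# Constructed sample bytes (not taken from any real capture):
SAMPLE = (
    b"\x16\x03\x02\x00\x04AAAA"                       # stand-in handshake record
    + b"\x18\x03\x02\x00\x03\x01\x40\x00"             # 3-byte heartbeat request
    + b"\x18\x03\x03\x00\x14\x01\x00\x01A" + b"\x00" * 16  # well-formed heartbeat
)

if __name__ == "__main__":
    for hit in find_short_heartbeats(SAMPLE):
        print(hit)
```

The pattern only matches heartbeat records sent in the clear; once record encryption is active the record length is no longer 3. Six bytes can also occur by chance in unrelated data, so a hit is a lead to inspect, not a finding.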

~~~
gojomo
Are heartbeats typically visible in the raw traffic, or (after some point) do
they wind up inside the secured stream?

(If the latter, this could be an unfortunate case where Perfect Forward
Security, when enabled, also helps obscure exploits from later forensic
discovery...)

~~~
anaphor
It appears that you might be right, from the RFC:

"However, a HeartbeatRequest message SHOULD NOT be sent during handshakes. If
a handshake is initiated while a HeartbeatRequest is still in flight, the
sending peer MUST stop the DTLS retransmission timer for it. The receiving
peer SHOULD discard the message silently, if it arrives during the handshake.
In case of DTLS, HeartbeatRequest messages from older epochs SHOULD be
discarded."

But that doesn't make sense to me because the PoC code didn't complete the
handshake, did it?

Edit: according to Google the reason is that OpenSSL does not honour the
"SHOULD" part of the spec :/

------
secfirstmd
I must admit to being suspicious about this. I would consider myself very very
careful about password and other security issues because of various human
rights projects I work on, yet on 16th March at a very unusual but clever time
for attempting such a thing against me (at the time I would have tried this,
if I was targeting me and collected relevant pre-attack information) someone
from the UK used my exact and recently changed password to login to my email
service - traced back to a very unusual location for attempting such a thing.
Luckily the service I use for low-level mail security noticed this strange
login and blocked it.

It has puzzled me quite a bit as nothing like this has (knowingly) occurred to
me before and I take a lot of precautions (which for obvious reasons I'm
not going to go into) against keyloggers, malware, MITM, etc etc. With such
target hardening I was very suspicious of how it occurred.

Of course maybe I was sleep talking my passwords again :)

~~~
yarou
A similar thing happened to me. Someone was repeatedly trying to access a
gmail account of mine, which is strange because that account had not been
active for over 5 years. They supplied the correct credentials every time, and
the IP originated from some small village in China. I had also recently
changed my password, so I don't think it was merely a coincidence. It is
possible that I have been keylogged for 10 years without knowing it, but the
timing is uncanny.

Edit: Keylogged for the past 10 years without knowing it, across 5 different
machines, with different architectures and operating systems. :-)

~~~
secfirstmd
Interesting...

If you don't mind me asking the question I always ask people when helping with
their security (both cyber and physical) and eliminating an element of
potential paranoia:

Would your work/life make you a worthwhile legitimate target? (don't mean to
sound rude but I guess it differentiates between random attacks and targeted
ones)

~~~
dobbsbob
How do you even know what a legit target is anymore after Snowden dropping
docs they spied on charities and Jr sys admins?

~~~
secfirstmd
Valid point. I guess what I meant by legitimate target was "do something they
want to specifically know about enough to relatively targeted attack" (ie:
analyst wants to know something) as opposed to everyone else who they just
want to scoop up as much data about but is currently of less interest.

~~~
dobbsbob
I would say after watching this almost everybody could be a target of state
interest from VCs to a janitor with a cellphone who works at a network they
want into [http://youtu.be/3jQoAYRKqhg](http://youtu.be/3jQoAYRKqhg)
(FosDem2014 presentation) and especially if you have any kind of trust in an
open source community and your patches are accepted blindly.

Personally if I were an evil intel agency I'd be going after GPU developers
and manufacturers at all costs to get at their firmware sources or even
possibly find ways to sabotage it at the source. It's the final frontier of
awesome evilware potential.

- the execution of GPU code, and transfer of data between device and host do
not require admin privs so it will always run regardless of what the host
system privilege settings are.

- Malware w/Nvidia GPUs can be statically linked with the CUDA library in a
standalone hidden file that never touches the operating system.

- GPU memory is not shared with the CPU so encrypted malware can reside there
undetected.

- Run-time polymorphism: malware GPU code can be re-encrypted with a new
random key thus mutate in completely random ways that would be difficult to
detect even if you dumped the GPU memory on a regular basis.

- GPU NSA code can easily access the screen framebuffer, and broadcast a live
link of whatever somebody is doing.

- GPU NSA code presents the user with a nothing is wrong desktop pretending
the virus scanner is still running, hiding daemons, presenting false browser
screens hiding the fact SSL certs have been rejected, all sorts of evil.

------
ScottBurson
This would be so easy for the NSA etc. to do that I think we have to consider
it as inevitably having occurred.

All they would have had to do is take a close look at any new changes
committed to OpenSSL and other critical infrastructure software. Surely they
have people doing that -- they would be remiss not to.

~~~
hackinthebochs
Even easier, I would bet a lot of money that they have at least some
rudimentary static analysis tools to detect potential targets, and this sort
of memory error is pretty low hanging fruit for such a tool. To me it seems
almost certain that they knew about it and they certainly exploited it if they
knew.

The bigger question to me is how many of these bugs have they rooted out that
have not been made public yet?

~~~
stcredzero
Why don't we have groups doing that sort of analysis on our behalf?
Programmers are at a fundamental disadvantage when it comes to testing and
verifying their own code. You can't trust a shop to verify itself when it
comes to infrastructure this critical.

~~~
hackinthebochs
Yeah--it should be a no-brainer. Running such critical code through as many
static analysis tools as you can get your hands on should be standard practice. I
wonder why Coverity and the rest haven't taken it upon themselves. I remember a
story about Coverity running their tool on random open source projects and
emailing them about issues they found. Maybe OpenSSL is too far in the hole to
start that now.

------
gregwtmtno
What worries me is that the Snowden leaks didn't seem to have a strong
emphasis on SSL encryption, suggesting to me that they could circumvent it.

For reference take a look at this article from September.
[http://www.reuters.com/article/2013/09/05/net-us-usa-securit...](http://www.reuters.com/article/2013/09/05/net-us-usa-security-snowden-encryption-idUSBRE98413720130905)

~~~
Zigurd
Snowden's files predate the existence of this vulnerability.

~~~
scott_karana
No, Snowden's files predate the _public knowledge_ of the vulnerability.

As far as I know, we presently have no way of determining whether or not the
NSA had knowledge of the bug.

From the CVE[1], we see that OpenSSL versions from the very start in 2012[2]
were vulnerable.

1 [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-01...](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160)

2 [http://www.openssl.org/source/](http://www.openssl.org/source/) (Jan 3
14:41:35 2012 openssl-1.0.1-beta1.tar.gz)

~~~
Zigurd
Snowden's files predate the _existence_ of the vulnerability. Many of his
files were years old when he exfiltrated them. This vulnerability was created
by a specific check-in that has been identified. That does not, of course,
mean the NSA didn't use it, or even create it. Both are possible.

~~~
scott_karana
Oh, I see what you mean. Fair point.

(It's a wide time range of files he's released so far though, right?)

~~~
saraid216
You'd think that, if any of his files actually covered such a possibility, he
would have released that file by now.

------
reillyse
Pardon me for being cynical about this, but from what we've heard about NSA
hacking and industry collaboration I would say it's highly likely that a large
number of the Certificate Authorities themselves are compromised by the NSA or
GCHQ and so it renders the question moot. 4 Certificate Authorities control >
90% of the market, 3 of them based in the US and 1 in the UK. With access to
the CA's keys they can sign any number of certificates they want.

~~~
lern_too_spel
Pardon me for being realistic, but I would say exactly the opposite. If the
CAs were compromised, that would be the biggest story by far in Snowden's
documents, and it would have appeared in the newspapers by now.

~~~
dobbsbob
I would say they are compromised just by watching Moxie Marlinspike's
presentation about the shitty state of CAs and how he was able to find signing
certs just laying around in unprotected directories
[https://www.youtube.com/watch?v=Z7Wl2FW2TcA](https://www.youtube.com/watch?v=Z7Wl2FW2TcA)

------
nl
As I've mentioned elsewhere, heartbleed combined with bulk data collection
means all your historic communications can be read unless your provider was
using Perfect Forward Secrecy.

I don't think this aspect is getting as much publicity as it should.

~~~
arh68
> _bulk data collection_

Including whatever the McDonald's free wi-fi might store? I'm not insinuating
they were an actor, but is that how simple it could've been? Anything
communicated over unsecure/not-secure-enough wi-fi could've been captured &
apparently now decrypted using newly-acquired information?

I'm halfway sure that's what it means. But that would just be _crazy_, right?

~~~
nl
_Anything communicated over unsecure/not-secure-enough wi-fi could've been
captured & apparently now decrypted using newly-acquired information?_

Yes. An attacker would have to collect that information, AND have grabbed the
private keys from a vulnerable site. But there is nothing technically stopping
that from happening. (And of course I expect there may be a market for those
keys now)

_But that would just be crazy, right?_

Yes. Crazy but possible.

------
infinity0
GCHQ have been known to attack IRC networks:
[https://www.networkworld.com/community/blog/eff-cyber-attack...](https://www.networkworld.com/community/blog/eff-cyber-attack-against-hacktivists-cfaa-you-impunity-nsa-and-gchq)

------
higherpurpose
It should be illegal for a government to make use of botnets this way.

~~~
lawnchair_larry
It is. They don't care.

~~~
jessaustin
All is legal for the sovereign. After all, the Law is _his_ tool: why would he
consent to its use _against_ him?

~~~
nhaehnle
I don't know if you're trolling or genuinely don't know how this works. If you
don't, please read up on the constitution of whatever country you live in.

The respect for those constitutions has eroded significantly since the
beginning of the century, but they still exist and we must still insist on
them. Don't give up the achievements of the past that easily.

~~~
jessaustin
While we're handing out reading assignments, I'd encourage you to read
something that _wasn't_ assigned in junior-high civics class; perhaps
Machiavelli? Political power has been exercised for millennia, and its nature
is far closer to the caricature I offered than anything written in any
newfangled constitution.

The point is that a constitution is not an _achievement_, the "unlocking" of
which would transform a society in any lasting way. It _might_ be more
accurate to say that a constitution or similar document is an aspiration, but
since few such have been fulfilled it's foolish to be surprised when we fall
short. The fault is not in our constitutions, but in ourselves, that we are
underlings. We knew when we built this monstrous war and imprisonment machine
that it would be turned against us, yet we built it anyway.

~~~
nhaehnle
The problem is that your statement "all is legal for the sovereign" is just
plain false according to the most widely accepted definition of legality.

By propagating it as if it were true, you are in fact playing into the hands
of those who want society to bow to a different notion of legality - one where
the rule of law has been eliminated. That is, by writing what you write, you
are needlessly conceding ground to the bad guys.

I know it's tempting to play (or be?) the jaded cynic. But it seems to me that
if we want to keep politicians and government officials accountable to the
laws, then a necessary (though of course not sufficient) condition for that is
that we insist on calling their actions illegal when they are illegal.

------
singold
As I can't access this page from Chrome (doesn't let me because "it's not
secure") here is the archive.org link

[https://web.archive.org/web/20140410171401/https://www.eff.o...](https://web.archive.org/web/20140410171401/https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013)

Could it be that because of heartbleed now I can't access eff.org?

~~~
unhush
Are you joking? If not please report what error you're getting in Chrome.

~~~
singold
No joking, where can I report that?

~~~
unhush
For anyone following along at home, we looked into this and it seems to be
caused by the fact that you're using an older operating system that doesn't
ship with the StartCom CA cert that eff.org uses. So probably not an attack.
:)

~~~
nodata
EFF uses StartCom?!

------
shard972
Probably not. If they did, they would have raised these security flaws to the
general public in the interest of security.

------
rdudek
This wouldn't surprise me one bit. Governments employing hackers to exploit
whatever they can get their hands on is not something new.

Also, makes one think what other exploits are out that are being used, yet,
we're not aware of it?

~~~
TaylorAlexander
My theory is that basically all of our traffic is compromised, we just don't
know it yet. It seems clear that the NSA has been actively working to find and
exploit every vulnerability they can, and they have the power of a well-funded
concerted effort, secret physical access, and gag orders all on their side. I
bet they can do a whole lot more than what we know.

------
teoruiz
Very shameless plug: we just launched a t-shirt campaign with teespring.com.
All proceeds will be donated to the OpenSSL Software Foundation:

* Campaign: [http://teespring.com/hbts](http://teespring.com/hbts)

* HN thread: [https://news.ycombinator.com/item?id=7567461](https://news.ycombinator.com/item?id=7567461)

~~~
danbruc
I don't get the number 1396891800 - what does it mean?

~~~
fjarlq
Number of seconds between Jan 1 1970 and the discovery of Heartbleed, I
suppose. The time_t time stamp.

~~~
danbruc
That makes me feel less dumb - I thought I was missing something obvious. Thx!

------
diminoten
[http://en.wikipedia.org/wiki/Betteridge's_law_of_headlines](http://en.wikipedia.org/wiki/Betteridge's_law_of_headlines)

I don't think so, mostly because to get useful information out of memory after
only _one_ heartbeat would be quite lucky.

If this were an actual attack, I think we'd see many more heartbeats in
Koeman's logs.

