The Conversation

Technology: Discussion of technology events and developments.

On Second Thought, Maybe HealthCare.gov Is at Risk from Heartbleed

Apr 19, 2014 10:21 AM PT

It seems like only yesterday that the federal government assured us that none of its big public websites - and especially not HealthCare.gov, the ObamaCare exchange site - were at risk from the Heartbleed security flaw, which can allow hackers to steal passwords and personal data.  

Actually, those assurances came last Friday, April 11, in the form of a blog post from the Department of Homeland Security.  "The government's core citizen-facing websites are not exposed to risks from this cybersecurity threat," we were assured by DHS National Cybersecurity and Communications Integration Center director Larry Zelvin, as quoted at Nextgov.

Another Heartbleed attack

Apr 18, 2014 11:00 AM PT

Forbes mentions the Canadian incident in which the Heartbleed online security flaw was employed to loot taxpayer data from the Canadian Revenue Agency, which I wrote about earlier this week, but then adds another confirmed attack on UK parenting website Mumsnet... and this one's even more alarming, because it involved the worst-case Heartbleed scenario, in which a hacker stole the passwords needed to gain administrative access to the entire site:

Another victim of Heartbleed also announced to its users that it had been attacked, Mumsnet. The e-mail to users stated “On Thursday 10 April we at Mumsnet HQ became aware of the bug and immediately ran tests to see if the Mumsnet servers were vulnerable. As soon as it became apparent that we were, we applied the fix to close the OpenSSL security hole… However, it seems that users’ data was accessed prior to our applying this fix”. Mumsnet posted an article outlining how the attacker was able to log in as the founder of Mumsnet, Justine Roberts after using Heartbleed to steal her username and password. This demonstrates practically how Heartbleed could cause damage after many of the debates between experts last week.

Locking Down the Internet

Apr 17, 2014 12:54 PM PT

Klint Finley at Wired has a provocative idea: "It's time to encrypt the entire Internet."  This would begin with more widespread use of the Secure Sockets Layer protocol - which, at the moment, is not entirely secure, due to the Heartbleed security flaw.  Updates to resolve that vulnerability are being circulated now, and there are some other problems with SSL waiting to be resolved, but Finley's critique holds that not enough Web sites use any form of encryption at the moment.  The bulk of them are wide open, meaning connections can be spoofed or spied upon.  The widespread use of insecure wi-fi connections makes the situation even worse.

You can get an idea of how under-utilized secure connections are by watching your browser when you surf the Web.  There is generally an obvious visual indication when you connect to a secure website, such as color coding in the address bar.  The Internet addresses of such websites begin with "https" instead of just "http."  Pay attention to these cues after a day of surfing, and you'll see that the vast majority of sites you visit are not secure at all - or they're only partially secure, flipping to an SSL connection just to verify passwords or display highly sensitive financial data.

Heartbleed hacking bust in Canada?

Apr 16, 2014 12:40 PM PT

If this story from the Calgary Herald holds up, it will be among the first documented instances of a hacker exploiting the Heartbleed Internet security flaw - currently festering on hundreds of thousands of websites - to steal sensitive information:

Police have charged a 19-year-old man from London, Ont., in connection with the loss of taxpayer data from the Canada Revenue Agency website.

Stephen Arthuro Solis-Reyes was arrested at his residence Tuesday and is charged with unauthorized use of a computer and mischief in relation to data, the RCMP said Wednesday.

A search of the residence resulted in the seizure of computer equipment.

The agency was forced to shut down its publicly accessible website Friday as the world learned about the Heartbleed computer bug, a previously undiscovered global Internet security vulnerability.

Other government computer sites were also temporarily taken down over the weekend.

On Monday, the agency said 900 social insurance numbers had been compromised.

The loss was detected Friday, but the agency delayed telling Canadians about it at the request of the RCMP.

The police said the delay allowed them to pursue their investigation through the weekend and helped track down a suspect.

Police experiment with real-time universal surveillance

Apr 14, 2014 12:44 PM PT

The Surveillance State goes big in an article from Gizmodo, which describes early testing of a "God's-eye" system that collates information from multiple sources on the ground, giving the authorities what inventor Ross McNutt describes as "a live version of Google Earth, only with TiVo capabilities."

What McNutt's system does grows more amazing, and perhaps more chilling, as you read more about how it works:

It's sort of similar to what your average satellite can do—except, in this case, you can rewind the video, zoom in, and follow specific people and cars as they move around the grid. It's not specific enough to ID people by face, but, when used in unison with stoplight cameras and other on-the-ground video sources, it can identify suspects as they leave the scene of a crime.

The PSS system has been tested in cities including Baltimore and Dayton, and, last year, police officers in Compton used it to track crimes, including a necklace snatching. In one case, they could track a criminal as he approached a woman, grabbed her jewelry, and then ran to a getaway car. They eventually drove out of frame, which meant they weren't caught—but, as the Compton police explain in this video, the system told them that this particular car was involved, at the very least.

Report: NSA Sitting on Stockpile of Software Security Flaws

Apr 14, 2014 11:09 AM PT

The part of the evolving Heartbleed story that initially left me guardedly skeptical was the assertion, made by Bloomberg News, that the National Security Agency knew about this enormous Internet security flaw back in early 2012, but kept it secret because they wanted the option of exploiting it for their own purposes.  Given that millions of sensitive passwords, and servers full of Americans' confidential data, might be at risk, this could become a huge scandal if true.  The NSA has denied the story ever since Bloomberg ran it at the end of last week.

I'm skeptical because Bloomberg dropped its allegations in a very matter-of-fact way, without revealing its source.  They didn't say the NSA might have kept Heartbleed on a leash, using it to harvest passwords from (presumably? maybe? hopefully?) foreign websites while leaving the rest of us vulnerable.  The Bloomberg article asserted without reservation that the NSA had done this.  The agency says they did not.  Given what we've learned about the Surveillance State, we must sadly conclude it's plausible that Heartbleed would be deliberately kept secret from Americans by their own government - let's just say it's not exactly out of character.  But I haven't seen any convincing evidence or sourced testimony that the agency's denials are false in this case.  This is a gun we definitely need to see smoking.

Confirmed: the NSA doesn't have to tell us when it finds security flaws like Heartbleed

Apr 13, 2014 11:36 AM PT

The most controversial aspect of the rapidly developing story of Heartbleed - possibly the greatest security vulnerability in the history of the Internet - is the assertion made in a Bloomberg News report that the National Security Agency learned about the problem soon after it was introduced... but kept the knowledge to itself, leaving the American people exposed to a glitch that could compromise passwords and personal information on hundreds of thousands of websites, because the NSA wanted to exploit Heartbleed for its own cyber-warfare purposes.

Bloomberg News stated that the NSA did do this, but the agency strongly denies it.  Now we learn, courtesy of the New York Times, that it's certainly possible for the NSA to keep a security threat like Heartbleed secret... because President Obama specifically gave them permission to do so.

Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.

Heartbleed: Biggest Security Flaw in Internet History?

Apr 11, 2014 11:30 PM PT

The online community is still reeling from the discovery of what might just be the biggest security flaw in the history of the Internet.  It's been around for years, thousands of websites may have been compromised, it's very difficult to tell if an attacker has exploited the bug... and, according to one news outlet, the National Security Agency learned of its existence at least two years ago, but they didn't tell anyone, leaving American citizens vulnerable to identity and data theft while the NSA exploited the flaw for its own purposes.

The NSA flatly denies the latter accusation, which was made in a Bloomberg News report on Friday.  The security flaw itself, now known as "Heartbleed," was by all accounts introduced by accident through the work of a single programmer at the end of 2011... literally one minute before midnight on New Year's Eve, to be precise.  He was one of many programmers contributing to an "open source" project - a popular method for developing free or inexpensive software through volunteer collaboration, although open-sourcing might grow considerably less popular because of the current crisis. 

Drone Smashes Into Triathlete During Race Causing Head Injury

Apr 6, 2014 8:16 PM PT

During Sunday's Endure Batavia Triathlon held in Western Australia, a female competitor was taken to the hospital after being struck in the head by an Unmanned Aerial Vehicle (UAV). The injured athlete, Raija Ogden from Perth, was struck by the drone as she began her second lap and subsequently fell to the ground.

The drone is owned and operated by local videographers New Era Photography and Film, who were covering the event. But according to one report, owner Warren Abrams suggested Ogden was never actually struck by the drone and simply fell to the ground because she was "frightened" by the proximity of the machine. Citing footage taken just moments before the incident, Abrams said, "She looks over her shoulder and gets frightened, falling to the ground and bumping her head, but the drone didn't actually strike her."

Republicans worry about Internet freedom; Democrats put total faith in non-existent international bureaucracy

Apr 3, 2014 7:31 AM PT

Admittedly I used a bit of a loaded headline there, but I'm only returning the favor, since National Journal chose to headline their article on the debate over surrendering American oversight of web domains "Republicans Fear Obama Will Let Russia Seize Internet Power."  

That's not actually what Republicans said during a House Energy and Commerce subcommittee hearing on Wednesday, although while we're on the subject, I have yet to hear any convincing argument from preventing some degree of authoritarian mischief from the Administration, other than "trust us, we'll never let that happen."  If you like your free Internet, you can keep your free Internet.  No one will take it away from you, period.
