US Government Is Paying To Undermine Internet Security, Not To Fix It
from the bleeding-heart-security dept
The Heartbleed computer security bug is many things: a catastrophic tech failure, an open invitation to criminal hackers and yet another reason to upgrade our passwords on dozens of websites. But more than anything else, Heartbleed reveals our neglect of Internet security.
The United States spends more than $50 billion a year on spying and intelligence, while the folks who build important defense software — in this case a program called OpenSSL that ensures that your connection to a website is encrypted — are four core programmers, only one of whom calls it a full-time job.
In a typical year, the foundation that supports OpenSSL receives just $2,000 in donations. The programmers have to rely on consulting gigs to pay for their work. “There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work,” says Steve Marquess, who raises money for the project.
Is it any wonder that this Heartbleed bug slipped through the cracks?
Dan Kaminsky, a security researcher who saved the Internet from a similarly fundamental flaw back in 2008, says that Heartbleed shows that it’s time to get “serious about figuring out what software has become Critical Infrastructure to the global economy, and dedicating genuine resources to supporting that code.”
The Obama Administration has said it is doing just that with its national cybersecurity initiative, which establishes guidelines for strengthening the defense of our technological infrastructure — but it does not provide funding for the implementation of those guidelines.
Instead, the National Security Agency, which has responsibility to protect U.S. infrastructure, has worked to weaken encryption standards. And so private websites — such as Facebook and Google, which were affected by Heartbleed — often use open-source tools such as OpenSSL, where the code is publicly available and can be verified to be free of NSA backdoors.
The federal government spent at least $65 billion between 2006 and 2012 to secure its own networks, according to a February report from the Senate Homeland Security and Government Affairs Committee. And many critical parts of the private sector — such as nuclear reactors and banking — follow sector-specific cybersecurity regulations.
But private industry has also failed to fund its critical tools. As cryptographer Matthew Green says, “Maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding so they can keep doing their job.”
In the meantime, the rest of us are left with the unfortunate job of changing all our passwords, which may have been stolen from websites that were using the broken encryption standard. It’s unclear whether the bug was exploited by criminals or intelligence agencies. (The NSA says it didn’t know about it.)
It’s worth noting, however, that the risk of your passwords being stolen is still lower than the risk of your passwords being hacked from a website that failed to protect them properly. Criminals have so many ways to obtain your information these days — by sending you a fake email from your bank or hacking into a retailer’s unguarded database — that it’s unclear how many would have gone through the trouble of exploiting this encryption flaw.
The problem is that if your passwords were hacked by the Heartbleed bug, the hack would leave no trace. And so, unfortunately, it’s still a good idea to assume that your passwords might have been stolen.
So, you need to change them. If you’re like me, you have way too many passwords. So I suggest starting with the most important ones — your email passwords. Anyone who gains control of your email can click “forgot password” on your other accounts and get a new password emailed to them. As a result, email passwords are the key to the rest of your accounts. After email, I’d suggest changing banking and social media account passwords.
But before you change your passwords, you need to check if the website has patched their site. You can test whether a site has been patched by typing the URL here. (Look for the green highlighted ” Now Safe” result.)
If the site has been patched, then change your password. If the site has not been patched, wait until it has been patched before you change your password.
A reminder about how to make passwords: Forget all the password advice you’ve been given about using symbols and not writing down your passwords. There are only two things that matter: Don’t reuse passwords across websites and the longer the password, the better.
I suggest using password management software, such as 1Password or LastPass, to generate the vast majority of your passwords. And for email, banking and your password to your password manager, I suggest a method of picking random words from the Dictionary called Diceware. If that seems too hard, just make your password super long — at least 30 or 40 characters long, if possible.
Republished from ProPublica
Filed Under: heartbleed, nsa, open source, security, surveillance
Comments on “US Government Is Paying To Undermine Internet Security, Not To Fix It”
Get with the programme.
Blame those who “exploit” the bug. Not those who don’t donate the $2000 (total yearly) for the tech they use. They done nothing wrong.
I believe the gist of this story is not so much blaming someone it’s that both government and industry rely on an Internet which needs funding for critical areas involving security. One of the NSA’s primary roles is ensuring the security of the Internet. That role can be filled by a government agency that provides, at least, funding to create and maintain the underlying code. There will never be trust in code used for confidentiality and authentication unless it is open source. Also, as many people are saying, the NSA can’t play this role when it also has the role of spying on communications.
Re: Re: I was being snarky....just finished reading that Canadian Kid story and was pissed
It’s one of the few articles written by a writer who “gets it”.
If security is the NSA’s job then they are to blame.
The companies that use openssl and didn’t support it are also at fault.
The PR and “viral marketing” say otherwise. That Canadian kid is to blame. It was a bug that they could do nothing about. Remember that Canadian kid? Yeah, that evil kid is to blame. This [insert corp here] did nothing wrong.
There are way too many idiots who fall for “viral marketing” spin and PR. They can’t blame the coders though. They won’t. It exposes how awful they were by not funding the coders. ($2000 per year) what?
These type of stories come up, time to time.(A voice using facts against a PR campaign) I regret that the writer is pissing in the wind. It literally is sad. All the blame will go to everyone except those who should be blamed. PR will make it happen and idiots will lap it up.
There is “at fault” here. PR is misdirecting it.
Re: Response to: Anonymous Coward on Apr 18th, 2014 @ 10:06am
When a company profits billions of dollars a year without giving a dime back, that’s wrong in my book.
Shelling out multiples of $1,000,000,000 for buying 12 person startups, and then not being able to toss OpenSSL a bone? Priorities have gone askew!
Nice obligatory xkcd! http://xkcd.com/1354/
I used that xkcd to explain to my mom what heartbleed was. She was calling it “the heartbleed virus”.
Re: Re: Re:
That’s because the news was calling it a virus. It boiled my blood when I heard that.
It is good advice to suggest longer passwords. Unfortunately, many websites have a length limit which is too short. My credit union, a Silicon Valley financial institution no less, had an upper limit of 12 characters for passwords used for online banking. I discussed the problem with them about such a limit 3 months ago. As it happened they were in the midst of making changes directed towards making the site more secure. As a result, they increased the limit to 20 characters which is tolerable but not ideal.
A randomly generated password of 12 characters, using a good sized character set significantly larger than the set of alphanumeric characters, is fairly safe. This works well if you use a password manager and don’t have to type, much less memorize, such a password. Passwords that don’t require a lot of effort to memorize contain less entropy, so they need to be longer to be secure. I suggest 20 characters as a minimum. I used to use book titles along with a random 4 digit number. No longer is that safe. Now, for my 94 passwords, I use random sentence fragments from books along with numbers (I won’t disclose any more, security through obscurity does have limited value). I keep all my passwords in an encrypted file. I find I can remember passwords that I use at least once a week. I don’t need mobile access so I have not utilized a password manager. My solution is not the only good one and I do test it with a password cracker.
Re: password length
What’s worse is when a bank (like mine) has no upper limit, but they only use the first 8 characters of input.
Do NOT use any real words in a password. Period. Very few attacks use a true brute force method, they almost always start with a dictionary.
I agree that a single word, either untouched or mangled, is not secure. This is true regardless of what language is used. Back in the 90’s I used to use Hungarian words thinking that language was fairly obscure, only 11 million speak it. Wrong, it is now one of the standard languages used for dictionary attacks.
The current state of password cracking allows secure use of passphrases though. A coarse attack against a passphrase using a dictionary of 20,000 words requires an effort of 20,000 ^ N, where N is the number of words. If N is 2 that effort is 400,000,000 (actually 200 million on average) This is still not secure. 3 words requires an average effort of 4 trillion guesses. This is still not secure particularly if the words are not random but a sentence fragment. The security can be increased with mangling but it is better to choose a basic length without considering mangling. 5 random words requires and average effort of 1.6 x 10 ^ 21. This is very roughly equivalent to a binary key of length 70 (70 bits of entropy) and with mangling can approach a password that, depending on the hashing algorithm employed, even the NSA will, currently, have a hard time cracking in a reasonable time. If one uses a larger dictionary, say 1 million words including all sorts of technical words, a random 3 word passphrase requires an effort of, roughly, 10 ^ 18 guesses.
Finally, if a, nonrandom, grammatical phrase is used, it should not be well known (e.g. book title, song title, lyric, famous quote, or a spelled out TLA)
Re: Re: 59 character "WPA2 password" master race reporting in.
Brute force OR Dictionary style attacks is what you are generally defending against. If you have to physically remember a pass. Make it lot’s of words in a unique custom sentence. Replacing some letters with symbols, Capitals and numbers will massively secure it further.
-Do NOT use any real words in a password. Period
That is dumb advice, there are more words than characters so words have more entropy.
Using twelve words for your password is just as safe, if not safer, than using twelve characters in your password.
Twelve words also has the benefit of being easier to remember.
Which password is easier to brute force crack?
Which one is easier to remember?
B: “my dog ate my homework and the teacher did not believe me.”
Re: Re: Re:
Its a sentence which is a silly thing to use
Actually, the market determines how much security is needed. Target failed to keep their customers data secured, they lost business, you better believe they will have tighter security in the future than most other retailers. Same exact freaking thing will happen with the internet and SSL.
Heartbleed = overblown. Your article = nonsense.
You clearly have failed to understand even the merest rudiments of security. I suggest extensive remedial education, starting with “everything ever written by Schneier, Bellovin, Cheswick, Spafford, Ranum, Felten, Edelmen, Ferguson, Halderman, Forno, Appelbaum, Kaminsky, Vixie, Soghoian, Zalewski, Marlinspike, Honeyman, and anybody that’s part of Team Cymru”.
Love it. One libertarian tries to school another.
Let’s assume that you’re correct: that the market will fix the problem. How long after the first major, publicly sensational breach, do you think the market should take to respond?
Cuz, I’m thinking, it your assertion is correct, the market would have responded by now. There has been breach after breach, as long as there has been a www. Somehow, the market hasn’t fixed the problem.
Your libertarian utopia would require perfect information for the market to function perfectly. Consumers would have to know exactly what kind of security each vendor offered, and UNDERSTAND that technology, and understand the risk profile it presents. Consumers would have to have that information each time they buy something like bedsheets from either Target.com or Walmart.com. Sound reasonable to you?
“the market determines how much security is needed.”
The market determines the minimum amount of security that people will put up with. This is substantially less than how much security is needed.
Re: Re: Re:
Libertarianism is a misnomer, and assumes a golden state of affairs where there is equal opportunity to enter “the market” and enough information available to make informed decisions.
That whole “Private enterprise can do no wrong” idea is overblown.
That’s not the most annoying thing about them, though. It’s the way they mendaciously reframe common concepts to create a false impression of the issues that grinds my gears.
The demand side of the market will not force the supply side to sort out security because the vast majority of us don’t understand the complexities of encryption and security online. Okay, I don’t understand the complexities of encryption and security online. I just know that the one time I fell for a phishing scam I had to change my passwords, no biggie. I’ve been more careful about following links that ask me to log in, i.e. provide my username and password, since then. Am I really the only one?
John Fenderson is right, per my personal experience.
Again, “the market” won’t solve the problem because “the market” is not a single entity. It’s not even a gestalt of supply and demand. It’s a hell of a lot more complex than that because it’s made up of individuals and is therefore incapable of solving problems in and of itself. Can we please stop pretending that it can?
What a coincidence, the US govt. seems to be working counter to the interests of its citizens. I’M SURE IT’S JUST A FLUKE.
Great advice Mike! I personally prefer KeyPass for Windows and KeyPassX for Linux. The reason I prefer KeePass over LastPass, is due to KeePass being a offline password manager. This means the FISC court can’t compel a company to push a backdoor update to a specific user, through the use of National Security Letters.
Plus, KeyPass is free and open source software. 🙂
Re: Spelled KeePass wrong
I meant to say KeePass. I also meant to say Julia, not Mike. Oops!
“The problem is that if your passwords were hacked by the Heartbleed bug, the hack would leave no trace.”
Not *necessarily* true. Such a hack leaves no trace in standard web server (or other application) logs.
However, either compiling with debug logging enabled, or recording IP traffic with a sniffer or logging firewall and decrypting with the web site’s certificates shows the exploit attempt.
The security community has rapidly responded to Heartbleed and most of the major intrusion detection products now pick up Heartbleed.
Google “snort heartbleed” for one example.
It’s true that a lot of media folk and Internet startups don’t run an IDS.. Any financial institution and most publicly traded companies will have one though.
Re: "No trace"
It is not always possible to decrypt logged SSL traffic even if you have the sites private keys. So no, it is not as simple as you stated.
Modern browsers implement forward secrecy, now we just need to get all websites to support it too.
Let’s go one step further here with the blame:
There’s an editorial from Tim Berners-Lee emphasizing heavily that OpenSSL is mostly maintained by 4 EUROPEAN programmers, but used extensively by AMERICAN corporation, and that it is a disgrace that the product is not supported more by those who benefit from it.
Now I’m not sure why Tim would emphasize the EUROPEAN part, without pointing out why that is the case: Because most open source product dealing with cryptography are maintained and developed by non Americans and have to put restrictions on the participation of Americans because …. of US government policy reaching back decades….
Am I misreading this whole thing, or doesn’t the virus in question leak data? If it leaks data and your brand spanking new 32 character Password is data, then what’s to stop your new password from being leaked into the same hands that have been milking this cow for 2 years???
I can’t help but get this feeling that the “instruction” to create a new password, is nothing more than an attempt to make the public “feel” secure in a totally insecure situation and make those responsible for the situation appear to be “on top of the problem”.
Tell me my new password is somehow safe from the HeartBleed Virus.
CYBER CRIME => a Global Nightmare!
YOUR Current Anti-Virus Protection Software CANNOT Stop these Cyber Crimes because they operate in REAL TIME unless you have been educated and presented with the BEST CYBER PROTECTION in the World.