Why such muted US media reports on the massive escalation of US information/communications/surveillance war?
4/9/14 NYT: Experts Find a Door Ajar in an Internet Security Method Thought Safe ...dubbed the Heartbeat bug....
Encryption 'heartbleed' bug leaves two thirds of web traffic exposed
The vulnerability was found by Google researchers in the OpenSSL cryptographic library believed to be used by roughly two-thirds of all websites on the Internet and is part of the most common server software in use...The flaw was introduced in OpenSSL in December 2011, and has been 'in the wild' until yesterday, when a new version fixing the flaw was released....
The problem was uncovered by a team of researchers from Google Security and Codenomicon. Research by analytics firm Netcraft says almost 500,000 websites could be affected.
'The serious overrun vulnerability in the OpenSSL cryptographic library affects around 17% of SSL web servers,' it says. Its research found Twitter, GitHub, Yahoo, Tumblr, Steam, Flickr, HypoVereinsbank, PostFinance, Regents Bank, Commonwealth Bank of Australia, and the anonymous search engine DuckDuckGo are all affected....
The vulnerability was dubbed the Heartbleed Bug because it was discovered 'in the OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520),' the team said. 'This bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously.'
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Daniel Foster of hosting firm 34SP.com: '... potentially all web users affected by the ‘heartbleed’ security bug that hit OpenSSL software, the software that protects credit card transactions...'
Codenomicon Chairman of the Board Behind Heartbleed, Howard A. Schmidt, Former Chief Security Officer for Microsoft
Codenomicon, member of Microsoft Security Development
... originally created by Microsoft in 2004 since then...Codenomicon used to achieve measurable security improvements in their flagship products.
Codenomicon DEFENSICS - SEI Digital Library
Co-founder Codenomicon key customer services specialist in USA ... From: http://www.google.com/googlebooks/chrome/.
www.codenomicon.com/company/contact.shtml - Saratoga, CA 95070 US
Codenomicon DEFENSICS. Defend. Then deploy
Codenomicon DEFENSICS preemptive security and robustness testing solutions to mitigate unknown and published threats in products ...
2014 National Laboratories Information Technology (NLIT) Summit. http://www.fbcinc.com/e/nlit/default.aspx; June 30 - July 1, San Francisco, CA, USA.
Howard A. Schmidt https://en.wikipedia.org/wiki/Howard_Schmidt
Howard A. Schmidt ...December 22, 2009 Schmidt named US Cyber Security Advisor to President Barack Obama...authored "DRAFT National Strategy for Trusted Identities in Cyberspace" 25 June 2010, retired 2012... cyber-adviser to G W Bush and chief security strategist for US CERT, Partners Program for the National Cyber Security Division through Carnegie Mellon University in support of Department of Homeland Security... vice president and chief information security officer and chief security strategist for eBay, partner with Tom Ridge in Ridge Schmidt Cyber LLC...Board member Codenomicon...director Computer Exploitation Team at Drug Intelligence Center...1997, Schmidt Microsoft director of information security, chief information security officer (CISO), and chief security officer (CSO)... co-founder of Trustworthy Computing... on Executive Committee of the Information Technology Sector Coordination Council....memberships include High Technology Crime Investigation Association, Security Strategies Group, American Academy of Forensic Sciences and the International Association of Chiefs of Police
'Cool' Infowar partners
The Heartbleed Bug, explained
Updated by Timothy B. Lee April 8, 2014, 3:00 p.m. ET
It was discovered independently by researchers at Codenomicon and Google Security... the researchers worked with the OpenSSL team and other key insiders to prepare fixes before the problem was announced publicly....likely to be most valuable to intelligence agencies with the infrastructure to intercept user traffic on a mass scale: “We know NSA has secret agreements with U.S. telecommunications providers to tap into the Internet backbone. Users might have thought the SSL encryption on websites such as Gmail and Facebook protected them from this kind of snooping. But the Heartbleed bug could allow the NSA to obtain the private keys needed to unscramble these private communications. We don't know for sure, but it wouldn't be surprising if the NSA discovered the Heartbleed vulnerability before the general public did. OpenSSL is among the most widely used encryption software in the world, so it's a safe bet that NSA security experts have gone through its source code with a fine-toothed comb.”...
VOX Lee links to:
* Schneier on Security https://www.schneier.com/blog/archives/2013/09/senator_feinste.html
"So we knew it already, but now we know it even more. So why won't President Obama admit it?"...I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I write books, articles, and academic papers. Currently, I'm Chief Technology Officer of Co3 Systems, a fellow at Harvard's Berkman Center, and a board member of EFF.
* Schneier lays out earlier revelations then characteristically asks a politically loaded 'innocent' question that reduces US fascist geopolitical strategy & tactics to 'fixable' electoral politics:...He's an influential snake-in-the-grass neolib democrat intel-communications 'specialist' with US/Soros (press freedom) Harvard Berkman Center
... Connections to Google are not vulnerable, researchers say...
SSL is the most common technology used to secure websites. Web servers that use it securely send an encryption key to the visitor; that is then used to protect all other information coming to and from the server. It is crucial in protecting services like online shopping or banking from eavesdropping, as it renders users immune to so-called man in the middle attacks, where a third party intercepts both streams of traffic and uses them to discover confidential information.
The Heartbleed bug... not only lets attackers read the confidential encrypted data; it also allows them to take the encryption keys used to secure the data. That means that even servers which fix the bug, using a patch supplied by OpenSSL, must also update all their keys...the bug can cause servers to leak other information stored on the server which wouldn't normally be available
That data leakage means servers vulnerable to Heartbleed are less secure than they would be if they had no encryption at all. "This allows attackers to eavesdrop communications, steal data directly from the services and users, and to impersonate services and users," explained security group Codenomicon, which discovered the flaw.
The vulnerability was introduced in 2011, apparently by accident when the opensource code was updated, but was only spotted recently. That has raised fears some attackers may already have been exploiting it.... "Unfortunately it is not clear at the moment there is any way to know whether this has already happened, since the vulnerability has been around for two years," explains Matthew Bloch, managing director of hosting company Bytemark...."We count at least a few hundred thousand servers using affected library versions so it poses a significant threat," says Mark Schloesser, security researcher at penetration testing firm Rapid7. "As the same problem affects other protocols/services such as mail servers and databases, we assume overall we're looking at millions of vulnerable systems connected to the public internet."...
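The quoted passages above describe the bug's effect (a server handing back memory it should never expose) and the resulting problem for responders (no reliable way to tell after the fact whether a leak already happened). The added example below, written for this page and not taken from OpenSSL, Codenomicon or any of the quoted sources, makes both concrete on a constructed buffer: it implements the RFC 6520 heartbeat message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) first in the naive form that trusts the sender's payload_length field, then in the hardened form that checks that field against the length of the record actually received, and finally as a scan over captured heartbeat records that flags the mismatch a monitoring system can look for. All "memory", records and secrets here are constructed bytes, and the function names are this example's own.

```python
"""
Added example (not from the post or any source it quotes): RFC 6520
heartbeat handling, naive vs. hardened, plus a record scan for detection.
Everything below operates on constructed byte buffers only.
"""
import struct
from typing import List, Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3      # 1-byte type + 2-byte payload_length (big-endian)
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest. claimed_length lets a test construct a
    message whose length field disagrees with the bytes actually sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def naive_respond(memory: bytes, offset: int) -> bytes:
    """Pre-fix behaviour: copy payload_length bytes starting at the payload,
    without ever asking how long the received record really was. On a
    constructed buffer this simply slices past the record into whatever
    follows it, which is the behaviour the articles above describe."""
    _hb_type, length = struct.unpack_from("!BH", memory, offset)
    start = offset + HEADER_LEN
    payload = memory[start:start + length]          # may run past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * MIN_PADDING


def safe_respond(record: bytes) -> Optional[bytes]:
    """Post-fix behaviour: the declared payload length must fit inside the
    record together with the header and minimum padding, otherwise the
    message is discarded (RFC 6520 says to silently drop such messages)."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    hb_type, length = struct.unpack_from("!BH", record, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + length + MIN_PADDING > len(record):
        return None                                  # the missing bounds check
    payload = record[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * MIN_PADDING


def declared_length_exceeds_record(record: bytes) -> bool:
    """Detection view of the same check: True when a heartbeat record's
    payload_length field cannot fit in the record that carried it."""
    if len(record) < HEADER_LEN:
        return True
    _hb_type, length = struct.unpack_from("!BH", record, 0)
    return HEADER_LEN + length + MIN_PADDING > len(record)


def scan_heartbeat_records(records: List[bytes]) -> List[int]:
    """Return indices of records whose length field is oversized; a monitor
    fed with captured TLS heartbeat records (content type 24) could raise
    an alert on these."""
    return [i for i, rec in enumerate(records) if declared_length_exceeds_record(rec)]


# Constructed sample data: a benign request, a request claiming 64 payload
# bytes while carrying 2, and a fake "process memory" image that places
# constructed secret-looking bytes right after the malformed record.
BENIGN_RECORD = build_heartbeat(b"hi")
MALFORMED_RECORD = build_heartbeat(b"hi", claimed_length=64)
MEMORY = MALFORMED_RECORD + b"SECRET KEY MATERIAL AND SESSION COOKIES"
SAMPLE_RECORDS = [BENIGN_RECORD, MALFORMED_RECORD, build_heartbeat(b"ping")]


if __name__ == "__main__":
    print("naive response leaks bytes past the record:",
          b"SECRET" in naive_respond(MEMORY, 0))
    print("hardened handler drops the malformed request:",
          safe_respond(MALFORMED_RECORD) is None)
    print("flagged record indices:", scan_heartbeat_records(SAMPLE_RECORDS))
```

The hardened handler does nothing more than compare the sender-supplied length with the length of the record it arrived in; that one comparison is the whole difference between the two code paths. The scan function applies the same comparison to records seen on the wire, which is the only signal available to a defender here, since a successful leak looks like a perfectly normal heartbeat response on the server side and leaves no entry in application logs.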
*Open Source Center - https://en.wikipedia.org/wiki/Open_Source_Center -
Director of National Intelligence Open Source Center (OSC) is a U.S. Central Intelligence Agency (CIA) intelligence center in Reston, Virginia, ...
*CIA.vc www.cia.vc - the open source "version control informant" source code commit notification service...collaborate more efficiently on open source ...
*CIA Open Source Center Follows Foreign Twitter, Facebook Accounts
McLEAN, Va. — CIA analyst... "ninja librarians" are mining
*Google, CIA, Homeland Security ... Julian Assange 3/23/13
*CIA-backed Cloud Security Co Buys Encryption Co
Google Teams Up with CIA to Fund “Recorded Future” Startup Monitoring ... Google teaming up with National Security Agency (NSA)...
*CIA inspired Approach to Medical Device Cybersecurity | Qmed
Dec 3, 2013 ...global director, medical security at Codenomicon at BIOMEDevice ...illustrated risks by using CIA triad of confidentiality, ...
*Wurldtech and Codenomicon Extend SCADA Security Partnership ... 9/26/12
Wurldtech and Codenomicon...extending their .. [VentureBeat] · CIA Invests In Geodata Expert OpenGeo ...
*Canonical Breaks With Amazon Over CIA Connections | Techrights
Codenomicon is headed by Microsoft's Howard A. Schmidt ..