A group hacked the NSA website to demonstrate a widespread bug!

Posted in Patriot News Network

WASHINGTON (PNN) - March 3, 2015 - A group of researchers only needed $104 and 8 hours of Amazon’s cloud computing power to hack the Amerikan Gestapo National Security Agency division’s website. Their feat was made possible by a bug that, ironically, was practically created by the NSA itself and its anti-encryption policies from 20 years ago.

The NSA’s site was just the guinea pig to demonstrate a newly disclosed Internet flaw called FREAK.

The bug, first disclosed on Monday by Akamai, allows an attacker to intercept a supposedly secure connection between people using Android or Apple devices and thousands, if not millions, of websites. This gives the hackers the chance to impersonate said website and steal confidential data like passwords and logins.

Now, as crypto expert Matthew Green correctly pointed out, this wasn’t really a “hack.” Mounting a man-in-the-middle attack against NSA.gov is not the same as hacking the NSA.

The researchers were actually just trying to make a point, and to show how dangerous this new bug is. But the choice of the target wasn’t random.

“In the current climate, it felt like the appropriate website to mount a man-in-the-middle attack on,” said Karthikeyan Bhargavan, one of the lead researchers who discovered the bug.

Bhargavan was obviously referring to the Edward Snowden revelations and the current debate over encryption, but also to the so-called Crypto Wars of the 1990s. Back then, the NSA and the Fascist Police States of Amerika government, afraid that the popularization of encryption software would harm national security, pushed for export controls that forced security firms to ship weaker encryption protocols outside of the FPSA.

In other words, they pushed for encryption backdoors, and roughly two decades later, that policy decision has left the door open for this bug.

That’s the lesson here. Encryption backdoors “never quite work out the way you want them to,” Green, a cryptography professor at Johns Hopkins University, wrote in a blog post about the bug.

FREAK is a “good example of what can go wrong when government asks to build weaknesses into security systems,” wrote Ed Felten, another respected professor of computer science at Princeton University.

In this particular case, the culprits are the RSA-EXPORT Keys or Suites.

These were weaker 512-bit keys used only outside the FPSA, since the law allowed stronger crypto only at home. Many sites abandoned those keys once the export restrictions were dropped. But surprisingly, a large number of websites were still using them, and were thus vulnerable to FREAK, according to another group of researchers at the University of Michigan who performed an Internet-wide scan to take a census.

As of Tuesday, according to their scan, more than 36% of websites that support web encryption (TLS or SSL) were vulnerable, including 12.2% of the top 1 million websites in the world, among them bloomberg.com, americanexpress.com, the NSA website and the Amerikan Gestapo Federal Bureau of Investigation division’s site for anonymous tips.

“We didn’t think there’d be sites supporting these really ancient export cipher suites,” said Karthikeyan, who works for a French research group called Prosecco, which is part of Paris-based INRIA.

The bug also affected a Facebook website (connect.facebook.net) which hosts the script for Facebook’s “Like” and login buttons that are included in innumerable websites on the Internet.

“That’s a big chunk of the Internet,” Karthikeyan said.

The good news is that this is not a trivial attack. A hacker trying to exploit this needs to be on an insecure network, such as a coffee shop WiFi, and needs a vulnerable site to exploit. The hacker also needs to target a victim who is on the same network and using a vulnerable device.

The hacker also needs “a certain amount of technical finesse,” according to Karthikeyan, and access to “cutting-edge” tools to factor the keys. But once they break the keys, that’s game over.

For now the list of potential victims includes Macs (though Apple has already announced that it will roll out a fix next week) and some Android smartphones. While tech companies and website owners rush to issue a patch, you can test whether you’re vulnerable at freakattack.com.

As for the NSA, the site is still unpatched. Vanee Vines, a spokesperson for the agency, did not respond to a request for comment.

Karthikeyan said that perhaps the NSA didn’t bother patching yet because “they didn’t care enough about it” since the site doesn’t contain or host sensitive information. But Karthikeyan also noted that the NSA has a careers website, and with this bug, someone could potentially steal the usernames and passwords of would-be NSAers and access their job applications.

So perhaps, Karthikeyan added, the NSA should be more careful.
