Were Intelligence Agencies Using Heartbleed in November 2013?

290 points, posted by things about 11 years ago

13 comments

unhush, about 11 years ago
I helped write this post. Note that we're very interested in anyone who has been keeping raw packet logs from before the Heartbleed vuln. was public. If you find 18 03 (01 | 02 | 03) 00 03 01 in them, please let me know or post pcap files. Contact info: https://www.eff.org/about/staff/yan-zhu
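
Added example, not part of the original thread or the EFF post: a minimal scanner that searches a classic pcap file for the byte pattern quoted in the comment above and reports the payload length each heartbeat request claims. The function names `scan_pcap` and `build_sample`, the sample capture and its timestamps are constructed for illustration.

```python
import re
import struct

# Byte pattern quoted in the comment: TLS record type 0x18 (heartbeat),
# version 03 01/02/03 (TLS 1.0-1.2), record length 00 03, message type 01
# (heartbeat request). A 3-byte record holds only the type and the 2-byte
# claimed payload length, so the request carries no payload at all.
HEARTBEAT_SIG = re.compile(rb"\x18\x03[\x01\x02\x03]\x00\x03\x01")

def scan_pcap(data):
    """Return (packet_index, ts_sec, offset, claimed_len) per match.

    Handles classic pcap only (not pcapng). Matches are leads for manual
    review: six bytes can also occur by chance inside unrelated payloads.
    """
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap file")
    hits, pos, index = [], 24, 0          # 24-byte global header
    while pos + 16 <= len(data):          # 16-byte per-packet header
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, pos)
        packet = data[pos + 16 : pos + 16 + incl_len]
        for m in HEARTBEAT_SIG.finditer(packet):
            tail = packet[m.end() : m.end() + 2]
            claimed = int.from_bytes(tail, "big") if len(tail) == 2 else None
            hits.append((index, ts_sec, m.start(), claimed))
        pos += 16 + incl_len
        index += 1
    return hits

def build_sample():
    """Constructed two-packet capture (not real traffic) for demonstration."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    packets = [
        (1384300800, b"\xaa" * 54 + b"\x16\x03\x01\x00\x02\x01\x00"),
        (1384300801, b"\xaa" * 54 + b"\x18\x03\x02\x00\x03\x01\x40\x00"),
    ]
    for ts, body in packets:
        out += struct.pack("<IIII", ts, 0, len(body), len(body)) + body
    return out

if __name__ == "__main__":
    for idx, ts, off, claimed in scan_pcap(build_sample()):
        print(f"packet {idx} ts={ts} offset={off} claimed_payload_len={claimed}")
```

The pattern only appears in cleartext when the heartbeat is sent before the session is encrypted; heartbeats inside an established TLS session are not visible to this scan.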

secfirstmd, about 11 years ago
I must admit to being suspicious about this. I would consider myself very very careful about password and other security issues because of various human rights projects I work on, yet on 16th March at a very unusual but clever time for attempting such a thing against me (at the time I would have tried this, if I was targeting me and collected relevant pre-attack information) someone from the UK used my exact and recently changed password to login to my email service - traced back to a very unusual location for attempting such a thing. Luckily the service I use for low-level mail security noticed this strange login and blocked it.

It has puzzled me quite a bit as nothing like this has (knowingly) occurred to me before and I take a lot of precautions (which for obvious reasons I'm not going to go into) against keyloggers, malware, MITM, etc etc. With such target hardening I was very suspicious of how it occurred.

Of course maybe I was sleep talking my passwords again :)

ScottBurson, about 11 years ago
This would be so easy for the NSA etc. to do that I think we have to consider it as inevitably having occurred.

All they would have had to do is take a close look at any new changes committed to OpenSSL and other critical infrastructure software. Surely they have people doing that -- they would be remiss not to.

gregwtmtno, about 11 years ago
What worries me is that the Snowden leaks didn't seem to have a strong emphasis on SSL encryption, suggesting to me that they could circumvent it.

For reference take a look at this article from September. http://www.reuters.com/article/2013/09/05/net-us-usa-security-snowden-encryption-idUSBRE98413720130905

reillyse, about 11 years ago
Pardon me for being cynical about this, but from what we've heard about NSA hacking and industry collaboration I would say it's highly likely that a large number of the Certificate Authorities themselves are compromised by the NSA or GCHQ and so it renders the question moot. 4 Certificate Authorities control > 90% of the market, 3 of them based in the US and 1 in the UK. With access to the CA's keys they can sign any number of certificates they want.

nl, about 11 years ago
As I've mentioned elsewhere, heartbleed combined with bulk data collection means all your historic communications can be read unless your provider was using Perfect Forward Secrecy.

I don't think this aspect is getting as much publicity as it should.

infinity0, about 11 years ago
GCHQ have been known to attack IRC networks: https://www.networkworld.com/community/blog/eff-cyber-attack-against-hacktivists-cfaa-you-impunity-nsa-and-gchq

higherpurpose, about 11 years ago
It should be illegal for a government to make use of botnets this way.

singold, about 11 years ago
As I can't access this page from Chrome (doesn't let me because "it's not secure") here is the archive.org link

https://web.archive.org/web/20140410171401/https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

Could it be that because of heartbleed now I can't access eff.org?

shard972, about 11 years ago
Probably not. If they did, they would have raised these security flaws to the general public in the interest of security.

rdudek, about 11 years ago
This wouldn't surprise me one bit. Governments employing hackers to exploit whatever they can get their hands on is not something new.

Also, makes one think what other exploits are out that are being used, yet, we're not aware of it?

teoruiz, about 11 years ago
Very shameless plug: we just launched a t-shirt campaign with teespring.com. All proceeds will be donated to the OpenSSL Software Foundation:

* Campaign: http://teespring.com/hbts

* HN thread: https://news.ycombinator.com/item?id=7567461

diminoten, about 11 years ago
http://en.wikipedia.org/wiki/Betteridge's_law_of_headlines

I don't think so, mostly because to get useful information out of memory after only *one* heartbeat would be quite lucky.

If this were an actual attack, I think we'd see many more heartbeats in Koeman's logs.