We apologize in advance if you're suffering from Heartbleed fatigue. It's the biggest issue in tech right now, because it might just be the biggest security failure ever. Remember those annoying email worms? This is worse. This is unlocked doors to secure data, with the majority of the Internet using the broken locks. It affects everything, from online dating to millions of Android smartphones.
And, of course, where there's an opening, the National Security Agency will work its way in. Two unidentified sources told Bloomberg that the NSA has exploited the bug for years. The Office of the Director of National Intelligence denied the allegations, stating, "Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong."
Heartbleed in a Comic
If you missed our small firm Strategist or In House posts on Heartbleed, here is the short version: Party A asks for a small bit of data. Server B pings back with a few bits too many, leaking supposedly secure data. Party A repeats until it gets what it needs.
Or, if you like pictures, here is a comic that explains the bug better than words ever could.
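The short version above, worked through in C as an added example that is not part of the original post. It assumes the TLS heartbeat layout from RFC 6520 (1-byte type, 2-byte claimed payload length, payload, at least 16 bytes of padding); the function names, the simulated memory buffer and the sample request are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (RFC 6520, not from the post); all names here are hypothetical. */
#define HB_HEADER  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16  /* minimum padding after the payload */

/* Claimed payload length: big-endian, taken from the sender's own header. */
static size_t hb_claimed(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Pre-fix behaviour, simulated: the length of the record that actually arrived
 * is never consulted. `mem` stands in for server memory; the copy is capped at
 * mem_len so this demo never reads outside its own buffer. */
size_t hb_echo_unchecked(const uint8_t *mem, size_t mem_len, uint8_t *out) {
    size_t n = hb_claimed(mem);
    if (n > mem_len - HB_HEADER) n = mem_len - HB_HEADER;
    memcpy(out, mem + HB_HEADER, n);
    return n;
}

/* Fixed behaviour: drop any request whose claimed payload does not fit
 * inside the record that actually arrived. */
size_t hb_echo_checked(const uint8_t *mem, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t n = hb_claimed(mem);
    if (HB_HEADER + n + HB_PADDING > rec_len) return 0;
    memcpy(out, mem + HB_HEADER, n);
    return n;
}

/* Constructed sample: a 21-byte record (payload "hi" + 16 padding bytes)
 * followed in memory by unrelated data. Returns the number of bytes echoed. */
size_t hb_demo(uint16_t claimed, int checked, uint8_t *out) {
    /* type 1 = heartbeat request, then the claimed length, rest zeroed */
    uint8_t mem[64] = {1, (uint8_t)(claimed >> 8), (uint8_t)claimed};
    const size_t rec_len = HB_HEADER + 2 + HB_PADDING;
    memcpy(mem + HB_HEADER, "hi", 2);
    memcpy(mem + rec_len, "SECRET (constructed)", 20);
    return checked ? hb_echo_checked(mem, rec_len, out)
                   : hb_echo_unchecked(mem, sizeof mem, out);
}

int main(void) {
    uint8_t out[64];
    printf("unchecked: %zu bytes, checked: %zu bytes\n", hb_demo(40, 0, out), hb_demo(40, 1, out));
    return 0;
}
```

With a 2-byte payload that claims to be 40 bytes long, the unchecked handler echoes 40 bytes, including the neighbouring data, while the checked handler echoes nothing.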
The bug affects as many as two-thirds of all websites. To check site by site, LastPass has a tool that reports whether a site is currently vulnerable, as well as whether it was in the past (and has since been patched).
We'd recommend a marathon password-changing session, using our tips for secure passwords, once all of your favorite sites have been patched.
This might be the worst part of the entire security nightmare. The Heartbleed bug affects millions of devices running Android 4.1.1, one of the most recent variants of the popular mobile OS, reports Mashable. And it won't be as simple as applying a patch.
When smartphones are updated, the updates don't come from Google itself (unless you have a developer device, like a Nexus phone or tablet). Instead, Google sends the latest version to the phone manufacturers, who work with the cell phone carriers to produce a carrier- and device-specific update. This is why phones take forever to actually receive updates, and why it'll be a while before the Heartbleed patch is sent to all of the millions of affected devices.
We'd hate to call an agency a liar, but if it comes down to trusting two anonymous "familiar" sources that spoke to Bloomberg, or the NSA itself, we'd go with the two anonymous sources. Heck, after the last nine months of revelations, we'd go with two crack addicts over the NSA.
The allegation is that the NSA knew about Heartbleed, and said nothing to the public, instead choosing to exploit the bug in order to gain usernames, passwords, and other critical intelligence. If the allegations are true, the agency prioritized snooping over Internet-wide cyber-security, something the agency allegedly does often. The NSA reportedly has knowledge of thousands of vulnerabilities that it uses to access sensitive data.
They call it national security. We have a few other choice descriptors that aren't appropriate for polite conversation.