[kwlug-disc] Heartbleed affected sites

unsolicited unsolicited at swiz.ca
Tue Apr 15 16:32:30 EDT 2014 

> Is it simply that CSIS et al are they monitoring the forums that
> sell the stolen info?

Yes. These days, that's a given. Think sex offenders, Vancouver riots
(face detection, cross referenced), or stolen items discovered on kijiji
or eBay. Probably picked up via facial/image/pattern recognition. 
Presumably just extensions of computerized fingerprint identification.

> Or more ominously, are they monitoring the wire of all traffic
> to/from CRA?

I wonder some times if not every bit of data passes through something
where it gets analyzed, if only later. Figuring out purging policies
probably isn't fun.

If they are, then they know the IPs of who did it. Presumably they
could spot the heartbeat request, AND have the data that was returned.
Thus they know '900'. It would also say how they know -which- 900 to
send registered letters to. So they must also know who did it, but,
evidently not releasing the information to know how big the problem is
outside CRA. i.e. Provide more surgical reports to the media.

Whether detectable by the servers or not, the act can be detected, and
soon enough the consequences of the breach will be felt, by some. Maybe.
Like a theft, you know the item is gone, even if you don't know how. And 
for some, they don't (yet?) know the item is gone. (Can't prove a negative.)

Here they know when (6 hours) but they haven't said. One expert on TV I
saw interviewed FINALLY gave some reasonable advice, consistent with the
bug specifics (vs the world has come to an end) - if you weren't on CRA
during the given time periods, don't worry about it, your information
didn't flow through. If you were, maybe worry about it, might want to
change your password. If you receive the registered letter, definitely
worry about it - and the CRA will be offering free credit protection
(for something like 2 years). Finally, some qualified information. If
you were on the site during the period, he suggested calling Equifax and
TransUnion sooner rather than later.

ISPs are now using boxes, packet analyzers, that can keep up with the
pipes, to block encrypted (torrent) traffic. I forget the name, but
they're local to K-W. You can assume governments do too. You should
assume big brother is indeed watching. 'Cross-border' be darned. More
likely everything - figure out which is which after the fact. Let alone
non-citizens while in country, which by definition will be accessing in
country devices, such as the local airport's AP.

(Let alone ISPs injecting TCP session end packets into your stream! Grrr.)

If we can scan for virus patterns, we can scan for potentially 
interesting network patterns. Presumably a heartbeat request is 
reasonably easy to scan for. Specific request stream to/from port 22. 
Presumably noise can be tossed, and the rest stored, even if only as 
'metadata'. As time goes on, more patterns are added, and the noise 
level reduced. But probably not going backwards in time.

On 14-04-15 09:35 AM, CrankyOldBugger wrote:
 > My money is on the NSA being the culprit at the CRA.

That's both funny, and sadly, probably true.

Heartbleed may not be traceable, from the server, but at the least you 
know who has ssl connections. Also doesn't say there aren't breadcrumbs 
or detectable impacts. (Not suggesting you were.)


On 14-04-15 09:50 AM, John Johnson wrote:
> On 2014-04-15 09:20, Khalid Baheyeldin wrote:
>> We are currently going through the painstaking process of
>> analyzing other fragments of data, some that may relate to
>> businesses, that were also removed."
>
> Given the sheer volume of data that is flowing in the tubes, I would
> suggest that this would be much like looking for a particular cup of
> water in the Great Lakes. And that any investigation or analysis
> would have to be executed on an exception basis as opposed to
> continuous.
>
> That said, to be able to look at the 'fragments of data' means that
> a copy of the data would have to be stored somewhere and someway. Or
>  that they have a means to be able to determine what data would been
>  available to the Heartbleed security breach.
>
>> Is it simply that CSIS et al are they monitoring the forums that
>> sell the stolen info?
>
> Yes.
>
>> Or more ominously, are they monitoring the wire of all traffic
>> to/from CRA?
>
> Again, see above re: cup of water but this time, in the Grand River.
>
> BTW: I think I recall seeing a post in this thread that said that an
> attack using the Heartbleed security breach was not traceable, did
> not leave fingerprints and thus could not be detected.
>
> JohnJ
>
>
>
>
> _______________________________________________ kwlug-disc mailing
> list kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org

More information about the kwlug-disc mailing list