The NSA Might Have Known About Heartbleed All Along
Guess who might have known about Heartbleed all along? According to a report in Bloomberg, everyone's favorite super-sophisticated intelligence agency: the NSA.
And it likely used it to make its job of spying easier.
The Heartbleed bug recently revealed to have been lurking in the OpenSSL encryption protocol (which is used by as much as two-thirds of the Internet) was a gaping hole in Internet security, perhaps the most devastating glitch in computing history. Using Heartbleed, which any amateur can use to trick a server into spitting out more information than it should from its memory, usernames and passcodes for any server which had the faulty encryption software installed could easily be retrieved by third parties.
In a statement, the NSA said Bloomberg's report was simply "wrong." The U.S., the NSA said, would reveal this kind of vulnerability to developers if it ever came upon it. They say:
"The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."When Federal agencies discover a new vulnerability in commercial and open source software – a so-called 'Zero day' vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."In response to the recommendations of the President's Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."
Bloomberg reports that it's likely the NSA discovered and utilized the bug to make gathering information easier, while simultaneously ignoring the gaping hole which could potentially reveal millions of users' private data to foreign powers and criminals. One of the agency's 1,000+ experts devoted to discovering security flaws in widely-used software apparently discovered it shortly after it was introduced to the OpenSSL code in March 2012. Instead of discreetly alerting someone in a position to quietly fix the error, the NSA subsequently added it to its toolkit.
If true, it would mean that the NSA willingly and knowingly made the Internet less secure in its pursuit of easy access to large amounts of data.
"It flies in the face of the agency's comments that defense comes first," Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer, told the news agency. "They are going to be completely shredded by the computer security community for this."
Though the sheer scale of Heartbleed is disheartening, it's also a good time to look back and see how predictable the whole mess was. As we wrote back in November:
And some experts warn that mass NSA infiltration of other networks comes with a price. The Electronic Frontier Foundation writes that by secretly introducing vulnerabilities into the world's Internet infrastructure, the NSA risks allowing anyone who discovers those vulnerabilities to obtain immense power to bypass the security restrictions which keep the Internet safe and reliable.
It's also especially disturbing because while the NSA is a U.S. spy agency subject to the kind of controls on intelligence and classified information as any other, all it would take is one current or former NSA tech to leak info about the bug for the entire internet's security to be compromised. And if the NSA has any clear-cut vulnerabilities, it's their human liabilities. Does this sound familiar to anyone?
As it stands, the Internet is very lucky Heartbleed was came to public attention via a white-hat hacker working for Google instead of Russian criminals looking for exploits or a foreign power like the PLA's Unit 61398, which is widely suspected of orchestrating cyber-attacks and data theft from U.S. corporations. And yet again we can see that the NSA's official mission of protecting sensitive U.S. assets from foreign attack is rapidly being replaced by one that prioritizes offensive information-collecting operations and surveillance capabilities above all else.