Did the NSA know about Heartbleed all along?
The National Security Agency may have known about Heartbleed.
It's an easy connection to make, as the Edward Snowden revelations remain fresh in people's minds. If the NSA was secretly spying on ordinary citizens and world leaders with such extensive online capabilities, could it have stumbled on the Internet's most serious security flaw to date and used it to further its surveillance?
That is what Bloomberg asserted. Citing two unnamed sources, the news organization says the NSA knew about the Heartbleed OpenSSL security flaw and exploited it for nearly two years to steal passwords and "critical intelligence." The NSA vehemently denied the claim, and cybersecurity experts aren't sure that the agency's offensive mission would have outweighed its interest in defending against a flaw this serious.
When the OpenSSL bug first came to light, the implications quickly proved to be far-reaching. Internet giants including Yahoo, Amazon, and Facebook rushed to patch the flaw, which let an attacker read chunks of a server's memory, potentially including private keys, session cookies, and passwords, without leaving a trace in the server's logs. The Canada Revenue Agency had to halt its online services after realizing its website was vulnerable.
It wasn't long before the NSA came under scrutiny. In the past year, leaks revealed that the agency has listened in on phone conversations, including those of German Chancellor Angela Merkel, and hacked into e-mail accounts. The situation created more scrutiny of the agency's powers and effectiveness than ever before, and President Obama recently announced that certain NSA programs would be overhauled.
The Heartbleed bug raised suspicions that the NSA knew about the flaw and did nothing about it, in order to add it to its arsenal of spying tools. Bloomberg's anonymous sources claim exactly that.
Cybersecurity experts aren鈥檛 so sure.
"Whilst such agencies have a directive towards collecting intelligence they also have a duty to protect," the global head of security research for security firm Sophos wrote in a Forbes column. "Any such vulnerability would likely have been through a risk assessment in which the intelligence value versus the potential damage would have been weighed up and I would find it surprising if the choice was made to keep it a secret rather than remediate it."
"It hasn't been demonstrated to work all the time," Mr. Blaze, a cryptographer and computer security professor at the University of Pennsylvania, told Wired. "So even if a site is vulnerable, there's no guarantee you're going to be able to use [Heartbleed] to actually get keys. Then you've got the problem that it's an active attack rather than a passive attack, which means they need to be able to do multiple round trips with the server. This is potentially detectable if they get too greedy doing it."
In other words, the agency's defensive mission (as a front line against cyber attackers) likely would have outweighed the value of the information it could have gathered, a point the agency and the White House underlined in their statements on the matter. Still, Mr. Blaze says he wouldn't be surprised if the NSA did know about the flaw.
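Mr. Blaze's point that Heartbleed is an active attack, and therefore detectable, rests on what the exploit looks like on the wire: a heartbeat request that declares a payload length larger than the record actually carries, which the unpatched server answered with that many bytes of its memory. The following is an added example, not code from the article or from OpenSSL, showing the bounds check the fix introduced and a simple detector that flags both malformed heartbeats and "too greedy" clients. The client addresses, the captured records, and the `greedy_threshold` are constructed for illustration.

```python
"""Detecting Heartbleed-style heartbeat requests in captured TLS records."""
import struct

HEARTBEAT_CONTENT_TYPE = 24  # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1        # HeartbeatMessageType.heartbeat_request
MIN_PADDING = 16             # RFC 6520 requires at least 16 bytes of padding
TLS_1_1 = 0x0302


def build_record(content_type: int, body: bytes, version: int = TLS_1_1) -> bytes:
    """Wrap a body in a 5-byte TLS record header (type, version, length)."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def build_heartbeat(declared_len: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a heartbeat_request body. declared_len is what the sender
    *claims*; an honest sender sets it to len(payload). Heartbleed lies here."""
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_len) + payload + padding


def parse_records(data: bytes):
    """Split a byte stream into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:  # truncated capture: stop rather than misparse
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def heartbeat_mismatch(body: bytes):
    """Return (declared_len, available) when a heartbeat_request claims more
    payload than the record can hold, None otherwise. This is the check the
    OpenSSL fix added: type (1) + length (2) + payload + padding (16) must
    fit inside the record; the vulnerable code trusted declared_len blindly."""
    if len(body) < 3 or body[0] != HEARTBEAT_REQUEST:
        return None
    declared = struct.unpack("!H", body[1:3])[0]
    available = len(body) - 3 - MIN_PADDING
    if declared > available:
        return (declared, available)
    return None


def analyze_flows(flows: dict, greedy_threshold: int = 3) -> dict:
    """Per client: count heartbeat requests and malformed ones. Alert on any
    malformed request, or on more requests than greedy_threshold (the
    'too greedy' case: a real probe needs many round trips to find keys)."""
    report = {}
    for client, data in flows.items():
        requests = malformed = 0
        for ctype, _version, body in parse_records(data):
            if ctype != HEARTBEAT_CONTENT_TYPE or not body:
                continue
            if body[0] == HEARTBEAT_REQUEST:
                requests += 1
                if heartbeat_mismatch(body) is not None:
                    malformed += 1
        report[client] = {
            "heartbeat_requests": requests,
            "malformed": malformed,
            "alert": malformed > 0 or requests > greedy_threshold,
        }
    return report


# Constructed sample traffic (not a real capture): an honest client sending
# one handshake record and one well-formed heartbeat, and an attacker
# repeatedly claiming a 65535-byte payload while sending a single byte.
SAMPLE_FLOWS = {
    "10.0.0.5": build_record(22, b"\x01\x00\x00\x04\x03\x02\x00\x00")
                + build_record(HEARTBEAT_CONTENT_TYPE, build_heartbeat(4, b"ping")),
    "203.0.113.9": b"".join(
        build_record(HEARTBEAT_CONTENT_TYPE, build_heartbeat(0xFFFF, b"x"))
        for _ in range(5)),
}

if __name__ == "__main__":
    for client, result in analyze_flows(SAMPLE_FLOWS).items():
        print(client, result)
```

One caveat for anyone turning this into a sensor rule: once a TLS session has switched to encrypted records, a passive network monitor sees only the outer record type and length, not the heartbeat's declared payload length, so the mismatch check above needs decrypted traffic or has to run at the server. The record-count heuristic still works on encrypted traffic, which is exactly why an attacker who "gets too greedy" stands out.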
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," an NSA spokesperson said. "Reports that say otherwise are wrong."
"If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," White House National Security Council spokesperson Caitlin Hayden said.
That isn't to say the NSA isn't interested in cracking the encryption on private communications. Based on documents provided by Mr. Snowden, The Guardian reported that the agency, along with a British spy agency, has cracked most of the encryption that protects personal e-mail and other sensitive information.
Though the accusations and security patches are flying fast, there are a few simple steps to making sure your information is safe. Here is what to do (and not do) while this matter gets sorted out.