When system administrators scrambled earlier this week to patch a serious security flaw in the SSL protocol, they assumed it was to protect against hackers and criminals from gathering user names, passwords, and other pieces of sensitive data on the Interent. News surfaced on Friday afternoon, however, that said the NSA knew about the flaw almost as soon as it was introduced into OpenSSL, and had been exploiting it ever since -- a point the NSA flat-out denies.
NSA denies accusation that it knew about and exploited heartbleed
Heartbleed is a code flaw in the protocol that more than half of the servers on the Interent use to encrypt communications with users on the Internet. The flaw allowed attackers to gather information from server's memory -- including the secret keys used to encrypt traffic so it can't be read if intercepted -- without being detected.
The flaw was introduced two years ago and came to light this week, although the NSA knew about issue right away and kept quite while it became a key component in the agency's surveillance toolbox, according to Bloomberg's sources. By keeping quiet, the NSA had the tool it needed to monitor communications from anyone connecting to servers affected by the bug without being detected.
It also means anyone else, including other governments were capable of doing the same if they knew about the security flaw. By failing to alert system administrators to the issue, the NSA effectively ended online data encryption around the world for two full years.
Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer, said,
It flies in the face of the agency's comments that defense comes first. They are going to be completely shredded by the computer security community for this.
From the NSA's perspective, heartbleed was a godsend because it let the agency collect potentially massive amounts of what everyone assumed was encrypted data without detection.
The NSA denied the report later Friday afternoon saying on Twitter, "NSA was not aware of the recently identified Heartbleed vulnerability until it was made public."
Unless someone comes forward with internal documentation showing the NSA actually did exploit heartbleed, there won't be any proof to back up -- or dispute -- what the agency is saying since there isn't any trackable data on Internet servers to show they were compromised.
New of the NSA's reported activity came on the same day the Department of Homeland Security issued a statement warning of the security risks heartbleed poses.
"While there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems," National Cybersecurity and Communications Integration Center Directory Larry Zelvin said.
Reported attacks are unlikely considering there isn't any way of detecting that they ever happened, although it is possible data breaches could potentially be linked to heartbleed based on suspicious activity.
Updates to patch the security flaw were available earlier this week, and system administrators around the world began installing the new software right away. Once the new version of OpenSSL was installed, they could begin the process of revoking their current security certificates and issuing new ones. After that, it's up to end users to change their account passwords since there isn't anyway of knowing whether or not they were compromised.
If you aren't what you can do to help protect yourself from the heartbleed flaw, check out The Mac Observer's coverage from earlier this week.
Despite the fact that the NSA is denying knowledge of the heartbleed flaw, the threat was there for two years before it was officially detected and patched. During that time, anyone, or any government, could've discovered it and started collecting and decrypting data without anyone knowing, making this one of the most serious Internet security flaws to date.
Mr. Zelvin said, "Cybersecurity is a shared responsibility and when we take steps to ensure our own cyber safety, we are also helping to create a safer Internet for others."
Considering the NSA's habit of collecting security flaws to exploit -- regardless of whether or not heartbleed was part of that inventory -- it's hard to accept that the NSA considers a safe Interent a serious priority.