NSA Reportedly Exploited Heartbleed for 2 Years, but NSA Denies

| Analysis

When system administrators scrambled earlier this week to patch a serious security flaw in OpenSSL, the library most servers use to implement SSL/TLS, they assumed it was to stop hackers and criminals from gathering user names, passwords, and other pieces of sensitive data on the Internet. News surfaced on Friday afternoon, however, that the NSA knew about the flaw almost as soon as it was introduced into OpenSSL and had been exploiting it ever since -- a point the NSA flat-out denies.

[Image: NSA denies accusation that it knew about and exploited Heartbleed]

Heartbleed (CVE-2014-0160) is not a flaw in the SSL/TLS protocol itself but a bug in OpenSSL's implementation of the TLS heartbeat extension, and OpenSSL is the library that a majority of the servers on the Internet use to encrypt communications with users. The code trusted the length field in an incoming heartbeat request without checking it against the size of the data actually received, so a request declaring a large payload made the server echo back up to 64 KB of its process memory per request. That memory can hold anything the server was working with -- including the private keys used to encrypt traffic so it can't be read if intercepted -- and the request leaves no trace in the server's logs.
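The following is an added example, not OpenSSL's own code or code from the original article. It models the heartbeat handling in a few dozen lines of C: a record carries a 4-byte payload but declares a larger length, the vulnerable responder copies the declared number of bytes and so reads past the end of the record into adjacent memory, and the fixed responder applies the same shape of check that OpenSSL 1.0.1g added (declared length plus header and padding must fit inside the received record). The memory layout, the `SECRET_KEY_MATERIAL` string and the 128-byte buffer are constructed for the demonstration; the real bug read up to 64 KB and had no cap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16
#define HB_HEADER  3            /* type (1 byte) + payload_length (2 bytes) */

/* Constructed model of process memory: the received heartbeat record sits at
 * the start of mem[], followed by bytes the peer must never see. */
typedef struct {
    unsigned char mem[128];
    size_t record_len;          /* bytes actually received in the TLS record */
} hb_context;

static const char SECRET[] = "SECRET_KEY_MATERIAL";   /* constructed sample */

static uint16_t n2s(const unsigned char *p) {          /* big-endian 16-bit */
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable responder: trusts the sender's payload_length field outright.
 * Returns the number of bytes it would echo back to the peer. */
size_t heartbeat_vulnerable(const hb_context *ctx, unsigned char *out) {
    const unsigned char *p = ctx->mem + 1;             /* skip hbtype */
    uint16_t payload = n2s(p);
    p += 2;
    /* Demo guard only, so this model never leaves mem[]; the real code had
     * no such cap and would copy up to 64 KiB. */
    if ((size_t)payload > sizeof ctx->mem - HB_HEADER)
        payload = (uint16_t)(sizeof ctx->mem - HB_HEADER);
    memcpy(out, p, payload);   /* over-reads when payload > record_len - 19 */
    return payload;
}

/* Fixed responder (the shape of the OpenSSL 1.0.1g check): the declared
 * length must fit inside the record that was actually received; otherwise
 * the record is silently discarded and nothing is echoed. */
size_t heartbeat_fixed(const hb_context *ctx, unsigned char *out) {
    const unsigned char *p = ctx->mem + 1;
    uint16_t payload;
    if (HB_HEADER + HB_PADDING > ctx->record_len)
        return 0;
    payload = n2s(p);
    p += 2;
    if (HB_HEADER + (size_t)payload + HB_PADDING > ctx->record_len)
        return 0;
    memcpy(out, p, payload);
    return payload;
}

/* Build a record carrying the 4-byte payload "ping" but declaring `claimed`
 * bytes, then place SECRET immediately after the record in memory. */
void build_context(hb_context *ctx, uint16_t claimed) {
    unsigned char *p = ctx->mem;
    memset(ctx->mem, 0, sizeof ctx->mem);
    *p++ = 1;                                  /* heartbeat_request */
    *p++ = (unsigned char)(claimed >> 8);
    *p++ = (unsigned char)(claimed & 0xff);
    memcpy(p, "ping", 4);
    p += 4;
    p += HB_PADDING;                           /* zeroed padding */
    ctx->record_len = (size_t)(p - ctx->mem);  /* 23 bytes on the wire */
    memcpy(p, SECRET, sizeof SECRET - 1);      /* adjacent "other" memory */
}

/* 1 if the vulnerable responder's reply to a request declaring `claimed`
 * payload bytes contains the secret, 0 otherwise. */
int vulnerable_leaks_secret(uint16_t claimed) {
    hb_context ctx;
    unsigned char out[128] = {0};
    size_t n, i, seclen = sizeof SECRET - 1;
    build_context(&ctx, claimed);
    n = heartbeat_vulnerable(&ctx, out);
    for (i = 0; i + seclen <= n; i++)
        if (memcmp(out + i, SECRET, seclen) == 0)
            return 1;
    return 0;
}

/* Number of bytes the fixed responder echoes for the same request. */
size_t fixed_echo_len(uint16_t claimed) {
    hb_context ctx;
    unsigned char out[128] = {0};
    build_context(&ctx, claimed);
    return heartbeat_fixed(&ctx, out);
}

int main(void) {
    printf("declared 4 bytes:  vulnerable leaks=%d fixed echoes=%zu\n",
           vulnerable_leaks_secret(4), fixed_echo_len(4));
    printf("declared 40 bytes: vulnerable leaks=%d fixed echoes=%zu\n",
           vulnerable_leaks_secret(40), fixed_echo_len(40));
    return 0;
}
```

An honest request (declared length 4) is answered identically by both versions. A request declaring 40 bytes makes the vulnerable responder hand back the 4 real bytes, the padding, and then whatever followed the record in memory, while the fixed responder returns nothing. Note that the fix checks the declared length against the record length before the copy; checking it against the output buffer alone would still allow the over-read.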

The flaw was introduced two years ago and came to light this week, although the NSA knew about the issue right away and kept quiet while it became a key component in the agency's surveillance toolbox, according to Bloomberg's sources. By keeping quiet, the NSA had the tool it needed to monitor communications from anyone connecting to servers affected by the bug without being detected.

It also means anyone else, including other governments, was capable of doing the same if they knew about the security flaw. By failing to alert system administrators to the issue, the NSA effectively left the private keys and session data of affected servers exposed to anyone who found the bug for two full years.

Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer, said,

It flies in the face of the agency's comments that defense comes first. They are going to be completely shredded by the computer security community for this.

From the NSA's perspective, Heartbleed was a godsend because it let the agency collect potentially massive amounts of what everyone assumed was encrypted data without detection.

The NSA denied the report later Friday afternoon saying on Twitter, "NSA was not aware of the recently identified Heartbleed vulnerability until it was made public."

Unless someone comes forward with internal documentation showing the NSA actually did exploit Heartbleed, there won't be any proof to back up -- or dispute -- what the agency is saying. A malicious heartbeat request is handled entirely inside OpenSSL and is never written to a web server's logs, so affected servers hold no record that they were ever probed; only full packet captures from the time, which almost nobody retains, could show it.

News of the NSA's reported activity came on the same day the Department of Homeland Security issued a statement warning of the security risks Heartbleed poses.

"While there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems," National Cybersecurity and Communications Integration Center Director Larry Zelvin said.

Reported attacks are unlikely, since there is no server-side record that an exploit ever happened, although a data breach could still be linked to Heartbleed after the fact if the stolen data or the follow-on activity points to it.

Updates to patch the security flaw were available earlier this week, and system administrators around the world began installing the new software right away. Once the new version of OpenSSL was installed, they could begin the process of generating new private keys, issuing new certificates for them, and revoking the old certificates; reissuing a certificate for the same key is not enough, because the key itself may have been read out of memory. After that, it's up to end users to change their account passwords, since there isn't any way of knowing whether or not they were compromised -- and changing a password before the server has been patched and re-keyed only exposes the new one.

If you aren't sure what you can do to help protect yourself from the Heartbleed flaw, check out The Mac Observer's coverage from earlier this week.

Despite the fact that the NSA is denying knowledge of the Heartbleed flaw, the threat was there for two years before it was officially detected and patched. During that time, anyone, or any government, could have discovered it and started collecting and decrypting data without anyone knowing, making this one of the most serious Internet security flaws to date.

Mr. Zelvin said, "Cybersecurity is a shared responsibility and when we take steps to ensure our own cyber safety, we are also helping to create a safer Internet for others."

Considering the NSA's habit of collecting security flaws to exploit -- regardless of whether or not Heartbleed was part of that inventory -- it's hard to accept that the NSA considers a safe Internet a serious priority.

Comments

geoduck

Of course they deny it. They are pathological lying bastards, the biggest threat to freedom in the world today.

ibuck

Our government has broken its promises to uphold the Constitution by allowing the NSA to spy on Americans without warrants. The President and Congress should eliminate the NSA and imprison those who violated the law they swore to uphold.

John Dingler, artist

Hello Geoduck and Ibuck,
Indeed; The NSA is constructed, configured, designed to lie. It’s what it does, which means I believe the other guy, thus the truth comes out from that other guy.

And I know why Clapper and Alexander get to commit a felony before the US Congress by lying and not get apprehended and jailed which would be done to the lowest street criminal. It’s because, like Hoover, their respective spy clubs hold so, so much incriminating and blackmail evidence against our legislators, ready to be used against them should they not comply to feed their beasts more and more, so much more that the people do not even know how much money and American raw wealth they consume.

Of course, the Congress give life to the two beasts and now it whines that it lives and behaves mostly according to the laws Congress passed.

The NSA, CIA, NRO, Army Intelligence, and countless other spy agencies, both gov. and private, are "indigestible lumps" in the body politic nurtured by a Congress that represents the corporation, the security state, not the people.

Lee Dronick

Spying is one thing, stealing money via captured login and password is another. Not that spying is okay.

John Dingler, artist

But Lee, it's not simply spying; it's just-in-case, ubiquitous spying, all the time, and as deeply as they want. Congress authorized this via the US Patriot Act which, for all intents and purposes, replaces the US Constitution and which Rightwinger Feinstein embraces like a flotation device or her most loved child.

iJack

The NSA allowed the exploit to continue for our own safety.

Whadya wanna bet that ‘our’ government has other spy (and worse) agencies that we don’t even know about?

Lee Dronick

John I was just saying that the NSA wouldn’t, or probably wouldn’t, clean out my bank account.

John Dingler, artist

Hi IJack.
“for our own safety?” Oh my. No. Not for my safety, and certainly not for the safety of the US Constitution, the backbone of our rights and guarantees. Rather, it’s for the safety of the NSA and its sustainability and its justification as a growing bureaucracy, a gov. dept. that can’t be killed, a vampire.

John Dingler, artist

Hello Lee,
Yes, agree that super rich and growing richer NSA would not be compelled to go into your or mine or anyone’s bank accounts, not as long as it’s fed morsels of taxpayer money in such a Socialistic way.

iJack

@John Dingler ~ My comment was pure sarcasm. The 2nd para should have tipped you off.
