Did the NSA know about Heartbleed all along?

The National Security Agency hasn't exactly been in the Internet's good graces following revelations about its extensive surveillance efforts, and a new report says the agency knew about the Heartbleed bug before everyone else, but kept it secret for its own use. How likely is the claim?

Patrick Semansky/AP/File
The National Security Agency (NSA) campus is in Fort Meade, Md. A new report says the NSA knew about the Heartbleed bug before anyone else.

The National Security Agency may have known about Heartbleed.

It’s an easy connection to make, as the Edward Snowden revelations remain fresh in people's minds. If the NSA was secretly spying on average citizens and world leaders through extensive cyber powers online, could it have stumbled on the Internet’s greatest security flaw to date and used it to further surveillance methods?

That is what Bloomberg asserted in a report Friday. Citing two unnamed sources, the news organization says the NSA knew about the Heartbleed OpenSSL security flaw and exploited it for stealing passwords and “critical intelligence” for nearly two years. However, the NSA vehemently denied the claim, and cybersecurity experts aren’t sure that the offensive mission of the government agency would outweigh defending against this game-changing flaw.

When the OpenSSL bug first came to light, the implications quickly proved to be far-reaching. Internet giants including Yahoo, Amazon, and Facebook rushed to patch the security flaw, which allowed hackers to get past encryption protections and access private user information essentially undetected. The Canada Revenue Service had to halt its online service after realizing its website was vulnerable.

It wasn’t long before the NSA was brought under scrutiny. In the past year, leaks revealed that the government agency has listened in on phone conversations and hacked into e-mail, including the account of German Chancellor Angela Merkel. The situation created more scrutiny of the agency’s powers and effectiveness than ever before. President Obama recently announced certain NSA programs would be overhauled.

The bug’s disclosure raised suspicions that the NSA had known about Heartbleed and did nothing about the security threat in order to add the flaw to its arsenal of spying tools. Bloomberg’s anonymous sources confirm this.

Cybersecurity experts aren’t so sure.

“Whilst such agencies have a directive towards collecting intelligence they also have a duty to protect,” writes James Lyne, global head of security research for security firm Sophos, in a Forbes column. “Any such vulnerability would likely have been through a risk assessment in which the intelligence value versus the potential damage would have been weighed up and I would find it surprising if the choice was made to keep it a secret rather than remediate it.”

“It hasn’t been demonstrated to work all the time,” says Matt Blaze, cryptographer and computer security professor at the University of Pennsylvania, to Wired. “So even if a site is vulnerable, there’s no guarantee you’re going to be able to use [Heartbleed] to actually get keys. Then you’ve got the problem that it’s an active attack rather than a passive attack, which means they need to be able to do multiple round trips with the server. This is potentially detectable if they get too greedy doing it.” 

In other words: the defensive mission of the agency (a frontline against cyber attackers) likely would have outweighed the potential for information gathered, which the agency and the White House underlined in statements on the matter. Still, Mr. Blaze says he wouldn’t be surprised if the NSA did know about the flaw.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokesperson wrote in a statement. “Reports that say otherwise are wrong.”

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” White House National Security Council spokesperson Caitlin Hayden says in a statement.

That isn’t to say that the NSA isn’t interested in cracking encryption on private communication. Drawing on documents leaked by Mr. Snowden, The Guardian reported that the agency, along with a British spy agency, had cracked most of the encryption that protects personal e-mail and other sensitive information.

Though the accusations and security patches are flying fast, there are a few simple steps to making sure your information is safe. Here is what to do (and not do) while this matter gets sorted out.
