The National Security Agency may have known about Heartbleed.
It’s an easy connection to make, as the Edward Snowden revelations remain fresh in people's minds. If the NSA was secretly spying on average citizens and world leaders through extensive cyber powers online, could it have stumbled on the Internet’s greatest security flaw to date and used it to further surveillance methods?
That is what Bloomberg asserted in a report Friday. Citing two unnamed sources, the news organization says the NSA knew about the Heartbleed OpenSSL security flaw and exploited it for stealing passwords and “critical intelligence” for nearly two years. However, the NSA vehemently denied the claim, and cybersecurity experts aren’t sure that the offensive mission of the government agency would outweigh defending against this game-changing flaw.
When the OpenSSL bug first came to light, the implications quickly proved to be far-reaching. Internet giants including Yahoo, Amazon, and Facebook rushed to provide patches to the security flaw that allowed hackers to brush past encryption keys and access private user information essentially undetected. The Canada Revenue Service had to halt its online service because it realized its website was vulnerable.
It wasn’t long before the NSA was brought under scrutiny. In the past year, leaks revealed that the government agency has listened in on phone conversations and hacked into e-mail, including the account of German Chancellor Angela Merkel. The situation created more scrutiny of the agency’s powers and effectiveness than ever before. President Obama recently announced certain NSA programs would be overhauled.
The Heartbleed bug raised suspicions that the NSA likely knew about Heartbleed, and didn’t do anything about the security threat, in order to add the flaw to its arsenal of spying tools. Bloomberg’s anonymous sources confirm this.
Cybersecurity experts aren’t so sure.
“Whilst such agencies have a directive towards collecting intelligence they also have a duty to protect,” writes James Lyne, global head of security research for security firm Sophos, in a Forbes column. “Any such vulnerability would likely have been through a risk assessment in which the intelligence value versus the potential damage would have been weighed up and I would find it surprising if the choice was made to keep it a secret rather than remediate it.”
“It hasn’t been demonstrated to work all the time,” says Matt Blaze, cryptographer and computer security professor at the University of Pennsylvania, to Wired. “So even if a site is vulnerable, there’s no guarantee you’re going to be able to use [Heartbleed] to actually get keys. Then you’ve got the problem that it’s an active attack rather than a passive attack, which means they need to be able to do multiple round trips with the server. This is potentially detectable if they get too greedy doing it.”
In other words: the defensive mission of the agency (a frontline against cyber attackers) likely would have outweighed the potential for information gathered, which the agency and the White House underlined in statements on the matter. Still, Mr. Blaze says he wouldn’t be surprised if the NSA did know about the flaw.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokesperson wrote in a statement. “Reports that say otherwise are wrong.”
“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” White House National Security Council spokesperson Caitlin Hayden says in a statement.
That isn’t to say that the NSA isn’t interested in cracking encryption on private communication. In fact, with documents revealed by Mr. Snowden, The Guardian revealed that the agency, along with a British spy agency, had cracked most of the encryption that protects personal e-mail and other sensitive information.
Though the accusations and security patches are flying fast, there are few simple steps to making sure your information is safe. Here is what to do (and not do) while this matter gets sorted out.