NSA 'knew about Heartbleed'

The US National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug.

The NSA used the knowledge regularly to gather critical intelligence, according to two people familiar with the matter.

The agency's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the US government's top computer experts.

The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month.

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong," said an e-mailed statement from the Office of the Director of National Intelligence.

Heartbleed appears to be one of the biggest flaws in the internet's history, affecting the basic security of as many as two-thirds of the world's websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco to Juniper Networks to provide patches for their systems.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost.

Millions of ordinary users were left vulnerable to attack from other countries' intelligence arms and criminal hackers.

"It flies in the face of the agency’s comments that defence comes first," said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer.

"They are going to be completely shredded by the computer security community for this."

Experts say the search for flaws is central to the NSA's mission, though the practice is controversial. A presidential board reviewing the NSA's activities after Edward Snowden’s leaks recommended that the agency halt the stockpiling of software vulnerabilities.

When new vulnerabilities of the Heartbleed type are discovered, they are disclosed, the Office of the Director of National Intelligence said in response to the Bloomberg report.

A clear process exists among agencies for deciding when to share vulnerabilities, the office said in a statement.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet," Shawn Turner, director of public affairs for the office, said in the statement.

"Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."

The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

While many internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified.

The agency found Heartbleed shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.

When researchers uncovered the Heartbleed bug hiding in plain sight and made it public on April 7, it underscored an uncomfortable truth: The public may be placing too much trust in software and hardware developers to insure the security of our most sensitive transactions.

"We’ve never seen any quite like this," said Michael Sutton, vice president of security research at Zscaler, a San Jose, California-based security firm. "Not only is a huge portion of the internet impacted, but the damage that can be done, and with relative ease, is immense."

Questions remain about whether anyone other than the US government might have exploited the flaw before the public disclosure.  Intelligence agencies in other countries are one possibility.

If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for bank accounts, e-commerce sites and e-mail accounts worldwide.

Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.

Share your thoughts

Back to top

More From Bangkokpost.com