When it bleeds, it pours.
The National Security Agency reportedly knew of and exploited the massive Internet bug revealed to the public this week and known now as “Heartbleed” in order to gather intelligence information on targets.
This new revelation packs an extra twist that other recent NSA leaks have lacked: Regardless of its purpose for intelligence gathering, the NSA may have known for years about a historic security flaw that may have affected up to two-thirds of the Internet. Instead of trying to repair that flaw—which has potentially impacted countless people—the NSA reportedly manipulated it in secret.
“Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost,” Bloombergfirst reported Friday, citing two people “familiar” with the matter. “Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”
In a statement late Friday afternoon, the NSA denied the Bloomberg report. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” said agency spokeswoman Vanee Vines. “Reports that say otherwise are wrong.”
In a follow-up statement, NSC Spokesperson Caitlin Hayden said that the Obama administration “takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”
Unlike previous statements about alleged NSA activities, the statements made by the NSA and White House today are definitive, with little room for differing interpretations.
The Heartbleed bug was revealed publicly for the first time earlier this week, and has been described by numerous cybersecurity experts as one of the worst security glitches the web has ever encountered. Heartbleed is caused by a minor two-year-old flaw in software coding of a program known as OpenSSL that is meant to provide extra protection to websites.
Considerable attention has been paid to Heartbleed’s potential use by criminal hackers to collect war chests filled with online passwords, personal information and banking data, but it remains unclear whether any such bad actors knew of or exploited it prior to its disclosure. A fix was rolled out five days ago, but concerns persist that much of the Internet’s security has been compromised.
Some Internet freedom and privacy groups began speculating that intelligence agencies may have exploited Heartbleed for surveillance purposes shortly after news of the bug broke earlier this week. The Electronic Frontier Foundation suggested earlier exploitations of the bug detected in November of last year “makes a little more sense for intelligence agencies than for commercial or lifestyle malware.”
Earlier Friday, the Department of Homeland Security issued guidance on Heartbleed, saying that “everyone has a role to play to ensuring [sic] our nation’s cybersecurity.”