Report: NSA Knew of, And Exploited, Heartbleed Bug for Two Years

BlameTheWizards



Bloomberg spoke with two sources close to the issue about the NSA's intelligence gathering methods using the now infamous computer bug.

America's National Security Agency allegedly knew about the "Heartbleed" bug for two years and used it to gather intel, leaving many computers at risk to hacking attacks. This information comes from Bloomberg, which spoke to two sources familiar with the matter. The Heartbleed bug, revealed earlier this month, is reported to have affected almost two-thirds of the world's websites, threatening passwords and account information around the world.

Using Heartbleed, the NSA was able to obtain "passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission," Bloomberg reports. However, in using the bug, the NSA left these millions of users vulnerable to attacks from other hackers.

The article states that open-source software, like OpenSSL, where Heartbleed originated, is a primary target of intelligence gathering operations by the NSA and similar groups. Free codes like OpenSSL are frequently used by many Internet companies, but the unfunded programmers who maintain them don't have the same resources as the expert codecrackers used by the NSA, Bloomberg stated.

Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer, shared some harsh words with Bloomberg about their findings. "It flies in the face of the agency's comments that defense comes first," he said. "They are going to be completely shredded by the computer security community for this."

While an NSA spokeswoman declined to speak to Bloomberg for the article, the agency did later release a statement denying much of the report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," states an article on USA Today sharing the agency's response. "Reports that say otherwise are wrong," according to the NSA.

Source: USA Today

 

The Rogue Wolf

And once more we are left to ask: Quis custodiet ipsos custodes?

I think it says something that the NSA's denial of involvement only leads me to think that perhaps they used coercion to have the insecurity implemented in the first place. Even at my most charitable, I absolutely don't doubt that they'd much rather exploit a bug to gather more information than report it to have it corrected.
 

Jarl Gullberg

Now this, this is a great example of why the NSA is missing the point. In utilizing Heartbleed instead of allowing it to be patched, they put companies, individuals and governments at risk from cyberterrorists, crackers and their ilk - any damage they may have negated by using the bug to gather information and prevent attacks (mind you, I'm giving them a lot of undeserved credit and positive doubt here) was most likely completely blown out of the water by the sheer amount of information leaked to unsavory parties.

Look, NSA, if you want to do good, don't let something like this be out in the wild. It's not helping anyone. Information like this makes me wonder what sort of other bugs the NSA are sitting on - I'm kinda scared, to be honest. Not of the NSA this time, but of the numerous crackers that also know about the bug and have free rein wherever the vulnerability is.
 

PrinceOfShapeir

Huh? Look, being mad at the NSA for keeping stuff secret and being kinda dicks is like being pissed at a blender for pureeing. That's what they do. That's half their purpose.
 

CriticalMiss

BlameTheWizards said:
While an NSA spokeswoman declined to speak to Bloomberg for the article, the agency did later release a statement denying much of the report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," states an article on USA Today sharing the agency's response. "Reports that say otherwise are wrong," according to the NSA.
Give it a few weeks and we will find out that they did know about it all along. Like how they definitely weren't spying on the American citizens that they were spying on.

But didn't Google also know about it and apparently not think to tell anyone?
 

Barbas

Cripes. What a deleterious, clandestine and utterly distasteful organization. It just gets worse and worse with them.
 

Neverhoodian

Goddamn it, this just keeps getting better and better. Who needs ethics when there's 'turrists to hunt?

I would like to say I'm surprised by this, but it's the fucking NSA we're talking about. They've proven they don't give a shit about niceties like the Constitution and the legal system long ago.

Doubleplus ungood, NSA. Very doubleplus ungood.
 

LunaticPanda

BREAKING NEWS.
NSA gathering intelligence.


(Seriously, isn't their motto something to the extent of "In god we trust, the rest we watch"? This is not new, THEY ARE THE N-S-FREAKING-A, of COURSE they're monitoring you through a variety of unscrupulous means, you can detect the rest)
 

Frezzato

Let's see here, you've got 'claim ignorance/innocence' and be viewed as incompetent. And on the other hand you can be viewed as an organization willing to sacrifice the security of, supposedly, 2/3 of the web.

Better to appear ignorant and have your enemies underestimate you.
 

Hagi

Heck, the funny thing is I'm not even sure their denial is any better.

We've got this bug that in all likelihood somewhere will have exposed passwords and other account information of senators, military, law-enforcement, judges, ambassadors and many others. The NSA's mission is still first and foremost to defend against threats because I can tell you one thing, even if among all those every single one is using a different password for their official accounts there's going to be absolutely no shortage of important people who keep that password in private e-mails secured with passwords potentially exposed by this bug.

I don't know if any such leak has happened, but the fact that the vulnerability was there for two years on millions of websites primarily used by the USA and their allies, which is still where the majority of internet traffic comes from, signifies a grand failure of the NSA regardless of whether or not they knew about it.

If they knew they should've fixed it, leaving your own front-door wide open and unwatched while you're off peeking in someone else's window is sheer stupidity.
If they didn't know then they should've known, that's their mission. They're supposed to keep a watch on that front door to ensure it, and other entries, are secure.

Either way, they failed spectacularly in their mission.
 

Daverson

One word: Escalation.

It's easy enough for the NSA to say "we're protecting the free world with this hole we found", but, they should be saying "we're protecting the free world by plugging this hole we found", because this isn't just an American Issue. Codemonkeys the world over can exploit this. Sure, you might have found out the secret gmail address some Jihadist uses to avoid those "RE:RE:RE:FWD:RE:FWD:THIS SIMPLE TRICK MADE MIDDLE AGE MUM DENTISTS HATE HER" emails, meanwhile, Moscow and Beijing have just used the same bug to steal everything they need to know about your new Warblimp.

Is that what you want, NSA? A fleet of Chinese Warblimps? Because I don't want a fleet of Chinese Warblimps. And I certainly don't want the Russians knowing about the secret gmail account I use to get away from spam emails! D=
 

Storm Dragon

BlameTheWizards said:
While an NSA spokeswoman declined to speak to Bloomberg for the article, the agency did later release a statement denying much of the report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," states an article on USA Today sharing the agency's response. "Reports that say otherwise are wrong," according to the NSA.
I believe this xkcd comic is relevant.

Capcha: "bowties are cool" Yes. Yes they are, Capcha.

EDIT: Whoops, used html tags for the link by mistake. Fixed now.
 

Riverwolf

In other words, in trying to protect America from conventional terrorism, they inadvertently left us completely vulnerable to cyberterrorism.

Good job, National SECURITY Agency, for making Americans and other countries less secure not just from you, but from the very people you're trying to protect us from. Sure, you may not have been aware of the vulnerability until recently, but guess what, THAT'S YOUR MOTHER BLOODY JOB TO KNOW ABOUT SUCH THINGS!!!

Do try to keep up in the future.

...Or better yet, don't and go away.
 

Someone Depressing

"We're fighting hackers by giving them opportunities to steal account information and break security breaches! More of our tax-payers money so they can have their money stolen because of us!"

I'm so happy I don't live in the country where this is happening; I'm a neurotic person, and even thinking that some guy or woman has access to the Internet, basically my second home, makes me shudder with fear.
 

Roxas1359

Storm Dragon said:
Fixed the link for you. The current set up in your post has it so that it goes to a 404 page on the Escapist. :p

OT: Man...this just gets funnier and funnier. Honestly at this point if there is a more dangerous threat to the US, it's the NSA seeing as all the news that comes to light about them doesn't paint a pretty picture at all for them. All I know is that every conspiracy person who hears news about this has more self justification and gets more of the ability to gloat about being right.
 

Vivi22

The irony of all of this NSA spying isn't limited to the fact that if they knew about this and used it for two years that they left systems even more vulnerable to data theft. It's that any actual terrorist with half a brain is going to use communication methods that have absolutely nothing to do with the internet and computers and can't be readily traced and procured by the NSA.

They spy on you while leaving you more vulnerable to attack and failing to actually keep track of the people they probably should be watching. The NSA and organizations in other countries which run programs like they do are a complete joke.
 

Shuu

It still boggles my mind that nobody is being punished over the NSA scandal. Is this just the world we live in now? "Your privacy belongs to us, what are you gonna do about it?"
 

truckspond

If anyone still does not know how this bug actually works then XKCD provides a good explanation of it at http://xkcd.com/1354/