The U.S. National Security Agency reportedly knew for at least two years about the Internet security bug ‘Heartbleed’ and kept it a secret from the public and the cybersecurity community, so as to use it for gathering critical intelligence, two people familiar with the matter said.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokesperson wrote in a statement. “Reports that say otherwise are wrong.”
White House National Security Council spokesperson Caitlin Hayden also said that neither the NSA nor any other federal agency knew about the Heartbleed bug.
“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” Hayden said in the statement.
Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council and a former Air Force cyber officer, shared some harsh words with Bloomberg about its findings. “It flies in the face of the agency’s comments that defense comes first,” he said. “They are going to be completely shredded by the computer security community for this.”
Bloomberg reports that with the help of Heartbleed, the NSA “was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”
Experts claim that the search for flaws is central to NSA’s mission, although the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.
When new vulnerabilities of the Heartbleed type are discovered, they are disclosed, the Office of the Director of National Intelligence said in response to the Bloomberg report. A clear process exists among agencies for deciding when to share vulnerabilities, the office said in a statement.
First discovered by Google and Codenomicon, Heartbleed, introduced in early 2012 in a minor adjustment to the OpenSSL software, appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. The bug can reveal the contents of a server’s memory, where the most sensitive data is stored, including usernames, passwords, and credit card numbers.
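To make the memory-disclosure mechanism concrete, here is an added example (not code from the article or from OpenSSL) of the bounds check a heartbeat responder needs: the peer declares how many payload bytes to echo, and the responder must refuse any declared length that is not actually backed by bytes in the received record. The record layout, constants and helper names below are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat body (assumed layout for this example):
 *   [0]     message type (1 = request)
 *   [1..2]  declared payload length, big-endian
 *   [3..]   payload bytes, followed by at least 16 bytes of padding   */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Returns how many payload bytes a responder may safely echo back, or -1
 * if the declared length is not covered by the record that was received.
 * Without this check a responder copies "declared" bytes starting at the
 * payload, running past the message into whatever else sits in memory. */
int heartbeat_echo_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3) return -1;                      /* no complete header */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    /* hardened: header + declared payload + padding must fit in the record */
    if ((size_t)3 + declared + HB_PADDING > rec_len) return -1;
    return (int)declared;
}

/* Test helper (constructed): build a request whose declared length may
 * differ from the number of payload bytes really present. Returns bytes
 * written, or 0 if the buffer is too small. */
size_t heartbeat_build(uint8_t *out, size_t cap, const uint8_t *payload,
                       uint16_t real_len, uint16_t declared_len)
{
    size_t need = 3 + (size_t)real_len + HB_PADDING;
    if (cap < need) return 0;
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(declared_len >> 8);
    out[2] = (uint8_t)(declared_len & 0xFF);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);       /* padding bytes */
    return need;
}

/* Constructed sample: honest request, 5 payload bytes declared as 5. */
int demo_honest_request(void)
{
    uint8_t buf[64];
    size_t n = heartbeat_build(buf, sizeof buf, (const uint8_t *)"hello", 5, 5);
    return heartbeat_echo_len(buf, n);               /* 5 */
}

/* Constructed sample: the Heartbleed shape, 5 bytes declared as 65535. */
int demo_overclaimed_request(void)
{
    uint8_t buf[64];
    size_t n = heartbeat_build(buf, sizeof buf, (const uint8_t *)"hello", 5, 0xFFFF);
    return heartbeat_echo_len(buf, n);               /* -1: rejected */
}
```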
Yahoo, Amazon and many, many other major websites used the free code, called OpenSSL, since encryption software is notoriously difficult to write. Even though many websites quickly fixed the hole after it was disclosed Monday, Cisco and Juniper said the security flaw affects routers, switches and firewalls often used by businesses.
Despite the outrage, this revelation doesn’t come as a complete surprise for many. Over the past few days, some have already speculated whether the NSA used Heartbleed to breach SSL, since documents leaked by Edward Snowden revealed the spy agency has been trying to breach it for years, writes Mashable.