Reports breaking on Friday afternoon suggest that the OpenSSL vulnerability known as Heartbleed was used by the National Security Agency to gather information as part of its massive spying program. Speculation that the agency knew about the dangerous flaw before it became public knowledge has been mounting since the nature of the bug was first revealed.
The news was reported by Bloomberg's Michael Riley this afternoon. According to the report, which cited an anonymous source, the NSA knew about Heartbleed, a security flaw that left as many as two-thirds of websites at risk, for at least two years, and actively exploited the bug to gain access to restricted information. The agency decided to keep the bug secret in order to further national security interests.
NSA actively used Heartbleed
According to the Bloomberg report, the NSA used the Heartbleed bug to collect usernames, passwords and other basic pieces of data. It was able to use this information to supplement the data it collects by intercepting traffic and by obtaining it from internet service providers.
The NSA has been actively involved in identifying security flaws as part of its various national security programs over the last decade. The agency has been stockpiling such flaws and, assuming the Bloomberg story is accurate, was actively using them to gather information of its own.
Heartbleed leaves a huge number of internet users exposed to the whims of hackers, and, if the report is accurate, the NSA allowed that situation to continue for at least two years.
NSA debate reignited
If the report is accurate, the National Security Agency knew about the biggest flaw in the internet's security systems but chose to hide that information for years in order to protect Americans from national security threats. The tradeoff is clearer in this case than in the debate over the NSA's collection of metadata: any hacker who knew about the Heartbleed flaw was also able to access data belonging to millions of the world's internet users.
In defending its own spying program, the NSA argued that nobody was looking through personal information apart from computer programs searching for patterns. In this case the agency allowed anyone who knew about the bug to make vulnerable servers hand back chunks of their own memory, including login credentials and session data belonging to other users.
The debate about the spying program carried out by the NSA over the last decade never really ended, though it did drift from the public's mind for some time. Information about the agency's complicity in attacks on ordinary internet users, even if classed as collateral damage, may form the center of a renewed public attack on the NSA, despite faint signs of a change in processes at the agency.
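To show what "manipulating a server into spitting out information" means in practice, the following is an added example written for this page; it is not the article's material and not OpenSSL's code. It is a simplified model of the TLS heartbeat handler: the vulnerable version trusts the 16-bit payload length sent by the peer and copies that many bytes into its reply, and the corrected version first checks that length against the record it actually received. The buffer layout, the function names and the "other session" secret are constructed for the demonstration; real server memory is laid out differently, but the over-read works the same way.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSL code: names, layout and secret are constructed. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* minimum padding the heartbeat extension requires */

/* Constructed stand-in for server memory: the heartbeat record sits at the
 * front, and data from another connection happens to sit right after it. */
static unsigned char server_mem[256];

/* Lays out a request that claims 'claimed_len' payload bytes but really
 * carries strlen(payload); returns the true record length. */
size_t build_request(uint16_t claimed_len, const char *payload)
{
    const char *other_session = "user=alice&password=hunter2"; /* constructed */
    size_t plen = strlen(payload);
    size_t rec_len = 1 + 2 + plen + HB_PADDING;

    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = HB_REQUEST;
    server_mem[1] = (unsigned char)(claimed_len >> 8);
    server_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_mem + 3, payload, plen);
    memcpy(server_mem + rec_len, other_session, strlen(other_session));
    return rec_len;
}

/* Pre-fix logic: trusts the 16-bit length from the peer and never compares
 * it with the length of the record it actually received. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                               /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t out_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (out_len > resp_cap) return 0;            /* demo-only guard for resp */

    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);          /* reads past the real record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return out_len;
}

/* Post-fix logic: header, claimed payload and padding must fit inside the
 * record that arrived; otherwise the message is silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;  /* the fix */
    size_t out_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (out_len > resp_cap) return 0;

    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return out_len;
}

/* Portable byte-range substring search (memmem is not standard C). */
int bytes_contain(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Sends a request claiming 64 payload bytes while carrying 2; returns 1 if
 * the handler's reply echoes the other session's password, else 0. */
int leaks_secret(size_t (*handler)(const unsigned char *, size_t,
                                   unsigned char *, size_t))
{
    unsigned char resp[128];
    size_t rec_len = build_request(64, "hi");
    size_t n = handler(server_mem, rec_len, resp, sizeof resp);
    return n > 0 && bytes_contain(resp, n, "hunter2");
}

int main(void)
{
    printf("vulnerable handler leaks password: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks password:      %d\n", leaks_secret(heartbeat_fixed));
    return 0;
}
```

The same request that the fixed handler drops outright makes the vulnerable handler copy 64 bytes starting at the 2-byte payload, which carries it straight through the record's padding and into whatever follows in memory. In the real bug the attacker could claim up to 64 KB per request and repeat it indefinitely, which is how credentials and session material from other connections could be harvested.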
Update: The NSA denies the Bloomberg report on the Heartbleed bug, tweeting: 'NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.'
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
— NSA/CSS (@NSA_PAO) April 11, 2014