Has the United States’ National Security Agency (NSA) really known about the Heartbleed bug (and presumably exploiting it for surveillance purposes) for two years? That’s the claim being made by a Bloomberg report, which claims to have had the revelation confirmed to them by “two people familiar with the matter”.
If the allegation is true then serious questions will be asked regarding the danger raised by a government agency choosing to keep the critical OpenSSL flaw secret so it could be exploited for national security purposes.
Because, imagine if this *is* what the NSA had done.
If the NSA knew about the Heartbleed bug, but had deliberately not told anybody about it in fear that the flaw would be fixed, then they have put *everyone* on the internet at risk.
Because a security hole in OpenSSL like the Heartbleed bug doesn’t just open the door for criminals, terrorists and enemy states to be spied upon – but could be abused by criminals to expose private information of everybody who uses the internet around the globe, whether law-abiding in the eyes of America or not.
The longer a flaw like Heartbleed was in existence, the greater opportunity there was for fraudsters, hackers and spies to exploit it to steal information and passwords, spy on others and cause incalculable harm to individuals, businesses and government agencies.
For its part, the NSA has denied that it had any knowledge of the flaw before private sector security experts published details earlier this week.
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
The Bloomberg report doesn’t provide concrete evidence to dispute the NSA’s denial, only offering anonymous sources.
But perhaps the most tragic thing of all is that the news of possible NSA knowledge of the Heartbleed bug doesn’t actually leave me surprised. After all, it follows months of jaw-dropping revelations about state-sponsored spying by the US authorities that have been tumbling out ever since whistleblower Edward Snowden started leaking NSA documents.
What worries me is not so much what we have discovered was being done by the NSA, but what we haven’t been told yet, and might still be waiting to be revealed.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsNovember 14, 2024
September 06, 2024