The National Security Agency reportedly knew about the Heartbleed bug for at least two years, kept it secret, and exploited it to gather intelligence -- news that is fueling criticism that the agency's spying efforts undermine the safety of the Internet for everyone.
By using Heartbleed, the NSA "was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost," Bloomberg reports, citing two unnamed people familiar with the matter. "Millions of ordinary users were left vulnerable to attack from other nations' intelligence arms and criminal hackers."
Though the NSA initially declined Bloomberg's request to comment "on the agency's knowledge or use of" the Heartbleed bug, it issued a denial late Friday: The "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong."
Heartbleed is a security vulnerability in OpenSSL, software that's used by many Web sites to encrypt Web communications. The bug can reveal the contents of a server's memory, where the most sensitive of data is stored, including usernames, passwords, and credit card numbers. The revelation of the flaw this week sent major sites such as Google, Facebook, Yahoo, and Dropbox scrambling to patch their systems and had Internet users hustling to change their passwords.
Critics of the NSA say that its reported efforts to increase surveillance and other capabilities by undermining encryption, weakening network security standards, and influencing the building of backdoors into tech products threaten to destroy the security of the Internet. The agency is charged with both the defensive task of protecting US computer networks from attack and the offensive task of finding and exploiting vulnerabilities. Critics say these goals are at odds with each other: the surveillance wing might want to keep a vulnerability in place, secret, and exploitable, but this same hole that it's using to spy could be discovered and exploited by foes or criminals.
Last December, the NSA review panel handpicked by President Obama said that though it hadn't found evidence to support reports that the US government intentionally introduced backdoors into encryption software, it recommended that the government make it clear that the NSA will not undermine global encryption standards or demand changes to any products and services to make it easier for the agency to collect user data.
In his reform speech the following month, Obama declined to address that recommendation in detail, saying instead that the issue would be studied to determine "how we can continue to promote the free flow of information in ways that are consistent with both privacy and security."
He also said, "we cannot prevent terrorist attacks or cyberthreats without some capability to penetrate digital communications -- whether it's to unravel a terrorist plot; to intercept malware that targets a stock exchange; to make sure air traffic control systems are not compromised; or to ensure that hackers do not empty your bank accounts." It would, of course, be ironic if the agency's "capability to penetrate" communications was pegged to a vulnerability that hackers could also potentially unearth and use to drain bank accounts.
The Bloomberg report quoted a cybersecurity specialist, who discussed the NSA's process when it comes to handling vulnerabilities:
"The fact that the vulnerability existed in the transmission of ordinary data -- even if it's the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.
"They actually have a process when they find this stuff that goes all the way up to the director" of the agency, Lewis said. "They look at how likely it is that other guys have found it and might be using it, and they look at what's the risk to the country."
Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.
The complete Bloomberg report is here.
Update, 2:50 p.m. PT: The Office of the Director of National Intelligence has posted a lengthier denial on its "IC [Intelligence Community] on the Record" site:
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.
"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
"When Federal agencies discover a new vulnerability in commercial and open source software - a so-called "Zero day" vulnerability because the developers of the vulnerable software have had zero days to fix it - it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.
"In response to the recommendations of the President's Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
ODNI Public Affairs Office"