NSA May Have Exploited Heartbleed Bug For Years

ForumsAdministrator
News Posted: Sat, Apr 12 2014 11:08 AM
The news of two truly horrible security breaches broke this year; one was the NSA’s shadowy data grabbing and surveillance program, and the other was the Heartbleed bug that left about two-thirds of the Internet utterly exposed to any bad actor. According to a Bloomberg report, these two stories have merged, as “two people familiar with the matter” have told the outlet that the NSA has known about the Heartbleed bug for at least two years and has regularly exploited it to gather intelligence.

In an emailed statement to Bloomberg, the Office of the Director of National Intelligence said, “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong.”

NSA headquarters

Frankly, it’s unlikely anyone believes that statement to be true. The NSA domestic spying scandal, which we’ve covered extensively, has proven that the U.S. government’s security apparatus will do whatever it wants to gather data on whomever it wants. Speed bumps like the FISA court made some of these activities legal, at least technically, but if it’s true that the NSA used Heartbleed to gain access to private data on web servers around the world, it amounts to outright thievery.

Worse, as we’ve said before, if the NSA is using backdoors and exploits then anyone can do the same, including your worst-nightmare cast of bad characters. That’s (possibly) what has happened with Heartbleed.

Heartbleed bug
Credit: Mark Loman

The Heartbleed bug is especially pernicious because it doesn’t require a hack per se; there’s just a coding flaw in OpenSSL that allows someone with a little know-how to access everything on a web server, and thus it’s impossible to tell if a site has been compromised. The world found out about it this week, there’s a fix available, and most websites have certainly reset their security certificates so that the bug is patched, but if that backdoor has been open for the two years that the NSA is alleged to have been walking through it, who else has been using it and to what end?

If the NSA is indeed guilty of exploiting the Heartbleed bug, it’s possibly the agency’s most egregious violation to date. The agency says it has a policy of reporting vulnerabilities like Heartbleed when they’re found, but that doesn’t mean the heads of the NSA wouldn’t decide that the offensive worth of some exploits is greater than the defensive value of helping to patch it and thus protect U.S. citizens.
Not Ranked
Posts 3
Points 15
Joined: Mar 2013

May have?

JLeBoeuf replied on Sat, Apr 12 2014 11:55 AM

This just in - the NSA did their job. *gasp*

Johnny3D replied on Sat, Apr 12 2014 12:28 PM

Scaremongering?

No thanks. I prefer facts to wild speculation.

Not Ranked
Posts 5
Points 40
Joined: Jan 2014

yeah yeah we knew that much

Not Ranked
Posts 56
Points 400
Joined: May 2013
Location: SoCal

Although there seem to be no hard facts or substantiation for this claim, it wouldn't totally surprise me.
