Cybersecurity

NSA Allegedly Knew for Years About Major Just-Discovered Internet Glitch

Heartbleed bug may have contributed to untold amounts of computer fraud

|

Updated at the bottom with a response from the National Security Agency.

It's possibly the biggest security vulnerability ever discovered on the Internet. It's known as "Heartbleed," a glitch in the very software used to provide basic encryption at hundreds of thousands of Internet sites allowed hackers to access the data the encryption was supposed to protect. The bug was disclosed earlier this week, and Internet users are encouraged to change all their passwords.

Today, Bloomberg reports that the National Security Agency has known about this glitch for at least two years and used it to gather intelligence, while keeping knowledge of the bug to itself.

What is Heartbleed?

CNet offers a primer and FAQ on what Heartbleed is and how it works, though it can get a little technical. The glitch allows a hacker to use a protocol used to keep communication open between an Internet connection and a server to collect additional data that is supposed to be kept secure through this very encryption process. This means data that users thought was being kept secure, symbolized by the little padlock symbol on their web browsers, was not secure at all.

Probably the best illustration of how the glitch works comes from nerdy online comic xkcd:

 

Sites have been scrambling to fix the glitch. You can visit a Heartbleed checker here to see if sites you use are still affected. (For those of you registered to comment on Reason, it says we are now safe, but recommends changing your password if you haven't done so recently).

The NSA Knew and Said Nothing?

According to Bloomberg today, the NSA has known about the flaw and said nothing, even though it may have contributed to untold amounts of consumer fraud. And if other nations' intelligence services knew, nations that perhaps want to infiltrate activists and political opponents, there's no telling what they might have gotten:

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts. …

"It flies in the face of the agency's comments that defense comes first," said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. "They are going to be completely shredded by the computer security community for this."

Update: The NSA, in a tweet, responded to the Bloomberg story that it was unaware of the Heartbleed flaw until it was made public this week.

Here's a longer response from the Office of the Director of National Intelligence:

Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

NEXT: Nevada County Commissioner Implies a Death Threat Against Out-of-Staters Who Might Come to Support Cattle Rancher in His Fight with the Feds: [UPDATED: BLM Backs Down!]

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Yep, NSA said they didn’t know, and they have never been anything but honest with the American people and the rest of the world. Please disperse. There is nothing to see here.

    Oh, and if you like your encryption, you can keep it.

  2. The NSA could change overnight to the most open honest good-natured organization in the world, and it would be decades before anyone believed them.

    1. And rightfully so, given their track record.

  3. Hey, who you gonna believe? Me or your lying eyes?

  4. But they invented PKE years before Diffie-Hellman and actively exploit weaknesses in all sorts of other software. They just happened to overlook a critical (and common vector) memory flaw in a widely used protocol.

    Oh, and BarryCare am winning!

  5. “takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet” because without it how would we get so many people to voluntarily disclose so much information?

  6. “The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.”

    Am I the only who thinks this is a frightening statement?

    The security of people where it matters most – consumer fraud, identity theft – that can instantaneously ruin their lives; so much so it can be equal to being dead, is secondary to national security where the likelihood of being killed by terrorists is less than dying in a plane crash?

    What am I missing?

    1. Irrational fear and the childish impulse to legislate it away…that’s what you’re missing.

  7. Given the mendaciousness of the Administration and the NSA in the past, why would anyone believe what they say here? When previous trust has proven seriously unfounded, you’d have to be very naive to take their words – “This Administration takes seriously its responsibility to help maintain a… secure… Internet” – at face value.

Please to post comments

Comments are closed.