Skip to main content
  1. Home
  2. Computing
  3. Reviews

Did the NSA exploit the Heartbleed bug for years?

Konrad Krawczyk
By
usa freedom act passes in senate with 67 32 vote nsa computers heartbleed bug
Image Credit: Wikimedia

The Office of the Director of National Intelligence (ODNI) flat-out denied reports that the National Security Agency had been quietly exploiting a widespread flaw in Internet security called the Heartbleed bug for years, as reported by Bloomberg news on Friday — accusations that sent shock waves of concern and frustration through Internet users.

“The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report,” reads an official statement posted Friday to a blog maintained by the government agency. “If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

Recommended Videos

The alarming Bloomberg report claimed that the country’s top spy agency had discovered the security vulnerability shortly after it emerged, and has routinely used it to collect data and spy (likely on Americans, intentionally or otherwise). Data sucked up by the NSA using the Heartbleed bug could have included email addresses, passwords and other data that would have let the agency carry on its cyber-espionage operations.

MORE: Here’s a list of websites allegedly affected by the Heartbleed bug

The longer a flaw like Heartbleed existed on the Internet, the more opportunity there was for criminals and enemy states to exploit it to steal information, spy on others and cause incalculable harm to individuals, businesses and government agencies, explained noted security analyst Graham Cluley.

“If it’s true … then they’ve let down everyone who uses the Internet.”

“If it’s true that the NSA knew about the Heartbleed bug, but didn’t tell anyone about it, then they’ve let down everyone who uses the Internet — both around the globe, as well as the law-abiding citizens they are supposed to protect in the United States,” Cluley told Digital Trends.

One of the NSA’s main missions is national security. That includes seeking out software flaws and vulnerabilities that could be exploited by hackers and other governments. The agency’s actions with respect to how it used the Heartbleed bug, and its refusal to inform the public of its existence, would have run contrary to those missions, some say.

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the Atlantic Council’s cyber statecraft initiative, and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

The NSA first addressed the Bloomberg report in a statement issued via Twitter:

The ODNI statement stressed the same point, noting that “it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.” Yet many still questioned the agency. The Electronic Freedom Foundation (EFF), a non-profit dedicated to protecting Americans’ civil liberties, wrote the following tweet in response:

A handful of programmers runs the OpenSSL security protocol in which the Heartbleed bug lies; the NSA tasks thousands with discovering such vulnerabilities. Once the flaw was uncovered, the Bloomberg report claimed, the NSA essentially put it in its back pocket, instead of warning those who could have patched the problem and kept the nation’s data safe — a part of the agency’s stated mission.

MORE: How to check if your favorite websites are vulnerable to the Heartbleed bug

“The Information Assurance mission confronts the formidable challenge of preventing foreign adversaries from gaining access to sensitive or classified national security information,” the agency’s mission statement reads.

James Lewis, a senior fellow at the Center for Strategic and International Studies specializing in cybersecurity, says that the NSA considers multiple options when it discovers vulnerabilities like Heartbleed. They include temporary exploitation combined with collaboration with software developers to plug the flaw.

MORE: What is the Heartbleed bug?

“They actually have a process when they find this stuff that goes all the way up to the director” of the NSA, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

NSA operations-center
National Security Operations Center (credit: Wikipedia) Wikipedia

The Heartbleed bug is a serious vulnerability in the OpenSSL Internet encryption protocol known that has potentially left the information of most Internet users vulnerable to hackers. The Heartbleed bug reportedly affects as much as 66 percent of the world’s active websites, and has existed for roughly two years. That’s according to a team of Codenomicon researchers, as well as Google Security researcher Neel Mehta.

“We’ve never seen any quite like this,” Michael Sutton, vice president of security research at Zscaler, a security firm, says. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”

MORE: The Heartbleed bug affects “almost everyone”

The NSA has been embroiled in controversy and scandal since it was revealed that the agency actively collects data and spies on a vast array of Internet users, including unaware Americans.

Topics
Konrad Krawczyk
Konrad Krawczyk
Former Digital Trends Contributor
Konrad covers desktops, laptops, tablets, sports tech and subjects in between for Digital Trends. Prior to joining DT, he…
Best Squarespace deals: Save on domains, web builder, and more
A laptop with Squarespace displayed on the screen.

Nowadays, everybody has a website, whether it's for personal stuff, to show off their online portfolio, or even to sell something. Of course, building a website isn't always easy, especially for those who aren't tech-savvy, but you'll be surprised at how easy it is to build a website with Squarespace, even for beginners. Luckily, there is currently a great sale going on at Squarespace to give you an extra nudge to grab yourself a subscription, with annual plans giving you up to 36% off, as well as a short-term 20% off sitewide with the code W4D20.

Besides just website building, there are a ton of perks of subscription, from hosting to email campaigns and even Squarespace Courses, which is pretty unique for a website-building website. So, if that sounds like something you'd like to be a part of, we've listed all the ways you can save on Squarespace subscriptions below.
Today’s best Squarespace deals

Read more
Microsoft Word free trial: Get a month of service for free
A person using MS Word.

It may not feel like it, but Microsoft Word is probably one of the most popular word processors out there, along with Google Docs, and pretty much everybody has likely used it at some point, regardless if you prefer Microsoft Office to Google Docs. Of course, if you want to get your hands on it these days, you're going to have to buy it as part of Microsoft Office, as opposed to getting it as a standalone product like you used to. While you do have to pay for the subscription, you can get Microsoft Word for a month using the free trial before it reverts to a paid subscription. Also, be sure to check out some of these useful Microsoft Words tricks and even how to run Microsoft Office on the Quest 3.
Is there a Microsoft Word free trial?

Microsoft Word is actually part of the company's wider Office app suite. Now known simply as Microsoft 365 (formerly Microsoft Office), Microsoft's enterprise software is available in a number of different packages that are now subscription-based; the company has retired the older bundles that were available for a one-time payment. That means if you want a Microsoft Word free trial, you'll need to sign up for the Microsoft 365 trial.

Read more
The best web browsers for 2024
Lenovo IdeaPad 530S

All web browsers have the same basic function, and yet, the choice between them has always been one of the most contentious in tech history. You have more options these days than ever before, whether you're looking for the best web browser for privacy, the best for speed, or perhaps something a bit more adventurous.

To help you decide on the best web browser, we grabbed the latest browsers and put them through their paces. Even if some could use a complete overhaul, these options are your best chance for a great online experience.
The best web browser: Google Chrome
Google Chrome version 116 Mark Coppock / Digital Trends
Chrome is ubiquitous -- and for good reason. With a robust feature set, full Google Account integration, a thriving extension ecosystem (available through the Chrome Web Store), and a reliable suite of mobile apps, it’s easy to see why Chrome is the most popular and the best web browser.
Chrome boasts some of the most extensive mobile integration available. Served up on every major platform, keeping data in sync is easy, making browsing between multiple devices a breeze. Sign in to your Google account on one device, and all Chrome bookmarks, saved data, and preferences come right along. Even active extensions stay synchronized across devices.
Chrome's Password Manager can automatically generate and recommend strong passwords when a user creates a new account on a webpage. Managing saved passwords and adding notes to passwords is even easier. The search bar, or Omnibox, provides "rich results" comprised of useful answers, and it now supports generative AI capabilities. Favorites are more accessible as well, and they're manageable on the New Tab page. And it's now easier to mute tabs to avoid unwanted sounds.

Read more