Did the NSA exploit the Heartbleed bug for years?

usa freedom act passes in senate with 67 32 vote nsa computers heartbleed bug
Image Credit: Wikimedia

The Office of the Director of National Intelligence (ODNI) flat-out denied reports that the National Security Agency had been quietly exploiting a widespread flaw in Internet security called the Heartbleed bug for years, as reported by Bloomberg news on Friday — accusations that sent shock waves of concern and frustration through Internet users.

“The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report,” reads an official statement posted Friday to a blog maintained by the government agency. “If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

The alarming Bloomberg report claimed that the country’s top spy agency had discovered the security vulnerability shortly after it emerged, and has routinely used it to collect data and spy (likely on Americans, intentionally or otherwise). Data sucked up by the NSA using the Heartbleed bug could have included email addresses, passwords and other data that would have let the agency carry on its cyber-espionage operations.

MORE: Here’s a list of websites allegedly affected by the Heartbleed bug

The longer a flaw like Heartbleed existed on the Internet, the more opportunity there was for criminals and enemy states to exploit it to steal information, spy on others and cause incalculable harm to individuals, businesses and government agencies, explained noted security analyst Graham Cluley.

“If it’s true … then they’ve let down everyone who uses the Internet.”

“If it’s true that the NSA knew about the Heartbleed bug, but didn’t tell anyone about it, then they’ve let down everyone who uses the Internet — both around the globe, as well as the law-abiding citizens they are supposed to protect in the United States,” Cluley told Digital Trends.

One of the NSA’s main missions is national security. That includes seeking out software flaws and vulnerabilities that could be exploited by hackers and other governments. The agency’s actions with respect to how it used the Heartbleed bug, and its refusal to inform the public of its existence, would have run contrary to those missions, some say.

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the Atlantic Council’s cyber statecraft initiative, and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

The NSA first addressed the Bloomberg report in a statement issued via Twitter:

The ODNI statement stressed the same point, noting that “it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.” Yet many still questioned the agency. The Electronic Freedom Foundation (EFF), a non-profit dedicated to protecting Americans’ civil liberties, wrote the following tweet in response:

A handful of programmers runs the OpenSSL security protocol in which the Heartbleed bug lies; the NSA tasks thousands with discovering such vulnerabilities. Once the flaw was uncovered, the Bloomberg report claimed, the NSA essentially put it in its back pocket, instead of warning those who could have patched the problem and kept the nation’s data safe — a part of the agency’s stated mission.

MORE: How to check if your favorite websites are vulnerable to the Heartbleed bug

“The Information Assurance mission confronts the formidable challenge of preventing foreign adversaries from gaining access to sensitive or classified national security information,” the agency’s mission statement reads.

James Lewis, a senior fellow at the Center for Strategic and International Studies specializing in cybersecurity, says that the NSA considers multiple options when it discovers vulnerabilities like Heartbleed. They include temporary exploitation combined with collaboration with software developers to plug the flaw.

MORE: What is the Heartbleed bug?

“They actually have a process when they find this stuff that goes all the way up to the director” of the NSA, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

NSA operations-center
National Security Operations Center (credit: Wikipedia) Wikipedia

The Heartbleed bug is a serious vulnerability in the OpenSSL Internet encryption protocol known that has potentially left the information of most Internet users vulnerable to hackers. The Heartbleed bug reportedly affects as much as 66 percent of the world’s active websites, and has existed for roughly two years. That’s according to a team of Codenomicon researchers, as well as Google Security researcher Neel Mehta.

“We’ve never seen any quite like this,” Michael Sutton, vice president of security research at Zscaler, a security firm, says. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”

MORE: The Heartbleed bug affects “almost everyone”

The NSA has been embroiled in controversy and scandal since it was revealed that the agency actively collects data and spies on a vast array of Internet users, including unaware Americans.

Mobile

Think iPhones can’t get viruses? Our expert explains why it could happen

If your iPhone has been acting strangely, then you may be concerned about the possibility it is infected with a virus or some malware. We take a look at just how likely that is and explain why iOS is considered relatively safe.
Gaming

These are the must-have games that every Xbox One owner needs

More than four years into its life span, Microsoft's latest console is finally coming into its own. From Cuphead to Halo 5, the best Xbox One games offer something for players of every type.
Movies & TV

The best shows on Netflix right now (March 2019)

Looking for a new show to binge? Lucky for you, we've curated a list of the best shows on Netflix, whether you're a fan of outlandish anime, dramatic period pieces, or shows that leave you questioning what lies beyond.
Movies & TV

The best movies on Netflix in March, from Buster Scruggs to Roma

Save yourself from hours wasted scrolling through Netflix's massive library by checking out our picks for the streamer's best movies available right now, whether you're into explosive action, witty humor, or anything else.
Computing

USB4 will be the fastest and most uniform USB standard yet

USB4 is on the horizon and alongside a massive boost in speed it's also unifying with the Thunderbolt 3 standard to help finally create a singular wired connection protocol that all devices can enjoy.
Computing

The U.S. government plans to drop $500M on a ridiculously powerful supercomputer

The U.S. Department of Energy has announced plans to build a $500 million exascale supercomputer by 2021. The project, known as the Aurora supercomputer, is expected to boost research efforts in fields such as public health.
Product Review

4K and 144Hz? Yup, the Acer Predator XB3 will max out your gaming PC

The Predator XB3 isn’t for the faint of heart. But if you have a system that can push over 100 frames per second in 4K screen resolution, this monster of a monitor might be the perfect match for your overpowered gaming rig.
Buying Guides

Apple has powered up its iMac lineup, but which one should you opt for?

With new processors and graphics cards for both the 4K and 5K models, the iMac feels like a good option for creatives again. But which should you buy? Here's our guide to choosing the right Apple all-in-one for your needs.
Computing

HP spring sale: Save up to 58 percent on laptops, desktops, printers, and more

From now until March 23, the HP spring sale lets you take as much as 58 percent off of a huge range of laptops, desktop PCs, printers, and more, potentially saving you more than $1,000. We’ve rounded up a dozen of the best deals right…
Computing

Yes, Apple’s new iMacs look great, but they do have one glaring problem

With processors ranging up to the eight-core Core i9, the 2019 iMac update looks like a pretty solid upgrade to Apple's classic all-in-one. But hidden in the details of the product page, there's one outdated component Apple is holding onto.
Computing

Grab 1 terabyte of SSD storage for just $100 with this sale on Amazon

If you're looking for an excellent opportunity to pick up a 1TB SSD at a low price, Amazon has you covered with Samsung's 860 QVO 1TB 2.5-inch SATA III Internal SSD. It is an excellent offering for both multimedia enthusiasts and gamers.
Computing

The iMac finally got updated, but how does it compare to the Mac mini?

Apple announced a long-awaited update to the Mac mini. Thanks to the updated specs and increase in price, it's begun to creep up to the base model iMac. In this guide, we now put up the specs on the newest refreshed Mac mini against the…
Computing

Here's our guide to how to charge your laptop using a USB-C cable

Charging via USB-C is a great way to power up your laptop. It only takes one cable and you can use the same one for data as well as power -- perfect for new devices with limited port options.
Computing

Pinning websites to your taskbar is as easy as following these quick steps

Would you like to know how to pin a website to the taskbar in Windows 10 in order to use browser links like apps? Whichever browser you're using, it's easier than you might think. Here's how to get it done.