Has The US National Security Agency Been Secretly Exploiting The Heartbleed Bug For Years?

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

Bloomberg reported that the bug was kept secret in the interest of national security, while the agency used it to obtain passwords and other data. Since the bug was first committed in 2012, the report suggests the NSA discovered the bug and maintained access for nearly the entire lifespan of Heartbleed.

theverge.com

The Obama administration denied Friday that the National Security Agency or other parts of the federal government had known about the Heartbleed security vulnerability that has created widespread fears that passwords and other sensitive information belonging to millions of Internet users may have been revealed over the past two years.

nytimes.com

The White House was responding to a report by Bloomberg News citing two unidentified sources who said that the N.S.A. had known about the flaw and “regularly used it to gather critical intelligence.” Outside experts expressed strong doubts about the report, noting that the information that could be gleaned from the Heartbleed bug was somewhat random, meaning it probably would be a clumsy intelligence tool.

indiatimes.com

But Caitlin Hayden, the spokeswoman for the National Security Council, said in a statement: “Reports that N.S.A. or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The federal government was not aware of the recently identified vulnerability in OpenSSL” — the freely available encryption methodology — “until it was made public in a private sector cybersecurity report.”

nytimes.com

For days, government officials have said nothing about what they knew, or did not know, about Heartbleed. But as the Bloomberg report began to race around the Internet, the White House, the National Security Agency and the office of the director of national intelligence determined that they could not remain silent.

gawker.com

Since the Heartbleed bug was first publicized on Monday, some security researchers and cryptographers have questioned whether the bug served as the basis for the National Security Agency’s Bullrun program, its decade-long effort to crack or circumvent encryption on the web. But the Heartbleed bug was introduced in some code by a German programmer in March 2012, two years after the agency made a major encryption breakthrough under the Bullrun program, according to classified documents released by the former N.S.A. contractor Edward J. Snowden.

nytimes.com

Security researchers also note that the Heartbleed bug allows hackers to pull out data only in 64 kilobyte increments, making it less feasible that it would be used for wide-scale espionage. Initially, some security experts questioned whether it could be used to extract the private encryption keys to unscramble messages stored on a server in the past, or potentially in the future. But on Friday, a group of security experts at CloudFlare, the Silicon Valley Internet firm, said that in tests this week, they were not able to extract any private key data from a vulnerable server using the Heartbleed bug.

“Note that is not the same as saying it is impossible to use Heartbleed to get private keys,” Nick Sullivan, a security engineer at CloudFlare, wrote in a company report. “However, if it is possible, it is at minimum very hard.” James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said that the claim that the N.S.A. knew about the Heartbleed bug and stockpiled it for its own purposes was not in keeping with the agency’s policy. “In this case, it would be weird for the N.S.A. to let this one go if they thought there was such a widespread risk,” he said.

nytimes.com