Bloomberg News reports that the NSA knew about the Heartbleed bug for at least two years and used it as one of its essential spying tools to snoop on private communications and to steal passwords and other sensitive information around the web. The Heartbleed bug in the OpenSSL encryption library is estimated to have affected as much as two-thirds of websites on the internet.
The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.
While this is certainly shitty, it isn’t exactly surprising if the NSA not only knew about this bug and exploited it but also steadfastly declined to disclose it so it could be patched, even though that left tens of millions of Americans open to the same attack, whether from criminals or from other states. This is a kamikaze pilot’s approach to “national security.” (Never mind the harm it may have done to people around the world, including in friendly countries like Canada.)
If there’s one silver lining here, though, it’s that Bloomberg’s sources for this incredible report are “two people familiar with the matter,” which suggests people within the U.S. intelligence community. Hopefully Edward Snowden’s decision to leak information about surveillance practices has encouraged more whistleblowers to come forward.
Ever since the Heartbleed bug was exposed, security experts have been wondering nervously who might have known about the vulnerability and for how long. If the NSA knew, did Chinese, Russian and Iranian spies know as well? Did Canada’s spy agency CSEC, which works closely with the NSA, also know and keep this information from us?
UPDATE: The NSA denies the Bloomberg report. “If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have [been] disclosed to the community responsible for OpenSSL,” the agency said in a statement.
Following recommendations by a task force created by President Barack Obama to investigate intelligence methods, the NSA says it discloses vulnerabilities “unless there is a clear national security or law enforcement need.”
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
— NSA/CSS (@NSA_PAO) April 11, 2014
This is a somewhat rare, straightforward denial from the agency. Usually it issues a “Glomar response,” in which it neither confirms nor denies media reports. Of course, officials could easily have issued this denial earlier, but for some reason they refused to talk to Bloomberg before the story ran.
UPDATE II: A CSEC spokesperson told the Albatross that Canada’s spies did not have prior knowledge of the Heartbleed vulnerability.
“Since learning of this particular vulnerability earlier this week, CSE’s IT Security team has been actively working … on mitigation and protection measures to address the Heartbleed bug,” Ryan Foreman said in an emailed statement.
[Bloomberg]