Report: NSA Knew of, And Exploited, Heartbleed Bug for Two Years

Bloomberg spoke with two sources close to the issue about the NSA's intelligence gathering methods using the now infamous computer bug.

America's National Security Agency allegedly knew about the "Heartbleed" bug for two years and used it to gather intel, leaving many computers at risk of hacking attacks. This information comes from Bloomberg, which spoke to two sources familiar with the matter. The Heartbleed bug, revealed earlier this month, is reported to have affected almost two-thirds of the world's websites, threatening passwords and account information around the world.

Using Heartbleed, the NSA was able to obtain "passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission," Bloomberg reports. However, in using the bug, the NSA left these millions of users vulnerable to attacks from other hackers.

The article states that open-source software such as OpenSSL, where Heartbleed originated, is a primary target of intelligence-gathering operations by the NSA and similar groups. Free code like OpenSSL is frequently used by many Internet companies, but the unfunded programmers who maintain it don't have the same resources as the expert codecrackers used by the NSA, Bloomberg stated.

Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council and a former Air Force cyber officer, shared some harsh words with Bloomberg about their findings. "It flies in the face of the agency's comments that defense comes first," he said. "They are going to be completely shredded by the computer security community for this."

While an NSA spokeswoman declined to speak to Bloomberg for the article, the agency did later release a statement denying much of the report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," states an article on USA Today sharing the agency's response. "Reports that say otherwise are wrong," according to the NSA.

Source: Bloomberg, USA Today

And once more we are left to ask: Quis custodiet ipsos custodes?

I think it says something that the NSA's denial of involvement only leads me to think that perhaps they used coercion to have the insecurity implemented in the first place. Even at my most charitable, I absolutely don't doubt that they'd much rather exploit a bug to gather more information than report it to have it corrected.

Now this, this is a great example of why the NSA is missing the point. In utilizing Heartbleed instead of allowing it to be patched, they put companies, individuals and governments at risk from cyberterrorists, crackers and their ilk - any damage they may have negated by using the bug to gather information and prevent attacks (mind you, I'm giving them a lot of undeserved credit and positive doubt here) was most likely completely blown out of the water by the sheer amount of information leaked to unsavory parties.

Look, NSA, if you want to do good, don't let something like this be out in the wild. It's not helping anyone. Information like this makes me wonder what sort of other bugs the NSA are sitting on - I'm kinda scared, to be honest. Not of the NSA this time, but of the numerous crackers that also know about the bug and have free rein wherever the vulnerability is.

Huh? Look, being mad at the NSA for keeping stuff secret and being kinda dicks is like being pissed at a blender for pureeing. That's what they do. That's half their purpose.

While an NSA spokeswoman declined to speak to Bloomberg for the article, the agency did later release a statement denying much of the report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," states an article on USA Today sharing the agency's response. "Reports that say otherwise are wrong," according to the NSA.

Give it a few weeks and we will find out that they did know about it all along. Like how they definitely weren't spying on the American citizens that they were spying on.

But didn't Google also know about it and apparently not think to tell anyone?

Cripes. What a deleterious, clandestine and utterly distasteful organization. It just gets worse and worse with them.

Goddamn it, this just keeps getting better and better. Who needs ethics when there's 'turrists to hunt?

I would like to say I'm surprised by this, but it's the fucking NSA we're talking about. They've proven they don't give a shit about niceties like the Constitution and the legal system long ago.

Doubleplus ungood, NSA. Very doubleplus ungood.

BREAKING NEWS.
NSA gathering intelligence.

(Seriously, isn't their motto something to the extent of "In god we trust, the rest we watch"? This is not new, THEY ARE THE N-S-FREAKING-A, of COURSE they're monitoring you through a variety of unscrupulous means, you can detect the rest)

Let's see here, you've got 'claim ignorance/innocence' and be viewed as incompetent. And on the other hand you can be viewed as an organization willing to sacrifice the security of, supposedly, 2/3 of the web.

Better to appear ignorant and have your enemies underestimate you.

Heck, the funny thing is I'm not even sure their denial is any better.

We've got this bug that in all likelihood somewhere will have exposed passwords and other account information of senators, military, law-enforcement, judges, ambassadors and many others. The NSA's mission is still first and foremost to defend against threats because I can tell you one thing, even if among all those every single one is using a different password for their official accounts there's going to be absolutely no shortage of important people who keep that password in private e-mails secured with passwords potentially exposed by this bug.

I don't know if any such leak has happened, but the fact that the vulnerability was there for two years on millions of websites primarily used by the USA and their allies, which is still where the majority of internet traffic comes from, signifies a grand failure of the NSA regardless of whether or not they knew about it.

If they knew they should've fixed it, leaving your own front-door wide open and unwatched while you're off peeking in someone else's window is sheer stupidity.
If they didn't know then they should've known, that's their mission. They're supposed to keep a watch on that front door to ensure it, and other entries, are secure.

Either way, they failed spectacularly in their mission.

One word: Escalation.

It's easy enough for the NSA to say "we're protecting the free world with this hole we found", but, they should be saying "we're protecting the free world by plugging this hole we found", because this isn't just an American Issue. Codemonkeys the world over can exploit this. Sure, you might have found out the secret gmail address some Jihadist uses to avoid those "RE:RE:RE:FWD:RE:FWD:THIS SIMPLE TRICK MADE MIDDLE AGE MUM DENTISTS HATE HER" emails, meanwhile, Moscow and Beijing have just used the same bug to steal everything they need to know about your new Warblimp.

Is that what you want, NSA? A fleet of Chinese Warblimps? Because I don't want a fleet of Chinese Warblimps. And I certainly don't want the Russians knowing about the secret gmail account I use to get away from spam emails! D=

BlameTheWizards:
While an NSA spokeswoman declined to speak to Bloomberg for the article, the agency did later release a statement denying much of the report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," states an article on USA Today sharing the agency's response. "Reports that say otherwise are wrong," according to the NSA.

I believe this xkcd comic is relevant.

Captcha: "bowties are cool" Yes. Yes they are, Captcha.

EDIT: Whoops, used html tags for the link by mistake. Fixed now.

In other words, in trying to protect America from conventional terrorism, they inadvertently left us completely vulnerable to cyberterrorism.

Good job, National SECURITY Agency, for making Americans and other countries less secure not just from you, but from the very people you're trying to protect us from. Sure, you may not have been aware of the vulnerability until recently, but guess what, THAT'S YOUR MOTHER BLOODY JOB TO KNOW ABOUT SUCH THINGS!!!

Do try to keep up in the future.

...Or better yet, don't and go away.

"We're fighting hackers by giving them opportunities to steal account information and break security breaches! More of our tax-payers money so they can have their money stolen because of us!"

I'm so happy I don't live in the country where this is happening; I'm a neurotic person, and even thinking that some guy or woman has access to the Internet, basically my second home, makes me shudder with fear.

Any indication whatsoever that these are reliable sources?

Storm Dragon:

I believe this xkcd comic is relevant.

Fixed the link for you. The current set up in your post has it so that it goes to a 404 page on the Escapist. :P

OT: Man...this just gets funnier and funnier. Honestly at this point if there is a more dangerous threat to the US, it's the NSA seeing as all the news that comes to light about them doesn't paint a pretty picture at all for them. All I know is that every conspiracy person who hears news about this has more self justification and gets more of the ability to gloat about being right.

The irony of all of this NSA spying isn't limited to the fact that if they knew about this and used it for two years that they left systems even more vulnerable to data theft. It's that any actual terrorist with half a brain is going to use communication methods that have absolutely nothing to do with the internet and computers and can't be readily traced and procured by the NSA.

They spy on you while leaving you more vulnerable to attack and failing to actually keep track of the people they probably should be watching. The NSA and organizations in other countries which run programs like they do are a complete joke.

It still boggles my mind that nobody is being punished over the NSA scandal. Is this just the world we live in now? "Your privacy belongs to us, what are you gonna do about it?"

If anyone still does not know how this bug actually works then XKCD provides a good explanation of it at http://xkcd.com/1354/

how can the americans allow this?

Is it sad that none of this stuff surprises me anymore?

I am honestly not sure what to believe about this, on one hand it's the NSA, I don't doubt that if they knew about the issue they would exploit it, on the other hand it's the NSA, even if they had no idea about the issue they would be blamed for it and/or accused of exploiting it at this point.

Y'know, at this point I really don't care anymore.

Felix the Human:
Y'know, at this point I really don't care anymore.

This. Besides, "two sources" is pretty damn convenient. I think that claiming the NSA knew about the glitch so far in advance of everyone else is being waaaaaaaay too charitable.

NuclearKangaroo:
how can the americans allow this?

How can they... uh... what? Allow glitchy software to exist? Allow their intelligence agency to gather intelligence?

What on Earth do you propose that they do?

Riverwolf:
In other words, in trying to protect America from conventional terrorism, they inadvertently left us completely vulnerable to cyberterrorism.

Good job, National SECURITY Agency, for making Americans and other countries less secure not just from you, but from the very people you're trying to protect us from. Sure, you may not have been aware of the vulnerability until recently, but guess what, THAT'S YOUR MOTHER BLOODY JOB TO KNOW ABOUT SUCH THINGS!!!

Do try to keep up in the future.

...Or better yet, don't and go away.

Actually, it's not their job to find and fix glitches in security protocol. That's the DEV'S job.

Also, the article states in its opening paragraph that they've known about the glitch for two years, which is a whole different kettle of fish (and I also doubt it, but whatever).

So not only did you completely get their job description wrong, but you attacked them for the wrong thing.

...please be more careful about saying "do try to keep up".

lacktheknack:

NuclearKangaroo:
how can the americans allow this?

How can they... uh... what? Allow glitchy software to exist? Allow their intelligence agency to gather intelligence?

What on Earth do you propose that they do?

stop compromising the security and privacy of the citizens of united states and the world maybe?

NuclearKangaroo:

lacktheknack:

NuclearKangaroo:
how can the americans allow this?

How can they... uh... what? Allow glitchy software to exist? Allow their intelligence agency to gather intelligence?

What on Earth do you propose that they do?

stop compromising the security and privacy of the citizens of united states and the world maybe?

You're asking that Americans stop compromising their... own... security and privacy?

Uh... you realize the only way they can do that is to exit the internet, right? Your privacy is compromised the instant your data hits the first router if anyone is reading.

Unless you're saying that the NSA should be doing that, but then I question why you brought "Americans" into this in the first place.

Neronium:

Storm Dragon:

I believe this xkcd comic is relevant.

Fixed the link for you. The current set up in your post has it so that it goes to a 404 page on the Escapist. :P

OT: Man...this just gets funnier and funnier. Honestly at this point if there is a more dangerous threat to the US, it's the NSA seeing as all the news that comes to light about them doesn't paint a pretty picture at all for them. All I know is that every conspiracy person who hears news about this has more self justification and gets more of the ability to gloat about being right.

Thanks for the fix, man.

lacktheknack:

NuclearKangaroo:

lacktheknack:

How can they... uh... what? Allow glitchy software to exist? Allow their intelligence agency to gather intelligence?

What on Earth do you propose that they do?

stop compromising the security and privacy of the citizens of united states and the world maybe?

You're asking that Americans stop compromising their... own... security and privacy?

Uh... you realize the only way they can do that is to exit the internet, right? Your privacy is compromised the instant your data hits the first router if anyone is reading.

Unless you're saying that the NSA should be doing that, but then I question why you brought "Americans" into this in the first place.

boy do i really need to spell it out?

why do the american PEOPLE, the CITIZENS, allow the NSA, to invade their privacy without consent, and abuse system bugs to gain information, again, without consent, compromising the security of the data of these people, as well as their privacy, like i said

and since USA isnt the only country that uses the internet and most internet traffic goes through USA, NSA activities also compromise the security and privacy of the people around the world

NuclearKangaroo:

lacktheknack:

NuclearKangaroo:

stop compromising the security and privacy of the citizens of united states and the world maybe?

You're asking that Americans stop compromising their... own... security and privacy?

Uh... you realize the only way they can do that is to exit the internet, right? Your privacy is compromised the instant your data hits the first router if anyone is reading.

Unless you're saying that the NSA should be doing that, but then I question why you brought "Americans" into this in the first place.

boy do i really need to spell it out?

why do the american PEOPLE, the CITIZENS, allow the NSA, to invade their privacy without consent, and abuse system bugs to gain information, again, without consent, compromising the security of the data of these people, as well as their privacy, like i said

and since USA isnt the only country that uses the internet and most internet traffic goes through USA, NSA activities also compromise the security and privacy of the people around the world

Yes, please spell out what you want them to do. Everyone knows the problem, no one has a solution.

Shoot the NSA wholesale?

LunaticPanda:
BREAKING NEWS.
NSA gathering intelligence.

(Seriously, isn't their motto something to the extent of "In god we trust, the rest we watch"? This is not new, THEY ARE THE N-S-FREAKING-A, of COURSE they're monitoring you through a variety of unscrupulous means, you can detect the rest)

Except the 'S' in "NSA" is supposed to stand for Security. In this case, for every piece of questionable content they could monitor by exploiting the bug, there could be a few hundred more pieces of private information going out.

This doesn't seem so much like "gathering intelligence" as much as rummaging through people's drawers (figuratively speaking, of course) and leaving the back door wide open when they leave. They might match a few fingerprints on the silverware, but any thief with two working eyes can walk in and swipe the credit cards (less figuratively speaking).

lacktheknack:

NuclearKangaroo:

lacktheknack:

You're asking that Americans stop compromising their... own... security and privacy?

Uh... you realize the only way they can do that is to exit the internet, right? Your privacy is compromised the instant your data hits the first router if anyone is reading.

Unless you're saying that the NSA should be doing that, but then I question why you brought "Americans" into this in the first place.

boy do i really need to spell it out?

why do the american PEOPLE, the CITIZENS, allow the NSA, to invade their privacy without consent, and abuse system bugs to gain information, again, without consent, compromising the security of the data of these people, as well as their privacy, like i said

and since USA isnt the only country that uses the internet and most internet traffic goes through USA, NSA activities also compromise the security and privacy of the people around the world

Yes, please spell out what you want them to do. Everyone knows the problem, no one has a solution.

Shoot the NSA wholesale?

i dont know dude

my country is protesting because this wacko wants to turn my beautiful country into cuba 2.0 and destroy the democracy so many people died to obtain

maybe you could protest to preserve the right for privacy you, your parents and your grandparents have enjoyed so far, believe me, its not worth it to wait until the very last moment when your enemy is at its strongest

its surprising how unsurprised i am at this
