Sources Say the NSA Kept Heartbleed Bug A Secret And Exploited It For Years
Et tu, CVE-2014-0160?
We’ve only known about the Heartbleed threat since April 7th, but sources say the bug was no surprise to the NSA. In a violation of trust that may end America’s remaining patience for irresponsible surveillance, the NSA kept the coding flaw a secret and left citizens vulnerable to threats from criminals and foreign intelligence agencies for years.
If you’ve been living under a safely encrypted rock for the past five days, the Heartbleed Bug is a coding error in OpenSSL that impacted 2/3 of the entire Internet and allowed undetected third parties to view private data: in other words, an ideal surveillance tool. According to Bloomberg, two anonymous sources have come forward to say the NSA knew about the bug and used it to gather passwords and other data. The NSA declined to comment, a right they apparently didn’t think the average Internet user deserved.
Not surprisingly, the NSA is already denying any knowledge:
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
— NSA/CSS (@NSA_PAO) April 11, 2014
Sadly, the revelation of another possible violation of privacy linked to the NSA might not come as a surprise to many Americans. Comments on a Gizmodo article about the NSA’s secret knowledge of the bug imply that many Internet users think there’s no end to how little the NSA values the privacy of the citizens it’s allegedly protecting. For many experts, though, the specific threats users were exposed to by Heartbleed make this possible recent transgression particularly appalling. Says Bloomberg, “Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”
That’s a worry echoed by Jason Healey, director of the Cyber Statecraft Initiative and former Air Force cyber officer, who told Bloomberg, “It flies in the face of the agency’s comments that defense comes first[…]They are going to be completely shredded by the computer security community for this.” John Pescatore, director of emerging security trends and a former NSA employee, also fears average Internet users may have unknowingly exposed data to foreign criminals or spy organizations.
Thankfully, we’re all in full Heartbleed damage-control mode now, but that doesn’t necessarily mean the worst of the NSA betrayals has come and gone: the organization may have more unpleasant surprises in store. Bloomberg says “the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers.” Hopefully the NSA isn’t knowingly exposing citizens to more egregious threats; we’re still debating the predictability of their latest transgression.