Vulnerability Management

Heart of darkness

On Friday morning, April 11, one of our indefatigable reporters, Adam Greenberg, made the prediction that somehow or another the National Security Agency (NSA) would be tied to the Heartbleed vulnerability.

His was an opinion that many of us in the information security industry had and for which we were awaiting some kind of confirmation. Later that day it came, making Adam's voiced prediction in the bullpen that a.m. a bit eerie, as our Associate Editor Teri Robinson put it. 

So, here we are now, armed with the news that the NSA allegedly not only knew about Heartbleed for two years but also leveraged it for its seemingly constant spying efforts, which, of course, officials for the government agency and the White House fervently refute. 

As we reported on SCMagazine.com, it was only about two hours after the Bloomberg story broke the allegations – that the NSA has been exploiting the bug to gather “critical intelligence” from websites – that the denials came. One was directly from the former director of the government agency, General Michael Hayden. He said the presidential administration “takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet.”

Whew. I feel better now. 

I, mean, we do have to forget the fact that this isn't the first time Hayden has denied reports about the NSA's questionable spying and hacking operations that, according to the “unnamed sources” in the Bloomberg report, are “at the core of its mission.”

And, I suppose we should also disregard the fact that Heartbleed, which exploits a long-standing flaw in SSL and TLS – protocols that actually were made to keep bad guys from seeing various interactions we undertake on the internet – allegedly has been enlisted by the NSA to amass stuff like passwords and other private data, technically making us all vulnerable to attacks by them or anyone else for that matter. 

But, on that last point, just how vulnerable are we to an assault by the NSA?

Well, Dave Lacey, futurologist at IOActive, emailed Doug Drinkwater, our reporter at SC UK, that while we as consumers shouldn't be all that shocked with news that the NSA possibly has been using Heartbleed to do its spying thing, NSA agents aren't the ones we need to worry about. Everyday cyber criminals are still more concerning, representing the greater risk to us all. 

Reminding us that no technology is 100 percent safe, Lacey added that “the problem with Heartbleed illustrates the danger of technology monoculture. When something goes wrong the impact is potentially huge…”

In this particular case, though, exploitation of Heartbleed appears to be a might difficult to execute, he said. 

So, what's next? Your guess is as good as mine. Most assuredly, more news will trickle out about NSA activities. After all, Snowden stole…What was the last figure? 1.7 million documents – but no one really knows – via a thumb drive. 

And, the exploits leveraging Heartbleed to enable breaches already have debuted. No doubt, cyber criminals will devise still more ways to parlay the hole. As well, some nation-state tech leaders, given their expertise and alleged head start, may have even more advanced exploits in hand. I'm not feeling better, after all. You?

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.