The National Security Agency (NSA) has dismissed reports that it has been exploiting the Heartbleed vulnerability to carry out internet surveillance.
Only two hours after Bloomberg broke the story late last week, which cited “two people familiar with the matter” proclaiming that the U.S. surveillance agency has been aware of the bug for two years, and has been exploiting it ever since to gather ‘critical intelligence’ from websites, White House and NSA representatives quickly released statements to counter the allegations.
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” said White House National Security Council spokeswoman Caitlin Hayden in a statement.
Former director of the NSA General Michael Hayden also added, “This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet.”
The Bloomberg report also stated that the Heartbleed bug, which exploits a flaw in the Secure Sockets Layer (SSL) and Transport Layer Security protocol (TLS) designed to stop prying eyes viewing internet activity, has been used by NSA officers to obtain passwords and other basic data to act as the “building blocks of the sophisticated hacking operations at the core of its mission.” This means ordinary users’ would be vulnerable to attack from other nations’ intelligence arms and criminal hackers, according to the report.
Despite both the NSA’s and White House’s quick denials of spying claims leveraging Heartbleed included in the Bloomberg report, privacy advocates and other IT security experts were just as fast to lash out at the government agency for these reported questionable activities.
NSA knowing about #Heartbleed and not saying anything is the number one reason I’m proud to be an independent security programmer.
— Nadim Kobeissi (@kaepora) April 11, 2014
NSC statement denying NSA knowledge of Heartbleed hints at law enforcement use of 0-days, not just intel agencies. pic.twitter.com/4Ic1j5eaPc
— Christopher Soghoian (@csoghoian) April 11, 2014
More immediate reactions to the news shared on Twitter last Friday by other security professionals’ can be found here.
Indeed this is not the first time the NSA’s practices have been questioned. The Verge reports that the agency is spending just under $1.6 billion a year on data processing and exploitation, while The New York Times added over the weekend that President Barack Obama himself has decided that the agency should reveal internet flaws to the general public, but only if it’s “a clear national security or law enforcement need.”
Nick Pickles, director of civil liberties group Big Brother Watch, told SCMagazineUK.com in an email correspondence that – if the rumors are true – it goes against what is supposed to be the NSA’s mission.
“There is a fundamental contradiction in having the NSA be responsible to cyber security and exploiting vulnerabilities in software,” Pickles said.
He added, “Whether or not the NSA knew about Heartbleed, the wider question about whether the NSA should have a duty to notify software producers of vulnerabilities in their products must be addressed. President Obama’s NSA review made clear that cyber offense and cyber defense should be done by separate organizations but that questions has been wholly ignored by the White House.”
The report could well see questions asked of the Obama administration and specifically on its intention to reform NSA actions and practices, but this is on the basis that Bloomberg’s story is correct.
Some in the industry have speculated on how true the story is. Via his Twitter handle, IT security expert Ashkan Soltani tentatively suggests that there simply may have been confusion between the reporter’s initial question on Heartbleed and the source’s more general comment on the NSA’s ability to monitor or break SSL.
Whatever the facts, Pickles explained that confident in online security is a founding principle upon which the global digital economy is built. If the general public begins to question that confidence and the government’s intentions in helping to sustain it, problems are bound to arise.
“This is such a critical question that it cannot be dealt with in vague assurances and Congress should put on a legal footing the government’s responsibilities to maintain the integrity of essential networks above potential intelligence benefits,” he added.
In an email correspondence with SCMagazineUK.com, Dave Lacey, futurologist at IOActive, added that while consumers should “not be surprised” if the intelligence agency has been exploiting the bug, cyber criminals are the ones that represent the greater risk.
“No security technology is 100 percent secure,” Lacey said. “There are always potential flaws in design, implementation, administration and use. The problem with Heartbleed illustrates the danger of technology monoculture. When something goes wrong the impact is potentially huge…fortunately the exploitation looks relatively difficult.”
Heartbleed was first brought to public attention on April 7 by researchers at Google and Finnish security firm, Codenomicon, who discovered that web servers and other kits running OpenSSL encryption system versions 1.0.1 to 1.0.1f could potentially be used by hackers to steal data without being traced.
The flaw – which is said to have affected two-thirds of websites that use OpenSSL as well as routers and networking gear from Cisco and Juniper Networks, introduced in early 2012 can be rectified as soon as web servers upgrade to a newer version of the open source software – such as 1.0.1g. Alternatively, should this not fix the problem, web developers are being urged to recompile applications to turn off the Heartbeat extension, while users of some web services have been recommended to change passwords.