When it bleeds, it pours.
The National Security Agency reportedly knew of and exploited the massive Internet bug revealed to the public this week and known now as “Heartbleed” in order to gather intelligence information on targets.
This new revelation packs an extra twist that other recent NSA leaks have lacked: Regardless of its purpose for intelligence gathering, the NSA may have known for years about a historic security flaw that may have affected up to two-thirds of the Internet. Instead of trying to repair that flaw—which has potentially impacted countless people—the NSA reportedly manipulated it in secret.
“Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost,” Bloomberg first reported Friday, citing two people “familiar” with the matter. “Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”
In a statement late Friday afternoon, the NSA denied the Bloomberg report. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” said agency spokeswoman Vanee Vines. “Reports that say otherwise are wrong.”
In a follow-up statement, NSC Spokesperson Caitlin Hayden said that the Obama administration “takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”
Unlike previous statements about alleged NSA activities, the statements made by the NSA and White House today are definitive, with little room for differing interpretations.
The Heartbleed bug was revealed publicly for the first time earlier this week, and has been described by numerous cybersecurity experts as one of the worst security glitches the web has ever encountered. Heartbleed is caused by a minor two-year-old coding flaw in OpenSSL, a program that is meant to provide extra protection to websites.
Considerable attention has been paid to Heartbleed’s potential use by criminal hackers to collect war chests filled with online passwords, personal information and banking data, but it remains unclear whether any such bad actors knew of or exploited it prior to its disclosure. A fix was rolled out five days ago, but concerns persist that much of the Internet’s security has been compromised.
Some Internet freedom and privacy groups began speculating that intelligence agencies may have exploited Heartbleed for surveillance purposes shortly after news of the bug broke earlier this week. The Electronic Frontier Foundation suggested that earlier exploitation of the bug, detected in November of last year, “makes a little more sense for intelligence agencies than for commercial or lifestyle malware.”
Earlier Friday, the Department of Homeland Security issued guidance on Heartbleed, saying that “everyone has a role to play to ensuring [sic] our nation’s cybersecurity.”
This post was updated Friday afternoon after the NSA statement was released.