NSA Reportedly Exploited Heartbleed For Spying — But Strongly Denies the Allegation

Because the agency hasn’t already reportedly done enough.

National Journal
Dustin Volz and Matt Berman
April 11, 2014, 11:20 a.m.

When it bleeds, it pours.

The National Security Agency reportedly knew of and exploited the massive Internet bug revealed to the public this week and known now as “Heartbleed” in order to gather intelligence information on targets.

This new revelation packs an extra twist that other recent NSA leaks have lacked: Regardless of its purpose for intelligence gathering, the NSA may have known for years about a historic security flaw that may have affected up to two-thirds of the Internet. Instead of trying to repair that flaw—which has potentially impacted countless people—the NSA reportedly manipulated it in secret.

“Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost,” Bloomberg first reported Friday, citing two people “familiar” with the matter. “Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”

In a statement late Friday afternoon, the NSA denied the Bloomberg report. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” said agency spokeswoman Vanee Vines. “Reports that say otherwise are wrong.”

In a follow-up statement, NSC Spokesperson Caitlin Hayden said that the Obama administration “takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

Unlike previous statements about alleged NSA activities, the statements made by the NSA and White House today are definitive, with little room for differing interpretations.

The Heartbleed bug was revealed publicly for the first time earlier this week, and has been described by numerous cybersecurity experts as one of the worst security glitches the web has ever encountered. Heartbleed is caused by a minor two-year-old flaw in software coding of a program known as OpenSSL that is meant to provide extra protection to websites.

Considerable attention has been paid to Heartbleed’s potential use by criminal hackers to collect war chests filled with online passwords, personal information and banking data, but it remains unclear whether any such bad actors knew of or exploited it prior to its disclosure. A fix was rolled out five days ago, but concerns persist that much of the Internet’s security has been compromised.

Some Internet freedom and privacy groups began speculating that intelligence agencies may have exploited Heartbleed for surveillance purposes shortly after news of the bug broke earlier this week. The Electronic Frontier Foundation suggested earlier exploitations of the bug detected in November of last year “makes a little more sense for intelligence agencies than for commercial or lifestyle malware.”

Earlier Friday, the Department of Homeland Security issued guidance on Heartbleed, saying that “everyone has a role to play to ensuring [sic] our nation’s cybersecurity.”

This post was updated Friday afternoon after the NSA statement was released.
