When it bleeds, it pours.
The National Security Agency reportedly knew of and exploited the massive Internet bug revealed to the public this week and known now as “Heartbleed” in order to gather intelligence information on targets.
This new revelation packs an extra twist that other recent NSA leaks have lacked: Regardless of its purpose for intelligence gathering, the NSA may have known for years about a historic security flaw that may have affected up to two-thirds of the Internet. Instead of trying to repair that flaw—which has potentially impacted countless people—the NSA reportedly manipulated it in secret.
“Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost,” Bloomberg first reported Friday, citing two people “familiar” with the matter. “Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”
In a statement late Friday afternoon, the NSA denied the Bloomberg report. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” said agency spokeswoman Vanee Vines. “Reports that say otherwise are wrong.”
In a follow-up statement, NSC Spokesperson Caitlin Hayden said that the Obama administration “takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”
Unlike previous statements about alleged NSA activities, the statements made by the NSA and White House today are definitive, with little room for differing interpretations.
The Heartbleed bug was revealed publicly for the first time earlier this week, and has been described by numerous cybersecurity experts as one of the worst security glitches the web has ever encountered. Heartbleed is caused by a minor two-year-old coding flaw in OpenSSL, a program that is meant to provide extra protection to websites.
Considerable attention has been paid to Heartbleed’s potential use by criminal hackers to collect war chests filled with online passwords, personal information and banking data, but it remains unclear whether any such bad actors knew of or exploited it prior to its disclosure. A fix was rolled out five days ago, but concerns persist that much of the Internet’s security has been compromised.
Shortly after news of the bug broke earlier this week, some Internet freedom and privacy groups began speculating that intelligence agencies may have exploited Heartbleed for surveillance purposes. The Electronic Frontier Foundation suggested that earlier exploitation of the bug, detected in November of last year, “makes a little more sense for intelligence agencies than for commercial or lifestyle malware.”
Earlier Friday, the Department of Homeland Security issued guidance on Heartbleed, saying that “everyone has a role to play to ensuring [sic] our nation’s cybersecurity.”
This post was updated Friday afternoon after the NSA statement was released.