Google Knew About Heartbleed and Didn’t Tell the Government

Federal systems remained vulnerable to hackers even after researchers identified the bug.

The Heartbleed logo provided through 
National Journal
Brendan Sasso
April 14, 2014, 11:31 a.m.

Google knew about a crit­ic­al flaw in In­ter­net se­cur­ity, but it didn’t alert any­one in the gov­ern­ment.

Neel Me­hta, a Google en­gin­eer, first dis­covered “Heart­bleed” — a bug that un­der­mines the widely used en­cryp­tion tech­no­logy OpenSSL — some time in March. A team at the Finnish se­cur­ity firm Code­nomi­con dis­covered the flaw around the same time. Google was able to patch most of its ser­vices — such as email, search, and You­Tube — be­fore the com­pan­ies pub­li­cized the bug on April 7.

The re­search­ers also no­ti­fied a hand­ful of oth­er com­pan­ies about the bug be­fore go­ing pub­lic. The se­cur­ity firm Cloud­Flare, for ex­ample, said it fixed the flaw on March 31.

But the White House said Fri­day that no one in the fed­er­al gov­ern­ment knew about the prob­lem un­til April. The ad­min­is­tra­tion made the state­ment to deny an earli­er Bloomberg re­port that the Na­tion­al Se­cur­ity Agency had been ex­ploit­ing Heart­bleed for years.

“Re­ports that NSA or any oth­er part of the gov­ern­ment were aware of the so-called Heart­bleed vul­ner­ab­il­ity be­fore April 2014 are wrong. The Fed­er­al gov­ern­ment was not aware of the re­cently iden­ti­fied vul­ner­ab­il­ity in OpenSSL un­til it was made pub­lic in a private sec­tor cy­ber­se­cur­ity re­port,” Caitlin Hay­den, a White House spokes­wo­man, said in a state­ment.

“If the fed­er­al gov­ern­ment, in­clud­ing the in­tel­li­gence com­munity, had dis­covered this vul­ner­ab­il­ity pri­or to last week, it would have been dis­closed to the com­munity re­spons­ible for OpenSSL.”

Hay­den emailed to cla­ri­fy that the “private sec­tor cy­ber­se­cur­ity re­port” refers to the April 7 an­nounce­ment. 

Asked wheth­er Google dis­cussed Heart­bleed with the gov­ern­ment, a com­pany spokes­wo­man said only that the “se­cur­ity of our users’ in­form­a­tion is a top pri­or­ity” and that Google users do not need to change their pass­words.

Com­pan­ies of­ten wait to pub­li­cize a se­cur­ity flaw so they can have time to patch their own ser­vices. But keep­ing the bug secret from the U.S. gov­ern­ment may have left fed­er­al sys­tems vul­ner­able to hack­ers. The IRS said it’s not aware of any vul­ner­ab­il­it­ies in its sys­tem, but oth­er agen­cies that use OpenSSL could have been leak­ing private in­form­a­tion to hack­ers. 

The gov­ern­ment en­cour­ages com­pan­ies to re­port cy­ber­se­cur­ity is­sues to the U.S. Com­puter Emer­gency Read­i­ness Team, which is housed in the Home­land Se­cur­ity De­part­ment. US-CERT has a 24-hour op­er­a­tions cen­ter that re­sponds to se­cur­ity threats and vul­ner­ab­il­it­ies.

Chris­toph­er Sog­hoi­an, the prin­cip­al tech­no­lo­gist for the Amer­ic­an Civil Liber­ties Uni­on, said the U.S. gov­ern­ment only has it­self to blame if tech com­pan­ies don’t trust it to handle sens­it­ive se­cur­ity in­form­a­tion.

He said that be­cause gov­ern­ment agen­cies of­ten share in­form­a­tion with each oth­er, there’s no way for a com­pany to be sure the NSA won’t get in­form­a­tion shared with an­oth­er agency and use it to hack in­to private com­mu­nic­a­tions.

“I sus­pect that over the past eight months, many com­pan­ies have taken a real hard look at their ex­ist­ing policies about tip­ping off the U.S. gov­ern­ment,” he said. “That’s the price you pay when you’re act­ing like an out-of-con­trol of­fens­ive ad­versary.”

{{ BIZOBJ (video: 4883) }}

What We're Following See More »
Trump Won’t Debate Sanders After All
1 hours ago

Trump, in a statement: “Based on the fact that the Democratic nominating process is totally rigged and Crooked Hillary Clinton and Deborah Wasserman Schultz will not allow Bernie Sanders to win, and now that I am the presumptive Republican nominee, it seems inappropriate that I would debate the second place finisher. ... I will wait to debate the first place finisher in the Democratic Party, probably Crooked Hillary Clinton, or whoever it may be.”

Airbag Recalls Target 12 Million Automobiles
4 hours ago

"The National Highway Traffic Safety Administration identified on Friday the makes and models of 12 million cars and motorcycles that have been recalled because of defective air bag inflators made by Japanese supplier Takata. The action includes 4.3 million Chryslers; 4.5 million Hondas; 1.6 million Toyotas; 731,000 Mazdas; 402,000 Nissans; 383,000 Subarus; 38,000 Mitsubishis; and 2,800 Ferraris. ... Analysts have said it could take years for all of the air bags to be replaced. Some have questioned whether Takata can survive the latest blow."

Secret Service Disciplines 41 Agents Over Chaffetz Leak
4 hours ago

Homeland Security Secretary Jeh Johnson says 41 Secret Service agents have been disciplined in the fallout of an investigation over the agency's leak of personnel files. The leaker, who has resigned, released records showing that Oversight and Government Reform Chair Jason Chaffetz—who was leading an investigation of Secret Service security lapses—had applied for a job at the agency years before. The punishments include reprimands and suspension without pay. "Like many others I was appalled by the episode reflected in the Inspector General’s report, which brought real discredit to the Secret Service," said Johnson.

Romney Talks Cost of His Futile Anti-Trump Fight
6 hours ago

Mitt Romney spoke in an interview with the Wall Street Journal about his decision to challenge Donald Trump. “Friends warned me, ‘Don’t speak out, stay out of the fray,’ because criticizing Mr. Trump will only help him by giving him someone else to attack. They were right. I became his next target, and the incoming attacks have been constant and brutal.” Still, "I wanted my grandkids to see that I simply couldn’t ignore what Mr. Trump was saying and doing, which revealed a character and temperament unfit for the leader of the free world.”

Puerto Rico Relief Stalled on the Hill
6 hours ago

"A bill to help Puerto Rico handle its $70 billion debt crisis is facing an uncertain future in the Senate. No Senate Democrats have endorsed a bill backed by House Speaker Paul Ryan and Minority Leader Nancy Pelosi, while some are actively fighting it. ... On the Republican side, senators say they’re hopeful to pass a bill but don’t know if they can support the current legislation — which is expected to win House approval given its backing from leaders in that chamber."