Did The NSA Know About Heartbleed?

Did The NSA Know About Heartbleed?

Did The NSA Know About Heartbleed?

As the world comes to terms with the full seriousness of the Heartbleed bug, questions are starting to be asked about the role that the National Security Agency (NSA) may have played in the security flaw. On the morning of Friday 11th April rumours started to circulate on social media sites such as Twitter and Reddit, and it wasn’t long before they were picked up by the mainstream press.

heartbleed

Bloomberg published an article claiming that two people close to the NSA had informed them that the infamous government agency had known about Heartbleed for as long as two years – using it to gather critical intelligence, obtain passwords, and grab other basic data that ultimately became the foundation for its recent-unveiled hacking operations.

Knowledge of the Heartbleed flaw supposedly allowed the agency to bypass strong encryption systems – the same systems that had been hailed by Edward Snowden as “one of the few things that you can rely on” in a Q&A session with British newspaper The Guardian in June 2013.

Social media users came down on both sides of the argument, some praising the NSA for using the bug to their advantage, whilst others criticised the agency for allowing the flaw to carry on for so long unreported.

nsa1

nsa2

nsa4

The agency initially declined to comment on the story, but by mid-afternoon they were forced to deny that they had any knowledge of the glitch. NSA spokesperson Vanee Vines issued the following statement to the media:

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong” 

The statement was quickly ridiculed, with people pointing out that given the NSA’s history of lying, there was no reason to suddenly believe them in this latest episode.

nsa3

nsa5 

As the rumours refused to die, the Federal Administration was forced to take action. The White House National Security Council Spokesperson Caitlin Hayden followed her NSA counterpart by issuing a statement on behalf of Barack Obama and the American government:

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL”

Although the story fans the flames of anger that many still feel after last year’s NSA spying revelations, it has to be pointed out that the practicalities of using Heartbleed to steal data are not particularly efficient for the agency.

As Wired Magazine points out, the nature of the bug means only 64kb data of system’s memory can be obtained by sending a query, and the data that is returned is entirely random. There is no limit to the number of queries that can be made, but nobody has yet come forward with method that proves the ability to reliably and consistently extract a server’s persistent key by using Heartbleed. Various challenges have started to emerge online to crack the code, with website optimisation company Cloudfare issuing the following statement:

“If it is possible [to retrieve a private key], it is at a minimum very hard. We have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible”.

That said, the NSA has held ambitions of cracking SSL to decrypt traffic for a long time. Since British press reported that in late 2013 the NSA and its UK counterpart GCHQ had successful hacked much of the encryption used to protect bank accounts, emails, and online transactions, there has been increasing speculation amongst security experts about whether the agency had finally achieved its goal.

Ultimately no one can be sure of whether the NSA was involved. Given the lack of hard evidence is would be dangerous to suggest that they were definitely aware of Heartbleed, but it could also be argued that there is no smoke without fire. It’s for you to decide.

Do you think the NSA was involved, or are the reports a result of the media taking advantage of the public’s sense of vulnerability? Let us know in the comments below.

Update: Since this article was first written least four people have independently solved Cloudfare’s Heartbleed Challenge. The first to do so was software engineer Fedor Indutny at NCSC-FI, roughly 9 hours after the challenge was first published. Fedor sent 2.5 million requests over the course of the day.

nsa6

It means website hosts now need start the expensive and time consuming job of revoking their SSL certificates. Failure to do so jeopardises both the site and its users because it means hackers that have the private keys can impersonate servers even if they have already been patched.

By Daniel Price

About Daniel Price

Daniel is a Manchester-born UK native who has abandoned cold and wet Northern Europe and currently lives on the Caribbean coast of Mexico. A former Financial Consultant, he now balances his time between writing articles for several industry-leading tech (CloudTweaks.com & MakeUseOf.com), sports, and travel sites and looking after his three dogs.

Find out more
View All Articles

Sorry, comments are closed for this post.

Comic
Using Cloud Technology In The Education Industry

Using Cloud Technology In The Education Industry

Education Tech and the Cloud Arguably one of society’s most important functions, teaching can still seem antiquated at times. Many schools still function similarly to how they did five or 10 years ago, which is surprising considering the amount of technical innovation we’ve seen in the past decade. Education is an industry ripe for innovation…

5% Of Companies Have Embraced The Digital Innovation Fostered By Cloud Computing

5% Of Companies Have Embraced The Digital Innovation Fostered By Cloud Computing

Embracing The Cloud We love the stories of big complacent industry leaders having their positions sledge hammered by nimble cloud-based competitors. Saleforce.com chews up Oracle’s CRM business. Airbnb has a bigger market cap than Marriott. Amazon crushes Walmart (and pretty much every other retailer). We say: “How could they have not seen this coming?” But, more…

What Futuristic Tech Will You See In Your Lifetime?

What Futuristic Tech Will You See In Your Lifetime?

Futuristic Tech The world and what people can do is increasingly being driven by technology. It has already shaped the world we live in, but over the next few decades it is set to shape the world in ways that we can barely imagine. There have already been some great leaps in IoT technology recently,…

The Lighter Side Of The Cloud – Hiding Spots

The Lighter Side Of The Cloud – Hiding Spots

By David Fletcher Please feel free to share our comics via social media networks such as Twitter, Facebook, LinkedIn, Instagram, Pinterest. Clear attribution (Twitter example: via@cloudtweaks) to our original comic sources is greatly appreciated.

Recent Articles - Posted by
Fintech Exploiting AI and Blockchain Technology

Fintech Exploiting AI and Blockchain Technology

AI and Blockchain Technology The field of artificial intelligence (AI) had progressed rapidly in the last ten years, though first recognized in the 1950s. From autonomous motor vehicles to digital personal assistants, the technology is making its way into a variety of industries, enabling better task automation, language processing, and data analytics. But more recently,…

Why Security Practitioners Need To Apply The 80-20 Rules To Data Security

Why Security Practitioners Need To Apply The 80-20 Rules To Data Security

The 80-20 Rule For Security Practitioners  Everyday we learn about yet another egregious data security breach, exposure of customer data or misuse of data. It begs the question why in this 21st century, as a security industry we cannot seem to secure our most valuable data assets when technology has surpassed our expectations in other regards.…

The Cancer Moonshot: Collaboration Is Key

The Cancer Moonshot: Collaboration Is Key

Cancer Moonshot In his final State of the Union address in January 2016, President Obama announced a new American “moonshot” effort: finding a cure for cancer. The term “moonshot” comes from one of America’s greatest achievements, the moon landing. If the scientific community can achieve that kind of feat, then surely it can rally around…

Don’t Be Intimidated By Data Governance

Don’t Be Intimidated By Data Governance

Data Governance Data governance, the understanding of the raw data of an organization is an area IT departments have historically viewed as a lose-lose proposition. Not doing anything means organizations run the risk of data loss, data breaches and data anarchy – no control, no oversight – the Wild West with IT is just hoping…

Get Ready For Virtual Reality and the Cloud

Get Ready For Virtual Reality and the Cloud

Virtual Reality Cloud We’re lucky to live in an era where virtual reality is no longer relegated to the confines of a sci-fi movie universe. Thanks to technology introduced by products like Oculus Rift, consumers now have access to virtual environments with fully immersive graphic capabilities. As a result, companies have only just begun to…

The Cloud Is Not Enough! Why Businesses Need Hybrid Solutions

The Cloud Is Not Enough! Why Businesses Need Hybrid Solutions

Why Businesses Need Hybrid Solutions Running a cloud server is no longer the novel trend it once was. Now, the cloud is a necessary data tier that allows employees to access vital company data and maintain productivity from anywhere in the world. But it isn’t a perfect system — security and performance issues can quickly…

Disaster Recovery – A Thing Of The Past!

Disaster Recovery – A Thing Of The Past!

Disaster Recovery  Ok, ok – I understand most of you are saying disaster recovery (DR) is still a critical aspect of running any type of operations. After all – we need to secure our future operations in case of disaster. Sure – that is still the case but things are changing – fast. There are…

Driving Success: 6 Key Metrics For Every Recurring Revenue Business

Driving Success: 6 Key Metrics For Every Recurring Revenue Business

Recurring Revenue Business Metrics Recurring revenue is the secret sauce behind the explosive growth of powerhouses like Netflix and Uber. Unsurprisingly, recurring revenue is also quickly gaining ground in more traditional industries like healthcare and the automotive business. In fact, nearly half of U.S. businesses have adopted or are planning to adopt a recurring revenue model,…

Cloud Infographic – Cloud Computing And SMEs

Cloud Infographic – Cloud Computing And SMEs

Cloud Computing And SMEs SMEs (Small/Medium Sized Enterprises) make up the bulk of businesses today. Most cloud based applications created today are geared toward the SME market. Accounting, Storage, Backup services are just a few of them. According to the European Commission, cloud based technology could help 80% of organisations reduce costs by 10-20%. This infographic provided…

Big Data – Top Critical Technology Trend For The Next Five Years

Big Data – Top Critical Technology Trend For The Next Five Years

Big Data Future Today’s organizations should become more collaborative, virtual, adaptive, and agile in order to be successful in complex business world. They should be able to respond to changes and market needs. Many organizations found that the valuable data they possess and how they use it can make them different than others. In fact,…

Low Cost Cloud Computing Gives Rise To Startups

Low Cost Cloud Computing Gives Rise To Startups

Balancing The Playing Field For Startups According to a Goldman Sachs report, cloud infrastructure and platform spending could reach $43 billion by 2018, which is up $16 billion from last year, representing a growth of around 30% from 2013 said the analyst. This phenomenal growth is laying the foundation for a new breed of startup…

Infographic Introduction – Benefits of Cloud Computing

Infographic Introduction – Benefits of Cloud Computing

Benefits of Cloud Computing Based on Aberdeen Group’s Computer Intelligence Dataset, there are more than 1.6 billion permutations to choose from when it comes to cloud computing solutions. So what, on the face of it, appears to be pretty simple is actually both complex and dynamic regardless of whether you’re in the market for networking,…