Did The NSA Know About Heartbleed?

Did The NSA Know About Heartbleed?

Did The NSA Know About Heartbleed?

As the world comes to terms with the full seriousness of the Heartbleed bug, questions are starting to be asked about the role that the National Security Agency (NSA) may have played in the security flaw. On the morning of Friday 11th April rumours started to circulate on social media sites such as Twitter and Reddit, and it wasn’t long before they were picked up by the mainstream press.

Bloomberg published an article claiming that two people close to the NSA had informed them that the infamous government agency had known about Heartbleed for as long as two years – using it to gather critical intelligence, obtain passwords, and grab other basic data that ultimately became the foundation for its recent-unveiled hacking operations.

Knowledge of the Heartbleed flaw supposedly allowed the agency to bypass strong encryption systems – the same systems that had been hailed by Edward Snowden as “one of the few things that you can rely on” in a Q&A session with British newspaper The Guardian in June 2013.

Social media users came down on both sides of the argument, some praising the NSA for using the bug to their advantage, whilst others criticised the agency for allowing the flaw to carry on for so long unreported.

nsa1

nsa2

nsa4

The agency initially declined to comment on the story, but by mid-afternoon they were forced to deny that they had any knowledge of the glitch. NSA spokesperson Vanee Vines issued the following statement to the media:

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong” 

The statement was quickly ridiculed, with people pointing out that given the NSA’s history of lying, there was no reason to suddenly believe them in this latest episode.

nsa3

nsa5 

As the rumours refused to die, the Federal Administration was forced to take action. The White House National Security Council Spokesperson Caitlin Hayden followed her NSA counterpart by issuing a statement on behalf of Barack Obama and the American government:

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL”

Although the story fans the flames of anger that many still feel after last year’s NSA spying revelations, it has to be pointed out that the practicalities of using Heartbleed to steal data are not particularly efficient for the agency.

As Wired Magazine points out, the nature of the bug means only 64kb data of system’s memory can be obtained by sending a query, and the data that is returned is entirely random. There is no limit to the number of queries that can be made, but nobody has yet come forward with method that proves the ability to reliably and consistently extract a server’s persistent key by using Heartbleed. Various challenges have started to emerge online to crack the code, with website optimisation company Cloudfare issuing the following statement:

“If it is possible [to retrieve a private key], it is at a minimum very hard. We have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible”.

That said, the NSA has held ambitions of cracking SSL to decrypt traffic for a long time. Since British press reported that in late 2013 the NSA and its UK counterpart GCHQ had successful hacked much of the encryption used to protect bank accounts, emails, and online transactions, there has been increasing speculation amongst security experts about whether the agency had finally achieved its goal.

Ultimately no one can be sure of whether the NSA was involved. Given the lack of hard evidence is would be dangerous to suggest that they were definitely aware of Heartbleed, but it could also be argued that there is no smoke without fire. It’s for you to decide.

Do you think the NSA was involved, or are the reports a result of the media taking advantage of the public’s sense of vulnerability? Let us know in the comments below.

Update: Since this article was first written least four people have independently solved Cloudfare’s Heartbleed Challenge. The first to do so was software engineer Fedor Indutny at NCSC-FI, roughly 9 hours after the challenge was first published. Fedor sent 2.5 million requests over the course of the day.

nsa6

It means website hosts now need start the expensive and time consuming job of revoking their SSL certificates. Failure to do so jeopardises both the site and its users because it means hackers that have the private keys can impersonate servers even if they have already been patched.

By Daniel Price

Follow Me!

Daniel Price

Daniel is a Manchester-born UK native who has abandoned cold and wet Northern Europe and currently lives on the Caribbean coast of Mexico. A former Financial Consultant, he now balances his time between writing articles for several industry-leading tech (CloudTweaks.com & MakeUseOf.com), sports, and travel sites and looking after his three dogs.
Follow Me!

Sorry, comments are closed for this post.


CloudTweaks Sponsors - Find out more!

Popular

Top Viral Impact

Cloud Infographic – Monetizing Internet Of Things

Cloud Infographic – Monetizing Internet Of Things

Cloud Infographic – Monetizing Internet Of Things There are many interesting ways in which companies are looking to connect devices to the cloud. From the vehicles to kitchen appliances the internet of things is already a $1.9 trillion dollar market based on research estimates from IDC. Included is a fascinating infographic provided by AriaSystems which shows us some…

BYOD Will Continue To Define Workplaces In 2014

BYOD Will Continue To Define Workplaces In 2014

BYOD Will Continue To Define Workplaces In 2014 The bring-your-own-device trend has been the subject of scrutiny ever since its initial formation. Given how quickly personal smartphones and tablets became a fixture in everyday life, it makes perfect sense that these mobile machines would slip into workplaces. While BYOD has caused headaches for many businesses,…

The Future Of Work: What Cloud Technology Has Allowed Us To Do Better

The Future Of Work: What Cloud Technology Has Allowed Us To Do Better

The Future of Work: What Cloud Technology Has Allowed Us to Do Better The cloud has made our working lives easier, with everything from virtually unlimited email storage to access-from-anywhere enterprise resource planning (ERP) systems. It’s no wonder the 2013 cloud computing research IDG survey revealed at least 84 percent of the companies surveyed run at…

The Lighter Side Of The Cloud – Holiday Photos

The Lighter Side Of The Cloud – Holiday Photos

The Lighter Side Of The Cloud – Holiday Photos Enjoy our weekly comics provided by our talented cartoonists. By David Fletcher About Latest Posts Follow Me!Daniel PriceDaniel is a Manchester-born UK native who has abandoned cold and wet Northern Europe and currently lives on the Caribbean coast of Mexico. A former Financial Consultant, he now…


Established in 2009, CloudTweaks is recognized as one of the leading influencers in cloud computing, big data and internet of things (IoT) information. Our goal is to continue to build our growing information portal, by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

You can help continue to support our community by social sharing, sponsoring, partnering or contributing to this great educational resource.

Contact

CloudTweaks Media
Phone: 1 (212) 763-0021
contact@cloudtweaks.com

Join our newsletter