Did The NSA Know About Heartbleed?

Did The NSA Know About Heartbleed?

Did The NSA Know About Heartbleed?

As the world comes to terms with the full seriousness of the Heartbleed bug, questions are starting to be asked about the role that the National Security Agency (NSA) may have played in the security flaw. On the morning of Friday 11th April rumours started to circulate on social media sites such as Twitter and Reddit, and it wasn’t long before they were picked up by the mainstream press.

heartbleed

Bloomberg published an article claiming that two people close to the NSA had informed them that the infamous government agency had known about Heartbleed for as long as two years – using it to gather critical intelligence, obtain passwords, and grab other basic data that ultimately became the foundation for its recent-unveiled hacking operations.

Knowledge of the Heartbleed flaw supposedly allowed the agency to bypass strong encryption systems – the same systems that had been hailed by Edward Snowden as “one of the few things that you can rely on” in a Q&A session with British newspaper The Guardian in June 2013.

Social media users came down on both sides of the argument, some praising the NSA for using the bug to their advantage, whilst others criticised the agency for allowing the flaw to carry on for so long unreported.

nsa1

nsa2

nsa4

The agency initially declined to comment on the story, but by mid-afternoon they were forced to deny that they had any knowledge of the glitch. NSA spokesperson Vanee Vines issued the following statement to the media:

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong” 

The statement was quickly ridiculed, with people pointing out that given the NSA’s history of lying, there was no reason to suddenly believe them in this latest episode.

nsa3

nsa5 

As the rumours refused to die, the Federal Administration was forced to take action. The White House National Security Council Spokesperson Caitlin Hayden followed her NSA counterpart by issuing a statement on behalf of Barack Obama and the American government:

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL”

Although the story fans the flames of anger that many still feel after last year’s NSA spying revelations, it has to be pointed out that the practicalities of using Heartbleed to steal data are not particularly efficient for the agency.

As Wired Magazine points out, the nature of the bug means only 64kb data of system’s memory can be obtained by sending a query, and the data that is returned is entirely random. There is no limit to the number of queries that can be made, but nobody has yet come forward with method that proves the ability to reliably and consistently extract a server’s persistent key by using Heartbleed. Various challenges have started to emerge online to crack the code, with website optimisation company Cloudfare issuing the following statement:

“If it is possible [to retrieve a private key], it is at a minimum very hard. We have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible”.

That said, the NSA has held ambitions of cracking SSL to decrypt traffic for a long time. Since British press reported that in late 2013 the NSA and its UK counterpart GCHQ had successful hacked much of the encryption used to protect bank accounts, emails, and online transactions, there has been increasing speculation amongst security experts about whether the agency had finally achieved its goal.

Ultimately no one can be sure of whether the NSA was involved. Given the lack of hard evidence is would be dangerous to suggest that they were definitely aware of Heartbleed, but it could also be argued that there is no smoke without fire. It’s for you to decide.

Do you think the NSA was involved, or are the reports a result of the media taking advantage of the public’s sense of vulnerability? Let us know in the comments below.

Update: Since this article was first written least four people have independently solved Cloudfare’s Heartbleed Challenge. The first to do so was software engineer Fedor Indutny at NCSC-FI, roughly 9 hours after the challenge was first published. Fedor sent 2.5 million requests over the course of the day.

nsa6

It means website hosts now need start the expensive and time consuming job of revoking their SSL certificates. Failure to do so jeopardises both the site and its users because it means hackers that have the private keys can impersonate servers even if they have already been patched.

By Daniel Price

About Daniel Price

Daniel is a Manchester-born UK native who has abandoned cold and wet Northern Europe and currently lives on the Caribbean coast of Mexico. A former Financial Consultant, he now balances his time between writing articles for several industry-leading tech (CloudTweaks.com & MakeUseOf.com), sports, and travel sites and looking after his three dogs.

Find out more
View All Articles

Sorry, comments are closed for this post.

Comic
Pitney Bowes Selects Aria Systems for Billing on the New Commerce Cloud

Pitney Bowes Selects Aria Systems for Billing on the New Commerce Cloud

Top-Ranked Cloud Billing Company Enables Greater Speed and Frictionless Billing for Unparalleled Customer Experience San Francisco, CA – August 23, 2016 – Aria Systems, which helps enterprises grow subscription and usage-based revenue, today announced that Pitney Bowes has selected Aria’s cloud-based monetization platform as the key billing and monetization component of their new Commerce Cloud…

The Golden Age of Wearable Technology

The Golden Age of Wearable Technology

The Golden Age One of the biggest fads in the technology sector right now is wearable tech. From Smartwatches that let you check your emails, chat with friends and search the web, to fitness accessories that monitor your heart rate and your sleep patterns, this is truly the Golden Age of wearable technology. But some…

Marketing Execs Beefing Up on Martech Strategies

Marketing Execs Beefing Up on Martech Strategies

Martech Strategies As budgets shift from traditional marketing streams to marketing technology, it’s essential that both marketers and business leaders understand marketing technology and keep up with the developments. According to eMarketer, 78% of US senior marketers surveyed believe gaining this understanding of marketing technology is increasingly relevant to their success, and the majority of…

4 Monetization Models For The Digital Business Era

4 Monetization Models For The Digital Business Era

4 Monetization Models Digital business is expected to generate billions in new revenue in the next four to five years. However, MGI Research predicts that digital businesses will need to increase their time to market by 40 percent. Many global executives admit they are unprepared to monetize their operations. The million dollar question is: how…

Cybersecurity Experts Racing to Keep Pace with Growing Cyber Threats

Cybersecurity Experts Racing to Keep Pace with Growing Cyber Threats

The cyberwar is on! At this stage of the game, the stakes are higher than ever, and safeguarding networks from cyberattacks is a devilish combination of Chicken and Cat-and-Mouse. Attacks are now so commonplace that many events of serious cybersecurity breaches go uncovered by mainstream media. Despite the rapid advancements in IT security technology, hackers…

Are Cloud Solutions Secure Enough Out-of-the-box?

Are Cloud Solutions Secure Enough Out-of-the-box?

Out-of-the-box Cloud Solutions Although people may argue that data is not safe in the Cloud because using cloud infrastructure requires trusting another party to look after mission critical data, cloud services actually are more secure than legacy systems. In fact, a recent study on the state of cloud security in the enterprise market revealed that…

Rounding Out Your Security Strategy With The Enterprise Cloud

Rounding Out Your Security Strategy With The Enterprise Cloud

Enterprise Cloud Security Strategy No company wants to be the one to have to announce one of the world’s biggest data breaches. From managing networks and datacenters to protecting hundreds of applications, today’s enterprises face enormous challenges. With all the surface area that needs to be tracked and protected including APIs on the front-end, customer integrations…

The Cancer Moonshot: Collaboration Is Key

The Cancer Moonshot: Collaboration Is Key

Cancer Moonshot In his final State of the Union address in January 2016, President Obama announced a new American “moonshot” effort: finding a cure for cancer. The term “moonshot” comes from one of America’s greatest achievements, the moon landing. If the scientific community can achieve that kind of feat, then surely it can rally around…

Data Breaches: Incident Response Planning – Part 1

Data Breaches: Incident Response Planning – Part 1

Incident Response Planning – Part 1 The topic of cybersecurity has become part of the boardroom agendas in the last couple of years, and not surprisingly — these days, it’s almost impossible to read news headlines without noticing yet another story about a data breach. As cybersecurity shifts from being a strictly IT issue to…

Driving Success: 6 Key Metrics For Every Recurring Revenue Business

Driving Success: 6 Key Metrics For Every Recurring Revenue Business

Recurring Revenue Business Metrics Recurring revenue is the secret sauce behind the explosive growth of powerhouses like Netflix and Uber. Unsurprisingly, recurring revenue is also quickly gaining ground in more traditional industries like healthcare and the automotive business. In fact, nearly half of U.S. businesses have adopted or are planning to adopt a recurring revenue model,…

The Business of Security: Avoiding Risks

The Business of Security: Avoiding Risks

The Business of Security Security is one of those IT concerns that aren’t problematic until disaster strikes. It might be tomorrow, it could be next week or next year. The fact is that poor security leaves businesses wide open for data loss and theft. News outlets just skim the surface, but hackers cost business up…

How Data Science And Machine Learning Is Enabling Cloud Threat Protection

How Data Science And Machine Learning Is Enabling Cloud Threat Protection

Data Science and Machine Learning Security breaches have been consistently rising in the past few years. Just In 2015, companies detected 38 percent more security breaches than in the previous year, according to PwC’s Global State of Information Security Survey 2016. Those breaches are a major expense — an average of $3.79 million per company,…

Unusual Clandestine Cloud Data Centre Service Locations

Unusual Clandestine Cloud Data Centre Service Locations

Unusual Clandestine Cloud Data Centre Service Locations Everyone knows what the cloud is, but does everybody know where the cloud is? We try to answer that as we look at some of the most unusual data centre locations in the world. Under the Eyes of a Deity Deep beneath the famous Uspenski Cathedral in the…

Cloud Infographic – Cloud Computing And SMEs

Cloud Infographic – Cloud Computing And SMEs

Cloud Computing And SMEs SMEs (Small/Medium Sized Enterprises) make up the bulk of businesses today. Most cloud based applications created today are geared toward the SME market. Accounting, Storage, Backup services are just a few of them. According to the European Commission, cloud based technology could help 80% of organisations reduce costs by 10-20%. This infographic provided…

Cloud Infographic – The Data Scientist

Cloud Infographic – The Data Scientist

Data Scientist Report The amount of data in our world has been exploding in recent years. Managing big data has become an integral part of many businesses, generating billions of dollars of competitive innovations, productivity and job growth. Forecasting where the big data industry is going has become vital to corporate strategy. Enter the Data…