Did The NSA Know About Heartbleed?

Did The NSA Know About Heartbleed?

Did The NSA Know About Heartbleed?

As the world comes to terms with the full seriousness of the Heartbleed bug, questions are starting to be asked about the role that the National Security Agency (NSA) may have played in the security flaw. On the morning of Friday 11th April rumours started to circulate on social media sites such as Twitter and Reddit, and it wasn’t long before they were picked up by the mainstream press.

heartbleed

Bloomberg published an article claiming that two people close to the NSA had informed them that the infamous government agency had known about Heartbleed for as long as two years – using it to gather critical intelligence, obtain passwords, and grab other basic data that ultimately became the foundation for its recent-unveiled hacking operations.

Knowledge of the Heartbleed flaw supposedly allowed the agency to bypass strong encryption systems – the same systems that had been hailed by Edward Snowden as “one of the few things that you can rely on” in a Q&A session with British newspaper The Guardian in June 2013.

Social media users came down on both sides of the argument, some praising the NSA for using the bug to their advantage, whilst others criticised the agency for allowing the flaw to carry on for so long unreported.

nsa1

nsa2

nsa4

The agency initially declined to comment on the story, but by mid-afternoon they were forced to deny that they had any knowledge of the glitch. NSA spokesperson Vanee Vines issued the following statement to the media:

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong” 

The statement was quickly ridiculed, with people pointing out that given the NSA’s history of lying, there was no reason to suddenly believe them in this latest episode.

nsa3

nsa5 

As the rumours refused to die, the Federal Administration was forced to take action. The White House National Security Council Spokesperson Caitlin Hayden followed her NSA counterpart by issuing a statement on behalf of Barack Obama and the American government:

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL”

Although the story fans the flames of anger that many still feel after last year’s NSA spying revelations, it has to be pointed out that the practicalities of using Heartbleed to steal data are not particularly efficient for the agency.

As Wired Magazine points out, the nature of the bug means only 64kb data of system’s memory can be obtained by sending a query, and the data that is returned is entirely random. There is no limit to the number of queries that can be made, but nobody has yet come forward with method that proves the ability to reliably and consistently extract a server’s persistent key by using Heartbleed. Various challenges have started to emerge online to crack the code, with website optimisation company Cloudfare issuing the following statement:

“If it is possible [to retrieve a private key], it is at a minimum very hard. We have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible”.

That said, the NSA has held ambitions of cracking SSL to decrypt traffic for a long time. Since British press reported that in late 2013 the NSA and its UK counterpart GCHQ had successful hacked much of the encryption used to protect bank accounts, emails, and online transactions, there has been increasing speculation amongst security experts about whether the agency had finally achieved its goal.

Ultimately no one can be sure of whether the NSA was involved. Given the lack of hard evidence is would be dangerous to suggest that they were definitely aware of Heartbleed, but it could also be argued that there is no smoke without fire. It’s for you to decide.

Do you think the NSA was involved, or are the reports a result of the media taking advantage of the public’s sense of vulnerability? Let us know in the comments below.

Update: Since this article was first written least four people have independently solved Cloudfare’s Heartbleed Challenge. The first to do so was software engineer Fedor Indutny at NCSC-FI, roughly 9 hours after the challenge was first published. Fedor sent 2.5 million requests over the course of the day.

nsa6

It means website hosts now need start the expensive and time consuming job of revoking their SSL certificates. Failure to do so jeopardises both the site and its users because it means hackers that have the private keys can impersonate servers even if they have already been patched.

By Daniel Price

About Daniel Price

Daniel is a Manchester-born UK native who has abandoned cold and wet Northern Europe and currently lives on the Caribbean coast of Mexico. A former Financial Consultant, he now balances his time between writing articles for several industry-leading tech (CloudTweaks.com & MakeUseOf.com), sports, and travel sites and looking after his three dogs.

Find out more
View All Articles

Sorry, comments are closed for this post.

Risks Of Virtualization In Public And Private Clouds

Risks Of Virtualization In Public And Private Clouds

Risks Of Virtualization Server virtualization is one of the cornerstone technologies of the cloud. The ability to create multiple virtual servers that can run any operating system on a single physical server has a lot of advantages. These advantages can appear in public, Infrastructure as a Service (IaaS), as well as in private clouds. However,…

The Global Rise of Cloud Computing

The Global Rise of Cloud Computing

The Global Rise of Cloud Computing Despite the rapid growth of cloud computing, the cloud still commands a small portion of overall enterprise IT spending. Estimates I’ve seen put the percentage between 5% and 10% of the slightly more than $2 trillion (not including telco) spent worldwide in 2014 on enterprise IT. Yet growth projections…

The Success Formula For Private Cloud Deployments

The Success Formula For Private Cloud Deployments

OpenStack For Private Clouds On February 15th Tom Bittman of Gartner published a blog which asserted that 95% of Private Clouds are Failing. When an industry analyst makes a statement that big, in one of the top three priorities for enterprise CIOs today, it’s critical that we as an industry step back and understand how we…

IoT Rapid Expansion Throughout The World

IoT Rapid Expansion Throughout The World

IoT Rapid Expansion Cyber Physical Systems (CPS) are a nomenclature used to define the world beyond IoT devices. CPS includes the robotic and automation systems that interact with the IoT devices. Based on that changing landscape I have come to realize that CPS and by default IoT devices actually have three distinct concerns. The three…

Destroying Cloud Data In The Age Of Data Multiplication

Destroying Cloud Data In The Age Of Data Multiplication

The Age of Data Multiplication We are surrounded by data, whether in our personal or professional lives with digital elements that are constantly being captured about us. This leads to exponentially increasing volumes of data whether from Internet-connected devices, video, cell records, customer transactions, healthcare and government records. Today, there is a growing awareness and…

Four Reasons Why CIOs Must Transform IT Into ITaaS To Survive

Four Reasons Why CIOs Must Transform IT Into ITaaS To Survive

CIOs Must Transform IT The emergence of the Cloud and its three delivery models of Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) has dramatically impacted and forever changed the delivery of IT services. Cloud services have pierced the veil of IT by challenging traditional method’s dominance…

Even Companies With A “Cloud First” Strategy Have Lingering Security Concerns

Even Companies With A “Cloud First” Strategy Have Lingering Security Concerns

Lingering Security Concerns Considering the cost and time-to-market advantages of SaaS applications in particular, it’s no surprise that companies are looking to the cloud to meet their business objectives. But what happens when a ‘cloud first’ company must also put security and compliance first? In a recent Bitglass survey report from a cloud access security…

CloudTweaks is recognized as one of the leading influencers in cloud computing, infosec, big data and the internet of things (IoT) information. Our goal is to continue to build our growing information portal by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

Advertising