The National Security Agency has known about the Heartbleed bug, which affects as many as two-thirds of the world's web servers, for over two years and has been actively exploiting it, according to reports. However, not long after the report surfaced, the NSA denied knowing about the bug before the public did, and called the reports "wrong."
The revelation, which is likely to outrage a security industry already furious at the NSA, comes by way of Bloomberg, which cites two unidentified sources and reports:
“Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost…The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.”
The Office of the Director of National Intelligence issued the following statement:
NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.
In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
The news comes as companies and governments are still reeling from last week's disclosure of Heartbleed, a bug in OpenSSL, the open source library that implements the SSL/TLS protocols used to encrypt passwords and other sensitive data in transit. The flaw is a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension: a client may ask the server to echo back a small payload while declaring a payload length far larger than what it actually sent, and an unpatched server copies that many bytes, up to 64 KB per request, from whatever happens to sit in its memory into the reply. That memory can hold session cookies, passwords and the server's private key, and the attack leaves nothing in the server's logs. The vulnerability has exposed companies like Yahoo and Google, as well as hardware providers like Cisco, and led the Canadian government to temporarily shut down its online tax filing service.
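To make the mechanism concrete, here is a simplified model of the heartbeat handling, added as an illustration for this article and not OpenSSL's own code. The record layout follows RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding); the buffer size, the planted secret and the request are all constructed for the example. The two responders differ only in whether they apply the bounds check that OpenSSL 1.0.1g added: header plus declared payload plus minimum padding must not exceed the number of bytes actually received.

```c
#include <stdint.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16    /* RFC 6520: at least 16 bytes of padding */
#define CONN_BUF_SIZE  4096  /* size of the modelled receive buffer (assumption) */

/* Constructed model of one connection's memory: the received heartbeat record
 * sits at the front of mem and whatever else the process holds (here a planted
 * secret) follows it. record_len is how many bytes actually arrived. */
typedef struct { unsigned char mem[CONN_BUF_SIZE]; size_t record_len; } conn_t;

/* Build a heartbeat request: type | 16-bit length | payload | padding.
 * claimed_len goes into the length field; actual_len bytes of payload are
 * really sent. Returns the record length written, 0 on error. */
size_t build_heartbeat(unsigned char *out, size_t outcap, uint16_t claimed_len,
                       const unsigned char *payload, size_t actual_len)
{
    size_t need = 3 + actual_len + HB_MIN_PADDING;
    if (need > outcap) return 0;
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_MIN_PADDING);
    return need;
}

/* Responder with the Heartbleed defect: it trusts the length field and copies
 * that many bytes from the payload position, never comparing it with the
 * number of bytes received. The capacity test only keeps this model inside
 * its own arrays; it is not the missing security check. */
size_t hb_respond_vulnerable(const conn_t *c, unsigned char *resp, size_t respcap)
{
    const unsigned char *p = c->mem;
    if (p[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    size_t resp_len = 3 + payload_len + HB_MIN_PADDING;
    if (resp_len > respcap || 3 + (size_t)payload_len > CONN_BUF_SIZE) return 0;
    resp[0] = HB_RESPONSE; resp[1] = p[1]; resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload_len);  /* copies far past the received record */
    memset(resp + 3 + payload_len, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Responder with the bounds check OpenSSL 1.0.1g added: a record whose declared
 * payload plus header and minimum padding exceeds what arrived is discarded. */
size_t hb_respond_fixed(const conn_t *c, unsigned char *resp, size_t respcap)
{
    const unsigned char *p = c->mem;
    if (c->record_len < 1 + 2 + HB_MIN_PADDING || p[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload_len + HB_MIN_PADDING > c->record_len) return 0;
    size_t resp_len = 3 + payload_len + HB_MIN_PADDING;
    if (resp_len > respcap) return 0;
    resp[0] = HB_RESPONSE; resp[1] = p[1]; resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload_len);  /* now known to lie inside the record */
    memset(resp + 3 + payload_len, 0, HB_MIN_PADDING);
    return resp_len;
}

static int contains(const unsigned char *hay, size_t haylen,
                    const unsigned char *needle, size_t nlen)
{
    for (size_t i = 0; nlen > 0 && i + nlen <= haylen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* One attack: a 23-byte request claiming a 1024-byte payload, sent to a server
 * whose memory holds a planted secret 200 bytes past the record.
 * Returns 1 if the response leaks the secret, 0 otherwise. */
int heartbleed_demo(int use_fixed)
{
    static const unsigned char secret[] = "SECRET-KEY-MATERIAL";  /* constructed */
    conn_t c; unsigned char resp[CONN_BUF_SIZE];
    memset(c.mem, 'A', sizeof c.mem);
    c.record_len = build_heartbeat(c.mem, sizeof c.mem, 1024,
                                   (const unsigned char *)"ping", 4);
    memcpy(c.mem + 200, secret, sizeof secret - 1);
    size_t rl = use_fixed ? hb_respond_fixed(&c, resp, sizeof resp)
                          : hb_respond_vulnerable(&c, resp, sizeof resp);
    return rl > 3 && contains(resp + 3, rl - 3, secret, sizeof secret - 1);
}

/* The fix must not break honest traffic: returns 1 if the fixed responder
 * echoes a well-formed 4-byte "ping" in a 23-byte response. */
int honest_heartbeat_ok(void)
{
    conn_t c; unsigned char resp[CONN_BUF_SIZE];
    memset(c.mem, 0, sizeof c.mem);
    c.record_len = build_heartbeat(c.mem, sizeof c.mem, 4,
                                   (const unsigned char *)"ping", 4);
    size_t rl = hb_respond_fixed(&c, resp, sizeof resp);
    return rl == 23 && resp[0] == HB_RESPONSE && memcmp(resp + 3, "ping", 4) == 0;
}
```

Against the vulnerable responder, `heartbleed_demo(0)` returns 1: the 23-byte request comes back as a 1043-byte reply that carries the planted secret, which was never part of the request. `heartbleed_demo(1)` returns 0 because the fixed responder discards the record, and `honest_heartbeat_ok()` returns 1 because a well-formed heartbeat is still answered. In the real bug the overread walked into adjacent heap memory rather than a modelled buffer, which is how keys, cookies and passwords leaked, and because the length field is 16 bits a single request could pull up to 64 KB.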
For now, however, it's not clear how much actual damage has been done, or whether only a handful of people, including those at the NSA, knew about the vulnerability. Some reassurance came today when security service CloudFlare said it is unlikely that hackers have been able to use Heartbleed to obtain the private SSL keys websites rely on (an assessment CloudFlare withdrew later the same day, after its public challenge showed a server's private key could in fact be extracted). Companies have been actively patching their sites since last week's disclosure. Patching closes the leak, but anything that may have been read from memory before the patch stays exposed until it is replaced, so affected sites also need to reissue certificates and invalidate sessions and passwords.
While Heartbleed would be a useful weapon for the NSA to spy on its targets, the agency's failure to disclose it, if the report is true, will anger those who believe that the U.S. government should focus on defensive measures like strong encryption rather than exploiting weakened standards as a means of attack. The NSA is still under criticism following disclosures by former contractor Edward Snowden that it deliberately introduced weaknesses into other widely used encryption standards.
This story was updated at 4:50pm ET after the NSA issued a statement denying the report, and at 6:00pm with details.