A new report about the massive internet security software bug that’s been shaking up the Web all week indicates the National Security Agency both knew about and exploited the flaw to to spy on internet traffic for at least two years.
Bloomberg News broke the story in a Friday report citing two sources “familiar with the matter” that claim the agency knew about the Heartbleed bug in OpenSSL, which encrypts web traffic on HTTPS sites and services to secure the most sensitive of user information including usernames, passwords, emails, communications, account and credit card information, and neglected to report it to the cyber community.
According to one of the sources the agency discovered the bug shortly after its introduction to the Internet on Dec. 31, 2011, after which it became an essential and commonly used tool to steal login information and other data.
“They actually have a process when they find this stuff that goes all the way up to the director,” cybersecurity senior fellow at the Center for Strategic and International Studies James Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”
The compromised version of OpenSSL is used by some of the biggest names on the Web, and is estimated to have violated the security of two-thirds of internet traffic over more than two years, exposing unencrypted data in plain text to interception by hackers.
Bloomberg sources claim the signals intelligence agency “was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission,” but at the cost of leaving millions of users vulnerable to similar attacks by foreign intelligence services and criminals.
“It flies in the face of the agency’s comments that defense comes first,” director of the cyber statecraft initiative at the Atlantic Council and former Air Force cyber officer Jason Healey said. “They are going to be completely shredded by the computer security community for this.”
An NSA spokesperson declined to comment on the agency’s knowledge or use of Heartbleed, but experts cited by Bloomberg said finding such software vulnerabilities is crucial to NSA’s mission — a practice President Obama’s NSA review board recommended stopping in the wake of former contractor Edward Snowden’s classified program leaks.
The software programmer responsible for the flaw claimed it was accidental in a Friday report, but immediately speculated the bug could have been used by intelligence agencies in exactly the way described by Bloomberg sources.
Websites and services have been mounting fixes all week, but many have warned users to stay offline entirely for days until the patch is widely adopted, as changing passwords prior will still leave them vulnerable — if not more so since a description of the flaw has gone public.