The National Security Agency reportedly knew about the Heartbleed bug for at least two years, kept it secret, and exploited it to gather intelligence -- news that is fueling criticism that the agency's spying efforts undermine the safety of the Internet for everyone.
By using Heartbleed, the NSA "was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost," Bloomberg reports, citing two unnamed people familiar with the matter. "Millions of ordinary users were left vulnerable to attack from other nations' intelligence arms and criminal hackers."
Though the NSA initially declined Bloomberg's request to comment "on the agency's knowledge or use of" the Heartbleed bug, it issued a denial late Friday: The "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong."
Heartbleed is a security vulnerability in OpenSSL, software that's used by many Web sites to encrypt Web communications. The bug can reveal the contents of a server's memory, where the most sensitive of data is stored, including usernames, passwords, and credit card numbers. The revelation of the flaw this week sent major sites such as Google, Facebook, Yahoo, and Dropbox scrambling to patch their systems and had Internet users hustling to change their passwords.
Critics of the NSA say that its reported efforts to increase surveillance and other capabilities by undermining encryption, weakening network security standards, and influencing the building of backdoors into tech products threaten to destroy the security of the Internet. The agency is charged with both the defensive task of protecting US computer networks from attack and the offensive task of finding and exploiting vulnerabilities. Critics say these goals are at odds with each other: the surveillance wing might want to keep a vulnerability in place, secret, and exploitable, but this same hole that it's using to spy could be discovered and exploited by foes or criminals.
Last December, the NSA review panel handpicked by President Obama said that though it hadn't found evidence to support reports that the US government intentionally introduced backdoors into encryption software, it recommended that the government make it clear that the NSA will not undermine global encryption standards or demand changes to any products and services to make it easier for the agency to collect user data.
In his reform speech the following month, Obama declined to address that recommendation in detail, saying instead that the issue would be studied to determine "how we can continue to promote the free flow of information in ways that are consistent with both privacy and security."
He also said, "we cannot prevent terrorist attacks or cyberthreats without some capability to penetrate digital communications -- whether it's to unravel a terrorist plot; to intercept malware that targets a stock exchange; to make sure air traffic control systems are not compromised; or to ensure that hackers do not empty your bank accounts." It would, of course, be ironic if the agency's "capability to penetrate" communications was pegged to a vulnerability that hackers could also potentially unearth and use to drain bank accounts.
The Bloomberg report quoted a cybersecurity specialist, who discussed the NSA's process when it comes to handling vulnerabilities:
"The fact that the vulnerability existed in the transmission of ordinary data -- even if it's the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.
"They actually have a process when they find this stuff that goes all the way up to the director" of the agency, Lewis said. "They look at how likely it is that other guys have found it and might be using it, and they look at what's the risk to the country."
Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.
The complete Bloomberg report is here.
Update, 2:50 p.m. PT: The Office of the Director of National Intelligence has posted a lengthier denial on its "IC [Intelligence Community] on the Record" site:
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.
"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
"When Federal agencies discover a new vulnerability in commercial and open source software - a so-called "Zero day" vulnerability because the developers of the vulnerable software have had zero days to fix it - it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.
"In response to the recommendations of the President's Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.