NSA said to have used Heartbleed bug

WASHINGTON — The National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.

The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling series of leaks from Snowden, who was a former agency contractor.

The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S. government’s largest spy agency. The NSA protects the computers of the government and critical industry from cyberattacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.

Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Md.-based cyber-security training organization.

“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the Secret Service. “Invariably when this has happened over time, the offensive mission wins.”

When researchers uncovered the Heartbleed bug hiding in plain sight and made it public on April 7, it underscored an uncomfortable truth: The public may be placing too much trust in software and hardware developers to insure the security of our most sensitive transactions.

“We’ve never seen any quite like this,” said Michael Sutton, vice president of security research at Zscaler, a San Jose, Calif.-based security firm. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”

The potential stems from a flaw in the protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility.

If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for online bank accounts, e-commerce sites, and e-mail accounts across the world.

Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, Calif.

The fact that the vulnerability existed in the transmission of ordinary data – even if it’s the kind of data the vast majority of users are concerned about – may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.

“They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.

The SSL protocol has a history of security problems, Lewis said, and is not the primary form of protection governments and others use to transmit highly sensitive information.

“I knew hackers who could break it nearly 15 years ago,” Lewis said of the SSL protocol.

That may not soothe the millions of users who were left vulnerable for so long.

Following the leaks about NSA’s electronic spying, President Barack Obama convened a panel to review the country’s surveillance activities and suggest reforms. Among the dozens of changes put forward was a recommendation that the NSA quickly move to fix software flaws rather that exploit them, and that they be used only in “rare instances” and for short periods of time.

Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said the country’s ability to spot terrorist threats and understand the intent of hostile leaders would be vastly diminished if their use were prohibited.

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Local News

Traffic idles while waiting for the lights to change along 33rd Avenue West on Tuesday, April 2, 2024 in Lynnwood, Washington. (Olivia Vanni / The Herald)
Lynnwood seeks solutions to Costco traffic boondoggle

Let’s take a look at the troublesome intersection of 33rd Avenue W and 30th Place W, as Lynnwood weighs options for better traffic flow.

A memorial with small gifts surrounded a utility pole with a photograph of Ariel Garcia at the corner of Alpine Drive and Vesper Drive ion Wednesday, April 10, 2024 in Everett, Washington. (Olivia Vanni / The Herald)
Death of Everett boy, 4, spurs questions over lack of Amber Alert

Local police and court authorities were reluctant to address some key questions, when asked by a Daily Herald reporter this week.

The new Amazon fulfillment center under construction along 172nd Street NE in Arlington, just south of Arlington Municipal Airport. (Chuck Taylor / The Herald) 20210708
Frito-Lay leases massive building at Marysville business park

The company will move next door to Tesla and occupy a 300,0000-square-foot building at the Marysville business park.

A closed road at the Heather Lake Trail parking lot along the Mountain Loop Highway in Snohomish County, Washington on Wednesday, July 20, 2023. (Annie Barker / The Herald)
Mountain Loop Highway partially reopens Friday

Closed since December, part of the route to some of the region’s best hikes remains closed due to construction.

Emma Dilemma, a makeup artist and bikini barista for the last year and a half, serves a drink to a customer while dressed as Lily Munster Tuesday, Oct. 25, 2022, at XO Espresso on 41st Street in Everett, Washington. (Ryan Berry / The Herald)
After long legal battle, Everett rewrites bikini barista dress code

Employees now have to follow the same lewd conduct laws as everyone else, after a judge ruled the old dress code unconstitutional.

The oldest known meteor shower, Lyrid, will be falling across the skies in mid- to late April 2024. (Photo courtesy of Pixabay)
Clouds to dampen Lyrid meteor shower views in Western Washington

Forecasters expect a storm will obstruct peak viewing Sunday. Locals’ best chance at viewing could be on the coast. Or east.

AquaSox's Travis Kuhn and Emerald's Ryan Jensen an hour after the game between the two teams on Sunday continue standing in salute to the National Anthem at Funko Field on Sunday, Aug. 25, 2019 in Everett, Wash. (Olivia Vanni / The Herald)
New AquaSox stadium downtown could cost up to $120M

That’s $40 million more than an earlier estimate. Alternatively, remodeling Funko Field could cost nearly $70 million.

Downtown Everett, looking east-southeast. (Chuck Taylor / The Herald) 20191022
5 key takeaways from hearing on Everett property tax increase

Next week, City Council members will narrow down the levy rates they may put to voters on the August ballot.

Everett police officers on the scene of a single-vehicle collision on Evergreen Way and Olivia Park Road Wednesday, July 5, 2023 in Everett, Washington. (Photo provided by Everett Police Department)
Everett man gets 3 years for driving high on fentanyl, killing passenger

In July, Hunter Gidney crashed into a traffic pole on Evergreen Way. A passenger, Drew Hallam, died at the scene.

FILE - Then-Rep. Dave Reichert, R-Wash., speaks on Nov. 6, 2018, at a Republican party election night gathering in Issaquah, Wash. Reichert filed campaign paperwork with the state Public Disclosure Commission on Friday, June 30, 2023, to run as a Republican candidate. (AP Photo/Ted S. Warren, File)
6 storylines to watch with Washington GOP convention this weekend

Purist or pragmatist? That may be the biggest question as Republicans decide who to endorse in the upcoming elections.

Keyshawn Whitehorse moves with the bull Tijuana Two-Step to stay on during PBR Everett at Angel of the Winds Arena on Wednesday, April 17, 2024 in Everett, Washington. (Olivia Vanni / The Herald)
PBR bull riders kick up dirt in Everett Stampede headliner

Angel of the Winds Arena played host to the first night of the PBR’s two-day competition in Everett, part of a new weeklong event.

Simreet Dhaliwal speaks after winning during the 2024 Snohomish County Emerging Leaders Awards Presentation on Wednesday, April 17, 2024, in Everett, Washington. (Ryan Berry / The Herald)
Simreet Dhaliwal wins The Herald’s 2024 Emerging Leaders Award

Dhaliwal, an economic development and tourism specialist, was one of 12 finalists for the award celebrating young leaders in Snohomish County.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.