Given all the revelations about the NSA and GCHQ spy agencies intercepting the communications of individuals all over the globe, the obvious question is to what extent they were involved in the Heartbleed bug, the flaw in the OpenSSL library that lets third parties extract 64K chunks of information at a time from targeted computers without the hosts being aware. The problem is so serious that it even caused the Canadian government to suspend electronic tax filing.
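To make concrete what "64K chunks" refers to, here is an added Python model (not code from this post or from OpenSSL) of the TLS heartbeat handler before and after the fix, run on a constructed in-memory buffer: the 16-bit payload length field caps each over-read at 65535 bytes, and the check added in OpenSSL 1.0.1g discards any heartbeat whose claimed length does not fit inside the record. The `SECRET` and `RECORD` values are constructed sample data, and the handlers are simplified stand-ins for the real C code.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat message: type(1) | payload_length(2) | payload | padding(16).
    claimed_len is what the sender *says* the payload length is; it need not
    match the real payload, which is exactly the Heartbleed trigger."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len)
    return header + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_vulnerable(record: bytes, memory_after: bytes) -> bytes:
    """Models the pre-1.0.1g handler: the peer-supplied length is trusted."""
    hbtype, payload_len = struct.unpack("!BH", record[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    # The copy runs past the real payload into whatever sits after the record
    # in process memory (modelled here by memory_after). The 16-bit field
    # bounds the over-read at 65535 bytes, hence "64K" per request.
    adjacent = record[3:] + memory_after
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + adjacent[:payload_len]


def handle_heartbeat_fixed(record: bytes, memory_after: bytes) -> bytes:
    """Models the 1.0.1g fix: reject any claimed length that exceeds the record."""
    hbtype, payload_len = struct.unpack("!BH", record[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    # type(1) + length(2) + payload + padding(16) must fit in the record;
    # otherwise silently discard, as RFC 6520 section 4 requires.
    if 1 + 2 + payload_len + PADDING_LEN > len(record):
        return b""
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + record[3:3 + payload_len]


# Constructed sample data: a 2-byte payload that claims to be 65535 bytes long,
# and a fake secret standing in for memory adjacent to the record buffer.
SECRET = b"session-key:" + b"A" * 40
RECORD = build_heartbeat(b"hi", claimed_len=0xFFFF)


def leaked_bytes(handler) -> bytes:
    """Return just the payload portion of the handler's response."""
    return handler(RECORD, SECRET)[3:]


if __name__ == "__main__":
    print("vulnerable leaked:", leaked_bytes(handle_heartbeat_vulnerable))
    print("fixed leaked:     ", leaked_bytes(handle_heartbeat_fixed))
```

A well-formed heartbeat (claimed length equal to the real payload) is echoed back unchanged by both handlers, so the check costs nothing for legitimate peers.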
Suspicion has fallen on the two leading members of the ‘Five Eyes’ nations, the US NSA and the UK GCHQ. There are two levels of questions that can be raised.
- Was the NSA aware of the security flaw all along and did not sound the alarm because they were exploiting the flaw, even though it meant that millions of people would have been exposed to fraud?
- Did the NSA and/or GCHQ actually create the flaw?
Reports are emerging that the answer to the first is ‘yes’. Michael Riley has an explosive story in Bloomberg.
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
Naturally the NSA has denied being aware of the bug and the New York Times, ever eager to serve as the government’s mouthpiece, has an article by David Sanger that seeks to absolve them of any involvement.
At the center of that technology are the kinds of hidden gaps in the Internet — almost always created by mistake or oversight — that Heartbleed created. There is no evidence that the N.S.A. had any role in creating Heartbleed, or even that it made use of it. When the White House denied prior knowledge of Heartbleed on Friday afternoon, it appeared to be the first time that the N.S.A. had ever said whether a particular flaw in the Internet was — or was not — in the secret library it keeps at Fort Meade, Md., the headquarters of the agency and Cyber Command.
This strains credulity because, as Riley says, finding such weaknesses and exploiting them is a central part of NSA’s mission to which it devotes enormous resources. Could they have been unaware of such a serious flaw for two years?
The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.
The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.
While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.
In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found Heartbleed shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.
What about the more serious accusation that it was the NSA that actually created the flaw? It would not surprise me in the least since we already know that the NSA deliberately weakened encryption standards by using its influence in the National Institute of Standards and Technology (NIST).
As Kim Zetter writes, finding ways to intercept encrypted traffic has long been a major part of the NSA’s efforts.
Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data.
According to documents the paper obtained from Snowden, GCHQ had specifically been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt traffic in near-real time, and there were suggestions that they might have succeeded. “Vast amounts of encrypted internet data which have up till now been discarded are now exploitable,” GCHQ reported in one top-secret 2010 document. Although this was dated two years before the Heartbleed vulnerability existed, it highlights the agency’s efforts to get at encrypted traffic.
Natasha Lennard describes some theories about how the NSA may have created this flaw, saying “For some time, cryptographers have suggested that the NSA has been secretly paying open source developers (developers of open source tools like OpenSSL) to sneak in bugs.” What adds to the suspicions is that although this flaw has been around for two years, so far there have been no reports of its exploitation by non-governmental entities for criminal activities such as fraud. If ordinary cybercriminals created this flaw, they would likely have exploited it quickly before it was discovered.
There is no documentary evidence as yet that this is the case, but post-Snowden history suggests that you cannot go far wrong by assuming the worst about the NSA and GCHQ.