NSA Said to Exploit Heartbleed Bug for Intelligence for

Years
By Michael Riley - Apr 12, 2014
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites
send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical
intelligence, two people familiar with the matter said.
The agencys reported decision to keep the bug secret in pursuit of national security interests threatens to
renew the rancorous debate over the role of the governments top computer experts. The NSA, after declining
to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was
made public by a private security report earlier this month.
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability
before 2014 are wrong, according to an e-mailed statement from the Office of the Director of National
Intelligence.
Related:
Millions of Android Devices Vulnerable to Heartbleed Bug
Heartbleed Found in Cisco, Juniper Networking Products
Opinion: Heartbleed's Password Heartbreak
Video: What the NSA Knew and When
Heartbleed appears to be one of the biggest flaws in the Internets history, affecting the basic security of as
many as two-thirds of the worlds websites. Its discovery and the creation of a fix by researchers five days ago
prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing
and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their
systems.
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are
the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of
ordinary users were left vulnerable to attack from other nations intelligence arms and criminal hackers.
Controversial Practice
It flies in the face of the agencys comments that defense comes first, said Jason Healey, director of the
cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. They are going to be
completely shredded by the computer security community for this.
Experts say the search for flaws is central to NSAs mission, though the practice is controversial. A
presidential board reviewing the NSAs activities after Edward Snowdens leaks recommended the agency halt
the stockpiling of software vulnerabilities.
When new vulnerabilities of the Heartbleed type are discovered, they are disclosed, the Office of the Director
of National Intelligence said in response to the Bloomberg report. A clear process exists among agencies for
deciding when to share vulnerabilities, the office said in a statement.
This administration takes seriously its responsibility to help maintain an open, interoperable, secure and
reliable Internet, Shawn Turner, director of public affairs for the office, said in the statement. Unless there is
a clear national security or law enforcement need, this process is biased toward responsibly disclosing such
vulnerabilities.
Hunting Flaws
The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws
that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw
was found, are primary targets.
The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one
of the failings of open source software development.
While many Internet companies rely on the free code, its integrity depends on a small number of
underfunded researchers who devote their energies to the projects.
In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated
analysis techniques, many of them classified. The agency found Heartbleed shortly after its introduction,
according to one of the people familiar with the matter, and it became a basic part of the agencys toolkit for
stealing account passwords and other common tasks.
NSA Spying
The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling
series of leaks from Snowden, who was a former agency contractor.
The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S.s
largest spy agency. The NSA protects the computers of the government and critical industry from cyber-
attacks, while gathering troves of intelligence attacking the computers of others, including terrorist
organizations, nuclear smugglers and other governments.
Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their
data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging
security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.
One Agency
If you combine the two into one government agency, which mission wins? asked Pescatore, who formerly
worked in security for the NSA and the U.S. Secret Service. Invariably when this has happened over time,
the offensive mission wins.
When researchers uncovered the Heartbleed bug hiding in plain sight and made it public on April 7, it
underscored an uncomfortable truth: The public may be placing too much trust in software and hardware
developers to insure the security of our most sensitive transactions.
Weve never seen any quite like this, said Michael Sutton, vice president of security research at Zscaler, a
San Jose, California-based security firm. Not only is a huge portion of the Internet impacted, but the
damage that can be done, and with relative ease, is immense.
The potential stems from a flawed implementation of protocol used to encrypt communications between
users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage
could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.
Exploiting Flaw
Questions remain about whether anyone other than the U.S. government might have exploited the flaw
before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility.
If criminals found the flaw before a fix was published this week, they could have scooped up troves of
passwords for bank accounts, e-commerce sites and e-mail accounts worldwide.
Evidence of that is so far lacking, and its possible that cybercriminals missed the potential in the same way
security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park,
California.
The fact that the vulnerability existed in the transmission of ordinary data -- even if its the kind of data the
vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep
it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International
Studies.
Determining Risk
They actually have a process when they find this stuff that goes all the way up to the director of the agency,
Lewis said. They look at how likely it is that other guys have found it and might be using it, and they look at
whats the risk to the country.
Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a
short period of time and then discreetly contacting software makers or open source researchers to fix it.
The SSL protocol has a history of security problems, Lewis said, and is not the primary form of protection
governments and others use to transmit highly sensitive information.
I knew hackers who could break it nearly 15 years ago, Lewis said of the SSL protocol.
That may not soothe the millions of users who were left vulnerable for so long.
Panels Recommendation
Following the leaks about NSAs electronic spying, President Barack Obama convened a panel to review
surveillance activities and suggest reforms. Among the dozens of changes put forward was a
recommendation that the NSA quickly move to fix software flaws rather that exploit them, and that they be
used only in rare instances and for short periods of time.
If the NSA knows about a vulnerability, then often other nation states and even criminal organizations can
exploit the same security vulnerability, said Harley Geiger, senior counsel for the Center for Democracy &
Technology in Washington. What may be a good tool for the NSA may also turn out to be a tool for
organizations that are less ethical or have no ethics at all.
Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the
worlds most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said
the countrys ability to spot terrorist threats and understand the intent of hostile leaders would be vastly
diminished if their use were prohibited.
To contact the reporter on this story: Michael Riley in Washington at michaelriley@bloomberg.net
To contact the editors responsible for this story: Sara Forden at sforden@bloomberg.net Winnie OKelley
2014 BLOOMBERG L.P. ALL RIGHTS RESERVED.