The NSA Knew About & Exploited Heartbleed

by L. Turner

Today in unsurprising news: Turns out the National Security Agency knew about and exploited the Heartbleed bug to gather intelligence. Two officials told Bloomberg News that the NSA has known about the Heartbleed security flaw for at least two years, but didn't reveal what they knew about what may be the worst internet flaw ever discovered.

Some outlets had previously speculated the NSA had to have known about the flaw, or even engineered it. Reports publicized by Edward Snowden revealed that the agency has intentionally created security flaws to preempt encryption, though no evidence has emerged specifically connecting the agency to the Heartbleed flaw.

The Heartbleed glitch occurs in OpenSSL, a technology that's supposed to make your private data safe from hackers. The bug was discovered not by hackers but by a researcher and a security firm, who concluded that it would allow someone with the right technology to get personal data as well as a site's secret cryptographic keys. A programmer told Mashable the flaw was an accident.

A 2010 government memo and other evidence suggest that the agency has at the very least been using similar bugs to steal data for years. The memo, released by Snowden and cited by a New York Times and ProPublica investigation, said the following:

For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies. Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.

Given that, it's just not much of a shock that the NSA knew about Heartbleed and used it. So much so that Bloomberg's revelation got a lot of "duhs" on Twitter:

One journalist, New York Magazine's Stefan Becket, noted that, assuming the NSA didn't engineer the bug, the agency was doing its job by exploiting it.

Then again, do we really want an agency charged with hacking into the world's data to be this good at its job?