
Monday, April 14, 2014

Why It's A Big Deal If NSA Knew About -- And Exploited -- Heartbleed Bug


NSA is said to have exploited Heartbleed bug for intelligence for years. "The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The agency's reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month." Michael Riley in Bloomberg.

Internet outraged in the wake of the news. Read the tweets. Eric Brown in International Business Times.

@dliebelson: So, under the pretense of protecting Americans, the NSA left millions of Americans open to identity theft. No words.

@ramez: Allegation that NSA knew about Heartbleed is just an allegation. But fits their statements about breaking SSL & collection of SSL sessions.

Analysis: Why it's a big deal if true. "On its face, it is difficult to imagine any justification that will even begin to soothe the shock and outrage among people and businesses, both American and non-American, who take computer security seriously. If it turns out that this vulnerability has been exploited, either by criminals or (more likely) by non-U.S. intelligence agencies, the outrage will be even greater. The willingness of the private sector to cooperate with the U.S. government in sharing information about vulnerabilities will be compromised, perhaps irrevocably. The informal dominance of the U.S. in international Internet governance debates will be undermined. Organizations such as the Internet Engineering Task Force, which create many of the basic underlying protocols of the Internet, will move from grumbling and unhappiness to outright revolt." Henry Farrell in The Washington Post.

NSA denies it knew of the bug. "The NSA is disavowing its knowledge of the Heartbleed security vulnerability after a Bloomberg report suggested that the spy agency had exploited it for at least two years. 'NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,' NSA spokesperson Vanee Vines told The Post. 'Reports that say otherwise are wrong.' The White House and the Office of the Director of National Intelligence echoed that statement Friday, saying neither the NSA nor any other part of the U.S. government knew about Heartbleed before April 2014." Brian Fung in The Washington Post.

National Security Council backs disclosing security vulnerabilities. "Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public unless there is a clear national security or law enforcement need, President Barack Obama's National Security Council said Saturday. The statement of White House policy came after a computer bug called 'Heartbleed' caused major security concerns across the Internet and affected a widely used encryption technology, the variant of SSL/TLS known as OpenSSL, that was designed to protect online accounts....The NSC, which Obama chairs, advises the president on national security and foreign policy matters. Its spokeswoman, Caitlin Hayden, said in a statement Saturday that the federal government was not aware of the Heartbleed vulnerability in OpenSSL until it was made public in a private sector cybersecurity report." The Associated Press.

Heartbleed sheds light on how NSA uses bugs. "The turmoil caused by the 'Heartbleed' encryption bug is shedding light on a little-known element of the White House's surveillance overhaul package: how the government handles software holes and vulnerabilities. The National Security Agency has compiled a list of software bugs and holes known as 'zero days,' which the agency has exploited to gain access to secure networks before they can be fixed." Gautham Nagesh in The Wall Street Journal.

