The National Security Agency on Friday strongly denied a news report that said the government failed to warn the public about the notorious Heartbleed software flaw — allegedly because the NSA wanted to continue using it to gather intelligence.
The story, by Bloomberg News, said the NSA left countless Internet users and businesses vulnerable to hackers for the past two years, in order to continue exploiting the Heartbleed bug as a powerful tool for obtaining passwords and other data from users’ accounts.
Both the NSA and the White House used uncharacteristically direct language in statements late Friday that flatly denied the report.
But the report and denials served to underscore the growing skepticism and mistrust surrounding government spy programs that have been revealed by a wave of news leaks in recent months.
“I don’t know first-hand that the NSA knew of this bug previously, but I don’t believe one has to stretch their imagination far to believe that to be a strong possibility,” said Marc Maiffret, chief technology officer at BeyondTrust, a cybersecurity firm.
“There are vulnerabilities that are known to some researchers and, yes, they are not disclosed to the public and to the general security community,” added Philip Lieberman, president of Lieberman Software, another security firm.
Still, he said: “When you find something that is this nasty, you generally go get it fixed quietly.”
The Heartbleed flaw is a vulnerability in OpenSSL, an open-source software library used to encrypt sensitive information on nearly two-thirds of all websites. After the bug was disclosed publicly by tech company researchers this week, experts said hackers could use it to steal passwords and access a variety of web accounts, including email, banking and shopping services.
Bloomberg cited two unnamed “people familiar with the matter” as sources for its report, which said the NSA discovered the Heartbleed flaw shortly after it was accidentally created in 2012 by a programmer who was making adjustments in OpenSSL.
After that, Bloomberg said, the bug “became a basic part of the agency’s tool kit for stealing account passwords” and other information while most Internet users and security experts remained unaware of the flaw.
Bloomberg said the NSA declined to comment before the story came out.
That quickly changed.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong,” said agency spokeswoman Vanee Vines in a statement after Bloomberg released its story.
In a separate statement, the office of White House intelligence director James Clapper said: “If the federal government, including the intelligence community, had discovered this vulnerability before last week, it would have been disclosed to the community” of private and academic security researchers who are responsible for the OpenSSL encryption program.
Top executives from some of Silicon Valley’s Internet companies have previously protested the government’s efforts to obtain user data through various means, including efforts the companies said occurred without their knowledge.
While leading Internet companies declined to comment Friday, officials at some security firms said the Bloomberg report added fuel to a broader debate about the NSA’s operations.
“This again calls into discussion the right balance of modern intelligence agencies needing undisclosed vulnerabilities for espionage activities, while balancing how much those vulnerabilities also expose the very companies and countries they are meant to be protecting,” said Maiffret.
Many software developers and security experts were already dismayed by a New York Times report last fall that said the NSA had waged a secret campaign to weaken encryption standards so it can read coded messages.
In addition, other outlets, including the Washington Post, have reported that both the NSA and Defense Department have extensive programs to identify and exploit so-called “zero-day” vulnerabilities — software flaws for which no fix yet exists — and have even purchased information about such flaws on a gray market of malware vendors.
The Heartbleed risk is considered so high that the U.S. Department of Homeland Security warned banks and other businesses on Friday to be on alert for hackers trying to exploit the bug. Government officials have also encouraged companies to share information so they can better combat the problem.
But security experts suggested the government’s credibility had already suffered before the Bloomberg report.
“Revelations about how governments had been surrendering commercial and personal privacy in the name of national security … have left citizens’ trust badly shaken,” said Steve Durbin, global vice president of the Information Security Forum, an organization of industry security professionals.
Referring to the Bloomberg report, Durbin added, “Certainly, these new revelations will do little to boost trust.”
Contact Brandon Bailey at bbailey@mercurynews.com or Steve Johnson at sjohnson@mercurynews.com
Protecting against Heartbleed
Experts recommend users change the passwords for all their online accounts to protect themselves from the ramifications of the Heartbleed bug. But before changing their passwords for specific websites, users should first check that those sites have fixed the Heartbleed problem: a new password entered on a site that is still vulnerable can be stolen just like the old one.
Users can check whether a site is still vulnerable to Heartbleed by going to this website: http://filippo.io/Heartbleed/
There, type in the URL for any website that requires information from users, such as email providers, banks, social networks, shopping sites and more. The tool will quickly test the site and report whether it is still vulnerable or has been fixed.
Source: Wire services