After a week of speculation from security experts, Bloomberg reported Friday that the National Security Agency has known about and actively exploited the Heartbleed security bug for at least two years. According to Michael Riley:
Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said the country’s ability to spot terrorist threats and understand the intent of hostile leaders would be vastly diminished if their use were prohibited.
On Wednesday Sophos Security Senior Adviser Chet Wisniewski told BuzzFeed that the NSA was perhaps the only organization in a position to find and exploit an OpenSSL bug like Heartbleed. “If they did know about it they would not have told anyone or sent a patch out or secretly sent a note to say, ‘Hey look at this line of code.’ When they find this stuff they hold onto it as long as humanly possible because it gives them unfettered access to information.”
Reached for comment after the Bloomberg report, Wisniewski told BuzzFeed, “I’m not surprised but obviously this is disappointing. If the NSA knows about it we can assume most major agencies in other governments know about it as well.”
“This behavior is quite literally part of the NSA’s job,” he continued. “And we’re obviously not the only ones to employ surveillance teams to look at these crypto-libraries and see if there are vulnerabilities. I’m guessing but I think it’s fair to assume the Russians, Chinese, and Israelis probably knew about it too.”
Already, many are predicting this will strike a particular nerve in the tech community, which has spent the better part of the last year parsing through NSA surveillance leaks. “The initial reaction from employees and engineers at big companies like Google after the NSA leaks was sort of a resounding ‘How dare you?’ I imagine now that there’s the possibility companies like Yahoo, Akamai, Amazon might have been vulnerable, there will be a very similar reaction,” Wisniewski said.
Updated — April 11, 6:05 p.m. ET: The NSA, White House, and office of the DNI strongly denied the Bloomberg reports this afternoon.
However, the Obama Administration has given misleading answers to questions about electronic espionage in recent years, and some observers cast doubt on the denials.
Robert Caruso, a former command security unit officer in the Navy, suggested that the denials might be very narrowly true.
“It’s possible that they tried, figured out how to exploit it against our enemies but couldn’t do it within their regulations and concurrently decided not to tell us, which is still problematic politically,” he said. “I bet they looked at it, puzzled over it, and said, ‘gee, if we do it we’ll be looking at US citizen data — let’s not do that and let’s not tell anybody about it.’”