Heartbleed, the enormous security bug that could affect up to two-thirds of the internet, has left more than 500,000 websites exposed to attackers. And while many are worried their information was left vulnerable to criminal hackers, one security adviser believes the National Security Agency could well have been the true beneficiary of the flaw.
“This is an honest amateur programming mistake,” Sophos Security Senior Adviser Chet Wisniewski told BuzzFeed, noting that there is almost zero likelihood surveillance organizations were behind the flaw. “It sounds like somebody just hit the ‘enter’ key before completing their thought.”
That said, Wisniewski believes that if surveillance organizations like the NSA discovered the flaw before it became public, they wouldn’t hesitate to capitalize on it and certainly wouldn’t have notified programming communities.
“That’s exactly what the leaked NSA programs are supposed to do: Find the flaws, exploit them and never tell anyone,” he said.
While any advance government knowledge of Heartbleed would obviously be kept secret, Wisniewski believes there’s a good chance organizations like the NSA knew about the flaw ahead of the recent discovery. “I’d put the odds at 50-50. If they did know about it they would not have told anyone or sent a patch out or secretly sent a note to say, ‘Hey look at this line of code.’ When they find this stuff they hold onto it as long as humanly possible because it gives them unfettered access to information.”
According to Wisniewski, an organization like the NSA certainly has the right personnel to uncover this type of flaw. Government surveillance organizations employ teams that audit crypto libraries like OpenSSL, which is maintained and run by an underfunded, four-person volunteer team of programmer/cryptographers. “You and I can look at that code all day long and we’re not going to find anything,” Wisniewski said. “But if two independent organizations both uncovered the flaw last week, I’d put a good likelihood on a spy organization that was actively looking for and auditing these crypto libraries to find the bug.”
Yet for all the concern over username, password, and secret key security in the aftermath of Heartbleed, Wisniewski thinks there’s been a lot of overreacting.
“Changing all your passwords is always good advice,” Wisniewski said. “If you’re worried the NSA is capturing all your data then you have good reason because this bug is a dream for them. If you’re worried about hackers in Russia stealing your passwords during online activity over the past few days, that’s much more unlikely. It’s quite unlikely that your garden variety attacker found this flaw and exploited it before it went public. The best guess is that the only ones exploiting this are spy agencies, if anyone at all.”
The real concern, Wisniewski notes, is how the bug will affect smaller sites in the weeks, months, and years to come. “This week 75% of sites affected will get fixed, but what happens to the other 25%? What about the other 25 million admins who set up their sites and walked away? That stuff will be out there and can be heavily exploited for a long time,” he said. Since Heartbleed can help attackers find password information, visitors to smaller, hobbyist sites and even mid-range sites with careless or unknowledgeable administrators could be at risk for years to come. And it would be very difficult to know.
“If one guy is running a soccer blog for his kid’s soccer team and doesn’t patch the bug, some attacker can come in down the line and compromise the site and put a virus on that will attack visitors,” Wisniewski said. “The big sites are almost all fixed or will be soon. The real concern is for the future.”