UPDATED: NSA Denies Claims That It Knew About Heartbleed And Did Nothing
from the well-that's-comforting dept
Update: The NSA has denied the Bloomberg report, briefly stating that the agency “was not aware of the recently identified Heartbleed vulnerability until it was made public.” We’ll continue to update as more information emerges.
The internet is still reeling from the discovery of the Heartbleed bug, and yesterday we wondered if the NSA knew about it and for how long. Today, Bloomberg is reporting that the agency did indeed know about Heartbleed for at least the past two years, and made regular use of it to obtain passwords and data.
While it’s not news that the NSA hunts down and utilizes vulnerabilities like this, the extreme nature of Heartbleed is going to draw more scrutiny to the practice than ever before. As others have noted, failing to reveal the bug so it could be fixed is contrary to at least part of the agency’s supposed mission:
Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.
“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”
There is, in fact, a massive hypocrisy here: the default refrain of NSA apologists is that all these questionable things they do are absolutely necessary to protect Americans from outside threats, yet they leave open a huge security hole that is just as easily exploited by foreign entities. Or consider the cybersecurity bill CISPA, which was designed to allow private companies to share network security information with the intelligence community, and vice versa, supposedly to assist in detecting and fixing security holes and cyber attacks of various kinds. But, especially after this revelation about Heartbleed, can there be any doubt that the intelligence community is far more interested in using backdoors than it is in closing them?
Filed Under: heartbleed, nsa, privacy
Comments on “UPDATED: NSA Denies Claims That It Knew About Heartbleed And Did Nothing”
I still think, that “bug” was purposefully introduced by the NSA.
They have quite a (by now documented) history of infiltrating and sabotaging security solutions.
Re: Re:
For what it’s worth, the guy who wrote the code says it was just a mistake: http://arstechnica.com/information-technology/2014/04/heartbleed-developer-explains-openssl-mistake-that-put-web-at-risk/
It’s not impossible that he’s lying, but the sort of bug that caused the leak is very plausibly a simple mistake.
Re: Re: Re:
My proposed conspiracy theory is that they well known guy who says it was an honest mistake may well have been enlisted to nefarious action 10 years ago, spending the first 8 years becoming a respected member of the community.
Never forget what was in one of the Snowden leaked presentations:
“consumers and other adversaries”
From the linked article:
?They actually have a process when they find this stuff that goes all the way up to the director? of the agency, Lewis said.
Of course it does.
And that's the end of SELinux
Or it should be, at least. There’s no way we can ever trust so much as a single line of code from the NSA ever again.
Re: And that's the end of SELinux
Not to be hipster but I never trusted SELinux in the first place after their efforts at weakening crypto. It is like taking legal advice from your opponents lawyer.
Re: Re: And that's the end of SELinux
Me too. I’ve always ignored SELinux stuff for this reason.
Re: And that's the end of SELinux
This SELINUX comes with almost all distros, but it isn’t put into action by default right? I know it is very user unfriendly, at least, it’s what my security solution for linux (grsecurity) was saying when selling itself to me, and weev says its the best so I think it must be, just annoying that I gotta get stuck with using an older kernel than I would like.
Re: Re: And that's the end of SELinux
Depends on the distro. Most distros aimed at the general purpose user don’t enable it by default, but some are aimed at a more security-conscious audience and enable it by default.
not bad for a government law enforcement agency that is supposed to be charged with looking after the USA and it’s citizens, even if it doesn’t care about anyone else!
Re: Re:
not bad for a government law enforcement agency
The NSA is not a law enforcement agency.
Fuck NSA.
Conflict of interest anyone?
This is what happens when you mix defensive and offensive goals under the same agency, the idea of defense by fixing the problem goes clean out the window in favor of offense by utilizing the problem.
In regards to the idea that the NSA was the cause of the problem, at this point I’d say that’s meaningless, if they knew about it and not only did nothing, but actively used it, then they’re just as guilty as if they had introduced it themselves.
Re: Conflict of interest anyone?
NSA probably has the best fuzzing tools available, and the collections of computers to allow the to do a lot of fuzzing on lots of programs in their own labs.
Re: Re: Conflict of interest anyone?
And I’m sure the “funding” would lean heavily toward the offensive side for the development and use of those tools – leaving the defensive side pretty much useless for actually protecting anyone anyway.
Let’s throw the CFAA at them.
Re: Re:
Government agents are specifically exempt, don’t you know?
Re: Re: Re:
Except that it does apply to government agencies. Brennan admitted that the CFAA applies to the CIA.
http://www.wyden.senate.gov/news/press-releases/brennan-letter-to-wyden-acknowledges-that-cfaa-applies-to-the-cia
Re: Re: Re: Re:
That’s where the difference between ‘On paper’ and ‘In practice’ come into play, technically falling under a law means nothing if the odds of actually being charged and prosecuted for breaking it are effectively zero, and they know it.
They knew about this “at least the past two years”? Wasn’t this flaw introduced two years ago?
If one person can do it, many can. How many others found this bug and used it while the NSA was sitting on this thumbs?
Re: Re:
“sitting on their thumbs”? Oh no, I think not. I’m sure they were quite busy with it, e.g., http://arstechnica.com/security/2014/03/nsa-hacker-in-residence-dishes-on-how-to-hunt-system-admins/
Re: Re:
Impossible, obviously only the certified geniuses at the NSA could ever take advantage of security holes like this, or any of the other weaknesses that the NSA intentionally creates, so letting a security hole like this exists so they can exploit it, and/or creating other security holes to make their jobs easier in no way would ever allow other people/agencies to compromise affected systems.
/s
Re: Chronno S. Trigger
The NSA is a terrorist organization.
Re: Re:
Eventually you’ll come to realize that the U.S. government itself is the terrorist organization here, and the NSA is just one of their tools.
possibly the NSA didn’t know about it but are claiming to so that it will make “the terrorists” afraid, and waste their resources redoing their own technology
Re: Re:
“possibly the NSA didn’t know about it but are claiming to so that” …. they preserve the myth of their all-knowing superiority in their own megalomaniacal brains. Heaven help all those high paid experts if they missed something in plain sight. Can’t have that, funding might be cut.
Re: Re:
Ah yes, great plan: piss off the entire world to scare a few terrorists.
No, that’s just not how they work – they’d rather keep it a secret, given their history of coverups and secrecy.
Re: Re:
i thought “we” were fighting uneducated cave dwellers with leftover stingray missiles from those nice gifts Reagan and Rambo made to the mujahideen.
Binary Evaluation Set
Either:
The NSA is lying and they actually failed to find the flaw, despite the fact that probing for buffer overruns is Hacking 101.
Result: They are too incompetent to protect us from the real threats.
The NSA is telling the truth and they spent two years knowing about a serious security flaw in the infrastructure of the internet, may have exploited it, and certainly failed to report it to the nation and enable us to protect ourselves.
Result: They committed treason.
Pick one.
Re: Binary Evaluation Set
I’m going to go with #2 – but I know they’ll never been accused or convicted of treason, so it’s an easy one to choose.
Re: Binary Evaluation Set
It’s not treason. Illegal, probably, but “treason” isn’t the charge.
Treason has a very specific definition: “Waging war against the United States, or giving aid and comfort to its enemies.”
The NSA has done neither. Stop using “treason” to describe everything bad someone in the government does.
Re: Re: Binary Evaluation Set
If failure to fix a major security threat isn’t “giving aid and comfort to our nation’s enemies” I will eat my mouse. Without salt.
Re: Re: Re: Binary Evaluation Set
If failure to fix a major security threat isn’t “giving aid and comfort to our nation’s enemies” I will eat my mouse.
I think failure to act will not meet the bar for treason. You have to actively do something to give aid to a specific nation that is considered an enemy. The NSA didn’t take any action here, and their inaction may have helped many bad actors, but not particularly enemy states. My understanding, anyway.
Re: Re: Re:2 Binary Evaluation Set
Choosing not to act is, in fact, an act. And from the standpoint of governments, every other government is an enemy, actual or potential, and must be guarded against.
Re: Re: Re:3 Binary Evaluation Set
Choosing not to act is, in fact, an act. And from the standpoint of governments, every other government is an enemy, actual or potential, and must be guarded against.
What you’re saying probably has no relevance in the context of the law. It doesn’t matter that philosophically choosing not to act is an act, it only matters whether the law considers it so. IANAL but I’m pretty sure the law treats acting and failure to act very differently. The same with the meaning of “enemy”.
Re: Re: Re:2 Binary Evaluation Set
You seem to miss the point of what ‘giving aid’ means. Do you think that if a known terrorist was found hiding in your basement, and it turned out he got in on his own, but you knew about it, and said nothing, would you be comfortable with your lawyer raising the same feeble defense on your behalf? “Your honor, my client did not act, therefore he cannot be said to have been aiding the terrorist who he knew was hiding in his basement.”
Re: Re: Re:3 Binary Evaluation Set
Do you think that if a known terrorist was found hiding in your basement, and it turned out he got in on his own, but you knew about it, and said nothing,
That’s a terrible analogy to knowing about a security flaw and not publishing it.
Re: Re: Binary Evaluation Set
Update to prior comment: make that “willful failure”. And there can be no doubt that, if they did in fact fail to report and get a major threat fixed, it was willful.
Re: Re: Binary Evaluation Set
Actually, knowing about a critical security vulnerability which ‘enemies’ can take advantage of, and which affects everything the united states government has online, is giving aid and comfort of enemies.
You are on a really slippery slope if you think the NSA is not a rogue agency, just like the CIA.
Re: Re: Re: Binary Evaluation Set
Actually, knowing about a critical security vulnerability which ‘enemies’ can take advantage of, and which affects everything the united states government has online, is giving aid and comfort of enemies.
If nobody has ever been convicted of or even charged with treason for doing that, then that claim sounds speculative.
You are on a really slippery slope if you think the NSA is not a rogue agency, just like the CIA.
He specifically said the NSA is doing bad things, just not treason.
Interesting how that ties in with previous reporting
See http://www.bankinfosecurity.com/report-nsa-circumvented-encryption-a-6045 from September 2013 which reads in part:
Bruce Schneier, a widely followed cryptography expert, author and blogger, characterizes the revelation as explosive. “Basically, the NSA is able to decrypt most of the Internet,” he writes in his blog. “They’re doing it primarily by cheating, not by mathematics. … Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted.”
According to the news report, some of NSA’s most exhaustive efforts have concentrated on encryption widely used in the United States, including Secure Sockets Layer, virtual private networks and the protection used on fourth generation smart phones.
Note the explicit mention of SSL as well as Schneier’s comment that they’re decrypting most of the Internet.
Swipe at Open Source
Personally I liked their little attack on open source software:
“The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.”
and
“While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.”
Let’s remember though that while open source developers may have introduced Heartbleed by accident, they also revealed it when they found it. The NSA, by contrast, exploited it even though it was their duty to reveal it. And when the commercial developers at RSA introduced a security flaw, it was deliberate because they were *PAID* to do it.
Re: Swipe at Open Source
I would assume that they have a backdoor in the proprietary solutions, and want people to move to these, so that they keep their spying capabilities.
Re: Swipe at Open Source
The commenters over as Ars Technica have been ganging up on anyone saying anything negative about the Open Source community, by negative voting those comments into blocking & moderation, often without giving factual rebuttal. It’s interesting to see that here, where there’s a little freer commenting setup, that the potential NSA/Open Source connection is more openly talked about.
Obviously, tech observers are coming to the obvious conclusion that there’s a bit of a smoking gun here. And Open Source people doth protest too much, methinks.
Clearly, this incident is showing that Open Source software is no panacea in The Battle to Save the Internet (minimal hyperbole intended). The community is going to seriously have to up their game in terms of code openness, oversight, and review, if they want to be taken seriously, from now on…this screw-up was that bad.
Re: Re: Swipe at Open Source
No, open source isn’t a panacea: it’s necessary, but not sufficient.
I’ve said that for years. Decades, actually. Open source allows us to play the game, it doesn’t guarantee that we’ll win it. We clearly need to think about how this went wrong — whether or not it was deliberate sabotage — and we need to figure out how to prevent similar failures in the future.
One thing that would sure help would be if all the major sites that rely on this code kicked in a few bucks to support it. $100K is chump change to most of them, but if they all kicked just that tiny amount in, there would be enough funding to put half a dozen people to work on OpenSSL full time and to have the code audited and to have it extensively tested by fuzzers. (Let me note in passing that these operations are spending WAY more than $100K cleaning up this mess. So it would be cost-effective as well as very cheap.)
Re: Re: Re: Swipe at Open Source
“I’ve said that for years. Decades, actually.”
Me too. And, truthfully, only a small percentage of OSS folks have every said otherwise (and they’re the kind of zealots that exist everywhere are should be disregarded.)
However, the attacks on “open source” that we’re seeing now are intimating that there is something about open source that makes it more dangerous to use than closed source, and heartbleed is somehow the proof of this. That’s 100% industrial-grade bullshit.
Open source and closed source software are roughly equally error-prone. The history of closed-source software contains quite a few problems on the scale of heartbleed, after all.
The primary difference between the two is that with open source, there’s a greater chance that problems will be found before they bite too hard, and even more importantly, they tend to get fixed and those fixes distributed much more quickly.
Closed source software is full of examples of serious vulnerabilities that have gone unfixed for years despite being reported.
Re: Re: Re:2 Swipe at Open Source
Your points are well-taken. I’d like to comment on the speed of the response of the community, just to add to what you’ve said.
Compare, for example, the speed with which this flaw was (a) disclosed (b) analyzed (c) measured (d) fixed in the source (e) fixed in the distributions that use it (f) published (in the source and in the distributions) and (g) made understandable by a plethora of web sites, proof-of-concept attack tools, etc. with, for example the glacial response of Adobe to a 0-day in Acrobat: http://news.slashdot.org/story/11/12/07/0057227/adobe-warns-of-critical-zero-day-vulnerability
The impressive response speed (some distributions were updated within 12 hours) probably helped partially mitigate the consequences of this. That’s only possible because it’s open source — well, and because everyone recognized how serious this was rather quickly. That, at least, is one positive takeaway from the situation.
Re: Re: Re:2 Swipe at Open Source
There’s an even more important advantage of open source, IMO. If the original creators have no interest in developing the software any further, be it features or bugfixes, then you can always find someone to continue the work; you have access to the source, and permission to modify it. Even if you can’t do it yourself, you can always hire people to do it for you. With a propietary model you may not have that option, and you are completely at the mercy of the original vendor.
Re: Re: Re:3 Swipe at Open Source
Just look at how much Microsoft is raking in to maintain XP for various governments and large firms.
Re: Re: Swipe at Open Source
“The community is going to seriously have to up their game in terms of code openness, oversight, and review,”
It is interesting that even corporations who PAY people to work on open-source projects didn’t find this (and presumably other problems yet to be uncovered). It is asking a great deal of volunteers to work on this type of project if nobody is feeding them or paying their mortgage. One of the biggest problems has always been the lack of strong technical management for many open-source projects. I would do it but I also need to eat.
Re: Re: Re: Swipe at Open Source
Huh? From Slate.com:
Two corporations who “PAY people to work on open-source projects” did indeed find this.
Re: Re: Re: Swipe at Open Source
Open Source does not automatically mean “volunteer” any more than it automatically means “free”. There are lots of (and the numbers are increasing over time) software engineers who are paid to work on and develop open source software.
Re: Re: Swipe at Open Source
“Open Source software is no panacea in The Battle to Save the Internet “
No, open source software IS the internet. Open source definition: All the open projects of smart people who have actually created the internet for all practical purposes, as it is known today. Smart people like to do things openly, that way other smart people can contribute. Smart, huh?
Proprietary internet software: capitalists attempting to profit from the internet by attempting (and usually failing) to create equivalent proprietary versions of open source technology (once they see what cool new tool the smart people have made, they want to glom on for free and then sell it to others). These flawed technologies are then marketed to users, and obtain their userbase by virtue of that marketing rather than actual usefulness of the proprietary tool. Which is usually a broken and relatively hapless attempts to immitate what open source successfully does. Take a look at AD vs LDAP if you need an example.
Make no mistake, without the open source community through the years, todays internet would not exist. Period.
Previously they claimed that they only kept vulnerabilities to themselves if they thought they were only the ones with the resources to exploit them. Clearly that was yet another lie since Heartbleed is exploitable by anyone.
If this is true...
The last few days have been devastating to the NSA… as holes are being closed, private keys and certs are being recreated, and users’ passwords are being changed worldwide – most of their goodies are dissolving slowly.
The “bad guys” were probably the first to act on the news of this exploit, as they probably have the most to lose – so any pilfered passwords or keys that the NSA has already collected from them are probably junk now.
On the bright side, maybe the internet will “speed up” as the NSA will stop pounding against servers worldwide siphoning off the data that they’ve had unfettered access to for 2 years now.
Re: If this is true...
The scariest part of this is not that the NSA had access — although that’s bad enough.
The scariest part is not that other intelligence agencies might also have had access — although that’s worse.
The scariest part is that there exist criminal organizations on this planet with the financial and personnel resources to get in on this game too. There are some enormous operations that involve the fusion of organized crime with extremely smart highly-skilled technical people — the prototype of which was the Russian Business Network. These organizations are smart enough, rich enough, and clueful enough to exploit this.
Re: Re: If this is true...
I dunno. I think the NSA having access is worse than the other two groups.
As was surmised all along, the NSA purposely setups up bugs or knows of them and doesn’t reveal them to take advantage. Either way makes internet users far less secure. Microsoft was what you could say ‘busted’ over notifying the NSA of zero day bugs and then not fixing them for long spans of time.
This story just keeps going. It seems to have the legs of a giraffe. Every time you think they couldn’t possibly sink lower, you get a new reset on what that low is.
Face it, the entire government has went bonkers for data and any excuse, be it terrorism, kids, mom, or apple pie will work.
When will enough actually be enough?
Can’t wait to hear the NSA’s usual mouthpieces try to spin THIS one.
“Anyone who complains about their banks being vulnerable to hackers is a sissy! Either man up or start keeping your money in your mattress.”
(Hey, any bank CEOs out there? You’re not getting your lobbying money’s worth. Just saying.)
The problem with the NSA’s denial is that they are proven liars, and have every incentive to lie about this.
Re: Re:
Yeah, at this point I’d say the only people likely to believe their denial are those that have been supporting them this whole time no matter what(Feinstien and Rogers for example), to anyone not wearing ‘The spy agencies can do no wrong’-blinders the NSA has zero credibility, and they’ve only got themselves to blame.
and of course everyone is going to believe that! i dont think so!!
NSA and Heartbleed
The NSA denying that it knew anything about this security breach before it was made public this week is a lot of bullshit. Nothing the NSA says can be believed even with their new chief. After all, he’s only another Mike Rogers, full of shit and ready to stomp on the flgs and the constitution just as Barack Obama is.
FIPS
Anyone know if this bug is in the FIPS certified version of OpenSSL? If so, I would think that would call into question the security of any FIPS certified code.
Re: FIPS
Yes, you are right. This shines an ugly light on the emerging industry of corporate security hardening. In this industry, the security product gets an endorsement from the federal government. The company who wants to contract with the government must then use the security software which is endorsed by the government. This kind of debacle reveals how the entire security hardening industry is ultimately a cash grab, just like homeland security.
Of course they weren’t aware of Heartbleed.
They called it something else.
Update: The NSA has denied the Bloomberg report, briefly stating that the agency “was not aware of the recently identified Heartbleed vulnerability until it was made public.” We’ll continue to update as more information emerges.
Is that their least untruthful answer?
Re: NSA denial
Some possibilities:
* The NSA only considers itself “aware” of information when that information has been distributed to all employees and contractors.
* They consider an exploit to be “made public” the first time they transmit it across the Internet.
* They consider it public when the vulnerable source code is posted.
* They knew about it, but not by the name “Heartbleed”.
* The vulnerability was discovered earlier by someone else and “published” on some obscure hacking forum.
* The Five Eyes use wilful blindness for deniability: another agency developed the exploit, and sometimes the NSA asks them to grab and share some data without revealing how they got it.
* The NSA knew about it and can’t come up with any semantic tricks to justify a denial, and they simply don’t care about lying.
Hard to believe...
That they knew about it two years ago. If so, it probably would have been part of Snowden’s revelations. And they probably would have managed to stop Snowden before he left the country.
I would believe they knew about it before it became public, but I have a hard time believing two years ago.
Re: Hard to believe...
It’s the weekend. Give Glenn a few days to find the document.
Re: Re: Hard to believe...
It might take a little longer, he is visiting the US at the moment, and having the documents with him would be a bit foolish.
Re: Re: Hard to believe...
It shouldn’t take long now before it is released by either the Guardian or another outlet.
Could they be using the Sergeant Schultz excuse? Nah, my imagination.
Interesting
Of course the NSA is going to deny that they knew about this flaw before it was ‘officially’ found. That’s a given.
But I find it rather doubtful that the most powerful spy agency in the world, with all of it’s varied resources would not be privately aware of a vulnerability that would open up a technological nightmare-they’re supposed to be on the job for finding this kind of problem (defensive) and stopping hostile agents from using it against us.
We won’t talk about their efforts with various companies in opening up their source code and backdoors in the past. I mean, they weren’t looking for them and attempting to get them put in themselves?
Yes, it does seem a bit odd that they would not be the first to at least have heard about the problem in the beginning through private channels.
If that’s the case, they’re the most incompetent spy agency in the world.
Re: Interesting
Do those private channels include all the Internet communications, like between two black hat hackers?
They have a name for this
It’s called a Dereliction of Duty. It may not be Treason but its damn sure close and still requires nearly equal the punishment.
So the NSA is TOTALLY INCOMPETANT
time to shut the nsa down as it cant protect you
US govt knew
the software that’s out was …um er tested via US govt sites the sec they came available and guess what before the leak they were already fixed…..
THIS IS WHY WE KNOW THE NSA KNEW OF THIS BUG
A hundred years ago...
“I never believe anything until it’s officially denied.” ~ Otto von Bismarke
National Insecurity Agency
They claim that they reveal security holes if they are deemed dangerous to the general public or government.
I’d like to know if there’s a record of any security holes the NSA has gotten knowledge off in the past which was forwarded to developers in charge?
Anybody?
I really like the brunt of that last sentence – it reads like it came from the “control voice” of the Outer Limits (original version).