The critical “Heartbleed” bug reported earlier this week to have affected the security of most of the internet was discovered by researchers at the United States National Security Agency two years earlier, according to a new report.
On Friday afternoon, Bloomberg News journalist Michael Riley reported that the NSA knew about the monstrous flaw for at least two years ahead of this week’s announcement, but kept it hidden from technologists and instead exploited it to hack the computers and correspondence of certain intelligence targets.
Earlier in the week, the open-source OpenSSL internet security project issued an emergency advisory after the discovery of the Heartbleed bug revealed a weakness that may, for years, have allowed hackers to access online information otherwise thought to be protected by the SSL/TLS encryption standard used by around two-thirds of the web.
But according to sources that Riley says are familiar with the matter, the NSA kept details of the bug a secret shortly after first discovering it in early 2012 so that it could be added to the agency’s toolbox of exploits and hacks.
“The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks,” Riley wrote.
“Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost,” he added. “Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”
Shortly after Bloomberg published their report, agency spokeswoman Vanee Vines told the National Journal that the NSA “was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report.”
“Reports that say otherwise are wrong,” she said, dismissing Riley’s report.
In December, a five-person review group handpicked by US President Barack Obama to reassess the NSA’s intelligence-gathering abilities said that the government must not stockpile details about any so-called “zero day” vulnerabilities, or flaws unknown to computer programmers, who have thus had “zero days” to patch them.
“In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection,” the group told the president. “Eliminating the vulnerabilities — ‘patching’ them — strengthens the security of US Government, critical infrastructure, and other computer systems.”
“We recommend that, when an urgent and significant national security priority can be addressed by the use of a Zero Day, an agency of the US Government may be authorized to use temporarily a Zero Day instead of immediately fixing the underlying vulnerability.”
Pres. Obama has since asked Congress to adhere to one of that group’s recommendations — halting the government’s bulk collection of telephony metadata — but has not publicly spoken of zero days before or after this week’s discovery of Heartbleed.
Previously, however, journalists and privacy advocates working with the trove of classified NSA documents disclosed last year by former contractor Edward Snowden said that the secretive intelligence agency had been undermining the very security of the internet by exploiting other flaws to hack targets.
At a security conference in December, expert Jacob Appelbaum from Germany’s Der Spiegel magazine said that the NSA had acquired the means to compromise any Apple iPhone in the world and occasionally relied on a number of high-tech tools and implants to hack targets.
“Basically the NSA, they want to be able to spy on you. And if they have ten different options for spying on you that you know about, they have 13 ways of doing it and they do all 13. So that’s a pretty scary thing,” said Appelbaum, who previously spoke on behalf of WikiLeaks at a US conference and is a core member of the Tor anonymity project.
And since June, NSA leaks disclosed by Mr. Snowden have shown that the NSA has done everything from physically tapping into fiber optic undersea internet cables to get further access to the world’s communications, to tricking the systems administrators of private companies into installing malware that would open up their machines to American spies.