According to a report from Bloomberg, the National Security Agency (NSA) is said to have known about the Heartbleed bug for years, using the flaw in the system as a way to gather intelligence. The bug, which was revealed this week, has been causing panic among internet users worried about the security of their passwords on major sites such as Facebook, Google, Yahoo!, and GoDaddy.
The report says that the NSA knew about Heartbleed for at least two years. “Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”
This calls into question the validity of the NSA, which has repeatedly come under fire over the last year for its surveillance techniques. “It flies in the face of the agency’s comments that defense comes first,” said former Air Force cyber officer Jason Healey.
According to one of Bloomberg’s sources, the NSA discovered the Heartbleed bug shortly after it was introduced in 2012, but instead of notifying the public, Heartbleed “became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.”
“We’ve never seen any quite like this,” said vice president of security research at Zscaler Michael Sutton. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”
Security analyst Graham Cluley talked with Digital Trends, noting, “If it’s true that the NSA knew about the Heartbleed bug, but didn’t tell anyone about it, then they’ve let down everyone who uses the Internet — both around the globe, as well as the law-abiding citizens they are supposed to protect in the United States.”
James Lewis, cybersecurity senior fellow at the Center for Strategic and International Studies, said that NSA processes dictate that a discovery of this kind would have been escalated to the agency’s director. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.” If that’s true, it appears the security of everyone on the web was deemed to be of less importance than having easy access to the data of millions.
What do you think about the NSA withholding Heartbleed’s discovery from everyone for so long?