While Bruce Schneier may have been jumping to conclusions when he said:

“At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies.”

it did not take long for a couple of traces of recorded network traffic, as reported by Ars Technica, to provide at least a smoking gun. The Electronic Frontier Foundation said:

“A lot of the narratives around Heartbleed have viewed this bug through a worst-case lens, supposing that it might have been used for some time, and that there might be tricks to obtain private keys somewhat reliably with it.”

And now Bloomberg is reporting that it has “two sources familiar with the matter” who claim the NSA has been exploiting the Heartbleed bug almost since it was first introduced into OpenSSL. “The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence…”

In December, former head of the NSA Michael Hayden explained to securitycurrent:

“Some vulnerabilities are such that they marginally (but importantly) weaken a system but exploitation still depended on skills, systems and technologies that few, if any, can match. If the judgment is what is called NOBUS (nobody but us could do this), the risk management decision is pretty easy. Of course, that judgment could change over time and still requires continuous due diligence.”

It may be time for that “due diligence” to be revisited by Congress.