The US National Security Agency (NSA) reportedly knew about the Heartbleed flaw and regularly used it to gather critical intelligence, according to the Bloomberg news agency.
Heartbleed is the name given to a software vulnerability in OpenSSL, an open-source cryptographic library widely used to secure Internet communications. OpenSSL is commonly used by Web servers, VPN software, and even on networking gear.
The bug lets a remote attacker read memory from the affected process without authentication. The attacker does not choose which memory comes back, but each malicious request can return up to about 64 KB of whatever happens to sit in the process's heap, which may include login credentials, session cookies, private keys, and certificates. Network administrators and service providers have been scrambling to patch affected systems, and some companies have assured users the problem has been addressed on their end. Patching closes the hole but does not undo what may already have been read: private keys that were exposed should be replaced and their certificates reissued and revoked, and user passwords and sessions reset.
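The following is an added illustration, not code from the article or from OpenSSL: a simplified C model of the TLS heartbeat handling that Heartbleed broke. A heartbeat record carries a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding. The vulnerable responder trusts the attacker-supplied length and copies that many bytes back, running past the real payload into neighbouring memory; the fixed responder compares the claimed length against the bytes actually received and drops the request when they disagree. The arena, the "ping" payload, the session-cookie string standing in for neighbouring heap data, and all function names are constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3    /* 1-byte type + 2-byte big-endian payload_length */
#define HB_MIN_PAD  16   /* RFC 6520 minimum padding */
#define ARENA_SIZE  128

/* Constructed "heap" for the demo: the heartbeat record sits at offset 0 and
 * is followed by bytes standing in for unrelated data that happened to live
 * next to it in the process. Both the record and the secret are invented. */
static unsigned char arena[ARENA_SIZE];
static const char adjacent_secret[] = "session=4f3c-SECRET-COOKIE";

/* Write a request whose header claims claimed_len payload bytes but which
 * really carries the 4-byte payload "ping". Returns the true record length. */
static size_t build_request(uint16_t claimed_len)
{
    size_t record_len = HB_HDR + 4 + HB_MIN_PAD;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&arena[HB_HDR], "ping", 4);           /* padding stays zero */
    memcpy(&arena[record_len], adjacent_secret, sizeof adjacent_secret - 1);
    return record_len;
}

/* Vulnerable responder, modelled on the defect: the attacker-supplied
 * payload_length is used as the copy size without comparison to the bytes
 * actually received. mem_size is the arena size; that guard exists only to
 * keep this model well-defined C, the original code had none. */
static size_t heartbeat_vulnerable(const unsigned char *mem, size_t mem_size,
                                   unsigned char *out, size_t out_cap)
{
    if (mem_size < HB_HDR || mem[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((mem[1] << 8) | mem[2]);
    if (HB_HDR + (size_t)payload_len > mem_size ||
        HB_HDR + (size_t)payload_len > out_cap) return 0;  /* demo-only */
    out[0] = HB_RESPONSE; out[1] = mem[1]; out[2] = mem[2];
    /* Runs past the 4 real bytes and the padding into the neighbour. */
    memcpy(&out[HB_HDR], &mem[HB_HDR], payload_len);
    return HB_HDR + payload_len;
}

/* Fixed responder: the record must hold the header, the claimed payload and
 * the minimum padding, otherwise the request is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                              unsigned char *out, size_t out_cap)
{
    if (record_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload_len + HB_MIN_PAD > record_len) return 0; /* the missing check */
    if (HB_HDR + (size_t)payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(&out[HB_HDR], &rec[HB_HDR], payload_len);
    return HB_HDR + payload_len;
}

/* Byte-buffer substring search (memmem is not standard C). */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Over-claim (60 claimed, 4 sent) against the vulnerable responder:
 * 1 if the response contains the neighbouring secret. */
static int vulnerable_leaks_secret(void)
{
    unsigned char resp[ARENA_SIZE];
    build_request(60);
    size_t n = heartbeat_vulnerable(arena, ARENA_SIZE, resp, sizeof resp);
    return n > 0 && contains(resp, n, adjacent_secret);
}

/* Same over-claim against the fixed responder: 1 if it is dropped. */
static int fixed_rejects_overclaim(void)
{
    unsigned char resp[ARENA_SIZE];
    size_t record_len = build_request(60);
    return heartbeat_fixed(arena, record_len, resp, sizeof resp) == 0;
}

/* Honest request (4 claimed, 4 sent): the fixed responder echoes exactly
 * "ping". Returns the response length, 7, or 0 on any mismatch. */
static size_t fixed_echoes_honest_request(void)
{
    unsigned char resp[ARENA_SIZE];
    size_t record_len = build_request(4);
    size_t n = heartbeat_fixed(arena, record_len, resp, sizeof resp);
    return (n == HB_HDR + 4 && memcmp(&resp[HB_HDR], "ping", 4) == 0) ? n : 0;
}

int main(void)
{
    printf("vulnerable responder leaks neighbour: %d\n", vulnerable_leaks_secret());
    printf("fixed responder drops over-claim:     %d\n", fixed_rejects_overclaim());
    printf("fixed responder echoes honest ping:   %zu bytes\n", fixed_echoes_honest_request());
    return 0;
}
```

The single line marked "the missing check" is the whole difference between the two responders: once the claimed length is bounded by the record that actually arrived, an over-claiming request gets no reply at all, which is also why the flaw stayed invisible to normal traffic, since an honest client never asks for more than it sent.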
The big question up until now has been who else knew about the security flaw, and which servers may have been targeted. Unnamed sources told Bloomberg that NSA experts used the Heartbleed flaw to obtain passwords and other basic data that were the “building blocks of the sophisticated hacking operations,” according to the report.
The agency reportedly found the Heartbleed glitch shortly after it appeared in the code, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks, the sources said. An NSA spokesperson declined to comment on the matter.
Looking for and stockpiling software vulnerabilities is part of the NSA’s mission, although the practice is highly controversial because the agency keeps its discoveries secret. By choosing not to report a vulnerability, the NSA adds a tool to its arsenal, but it also leaves users unprotected because the bug doesn’t get fixed.
“It flies in the face of the agency’s comments that defense comes first,” Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer, told Bloomberg. “They are going to be completely shredded by the computer security community for this.”
Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor to several publications including iPCMag.com, where she is a networking and security analyst. She was also a senior writer at eWeek, where she covered security, core Internet infrastructure and open source, and a senior technical editor at CRN Test Center, reviewing open source, storage, and networking products.