What Happened with Heartbleed?

Posted in laptop, Tech news  by Carol
August 24th, 2016

With all the talk about the NSA’s access to zero-day exploits, it may be time for a refresher on what happened with the Heartbleed vulnerability back in 2014. After all, this is the first time the public has turned its attention back to VEPs since the fateful day that a major security flaw was discovered in the OpenSSL encryption software and the NSA allegedly had known about it beforehand.

The flaw created a backdoor through the encryption provided by OpenSSL, a security service used by a majority of websites and a multitude of other pieces of internet infrastructure. While the NSA denied these claims, two anonymous sources came forward to Ars Technica and disclosed that the NSA had known about the bug for “at least two years.”

“When Edward Snowden warned that the NSA is ‘setting fire to the future of the internet,’ this is presumably the kind of thing he was talking about,” explained Jameel Jaffer, deputy legal director at the American Civil Liberties Union. “If this report is true, then the NSA is making hundreds of millions of people around the world more vulnerable to hacking and identity theft, and it’s compromising the trust that allows the internet to function. The NSA has lost sight of its mission, and it has lost sight of the values of the society it’s supposed to be protecting,” he continued.

NSA spokesperson Vanee Vines refuted any claims that the NSA was aware of the vulnerability, saying in an official statement that the “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector security report. Reports that say otherwise are wrong.”

In response to the Bloomberg story that published the revelations of the two anonymous sources, the Office of the Director of National Intelligence’s Public Affairs Office issued a direct denial:

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong… The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

The ODNI went on to explain that it would have been in the Federal government’s best interest to fix any such bug: “It is in the national interest to responsibly disclose the vulnerability rather than hold it for an investigative or intelligence purpose.”

Perhaps in this particular case, the Heartbleed bug really would have been too dangerous for the government to quietly exploit. That said, it’s difficult to understand exactly what the situation was since there’s little to no transparency when it comes to the NSA’s dealings. Perhaps now that it’s possible to hack the NSA, the general public will be able to learn more about what exactly the “No Such Agency” gets up to.
