From The Folks Who Wanted to Be In Charge of Cybersecurity
This week, the Internet is in a tizzy, rightfully so, over the discovery of the Heartbleed bug — one of the biggest security glitches in the history of the Internet.
But now come the juicier revelations that the NSA may have known about it for at least two years, and not only told no one about it, but used it regularly to gather intelligence.
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.
The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.
And to think, if CISPA had become law like Rep. Mike Rogers (R-MI) and others wanted, the NSA would have been in charge of the nation’s cybersecurity policy.
UPDATE: The NSA and White House deny the allegations, releasing a statement this afternoon:
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong,” Hayden said. “The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report.”