Not only did the NSA know about the Heartbleed internet bug--found to have exposed the sensitive information of countless web users--but they exploited it for their own intelligence gathering purposes for years, sources charge.
Bloomberg News reported late Friday that the agency found Heartbleed shortly after its introduction in early 2012, according to a person "familiar with the matter," and rather than reporting or repairing the flaw, the NSA adopted it as "a basic part of the agency's toolkit for stealing account passwords and other common tasks."
Heartbleed, believed to be one of the biggest flaws in the Internet's history, is a vulnerability in the OpenSSL protocol, which is used to encrypt communications between users and websites. The bug makes those supposedly secure sites an "open book," Bloomberg explains. The existence of Heartbleed was first made public on April 7.
By adding Heartbleed to its arsenal--as a means of obtaining passwords and other secure information--critics say the agency not only furthered its own controversial practice of stockpiling user information but also left millions of users vulnerable to outside attack.
After the allegations surfaced, the White House denied that they knew about Heartbleed prior to April 2012.
Regardless, Bloomberg's sources note that, in addition to Heartbleed, the NSA currently "has a trove of thousands of such vulnerabilities that can be used to breach some of the world's most sensitive computers."
The incident highlights what many are saying are the "fundamentally incompatible" dual missions of the agency: securing cyber-infrastructure and gathering foreign intelligence.
"Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals," John Pescatore, director of emerging security trends at a cyber-security training firm, the SANS Institute, told Bloomberg.
Fred Cate, director of Indiana University's Center for Applied Cybersecurity Research, wrote in October 2013:
"Privacy and security advocates have long worried that in pursuit of the latter, increasingly dominant mission, the agency would learn about software and other vulnerabilities and rather than disclose or attempt to fix them, the agency would exploit them, thus compromising the former mission."
"The president has identified cyber threats as among the most critical dangers facing the nation," added Cate. "Yet it is hard to take this claim too seriously when key responsibility for fighting those threats is given to the agency with the most to gain by hiding and exploiting them."
Warning of such abuse, in December 2013, President Obama's NSA review panel said the White House should not "undermine efforts to create encryption standards" and not "subvert, undermine, weaken or make vulnerable" commercial security software.
And as Julian Sanchez, founding editor of the Just Security blog, adds: "It's time to create an organization that's fully devoted to safeguarding the security of Internet users - even if that might make life harder for government hackers."