So much for just a pinprick.
Bloomberg reports that the National Security Agency exploited the Heartbleed bug that left two-thirds of the Internet unprotected for the last two years. The agency is said to have found the bug shortly after its introduction and made it a “basic part” of its intelligence gathering.
The revelation comes shortly after the Department of Homeland Security issued a warning to American Internet users asking them to change their passwords after confirming that the sites they visit have been updated. It also follows a blog post from CloudFlare in which the company said that the gathering of private keys by exploiting the bug was “at a minimum, very hard.”
The NSA’s ability to take advantage of the Heartbleed bug was questioned shortly after the bug was disclosed. It’s become common to describe Internet security problems as vulnerabilities with which two types of people — nefarious hackers and intelligence agencies — can gather data. Now it seems that Heartbleed didn’t allow individuals to gather information; it simply helped the NSA in its efforts to collect information about basically anyone connected to the Internet.
The revelation makes the Department of Homeland Security’s send-off in today’s blog post seem bitterly ironic. As the Department wrote:
While there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems. That is why everyone has a role to play in ensuring our nation’s cybersecurity. We have been and continue to work closely with federal, state, local and private sector partners to determine any potential impacts and help implement mitigation strategies as necessary.
Cybersecurity is a shared responsibility and when we take steps to ensure our own cyber safety, we are also helping to create a safer Internet for others.
A “shared responsibility” indeed.
Updated (4:55pm PST, April 11, 2014): The NSA issued an official statement denying the above reports. It reads, in part:
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report.