NSA Used Heartbleed Attack, Failed To Warn Of Its Danger

The U.S. National Security Agency knew for years about the Heartbleed bug and exploited it against Americans, according to Bloomberg.

System administrators, software developers, and computer support personnel are trained to immediately report all security flaws. Bloomberg says that didn’t happen here.

The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

Keeping bugs secret from the public is prudent, as this keeps additional bad guys from realizing that a bug is present for exploitation. There is only one reason for keeping flaws secret from the programmers who made the errors, however, and that is to be able to keep using the flaw. The agency irresponsibly left Americans unsafe.

While the NSA ought to be exploiting any weakness in the information infrastructure of foreign governments and America’s enemies, without a warrant it should not do so to Americans. In addition, failure to disclose flaws also allows other attackers to continue to use the flaws against the American public.

FreedomWorks and Senator Rand Paul are suing the NSA on behalf of all Americans.

The Heartbleed bug is the result of a programming flaw in the OpenSSL suite of software that powers many Internet sites’ security. In the flawed implementation, a server (such as a web site) receives a heartbeat request from the client that asks for a piece of information of a stated size.

Rather than checking that the piece of information is actually the requested size, the flawed server implementation delivers a chunk of memory of the requested size, up to 64 kilobytes. Since multiple users’ security information is often stored together in memory, the Heartbleed exploit usually delivers other users’ secrets, such as passwords. It may not be the information an attacker is seeking, and it only affects data the server had recently accessed, but the attack can be repeated over and over.
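To make the flaw described above concrete, here is an added example in C; it is not OpenSSL’s code and not part of the original article. It models a simplified heartbeat handler with the length-check defect beside its hardened form and runs both over a constructed block of “server memory” in which a malformed record sits next to another session’s data. The record layout (type byte, two-byte length, payload, 16 bytes of padding), the contents of `demo_memory` and the function names are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define HB_PADDING 16   /* a heartbeat message ends with 16 bytes of padding */
#define HB_REQUEST 1
#define DEMO_RECORD_LEN 23   /* 1 type + 2 length + 4 payload + 16 padding */

/* Constructed "server memory": a heartbeat record that claims a 40-byte
 * payload but carries only 4, followed by data another session left behind. */
static const unsigned char demo_memory[] =
    "\x01"                                 /* type: heartbeat request */
    "\x00\x28"                             /* claimed payload length: 40 */
    "PING"                                 /* actual payload: 4 bytes */
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"     /* 16 bytes of padding */
    "other-user-password=hunter2;sid=42";  /* neighbour's data (constructed) */

/* Model of the flawed handler: the payload length is read from the message
 * itself and never compared with the size of the record that arrived. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;                         /* the defect: rec_len is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST || payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);     /* copies past the real record */
    return (int)payload_len;
}

/* Hardened handler: header, claimed payload and padding must all fit inside
 * the record actually received, otherwise the message is silently dropped. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    if (rec[0] != HB_REQUEST || payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* 1 if the flawed handler's reply carries the neighbouring session's data. */
int vulnerable_leaks_secret(void) {
    unsigned char resp[64];
    int n = heartbeat_vulnerable(demo_memory, DEMO_RECORD_LEN, resp, sizeof resp);
    return n == 40 && memcmp(resp + 20, "other-user-password=", 20) == 0;
}
/* 1 if the fixed handler drops the same malformed record. */
int fixed_rejects_request(void) {
    unsigned char resp[64];
    return heartbeat_fixed(demo_memory, DEMO_RECORD_LEN, resp, sizeof resp) == -1;
}
```

The over-read here stays inside the `demo_memory` array, so the demo itself never touches memory it does not own; in a real server the same copy walks into whatever happened to sit beside the request buffer.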

Together with the NSA’s massive and illegal collection of data on all individuals, these secrets could be used to spy on Americans. People often use the same password in multiple locations, so finding one password would allow the NSA to use it in the other locations it discovered with its illegal phone and Internet tracking.