Bloomberg sources report today that the NSA knew about and exploited the vulnerability known as the “Heartbleed Bug” for at least 2 years. The move was apparently not to spy on citizens. It’s being said that the NSA has used the Heartbleed vulnerability to regularly find passwords on targets and gather sensitive information.
What makes it such an issue for the majority of users of major websites is that the backdoor was kept open. Criminal groups and hackers, identity and financial thieves, and the spy agencies of other governments could easily have used the same tactic.
How long did they know about it? The sources claim about two years. Just imagine how much information could have leaked, and how many lives were potentially affected, in that time.
This is not likely to be the only vulnerability the NSA has been exploiting, or the last. With thousands of hackers on their payroll, both officially and contracted, they have plenty of manpower. Companies and individuals doing vigilante security checks can’t compete to find them first.
But perhaps the most disturbing implications of this are related to the NSA’s past actions.
For one thing, they can’t claim any more that their primary purpose is national security. They have willingly exposed the nation to threats both domestic and global by keeping this secret.
Second, it gives us a bit of insight into their attempts to bully tech companies into creating backdoors into user information and communication. It wasn’t enough to have a secret key; they wanted a backup to do it without having to search out the keyhole.
If there was anything that the NSA could have done to completely implicate themselves, it was this. At least a small fraction of the security community has been willing up until this point to concede that their actions may have been misguided, but in the public’s general interests.
Now, there is no such defense. The NSA has no interest in the welfare or defense of the public. They exposed a large portion of the internet to something they knew could cause severe problems for everyone who uses it.
So, who are they working for? I doubt even they know at this point.
The NSA and the White House responded on Twitter, saying:
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
— NSA/CSS (@NSA_PAO) April 11, 2014
— IC on the Record (@icontherecord) April 11, 2014