Even If NSA Didn't Use Heartbleed In The Past, It Still Could Be Making Use Of It
from the this-isn't-over dept
We've already been discussing how President Obama has told the NSA it can continue exploiting computer security flaws, rather than fixing them, and also how the NSA's offensive and defensive roles are incompatible with each other. However, I wanted to highlight a more concerning point raised by Julian Sanchez about the NSA and Heartbleed in the article about the NSA's dual role: even granting that the NSA might not have known about Heartbleed until it became public, the NSA could still use it to its advantage, in part because it has so much old encrypted data stored up:

Here, however, is the really crucial point to recognize: NSA doesn't need to have known about Heartbleed all along to take advantage of it.

The agency's recently-disclosed minimization procedures permit "retention of all communications that are enciphered." In other words, when NSA encounters encryption it can't crack, it's allowed to – and apparently does – vacuum up all that scrambled traffic and store it indefinitely, in hopes of finding a way to break into it months or years in the future. As security experts recently confirmed, Heartbleed can be used to steal a site's master encryption keys – keys that would suddenly enable anyone with a huge database of encrypted traffic to unlock it, at least for the vast majority of sites that don't generate new keys as a safeguard against retroactive exposure.

If NSA moved quickly enough – as dedicated spies are supposed to – the agency could have exploited the bug to steal those keys before most sites got around to fixing the bug, gaining access to a vast treasure trove of stored traffic.

As Sanchez notes, this creates a dilemma for those who discover such flaws. Normally, they should want to reveal such things to the NSA to help with protecting networks. But doing so now might expose more risk. And, in fact, it seems likely that the NSA was aware of the bug prior to its revelation to the public. Note that in its denial of the Bloomberg story, it just says it wasn't aware prior to "April 2014," but not on which date in April it found out about it. Thus, it's likely the NSA had a heads up, and could collect a bunch of private keys to use against its encrypted data store for a few days before everyone else was informed to fix the vulnerability.
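A toy Python model of the forward-secrecy point in the quoted passage, added here as an illustration and not taken from the Techdirt post or Sanchez's article: a session keyed by static RSA key transport can be recovered from a recording once the server's long-term key leaks, while an ephemeral Diffie-Hellman session cannot. The parameters, session functions and observer function are constructed for the example and are far too small for real use.

```python
"""Toy model (added illustration, not real TLS) of why a leaked long-term
server key exposes recorded traffic only for sessions without forward secrecy."""
import hashlib
import secrets
from typing import Optional

# Constructed toy parameters; these sizes are nowhere near safe for real use.
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's long-term private key
DH_P, DH_G = 2**127 - 1, 3                          # toy Diffie-Hellman group


def kdf(secret: int) -> bytes:
    """Derive a session key from a shared secret (toy KDF: plain SHA-256)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_transport_session() -> tuple:
    """Static RSA key exchange: the client encrypts a random premaster secret to
    the server's long-term public key. Returns (what the wire shows, session key)."""
    pms = 2 + secrets.randbelow(RSA_N - 2)
    record = {"kx": "RSA", "wire": pow(pms, RSA_E, RSA_N)}  # seen by a passive observer
    return record, kdf(pms)


def dhe_session() -> tuple:
    """Ephemeral DH: both sides pick fresh secrets per session; the long-term key
    would only sign the exchange (signature omitted here), never protect it."""
    x, y = 2 + secrets.randbelow(DH_P - 2), 2 + secrets.randbelow(DH_P - 2)
    gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    shared = pow(gy, x, DH_P)
    assert shared == pow(gx, y, DH_P)                 # both sides derive the same value
    record = {"kx": "DHE", "wire": (gx, gy)}          # all the observer gets to record
    return record, kdf(shared)


def observer_recovers(record: dict, stolen_d: int) -> Optional[bytes]:
    """Someone who stored the handshake and later obtains the server's private
    exponent (e.g. through a key leak) tries to recover the session key."""
    if record["kx"] == "RSA":
        # Decrypting the recorded premaster secret yields the exact session key.
        return kdf(pow(record["wire"], stolen_d, RSA_N))
    # DHE: the record holds only g^x and g^y. The stolen key never touched the
    # ephemeral secrets, so there is no route to g^(xy) short of a discrete log.
    return None
```

Sites that rotated to ephemeral key exchange before the leak would have left the stored ciphertext unreadable even after their certificate key was stolen.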
Filed Under: encryption, heartbleed, nsa, safety, surveillance
Come again?
Umm, who would ever be so stupid as to point out a security vulnerability to the NSA in hopes of protecting a network?
That's like pointing out that a house filled with valuables has a broken lock on the back door, absent owners, and no video security to a well-known gang of B&E experts. There's only one real possible end to that, and it's not 'improved security'.
Re: Come again?
It worked pretty well for Cliff Stoll.
Of course, that was back in the 80s.
https://en.wikipedia.org/wiki/Fuzz_testing
I'm finding it hard to believe the NSA didn't know about the Heartbleed bug before its public disclosure. I would hope the NSA, with a multibillion dollar annual budget, would have been fuzzing for software vulnerabilities in one of the most widely deployed cryptographic libraries, OpenSSL.
Then again, perhaps they're actually that incompetent, despite their sky high budget. I dunno. I guess it's 50/50, but I'm leaning towards the NSA probably knowing about Heartbleed, especially after the anonymous Bloomberg sources stating the NSA did know about it.
I've no sympathy for them as they have been guided by psychopaths into something that is an anathema to what democracy is supposed to be about.
Trust in the government is at an all-time low, not just among its own citizens but in the global community as well.
Keep that criminal communication
...because having unbreakable encryption is proof you have something to hide, right? And we all know having something to hide proves you are a criminal, right?
Re:
Not much, actually, prima facie.
Except for the fact that the NSA is not supposed to be a spy agency.
The NSA is supposed to play a defensive role, not an offensive one. The true harm is not, as you say, the act of exploiting the Heartbleed flaw per se, but rather it would be the inaction of not informing the general public of this widespread vulnerability.
Indeed, if the NSA knew about Heartbleed for even a few days before the general public, then by not informing those United States Citizens (who they are ostensibly protecting) affected by this vulnerability, they not only have failed in their mission of defense, but have implicitly harmed the vital infrastructure of this Nation.