Even If NSA Didn't Use Heartbleed In The Past, It Still Could Be Making Use Of It

from the this-isn't-over dept

We've already been discussing how President Obama has told the NSA it can continue exploiting computer security flaws, rather than fixing them, and also how the NSA's offensive and defensive roles are incompatible with each other. However, I wanted to highlight a more concerning point raised by Julian Sanchez about the NSA and Heartbleed in the article about the NSA's dual role: and it's that, even granting the fact that the NSA might not have known about Heartbleed until it became public, the NSA could still use it to their advantage, in part because it has so much old encrypted data stored up:

Here, however, is the really crucial point to recognize: NSA doesn't need to have known about Heartbleed all along to take advantage of it.

The agency's recently-disclosed minimization procedures permit "retention of all communications that are enciphered." In other words, when NSA encounters encryption it can't crack, it's allowed to – and apparently does – vacuum up all that scrambled traffic and store it indefinitely, in hopes of finding a way to break into it months or years in the future. As security experts recently confirmed, Heartbleed can be used to steal a site's master encryption keys – keys that would suddenly enable anyone with a huge database of encrypted traffic to unlock it, at least for the vast majority of sites that don't generate new keys as a safeguard against retroactive exposure.

If NSA moved quickly enough – as dedicated spies are supposed to – the agency could have exploited the bug to steal those keys before most sites got around to fixing the bug, gaining access to a vast treasure trove of stored traffic.

As Sanchez notes, this creates a dilemma for those who discover such flaws. Normally, they should want to reveal such things to the NSA to help with protecting networks. But doing so now might expose more risk. And, in fact, it seems likely that the NSA was aware of the bug prior to its revelation to the public. Note that in its denial of the Bloomberg story, it just says it wasn't aware prior to "April 2014," but not on which date in April it found out about it. Thus, it's likely the NSA had a heads up, and could collect a bunch of private keys to use against its encrypted data store for a few days before everyone else was informed to fix the vulnerability.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: encryption, heartbleed, nsa, safety, surveillance


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That One Guy (profile), 14 Apr 2014 @ 2:24pm

    Come again?

    Normally, they should want to reveal such things to the NSA to help with protecting networks.

    Umm, who would ever be so stupid as to point out a security vulnerability to the NSA in hopes of protecting a network?

    That's like pointing out that a house filled with valuables has a broken lock on the back door, absent owners, and no video security, to a well known gang of B&E experts, there's only one real possible end to that, and it's not 'improved security'.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Apr 2014 @ 4:12pm

    A Finnish company named Codenomicon, found the Heartbleed bug first using a software probing technique known as 'fuzzing'.

    https://en.wikipedia.org/wiki/Fuzz_testing

    I'm finding it hard to believe the NSA didn't know about the Heartbleed bug, before it's public disclosure. I would hope the NSA, with a multibillion dollar annual budget, would have been fuzzing for software vulnerabilities in one of the most widely deployed cryptographic libraries, OpenSSL.

    Then again, perhaps they're actually that incompetent, despite their sky high budget. I dunno. I guess it's 50/50, but I'm leaning towards the NSA probably knowing about Heartbleed, especially after the anonymous Bloomberg sources stating the NSA did know about it.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Apr 2014 @ 4:14pm

    The NSA has so ruined it's creditability, it could claim the sky was blue and grass was green and everyone would be hunting for the catch in that statement seeking the hidden meaning.

    I've no sympathy for them as they have been guided by psychopaths into something that is an anathema to what democracy is supposed to be about.

    Trust in the government is at an all time low, not just by it's own citizens but by the global community as well.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Apr 2014 @ 6:21pm

    If the NSA couldn't find Heartbleed in the most used crypto library by far on the Internet, with their thousands of security researchers and billions of dollars in resources every year, why the hell does it even exist?

    link to this | view in chronology ]

  • icon
    Coyne Tibbets (profile), 14 Apr 2014 @ 6:59pm

    Keep that criminal communication

    "In other words, when NSA encounters encryption it can't crack, it's allowed to – and apparently does – vacuum up all that scrambled traffic and store it indefinitely, in hopes of finding a way to break into it [...]"

    ...because having unbreakable encryption is proof you have something to hide, right? And we all know having something to hide proves you are a criminal, right?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Apr 2014 @ 7:21pm

    I am not getting it: what is wrong with spy agency expoliting flaws per se?

    link to this | view in chronology ]

    • icon
      Kal Zekdor (profile), 14 Apr 2014 @ 8:40pm

      Re:

      I am not getting it: what is wrong with spy agency expoliting flaws per se?

      Not much, actually, prima facie.

      Except for the fact that the NSA is not supposed to be a spy agency.

      The NSA is supposed to play a defensive role, not an offensive one. The true harm is not, as you say, the act of exploiting the Heartbleed flaw per se, but rather it would be the inaction of not informing the general public of this widespread vulnerability.

      Indeed, if the NSA knew about Heartbleed for even a few days before the general public, then by not informing those United States Citizens (who they are ostensibly protecting) affected by this vulnerability, they not only have failed in their mission of defense, but have implicitly harmed the vital infrastructure of this Nation.

      link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.