How the NSA shot itself in the foot by denying prior knowledge of Heartbleed vulnerability

Summary: In admitting it didn't know about a massive security flaw in one of the Web's most used encryption libraries, the NSA inadvertently revealed a massive institutional failure.

TOPICS: Security

The National Security Agency has eyes and ears everywhere. At least, so we thought.

In 2012, during a classified but widely known operation at Fort Meade, MD, government cryptographers and developers downloaded the OpenSSL source code, as the agency does with dozens of other software packages published on the Web. The operation's objective was to find weaknesses in the library and exploit them as part of the intelligence agency's wider efforts to conduct mass-scale surveillance.

After the code was downloaded and compiled, the developers were soon able to pinpoint a programming flaw that would have allowed the agency to collect usernames and passwords far more quickly, more efficiently, and at a lower cost than its bulk data collection programs, notably its fiber cable tapping operation, codenamed Upstream.

Executives and senior officials heralded it as one of the biggest vulnerability discoveries in the agency's recent history: a single programming flaw that it could exploit to tap directly into the communications of hundreds of millions of users, and to pull passwords, session cookies and even private keys straight out of server memory. Not just once, but at will, and without leaving a trace in the target's logs.

It was the NSA's golden goose.

Except that none of that happened, according to a statement by U.S. Director of National Intelligence James Clapper, issued on Friday in response to a Bloomberg report that cited two people familiar with the situation. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report."

"Reports that say otherwise are wrong," he added, noting that the U.S. government "relies" on OpenSSL to protect its users on government websites. "If the… government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

One of two things happened: either Bloomberg was misled by its sources, or the U.S. government is outright lying and scrambling to save face with an already disgruntled public.

Clapper's response instead disclosed a seismic weakness in the agency's pursuit of its own mission, to "protect U.S. national security systems and to produce foreign signals intelligence information."

Clapper has, whether intentionally or (more likely) inadvertently, revealed the agency's core internal weaknesses and deficiencies, probably more so than any single revelation leaked by whistleblower Edward Snowden, who remains responsible for the biggest global intelligence leak in post-World War II history.

The Snowden leaks have spelled out the NSA's job, first and foremost, in far more specific and precise terms than the agency's simplistic "protect America" rhetoric: tapping fiber cables, demanding data from Silicon Valley servers, intercepting wireless transmissions, and exploiting vulnerabilities and flaws in common encryption standards in order to vacuum up all the data it can.

Forget what you think about the NSA right now. Playing devil's advocate: as taxpayers we pay for the NSA to protect the U.S. and its citizens and interests, at home and abroad, from foreign threats. With a policy of "mutually assured destruction" between our friends, enemies, and frenemies on the world stage, intelligence gathering is simply a fact of life. And the NSA is not going anywhere any time soon.

By admitting that the NSA had not even known about the Heartbleed bug, let alone exploited it, a bug described as "catastrophic" and the "worst vulnerability found" on the Internet since commercial traffic began to flow along its pipes, Clapper has shown how fundamentally flawed the agency is.

Previous leaks have shown that the NSA has spent hundreds of millions of dollars in actively exploiting weaknesses in encryption standards in conjunction with its British electronic eavesdropping counterpart, GCHQ. These activities "undermine the fabric of the Internet," according to security experts.

It is not outside the bounds of reason to suggest that the NSA should have found the bug within days, weeks, or at most months after it was reportedly introduced, by accident, into the OpenSSL cryptographic library more than two years ago.

Knowing how crucial the library is to the world's web servers and online operations, the NSA should have downloaded the source code along with the other libraries available on the Web, compiled it, audited and fuzzed it within an inch of its limits to find bugs, flaws, and weaknesses, and discovered the Heartbleed bug long before it was disclosed earlier this month.

Whether or not the NSA should have exploited the vulnerability for its own intelligence-gathering operations remains an entirely separate question, which will not be answered here.

Despite the egregious infringement of the privacy and security of ordinary Americans and foreigners alike, one is nevertheless, if somewhat skeptically, inclined to believe Clapper's strongly worded, stern-toned and brazen statement. Until now he has shied away from public refutations about the NSA's capabilities and activities, not least because he got it badly wrong once before on the floor of Congress. Previous official responses have either declined to comment, citing ongoing intelligence operations, or released documents in an attempt to counter media negativity and public outrage with the government's own version of events.

Clapper has not been the most candid or honest official in the Obama administration since the leaks began appearing in the media in June 2013. In testimony to Congress in March 2013, before the PRISM disclosures, Clapper denied that the NSA collected data on millions of Americans; once the bulk collection of Americans' metadata was revealed, that answer was exposed as misleading, and he was pulled apart by the press as a result.

U.S. President Barack Obama defended Clapper in an interview with CNN's Jake Tapper earlier this year. He said: "[Clapper's] concern was that he had a classified program that he couldn't talk about and he was in an open hearing in which he was asked, he was prompted to disclose a program, and so he felt that he was caught between a rock and a hard place."

Clapper's debut as a candid public refuter on Friday was further hardened by his closing remarks.

"When Federal agencies discover a new vulnerability in commercial and open source software – a so-called 'Zero day' vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose," Clapper said.

"Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."

Reading between the lines of Clapper's comments, that "clear national security or law enforcement need" carve-out is a strong hint that, precisely because the scope and reach of this bug were so wide and pervasive, the NSA might well not have disclosed it had it found it, keeping it for itself to dive further into our private lives than the Snowden leaks have shown thus far.

But it didn't, because it was too busy looking in the wrong direction.


  • Questions

    There are 'indications' that the OpenSSL Heartbleed vulnerability might have been used in exploits in November, 2013:
    "We have spoken to Ars Technica's second source, Terrence Koeman, who reports finding some inbound packets, immediately following the setup and termination of a normal handshake, containing another Client Hello message followed by the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs from November 2013. These bytes are a TLS Heartbeat with contradictory length fields, and are the same as those in the widely circulated proof-of-concept exploit."

    If this can be corroborated by others via their own archived TLS-layer traffic logs, then the question is who was exploiting Heartbleed prior to the vulnerability becoming public knowledge?

    A software quality assurance project, known as the POSSE Project, was initiated in 2001 to apply OpenBSD Project code auditing techniques to other important open source projects, including the OpenSSL Project:

    I wonder why the U.S. military shut the POSSE Project down in April, 2003, "without notice"?
    Rabid Howler Monkey
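As an added example that is not part of the article or of the comment above: the eight bytes quoted there, 18 03 02 00 03 01 40 00, are a TLS heartbeat record whose header declares a 3-byte record while the heartbeat message inside claims a 16384-byte (0x4000) payload. The Python below, written for this page rather than taken from any project, parses a captured TLS record and applies the RFC 6520 bounds rule that OpenSSL 1.0.1g enforces (a heartbeat record must hold at least 1 + 2 + payload_length + 16 bytes), so the same check can be run over archived TLS-layer bytes to flag Heartbleed-style probes. The sample records and every function and variable name are my own constructions, not captured traffic.

```python
"""
Heartbleed probe check over captured TLS record bytes.

Added example for this page; not code from OpenSSL or from the article.
Layout follows RFC 6520 (TLS heartbeat extension). The bounds rule is the
one OpenSSL 1.0.1g added: a heartbeat record must be at least
1 (type) + 2 (payload_length) + payload_length + 16 (minimum padding) bytes.
"""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: padding of at least 16 bytes


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, declared_length, body).

    Raises ValueError when even the 5-byte record header is missing.
    The declared length comes from the wire; body may be shorter if the
    capture was cut off, and the caller decides how to treat that.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    return ctype, (major, minor), length, body


def classify_heartbeat(data: bytes) -> dict:
    """Return a verdict on one TLS record.

    verdict is one of:
      'not-heartbeat'  content type other than 0x18
      'malformed'      heartbeat record too short to hold its 3-byte header
      'probe'          claimed payload_length cannot fit in the record
                       (the Heartbleed condition: a vulnerable server copies
                       payload_length bytes from a record that holds far fewer)
      'ok'             payload_length consistent with the record length
    """
    ctype, version, rec_len, body = parse_tls_record(data)
    if ctype != TLS_HEARTBEAT:
        return {"verdict": "not-heartbeat", "content_type": ctype}
    if rec_len < 3 or len(body) < 3:
        return {"verdict": "malformed", "record_length": rec_len}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    needed = 1 + 2 + payload_len + MIN_PADDING
    # Bytes a vulnerable server would copy from beyond the real payload:
    over_read = max(0, payload_len - (rec_len - 3))
    verdict = "probe" if rec_len < needed else "ok"
    return {
        "verdict": verdict,
        "version": version,
        "heartbeat_type": hb_type,
        "record_length": rec_len,
        "payload_length": payload_len,
        "over_read": over_read,
    }


def scan(records):
    """Classify a list of captured records; return (probe_count, verdicts)."""
    verdicts = [classify_heartbeat(r)["verdict"] for r in records]
    return verdicts.count("probe"), verdicts


# Constructed samples (assumed, not captured traffic).
# 1. The eight bytes quoted in the comment: record length 3 (0x0003),
#    heartbeat request (01) claiming a 16384-byte payload (0x4000).
PROBE = bytes.fromhex("18 03 02 00 03 01 40 00")

# 2. A well-formed request: 4-byte payload "abcd" plus 16 bytes of padding,
#    so the record length is 1 + 2 + 4 + 16 = 23 (0x0017).
BENIGN = bytes.fromhex("18 03 02 00 17 01 00 04") + b"abcd" + b"\x00" * 16

# 3. A TLS 1.0 application-data record, to exercise the not-heartbeat path.
APPDATA = bytes.fromhex("17 03 01 00 02") + b"hi"


if __name__ == "__main__":
    for sample in (PROBE, BENIGN, APPDATA):
        print(sample[:8].hex(" "), classify_heartbeat(sample))
    print("probes found:", scan([PROBE, BENIGN, APPDATA])[0])
```

The over_read figure is how many bytes past the real payload a vulnerable server would have copied into its reply; for the quoted probe that is the full 16384. Flagging a probe only shows that someone sent a malformed heartbeat to the host; whether the server actually answered with leaked memory depends on the OpenSSL version it was running at the time.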
  • So, either lying or incompetent

    Interesting choice.
    Which is the worse proposition, in those meant to protect you?
    • Well said, Boothy_P

      I vote for lying, given Clapper's Congressional testimony track record.
    • What makes you think they're trying to protect you?

      Because they said so? They also said they weren't 'reading' your email. Clapper lied under oath to effing congress about surveillance in the United States. Besides, how is the NSA keeping you safe by tracking your movements, who you've talked to and what was said? Yea, you're right, they're NOT trying to keep you safe. They're just monitoring you. And everyone else. Without probable cause, no warrants, no common sense.

      The NSA obviously, willfully, violates the 4th Amendment. Every day. On purpose. They know what they are doing is wrong, and that's why they lie about what they are doing. Why do they do this? I don't know. But I know it has nothing to do with protecting me.

      And it's not lying or incompetent. It's lying and incompetent.
    • incompetent is the worse scenario

      because other people could be exploiting the weakness against the nsa. if the nsa is lying, presumably they would have at least protected their own.
    • NSA & GCHQ are not very good at their jobs...

      This has been my beef over this fiasco - what the hell were our so-called "security services" doing?

      Tapping all our phones and spying on our Facebook accounts is easy meat. But give them something a tad complex to deal with, then they are utterly buggered. That's why they missed this bug. That's also why they lean on companies to weaken encryption or give them special back doors.

      Despite their wide-ranging and probably unconstitutional powers, and despite the shedloads of public money that is pumped in their direction, truth is that our secret police are simply not very good at their jobs.
      • Should just add...

        IMO the strongest argument for slimming down both NSA and GCHQ and making what remains a lot more accountable to those who ultimately pay their wages is not because our secret police are scary, dishonest and unconstitutional.

        It's because they are expensive, bureaucratic and useless!
  • Perish the thought!

    "or the U.S. government is outright lying and clambering to save face with the already disgruntled public."

    I know this seems improbable given the unblemished record of truth coming from the NSA and the government, but there's a remote chance they MIGHT be lying about this.
  • Bug didn't exist in 2011

    The code commit which introduced the heartbleed bug didn't occur until 11:59pm on December 31st, 2011. You are evidently as thorough in your reporting as you think the NSA is in their code review.
    • Minor typo

      Granted, you're not wrong. From the Heartbleed website:

      "Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."

      That said, your tone and attitude wasn't constructive, and your comments could have been said in a far more pleasant manner. The date has been corrected.
      • Tone...

        Kinda like your tone in the article maybe?
    • Wasn't available to public....

      Until late March 2012. So many conspiracy theories, too little time.
  • The NSA is much more like a vast IT department

    That answers primarily to the DoD and the CIA, and more indirectly to Congress. They are told what to do and not necessarily how to do it. My big issue with all these "revelations" about the NSA is that they portray the NSA as though it's some sort of rogue, autonomous organization - no. Which is why these exposés will have little, if any, effect on how the NSA operates. If you are really, genuinely unhappy with the NSA, start with the members of Congress who have been authorizing, reauthorizing, and expanding what the NSA not only can do, but is supposed to do.
  • Left hand doesn't know what the right is doing?

    I don't think intelligence agencies or even within a single intelligence agency necessarily know everything they know, so to speak. You could call it word play, but Clapper has seemingly lied to Congress before. It could be that they believe what they are saying and that the spokespeople say they didn't know about the bug even though a group within the agency might have?
  • Way over blown!

    The NSA doesn't care about your cat photos or what restaurant you're going to for dinner. The NSA is scary because there are many unknowns about it, but they are looking for terrorists and the US's enemies. So what if the NSA is looking at your cat photos, your explicit images, or your work documents, etc. If you're not doing anything wrong, you shouldn't worry about the NSA!
    Pollo Pazzo
    • Protectifyin' our freedumbs!

      Free people aren't really free people if they regard freedom as a "nice to have" and not an essential component of civic life.

      More people are killed by deer than terrorists. So many of us now cower under our beds worrying about illusory terrorists that "they" have won without having to lift a finger in twelve years!

      They've taken our most valued treasure from us - our freedom - and did it by convincing us we ought to do it to ourselves!
    • Ok, Orwell

      "So what if the NSA is looking at your cat photos, your explicit images, or your work documents, etc. If you're not doing anything wrong, you shouldn't worry about the NSA!"

      The single most ridiculous post I have ever heard. Then why can't they just put a camera and microphone in your house, car, backyard, bathroom, whatever? If you're not doing anything wrong, why should you care?

      In fact, you should be implanted with location devices and monitoring equipment. Why should you care, right? You're not doing anything wrong.....

      We have a legislated and fought-for expectation of privacy that is not supposed to be violated without going through the proper checks and balances. Even if you're "not doing anything wrong", you expect the government to follow the rules, just like you have to.
    • Blind ignorance

      Every time I see a comment that says, "If you're not doing anything illegal you have nothing to worry about," it makes me think how blind and ignorant this person is. Who determines illegality? Why are you wasting good tax dollars chasing remote fears that don't affect us any more than random school shootings? We have a government that promotes fear to justify its existence.
  • The NSA's principal interest

    In information security should be in ensuring the very real needs of American business for information security, and not chasing after imaginary terrorists.
  • Not surprised

    Having worked as a contractor a time or two over the past several years, this doesn't surprise me in the least. First and foremost, the NSA is a bureaucracy, subject to the same tidal forces as all the rest of them.

    A project team such as the one described in the Bloomberg article (and I wouldn't doubt that there was one that found the vulnerability) suffers from a paradox at the outset: it can be small and nimble, quickly making decisions and inroads that lead to solutions to problems at breathtaking speed, but suffer from limited management attention, understanding or awareness beyond its organizational silo. Or, it can be larger, cross functional, and sponsored by a wide number of participating organizations, in which case, no decisions (and therefore actions taken) will get made in any kind of reasonable timeframe.

    While I have never worked for NSA, I have worked for enough other agencies to strongly suspect that the culture I found to be common in others is no different.