The Heartbleed Security Flaw, How Long It Existed, And The Role of the Intelligence Community

Heartbleed Spreads, The NSA Denies It Knew About The Security Flaw

A lot happened last week. First, there was the revelation about the Heartbleed security flaw. Then, the Heartbleed bug was found in Cisco routers and Juniper Networks equipment. Networking vendors, including F5 Networks and Fortigate, issued security alerts about their equipment. Many mobile devices running the Android operating system are vulnerable. There was speculation Friday about when the intelligence community learned about Heartbleed. Bloomberg reported on Friday that the NSA knew about it and used it for surveillance and hacking.

Also on Friday, the developer who introduced the error into the SSL open-source code apologized. For readers who are unfamiliar with the history of SSL (Secure Sockets Layer), it was introduced by Netscape in 1994. Like any other software, there have been several versions (e.g., 1.0, 2.0, etc.) of it. Some versions have more vulnerabilities than other versions. SSL is also open-source software, meaning it is community-based: developers from several companies work on it (as their employers donate time and resources) to improve it. The theory is that several people working on software will make it stronger and better than otherwise.

There is no way for consumers to know which OpenSSL version a website uses. Sites may use their own, proprietary version or the open-source version. The Heartbleed site listed the vulnerability by version:

"OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable. OpenSSL 1.0.1g is NOT vulnerable. OpenSSL 1.0.0 branch is NOT vulnerable. OpenSSL 0.9.8 branch is NOT vulnerable. Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."

This makes one wonder if there wasn't enough invested in OpenSSL improvements. Or, too many websites used older versions. Or both. Meanwhile, online criminals and identity thieves have gotten better and more skillful. So, software like OpenSSL needs to be continually improved.
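The version range quoted above is the one thing an administrator can act on directly. The following is an added example, not code from the original post: it parses `openssl version` banners (the hostnames and banners in the sample inventory are constructed) and flags hosts reporting a build in the 1.0.1 through 1.0.1f range, so an inventory can be triaged for review.

```python
import re

# Vulnerable range exactly as quoted above: OpenSSL 1.0.1 through 1.0.1f
# inclusive; 1.0.1g is fixed; the 1.0.0 and 0.9.8 branches are unaffected.
VULNERABLE_BRANCH = (1, 0, 1)
LAST_VULNERABLE_LETTER = "f"

# Matches the leading part of an `openssl version` banner such as
# "OpenSSL 1.0.1e 11 Feb 2013". The patch letter is optional ("1.0.1" alone).
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) parsed from a banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_in_heartbleed_range(banner):
    """True when the banner's version lies in 1.0.1 .. 1.0.1f inclusive.

    Caveat: some Linux distributions backported the fix into builds that
    still report 1.0.1e, so True means "verify this host", not "confirmed".
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = parsed
    if (major, minor, patch) != VULNERABLE_BRANCH:
        return False
    # Single-letter patch suffixes sort alphabetically; "" (plain 1.0.1) < "a".
    return letter <= LAST_VULNERABLE_LETTER


def triage_inventory(inventory):
    """Map host -> banner to a sorted list of hosts whose banner needs review."""
    return sorted(h for h, b in inventory.items() if is_in_heartbleed_range(b))


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "web-1.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-2.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
    "api.example.test": "OpenSSL 1.0.1 14 Mar 2012",
}

if __name__ == "__main__":
    print("hosts to review:", triage_inventory(SAMPLE_INVENTORY))
```

A banner match is a starting point for patch verification, not a confirmation that the host is exploitable.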

Later on Friday, the Office of the Director of National Intelligence (ODNI) issued a statement responding to the Bloomberg report. The ODNI statement on April 11 read in part:

"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report.

Reports that say otherwise are wrong. Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services... If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

So, we are to believe that the largest, most advanced, and heavily funded intelligence agency on the planet did not know about a security flaw in encryption software. Encryption is essential to the business of spying, and we know from past news reports that the NSA sought to break all encryption.

So, I'm not believing the ODNI statement. The NSA and ODNI have made less than truthful statements before to the U.S. Congress. If they will lie to elected officials, they will lie to journalists and citizens. When these lies happen, they break the public's trust.

With trust broken, I find it most difficult to believe that the largest, most heavily funded, and advanced intelligence agency on the planet missed the Heartbleed security flaw. That's like the entire intelligence community missing the 9-11 hijackers' planning.

Since the surveillance document disclosures started last year, I have learned that it is important to parse the exact words in any statements from the ODNI and NSA. Did any NSA contractors and vendors know about Heartbleed? Did any NSA vendors and contractors exploit the Heartbleed flaw for surveillance and hacking? Did any other U.S. intelligence agencies know and use the Heartbleed security flaw? Did any other country's intelligence organization (e.g., GCHQ) know and use the Heartbleed security flaw? What definition of the word "know" is the ODNI using today? Did the NSA refer to this security flaw by a different name?

Hopefully, some investigative journalists are re-reading the disclosed documents for references to Heartbleed or an equivalent. More importantly, it is time for citizens to hear from Congressional officials on the intelligence oversight committees. It is time for the politicians responsible for oversight to do their jobs, or resign so we can elect representatives who will faithfully do their oversight jobs. It is time for the oversight committees to ask the tough direct questions, get honest (not prearranged) answers, hold the NSA and intelligence community accountable, and share what they've learned with their constituents.

On Friday, we also learned that the Heartbleed bug was found in Cisco routers and Juniper equipment. Networking vendors, including F5 Networks and Fortigate, have also issued security alerts about their equipment. What other brands have been affected? There are direct and indirect costs resulting from this mess. A poll earlier this year found that the public's confidence in online privacy has fallen for three straight years. Experts have warned that the dragnet NSA mass surveillance could cost U.S.-based cloud-services vendors $35 billion in lost revenues. Remember, lost revenues equal lost jobs.

In July 2013, we learned that the NSA had inserted code into the Google Android operating system software. Remember that? BusinessWeek reported on July 3, 2013:

"Google spokeswoman Gina Scigliano confirms that the company has already inserted some of the NSA’s programming in Android OS... Through its open-source Android project, Google has agreed to incorporate code, first developed by the agency in 2011, into future versions of its mobile operating system, which according to market researcher IDC runs on three-quarters of the smartphones shipped globally in the first quarter. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device."

So, we are to believe from Google that the NSA is trying to enhance or make security better. Really? How's that working for you? It doesn't seem too well, especially if it missed or failed to focus on OpenSSL encryption.

Some consumers have privately expressed their frustrations with having to change their online passwords piecemeal as each site implements Heartbleed fixes. Some people have just gone ahead and changed all of their passwords while hoping for the best. This raises more questions:

  • How long can this mess continue before it starts to have a big negative impact on people's willingness to use the Internet?
  • Will consumers use the Internet less and only for banking and shopping?
  • Or, are consumers so dependent on the convenience of the Internet that they will continue using it regardless of privacy abuses, except upon threat of death?
  • Can the Internet be fixed so it becomes the reliable, secure, private, and trustworthy medium we all hoped it would be?

Comments


Chanson de Roland

I realize that it is very hard to trust the government, particularly our intelligence agencies given their past record of mendacity and prevarication. But government's past misconduct isn't probative on the instant question about what the government knew about Heartbleed and when it knew it.

So what does the open-source record tell us? Well, it doesn't tell us much. Indicting the NSA with the statement that it knew of Heartbleed before 7 April 2014 is Bloomberg's unknown source, and that is it. Bloomberg is a responsible news organization, but it is impossible to evaluate the credibility of an unknown source. We can't know the agenda, competence, loyalties, or character of an unknown source. And when it comes to intelligence, we are in very murky waters, where it is even possible that Bloomberg's source, which I am sure it believes in good faith, is a foreign intelligence operative, who is seeking to accomplish some nefarious purpose, such as having our government force the NSA to disclose every exploit that it knows of. That, of course, would be foolish intelligence policy, which would be very damaging to the United States' ability to conduct legitimate signals intelligence.

And that Bloomberg's source is risking the jeopardy of a serious federal felony and prison time cuts both ways: It argues for the source's credibility but also makes one wonder about who would risk imprisonment and why he or she would do so.

Against all of that we have the NSA's categorical denial. But that too has problems. Unfortunately, NSA's less-than-candid former statements undercut its credibility, even though its past misconduct does not, as a matter of logic, prove that its instant denial is a lie. More troubling is that NSA's denial has a vagueness that could conceal deceit. But, on the other hand, NSA can't reasonably be expected to issue a statement of such clarity that it compromises its legitimate secrets, such as its relationships with its private contractors.

And it also isn't clear that the NSA would have done anything wrong in a moral sense even if it did know about Heartbleed and even if it exploited it for intelligence purposes, if it had good reason for doing so. And, even if NSA knew of Heartbleed, I don't know of any law that requires the NSA to disclose exploits, so such disclosure is a matter of the NSA's policy, where it must weigh the advantages and disadvantages for the United States of disclosing or not disclosing exploits to the public, nor does law prohibit the NSA from using exploits to conduct intelligence operations against foreign citizens and governments.

So we have assertions from an unknown source that NSA knew about Heartbleed that contends for credibility against NSA's denial that it knew about Heartbleed, where both the accuser and the NSA's denial leave much to be doubted as to even the facts of what NSA knew about Heartbleed and when it knew it, much less whether NSA did anything wrong regarding Heartbleed in either a moral or legal sense.

George Jenkins

FYI:

Heartbleed Disclosure Timeline: Who Knew What and When
http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html

NSA Must Reveal Bugs Like Heartbleed, Except When They Help The NSA
http://www.wired.com/2014/04/obama-zero-day/?mbid=social_twitter

Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say
http://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html

George
Editor
http://ivebeenmugged.typepad.com
