Even If NSA Didn't Use Heartbleed In The Past, It Still Could Be Making Use Of It

from the this-isn't-over dept

We've already been discussing how President Obama has told the NSA it can continue exploiting computer security flaws rather than fixing them, and how the NSA's offensive and defensive roles are incompatible with each other. However, I wanted to highlight a more concerning point that Julian Sanchez raised about the NSA and Heartbleed in that article about the NSA's dual role: even granting that the NSA might not have known about Heartbleed until it became public, the NSA could still use it to its advantage, in part because it has so much old encrypted data stored up:

Here, however, is the really crucial point to recognize: NSA doesn't need to have known about Heartbleed all along to take advantage of it.

The agency's recently-disclosed minimization procedures permit "retention of all communications that are enciphered." In other words, when NSA encounters encryption it can't crack, it's allowed to – and apparently does – vacuum up all that scrambled traffic and store it indefinitely, in hopes of finding a way to break into it months or years in the future. As security experts recently confirmed, Heartbleed can be used to steal a site's master encryption keys – keys that would suddenly enable anyone with a huge database of encrypted traffic to unlock it, at least for the vast majority of sites that don't generate new keys as a safeguard against retroactive exposure.

If NSA moved quickly enough – as dedicated spies are supposed to – the agency could have exploited the bug to steal those keys before most sites got around to fixing the bug, gaining access to a vast treasure trove of stored traffic.

As Sanchez notes, this creates a dilemma for those who discover such flaws. Normally, they should want to reveal such things to the NSA to help with protecting networks. But doing so now might create more risk rather than less. And, in fact, it seems likely that the NSA was aware of the bug prior to its revelation to the public. Note that in its denial of the Bloomberg story, it just says it wasn't aware prior to "April 2014," but not on which date in April it found out. Thus, it's likely the NSA had a heads up, and could have collected a bunch of private keys to use against its encrypted data store for a few days before everyone else was informed to fix the vulnerability.
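The retroactive-decryption risk in the quoted passage is easiest to see in code. What follows is an added illustration, not code from Techdirt or from Sanchez's article. It models two key exchanges with constructed, deliberately tiny parameters and a toy XOR stream cipher: static RSA key transport, where the recorded handshake carries the session secret encrypted under the server's long-term key, and ephemeral Diffie-Hellman, where the long-term key only authenticates fresh per-session values. An eavesdropper stores both transcripts; later the long-term private key leaks, as Heartbleed allowed. The parameter values, the `RecordedSession` type and the function names are all assumptions of the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed toy parameters: far too small to be secure, chosen so the
# example runs instantly with the standard library only.
P_RSA, Q_RSA = 1000003, 1000033                     # two small primes
N_RSA = P_RSA * Q_RSA                                # server's long-term RSA modulus
E_RSA = 65537
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))   # long-term private exponent
P_DH, G_DH = 2**61 - 1, 2                            # toy Diffie-Hellman group


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream (demo only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class RecordedSession:
    kx: str             # "RSA" or "DHE"
    handshake: dict     # exactly what an eavesdropper sees on the wire
    ciphertext: bytes   # application data encrypted under the session key


def rsa_session(plaintext: bytes) -> RecordedSession:
    """Static RSA key transport: the premaster secret travels under the
    server's long-term public key, so its secrecy depends on that key forever."""
    premaster = secrets.randbelow(N_RSA)
    encrypted_premaster = pow(premaster, E_RSA, N_RSA)
    key = hashlib.sha256(str(premaster).encode()).digest()
    return RecordedSession("RSA", {"enc_premaster": encrypted_premaster},
                           keystream_xor(key, plaintext))


def dhe_session(plaintext: bytes) -> RecordedSession:
    """Ephemeral DH: fresh exponents per session. The long-term key would only
    sign g^a and g^b (signature omitted here); once the exponents are discarded,
    no recorded field contains the shared secret."""
    a = secrets.randbelow(P_DH - 2) + 1
    b = secrets.randbelow(P_DH - 2) + 1
    g_a, g_b = pow(G_DH, a, P_DH), pow(G_DH, b, P_DH)
    shared = pow(g_b, a, P_DH)
    key = hashlib.sha256(str(shared).encode()).digest()
    return RecordedSession("DHE", {"g_a": g_a, "g_b": g_b},
                           keystream_xor(key, plaintext))


def retroactive_decrypt(session: RecordedSession, leaked_d: int) -> Optional[bytes]:
    """What a party holding the stored transcript plus the leaked long-term
    private exponent can recover. Returns None when nothing in the transcript
    is decryptable with that key: the DHE case, which at real parameter sizes
    rests on the hardness of the discrete logarithm, not on this toy group."""
    if session.kx == "RSA":
        premaster = pow(session.handshake["enc_premaster"], leaked_d, N_RSA)
        key = hashlib.sha256(str(premaster).encode()).digest()
        return keystream_xor(key, session.ciphertext)
    return None


def demo() -> dict:
    """Record one session of each kind, then 'leak' D_RSA and try both."""
    msg = b"stored months before the key leaked"
    recorded = [rsa_session(msg), dhe_session(msg)]
    return {s.kx: retroactive_decrypt(s, D_RSA) for s in recorded}


if __name__ == "__main__":
    for kx, result in demo().items():
        print(kx, "->", result if result is not None
              else "not recoverable from the transcript")
```

Running it prints the recovered plaintext for the RSA session and "not recoverable" for the DHE one. That difference is the "safeguard against retroactive exposure" the quote refers to: a server configured to prefer forward-secret (ephemeral) key exchange limits a later private-key compromise to future sessions, which is why the practical response to a key-leaking bug is both to patch and to rotate keys and certificates, and to check that forward-secret suites are actually negotiated.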

Reader Comments

  1. That One Guy (profile), Apr 14th, 2014 @ 2:24pm

    Come again?

    Normally, they should want to reveal such things to the NSA to help with protecting networks.

    Umm, who would ever be so stupid as to point out a security vulnerability to the NSA in hopes of protecting a network?

    That's like pointing out that a house filled with valuables has a broken lock on the back door, absent owners, and no video security to a well-known gang of B&E experts; there's only one real possible end to that, and it's not 'improved security'.


  2. Mason Wheeler (profile), Apr 14th, 2014 @ 3:31pm

    Re: Come again?

    Umm, who would ever be so stupid as to point out a security vulnerability to the NSA in hopes of protecting a network?

    It worked pretty well for Cliff Stoll.

    Of course, that was back in the 80s.


  3. Anonymous Coward, Apr 14th, 2014 @ 4:12pm

    A Finnish company named Codenomicon, found the Heartbleed bug first using a software probing technique known as 'fuzzing'.

    https://en.wikipedia.org/wiki/Fuzz_testing

    I'm finding it hard to believe the NSA didn't know about the Heartbleed bug before its public disclosure. I would hope the NSA, with a multibillion dollar annual budget, would have been fuzzing for software vulnerabilities in one of the most widely deployed cryptographic libraries, OpenSSL.

    Then again, perhaps they're actually that incompetent, despite their sky high budget. I dunno. I guess it's 50/50, but I'm leaning towards the NSA probably knowing about Heartbleed, especially after the anonymous Bloomberg sources stating the NSA did know about it.


  4. Anonymous Coward, Apr 14th, 2014 @ 4:14pm

    The NSA has so ruined its credibility, it could claim the sky was blue and grass was green and everyone would be hunting for the catch in that statement, seeking the hidden meaning.

    I've no sympathy for them as they have been guided by psychopaths into something that is an anathema to what democracy is supposed to be about.

    Trust in the government is at an all time low, not just by its own citizens but by the global community as well.


  5. Anonymous Coward, Apr 14th, 2014 @ 6:21pm

    If the NSA couldn't find Heartbleed in the most used crypto library by far on the Internet, with their thousands of security researchers and billions of dollars in resources every year, why the hell does it even exist?


  6. Coyne Tibbets (profile), Apr 14th, 2014 @ 6:59pm

    Keep that criminal communication

    "In other words, when NSA encounters encryption it can't crack, it's allowed to and apparently does vacuum up all that scrambled traffic and store it indefinitely, in hopes of finding a way to break into it [...]"

    ...because having unbreakable encryption is proof you have something to hide, right? And we all know having something to hide proves you are a criminal, right?


  7. Anonymous Coward, Apr 14th, 2014 @ 7:21pm

    I am not getting it: what is wrong with a spy agency exploiting flaws per se?


  8. Kal Zekdor (profile), Apr 14th, 2014 @ 8:40pm

    Re:

    I am not getting it: what is wrong with a spy agency exploiting flaws per se?

    Not much, actually, prima facie.

    Except for the fact that the NSA is not supposed to be a spy agency.

    The NSA is supposed to play a defensive role, not an offensive one. The true harm is not, as you say, the act of exploiting the Heartbleed flaw per se, but rather it would be the inaction of not informing the general public of this widespread vulnerability.

    Indeed, if the NSA knew about Heartbleed for even a few days before the general public, then by not informing those United States Citizens (who they are ostensibly protecting) affected by this vulnerability, they not only have failed in their mission of defense, but have implicitly harmed the vital infrastructure of this Nation.

