Follow along: the saga of Heartbleed and the NSA
Monday, April 7
The OpenSSL Project publicly announces the Heartbleed vulnerability in OpenSSL, a widely used standard for encrypting data shared over the web.
Tuesday, April 8
Companies including Amazon, Yahoo, GitHub, Google, Bitsight, and LastPass patch OpenSSL to protect against Heartbleed.
Thursday, April 10
Organizations, including the Electronic Frontier Foundation, speculate that intelligence agencies exploited Heartbleed for years.
Friday, April 11
Bloomberg reports that the NSA exploited the Heartbleed bug for over two years in order to obtain passwords and other user data. The Office of the Director of National Intelligence denies the Bloomberg report. The denial exposed the “Vulnerabilities Equity Process”, in which “national security” or “law enforcement” needs take precedence over revealing and closing existing vulnerabilities.
Monday, April 14
– A second Bloomberg report details alternative ways the NSA may have exploited OpenSSL which could have been confused with Heartbleed, including a program called alpha green.
– Hackers obtain user data from Mumsnet and the Canadian tax agency through Heartbleed vulnerability.
– The NSA releases “Mitigations for OpenSSL TLS/DTLS Heartbeat Extension Vulnerability” with mitigation support and hotlines for both industry and government.
Note: This section will be updated as more information is released.
The NSA’s abuse of encryption vulnerabilities
Heartbleed is a recently discovered vulnerability in OpenSSL, the common standard for encrypting data shared over the web. Major websites depend on OpenSSL, and companies are scrambling to patch their servers and urging their users to change their passwords to secure their data. Security company CloudFlare showed how quickly hackers could obtain data from a server running an unpatched version of OpenSSL: it took less than a day.
According to a Bloomberg report released late last week, the NSA knew of and exploited the Heartbleed bug for over two years in order to obtain passwords and other user data. The Director of National Intelligence quickly denied the report, but even the denial demonstrates the conflict that persists within the NSA, which is charged with two competing missions: signals intelligence, under which it conducts its surveillance operations, and information assurance, which tasks the NSA with “ensur[ing] appropriate security solutions are in place to protect and defend information systems.” For example, aside from the general denial of prior knowledge, the NSA’s only public statement regarding Heartbleed and its impact on the internet was issued more than a week after the vulnerability was revealed. Whether or not the NSA actually knew of and exploited Heartbleed, or any other ominously named vulnerability, as part of its signals intelligence mission, this incident highlights the U.S. government’s compromised commitment to preserving the integrity of computer systems and encryption standards.
Some believe the NSA is not telling the whole truth about its capacity to exploit OpenSSL. According to previous Snowden revelations, the NSA maintains a program, codenamed BULLRUN, for the specific purpose of cracking SSL. The denial explained publicly that the NSA maintains broad authority to use and not disclose vulnerabilities as part of the Vulnerabilities Equity Process (“VEP”). Reportedly, the VEP is in place to determine when the U.S. government will share vulnerabilities with developers and the public. The VEP creates a ‘bias’ towards revealing vulnerabilities, but only when there is no national security or law enforcement need to withhold them. The brief description provided of the VEP does not indicate whether the impact a vulnerability could have on the population is taken into account in making this determination.
The conflict between the NSA’s two missions has surfaced before, in regard to revelations that the NSA worked with private security firms to establish backdoors and that it had developed and used supercomputers to break encryption. President Obama’s Review Group on Intelligence and Communications Technologies recognized this conflict of interest and advised significant structural changes to the NSA. For instance, there should be a separate authority to conduct information assurance, and the NSA should not work against encryption.
Yet the Administration seems to understand the importance of system integrity. President Obama issued Executive Order 13636 in February, ordering the National Institute of Standards and Technology to work with the private sector to develop a framework for limiting cybersecurity risks to critical infrastructure. In its draft Framework, NIST created a tiered system for demonstrating compliance. A fully compliant organization collaborates with partners by sharing information to increase cybersecurity generally. U.S. agencies should aim for full compliance, just as any company should.
Tech companies are still reeling after a big post-PRISM financial hit. The latest revelations about the government’s encryption policy should only increase concern in the business community. We’re already seeing companies lose user data due to Heartbleed, placing both their bottom lines and their customers’ privacy at risk. Access has created the Data Security Action Plan with seven steps companies can take to protect their users. While some vulnerabilities are impossible to predict, the Data Security Action Plan urges companies to “initiate a notification and patching system to promptly address known, exploitable vulnerabilities.” We urge the Obama administration to work towards a more secure future by addressing encryption vulnerabilities as they arise.