Ever since Edward Snowden’s shocking revelations about the NSA, the agency has been on the receiving end of criticism related to digital security. Bloomberg has now claimed that the NSA knew about the Heartbleed bug and exploited it for two years.
The claim, if proved correct, could bring yet another barrage of damning criticism to the NSA’s doorstep. The agency has been accused of illegal and unconstitutional mass surveillance in the past, and although the White House has stepped up to limit these activities, the NSA continues most of its previous operations with impunity.
The Bloomberg report quotes two anonymous sources familiar with the matter. According to these sources, the agency discovered the bug right after it appeared in OpenSSL following an update some two years ago. Since then, the agency has been actively exploiting the critical flaw to break into target machines and obtain passwords and other useful data.
The Heartbleed bug is a huge deal because it essentially affected nearly two-thirds of the web, making it one of the biggest web vulnerabilities in the history of the internet. Security experts at Google, in collaboration with certain other security firms, discovered and patched the flaw only this week. Before that, the bug was out there for years and was probably exploited by criminals, hackers, intelligence agencies in other parts of the world and many other players.
So the big question that Bloomberg’s report raises is this: if the NSA is tasked with ensuring national security, does that mean relinquishing the individual security of US citizens? If the agency uses the same old argument of ‘national interests’ to stockpile highly critical vulnerabilities in its hacking toolkit for use against alleged enemies, what about the average user who is vulnerable because of these flaws and should be made aware of them? These are hard questions and there are no answers yet.
The NSA has officially denied the allegation. A tweet from the agency’s official Twitter account reads, “NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.”
For its part, the White House has also come to the agency’s aid, adding that ‘If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.’