The Heartbleed security bug disclosed last week may be among the most wide-reaching vulnerabilities on the web to ever be discovered, but the researchers who detected the glitch didn’t exactly rush to reveal it to the world.
While the days between the bug’s discovery sometime last month and its public disclosure on April 9 are documented to have included intense discussions among security experts seeking a proper patch and a way to push the news forward, the United States government may have been left in the dark for days, according to recent reports.
On Monday this week, Brendan Sasso wrote for the National Journal that it’s unclear when, exactly, the US government did in fact find out about the flaw. But if it wasn’t ahead of last month’s discovery by security experts and the announcement on April 9 that followed, then Google, cyber firm CloudFlare and certain Linux-based developers were familiar with the exploit well ahead of the feds for once.
“Companies often wait to publicize a security flaw so they can have time to patch their own services,” Sasso wrote. “But keeping the bug secret from the US government could have left federal systems vulnerable to hackers.”
Indeed, just this week Canada’s federal tax agency admitted that it had fallen victim to Heartbleed, and some of the biggest websites on the internet have issued warnings to their customers about the potential effects of the exploit. Sources told Sasso, however, that security experts may have purposely waited to keep government agencies from getting on the same page.
According to a recent report published by Sydney Morning Herald, any ignorance about the exploit on the part of the US government ahead of last week’s disclosure would have put the feds way behind certain tech firms when it came time to patch up the exploit. Ever since the NSA was accused on April 11 last week by Bloomberg News reporter Michael Riley of having relied on Heartbleed to hack high-value intelligence targets for at least two years prior to the official disclosure of the exploit, the government has insisted it only recently became aware of the bug.
Moments after the Bloomberg article was published last week, agency spokesperson Vanee’ Vines told TIME magazine that the “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong.” The Office of the Director of National Intelligence and a White House spokesperson have both made similar claims.
Google security researcher Neel Mehta first discovered Heartbleed on March 21 or before, the SMH reported, and by that evening the Mountain View, California-based company had committed a patch for the flaw. CloudFlare found out by March 31, OpenSSL was informed the following day and soon after certain tech firms were told under embargo that the exploit had been discovered and needed to be processed as efficiently as possible in order to disclose it to the public quickly.
"If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," White House spokeswoman Caitlin Hayden said in a statement recently.
Regardless of when the NSA actually did discover the vulnerability, recent reports certainly did not help the agency claim ignorance this time around. In the midst of the ongoing NSA disclosures first published to the web last year by journalists working with former contractor Edward Snowden, the US intelligence community has been accused of exploiting other security vulnerabilities to hack the computers and correspondence of targets. RT has previously linked the NSA to French exploit-merchants Vupen, and last December a review panel assembled to assess the agency’s abilities said that the NSA must avoid stockpiling so-called “zero-day” exploits and instead disclose them to the security community to be promptly patched.
“Eliminating the vulnerabilities — ‘patching’ them — strengthens the security of US government, critical infrastructure, and other computer systems,” the group urged President Barack Obama.
But in the statement released by the White House after word of the exploit surfaced last week, and repeated by the ODNI, the US government indicated it would apparently have handled Heartbleed differently from the other exploits it has been accused of using in cyberattacks.
Nevertheless, some now say that the NSA has only itself to blame if the US government was, in fact, in the dark ahead of the April 9 announcement. According to Sasso, American Civil Liberties Union technologist Chris Soghoian said that American cyber firms are likely hesitant to share information with the NSA after it became clear in the wake of the first Snowden leaks that the agency will risk undermining the security of the entire internet if it means it can use an exploit to home in on a high-value intelligence target.
"I suspect that over the past eight months, many companies have taken a real hard look at their existing policies about tipping off the US government," he said. "That's the price you pay when you're acting like an out-of-control offensive adversary."
Soghoian’s comments mirror remarks made in late 2012 by computer hacker Andrew Auernheimer, who shortly after was sentenced to spend 41 months in prison after disclosing a security vulnerability on the servers of AT&T that allowed him to access the email addresses of 114,000 Apple iPad owners. Last week, the Third Circuit Court of Appeals vacated that conviction.
“It’s not unheard of for governments, including that of the US, to use exploits to gather both foreign and domestic intelligence,” he wrote at the time for an op-ed published in Wired. “In an age of rampant cyber espionage and crackdowns on dissidents, the only ethical place to take your zero-day is to someone who will use it in the interests of social justice. And that’s not the vendor, the governments, or the corporations — it’s the individuals.”