Friday, April 11, 2014

Is the Heartbleed Security Flaw Really an NSA Designed Flaw?

Well, this is interesting news about Heartbleed, the security flaw that appears to be one of the biggest glitches in the Internet’s history: a flaw in the basic security of as many as two-thirds of the world’s websites.

According to Bloomberg, citing "two people familiar with the matter," the National Security Agency knew about the security flaw Heartbleed for at least two years and used the hole in encryption technology to gather intelligence.

I get it, protect the country by allowing a major vulnerability to exist on the internet's secure systems.

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

Heartbleed is a flaw that would allow anyone to read the memory of servers running OpenSSL, which leaves information such as usernames, passwords and credit card data exposed.

"This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," says Codenomicon, a security firm that helped uncover Heartbleed and established a website to inform others.

According to Bloomberg, the Heartbleed flaw was introduced in early 2012.

Got that? Heartbleed was introduced about 2 years ago. The NSA has been exploiting the flaw for about 2 years.

Sounds to me like the NSA was in on it from the start.


  1. They probably wrote it

    1. It's open source. Anyone can read the code.

    2. That doesn't mean anybody actually bothered to read it. Besides, OpenSSL code is a horrible mess.

  2. So the NSA can read your emails, get into your bank account, hack your broker, etc. but still can't hack Bitcoin. What is the problem with Bitcoin again Robert?

    1. How do you know they haven't already? The smartest people with the resources in the world are in charge of the security behind OpenSSL, and it took them two years to find the flaw.

    2. Government seems to be tracking bitcoin transactions just fine and selecting targets for prosecution as their need and desire dictates.

    3. The OpenSSL team is very irresponsible when it comes to security. The library has historically been plagued by bugs.

      Theo de Raadt, the lead developer of OpenBSD (which is a UNIX operating system focused primarily on security) and founder of the OpenSSH project, had some things to say about this recently on a mailing list. He's one of the foremost security-minded developers on the planet and while many people don't like his abrasive personality there is no one who questions his knowledge on this subject.


      The even bigger problem with SSL is the entire trust system of Root Certificate Authorities and Subordinate Intermediate Signing CAs. This is an architectural problem, not a code problem.

      For an example of what can go wrong, read about the DigiNotar incident:

  3. The very first thought that went through my head when I received the Heartbleed vulnerability alert was that this was probably the vulnerability the NSA introduced and/or used. Scumbags.

  4. Robert,

    OpenSSL is open source software. All of the source code is publicly available in a source repository; it is located at;a=log

    Anyone can submit code but only the project "committers" can check it in to the repo. If you look at the page, you'll see there's a record of every change made to OpenSSL. The "commitdiff" link for each shows the code that was replaced and the new code.

    It's possible that the NSA had something to do with introducing the bug, but the most likely scenario is that they have entire teams of people monitoring the source code changes checked into popular software libraries that are relied on by many other applications and analyzing them for exploitable bugs.

    1. "the most likely scenario is that they have entire teams of people monitoring the source code changes checked into popular software libraries"

      You think so? What evidence do you have of this? I do software development for a living. Granted, it's not Open Source, but in my experience, the assumption is that if you're doing software dev on a project, it's not to be malicious at the source.

      If there was premeditated design in this at the NSA level, it would be very easy to code multiple exploits that look like typos or bugs. If they are caught at code review, then that is the presumption: they were bugs.

      If you are using test-driven design, you'd have to know this exact scenario to catch it.

      Like I said, the presumption is a benign coder doing the best they can. Flip a coin, it could go either way.

    2. Cory,

      I was a developer in the past and have done software and systems security research and engineering for the past decade and a half. I currently work for a well-known open source software company, I discuss this from personal experience and knowledge.

      Cory, the problem with Heartbleed was architectural. For a test to have caught this bug, you'd have to simultaneously be sending the exploit to the SSL listener while running the test. So yes, you'd have to know about it for a test case to find it.

      I typically spend several days per week auditing code for bugs with security impact. Most software is unfortunately terrible.

      The offending code checkin is here:;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1

      As you can see, the name of the committer is attached. He's submitted a number of patches and features to SSL. Some are in the old SSL CVS repo from before they moved to git. If you believe him to be an NSA asset, you can search the internet for other projects he's submitted code to and look for other bugs. If you found any, you'd be doing a great public service.

      The reason I think it's the most likely scenario is that it's a very common occurrence for hackers of all stripes to monitor source code checkins to open source projects to hunt for bugs. It's true for nation-states, for researchers seeking bug bounties, and for black hat criminal hackers. There is a market for working exploits. People look for them and, depending on their motivation, either use them, report them, or sell them.

    3. Adam, thanks for that explanation. I was not implying that I was aware he was an NSA asset. I was just saying that the Dev community is inherently naive in some aspects, namely that developers working on a code base are doing so in a benign fashion. From that perspective, things may not be questioned or looked at in the same way. With something like a security-related codebase, that naivete could be readily taken advantage of.

      Surely you cannot believe that any intelligence asset that was tasked to create a specific exploit would have NSA written on his forehead? Again, I'm not saying this is an NSA mole that did this on purpose, only that should there be an objective like that, it would most assuredly come from someone who was a historically trusted coder.

      You and I both know that the only difference between an exploit and a bug is the disposition of the developer who wrote the code.
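The post says Heartbleed let anyone read a server's memory, and the exchange above is about the offending checkin and what kind of test would have been needed to catch it. As an added illustration that is not from this post and is not OpenSSL's code, the C below models the heartbeat handler in cut-down form. Everything in it is a constructed assumption for the example: a simplified record layout (one type byte, a two-byte claimed payload length, then the payload, with padding omitted), a handler that trusts the claimed length the way the buggy code did, a handler with a bounds check of the same form as the one the fix added, and the test case Adam describes, which sends a record whose length field claims far more than was delivered and checks whether the reply contains bytes that were never part of the request. The "process memory" is a fixed array with a fake session token placed right after the record, so the over-read stays inside that array and the program runs without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256

/* Constructed stand-in for process memory (an assumption of this example):
 * the received heartbeat record sits at the front and unrelated data, here
 * a fake session token, sits right after it, where an over-read picks it up. */
static unsigned char arena[ARENA_SIZE];

/* Lay out a heartbeat record in the arena: type byte, two-byte claimed
 * payload length, then the payload actually sent. Returns the number of
 * bytes really received, i.e. the record length a handler should trust. */
static size_t build_arena(uint16_t claimed_len, const char *payload)
{
    size_t real_len = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat request */
    arena[1] = (unsigned char)(claimed_len >> 8);   /* claimed length, big-endian */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real_len);
    /* data the handler was never meant to copy, adjacent to the record */
    memcpy(arena + 3 + real_len, "SESSION=secret-token", 20);
    return 3 + real_len;
}

typedef size_t (*heartbeat_fn)(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap);

/* Buggy handler: copies as many bytes as the message claims and never
 * consults how many bytes were actually received. The cap against out_cap
 * exists only to keep this demonstration inside the constructed arena; the
 * real bug read up to 64 KB of whatever happened to follow the record. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* ignored: the defect */
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap)
        payload = out_cap;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Hardened handler: the missing check, of the same form as the one added in
 * the April 2014 fix, refuses any request whose claimed payload does not fit
 * in the record that was actually received. Copies nothing on refusal. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < 3)
        return 0;                                   /* no room for a header */
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (3 + payload > rec_len)
        return 0;                                   /* claimed more than sent */
    if (payload > out_cap)
        return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Substring search over a byte buffer that may contain zero bytes. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* The test case the thread describes: a record whose length field claims
 * 200 bytes while only 2 were delivered. Returns 1 if the reply contains
 * bytes that were never part of the request, 0 otherwise. */
static int reply_leaks_adjacent_memory(heartbeat_fn fn)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_arena(200, "hi");
    size_t n = fn(arena, rec_len, out, ARENA_SIZE - 3);
    return contains(out, n, "secret-token");
}

/* Regression check: a well-formed request is still echoed after the fix. */
static int reply_echoes_valid_request(heartbeat_fn fn)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_arena(2, "hi");
    size_t n = fn(arena, rec_len, out, ARENA_SIZE - 3);
    return n == 2 && memcmp(out, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory: %d\n",
           reply_leaks_adjacent_memory(heartbeat_vulnerable));
    printf("fixed handler leaks adjacent memory:      %d\n",
           reply_leaks_adjacent_memory(heartbeat_fixed));
    printf("fixed handler still echoes valid request: %d\n",
           reply_echoes_valid_request(heartbeat_fixed));
    return 0;
}
```

The point of the two test functions is the one made in the thread: an ordinary unit test that sends well-formed heartbeats passes against both handlers, so nothing about normal use reveals the defect. Only a test that deliberately constructs the mismatch between the claimed length and the bytes actually delivered distinguishes them, which is why the check has to be written against the received record length rather than against the field inside the message.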

  5. After all the security breaches we've witnessed over the years it is clear that anything done on the internet is subject to spying and hacking. Cyber-security does not exist.

    1. Don't kid yourself. Everything computer related is subject to the possibility of hacking and exploitation. Anything with a chip runs software. Software just does what it's programmed to do.