The Heartbleed bug, which shocked the Internet and web security community earlier this week, has allegedly been used by the National Security Agency (NSA) as an exploit for the past two years. According to an anonymous source who spoke with Bloomberg, the NSA kept the bug secret for reasons of national security.
The source claims that the agency used the bug to obtain passwords and other forms of data from several locations, but it is not known for what purpose or whether innocent individuals were caught in the crossfire. Furthermore, it is understood that the NSA knew about Heartbleed as far back as 2012 and maintained access throughout its entire lifespan.
The NSA denies any involvement with the Heartbleed bug. However, the security community will find that very hard to believe, since the agency has already been compromised by the Snowden leaks.
"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong," according to an email from the agency.
Heartbleed is a vulnerability that only affects websites and services that rely on the OpenSSL cryptographic library. This means that all services related to Google and Amazon could have been a feeding ground for the NSA, since these services were unprotected until last week. In other words, the NSA could have had access to around two-thirds of the Internet's encrypted data, which should be very frightening to users.
It is highly possible that the NSA has a number of similar vulnerabilities on file, so as Heartbleed becomes unusable, the agency might still have the means to gain access to encrypted files through other methods readily available to it.
While it might seem quite crazy to think the NSA could locate the bug so early in its life, it is not so crazy once enough thought is put into it. Bear in mind that the agency spends over $1.6 billion per year on data exploitation and processing, so it is not farfetched. If this is truly the case, then the NSA has severely tarnished its reputation with the security community, and it may take a very long time before this relationship is repaired.