The NSA knew about the vulnerability Heartbleed two years ago

The National Security Agency has been aware of the vulnerability recently named Heartbleed for the past two years. The NSA also regularly used this vulnerability to gain access to the information it wanted. Bloomberg learned this from two unnamed people.

However, representatives of the NSA, responding to the publication, stated that the agency's experts learned of the bug CVE-2014-0160 only after information about it had spread widely in the media. Heartbleed is perhaps the most dangerous vulnerability in the history of the Internet; it has affected the basic security of approximately two thirds of all websites.

Using this vulnerability, an attacker can gain access to areas of the target server's memory, which makes it possible to steal user passwords and private keys. Bruce Schneier, an information security expert, rated the risk of the vulnerability at 11 on a ten-point scale. The developer who made the mistake that introduced this vulnerability claims that he did it through inattention.

Many Internet companies and millions of ordinary users rely on free software written by several thousand developers who receive no payment for their efforts. The security of free code rests on these developers.

The NSA also has on its staff more than a thousand paid experts whose main task is to search for vulnerabilities in free software. Their main target is open implementations of security protocols. Of course, the vulnerabilities they find are not made public; they are classified and kept for the agency's own use. This is no surprise: the NSA spends millions of dollars searching for bugs that allow it to steal information.

According to an unnamed source, the agency became aware of the vulnerability CVE-2014-0160 soon after it appeared in the OpenSSL code, that is, in early 2012. Heartbleed quickly became an important part of the NSA's attack toolkit. James Lewis, a computer security expert at the Center for Strategic and International Studies, says that the process of finding vulnerabilities is well established, and information about interesting bugs quickly passes from rank-and-file experts to management. The agency's experts assess the visibility of the vulnerability and the possibilities for using it, and estimate the risks for US organizations.

After that, Lewis says, the NSA may decide to use the vulnerabilities it has found to obtain secret information. The expert claims that the SSL protocol has had many problems throughout its development, so it is not the main means of protecting government information. The data of millions of ordinary users were open to attack.

Finding "holes" is an important part of the agency's work. The Council of the US President, which reviewed the NSA's activities after Edward Snowden's leaks, noted that the agency should stop collecting software vulnerabilities and instead promote their correction. Hiding such an important vulnerability could trigger a new round of criticism of the NSA's activities.

Because of its prevalence, the bug CVE-2014-0160 could allow the NSA to obtain ordinary users' passwords and private data all over the world. It remains unclear whether the US government has used Heartbleed for private purposes.

According to an unnamed source, the NSA currently holds thousands of vulnerabilities that can be used to break through the security of many important computer systems. Intelligence officials, however, say that being unable to use this accumulated set of attacks would greatly weaken the ability to detect terrorist threats and obtain information about the intentions of hostile regimes.

Source: https://habr.com/ru/post/219105/