NSA, Target, Heartbleed and Ethics
[Commentary] It’s no surprise that the National Security Agency may have used the Heartbleed exploit to tap into sensitive encrypted communication, including that of Google.
If you understand how the bug works, it goes hand in hand with covert espionage. Heartbleed, the name given to the flaw in OpenSSL (the widely used open-source SSL/TLS library), allows sensitive information to leak (or bleed) from a server's memory to any client connected to it; what comes out is whatever happens to sit in the process's memory at that moment. What makes this even more interesting is that the data is leaked to any computer connected to the server, so there's no need to hijack someone else's connection in order to exploit it. Here's a simple scenario:
- NSA connects to a server with the Heartbleed flaw.
- NSA stays connected, gathering leaked information until it obtains the server's private SSL key.
- NSA stores the private key and uses it to decrypt past and future communication with the entire server's domain, e.g., Google.com (past traffic only where the sessions did not use a forward-secret key exchange).
The worst part is that this vulnerability can be exploited without any detection and without leaving traces behind: a heartbeat request is never written to the application's logs, so the only place it can be seen is on the wire.
It's important to note that this lack of traces makes the bug even worse, because administrators cannot go back and determine what was lost. Now, this could have been used by the NSA, or it could have been used by a hacker. The end result is the same: snooping and data loss are possible.
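Since the only evidence is on the wire, here is the network-level check a sensor can run, added as an example for this commentary and not code from the original piece: it parses captured TLS records and flags a heartbeat whose declared payload length cannot fit in the record (the mismatch an unpatched OpenSSL trusted and answered with process memory). The sample records are constructed test vectors, not real captures.

```python
import struct
from typing import Iterator, List, Optional, Tuple

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16       # RFC 6520: every heartbeat carries at least 16 bytes of padding


def parse_tls_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (content_type, version, body) for each TLS record in a captured byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        yield ctype, version, stream[off + 5:off + 5 + length]
        off += 5 + length


def check_heartbeat(body: bytes) -> Optional[str]:
    """Return a finding when the declared payload_length cannot fit inside the record.

    A vulnerable OpenSSL trusted payload_length and copied that many bytes of its own
    memory into the response; the length/record mismatch is what a sensor can see."""
    if len(body) < 3:
        return "truncated heartbeat header"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (1, 2):  # 1 = request, 2 = response
        return f"unknown heartbeat type {hb_type}"
    available = len(body) - 3
    if payload_len + MIN_PADDING > available:
        return (f"heartbeat type {hb_type} declares payload_length={payload_len} "
                f"but the record carries only {available} bytes")
    return None


def scan(stream: bytes) -> List[str]:
    """Run the check over every heartbeat record in a stream; other record types are ignored."""
    findings = []
    for ctype, _version, body in parse_tls_records(stream):
        if ctype == TLS_HEARTBEAT:
            finding = check_heartbeat(body)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (test vectors, not real captures):
BENIGN_HEARTBEAT = (bytes.fromhex("18 0302 0017")            # heartbeat record, TLS 1.1, 23-byte body
                    + b"\x01\x00\x04ping" + b"\x00" * 16)     # request, payload_length 4, 16 bytes padding
APP_DATA = bytes.fromhex("17 0302 0005") + b"hello"           # ordinary application-data record, skipped
MALFORMED_HEARTBEAT = bytes.fromhex("18 0302 0003 01 4000")   # declares 16384 payload bytes, carries none
SAMPLE_STREAM = BENIGN_HEARTBEAT + APP_DATA + MALFORMED_HEARTBEAT

if __name__ == "__main__":
    for finding in scan(SAMPLE_STREAM):
        print(finding)
```

The same check applies in both directions, since a vulnerable peer answers a malformed request whether it is the server or the client.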
I would take this a step further and question whether breaches like Target’s data loss were the result of it.
[Martini, CEO, Iboss Network Security]