The NSA knew about the Heartbleed, a security bug that potentially exposes sensitive consumer information, for about two years, according to Bloomberg. Citing "two people familiar with the matter," Bloomberg reports that the intelligence agency declined to make the security flaw public "in pursuit of national security interests." If Bloomberg's timeline is correct, then the NSA discovered the flaw almost as soon as it was introduced into the openSSL security protocols used by as much as two thirds of the web to secure traffic (learn more about Heartbleed here).
When the bug became public knowledge on Monday, many speculated that the security flaw — which could potentially allow individuals to access passwords, credit card information, and other personal data from some "secure" servers — might have been something the NSA already knew about. Bloomberg's report is the first indication that the speculation is justified. Bloomberg writes:
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
The Atlantic Council's Jason Healey put it another way to Bloomberg: “They are going to be completely shredded by the computer security community for this.” The NSA declined to comment to Bloomberg for the story, but we already knew that the agency — and others like it internationally — are not quick to publicly expose security flaws they discover in the course of gathering intelligence. In its review of the NSA's intelligence gathering techniques, a presidential review group addressed the agency's track record with ensuring security, although not specifically allegations that the agency intentionally withholds critical net safety information:
The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage.
Read the full report at Bloomberg.
Update: The NSA released a statement addressing Bloomberg's report later on Friday, denying prior knowledge of Heartbleed: