If you needed further motivation to change your passwords, it turns out that the NSA has been utilising the giant security vulnerability known as the “Heartbleed bug” to gather information about Internet users, Bloomberg reports.
The bug, which takes advantage of a previously unnoticed programming error in a widely used encryption standard to trick Web servers into giving up valuable user data, has affected nearly everyone on the Internet.
As we explained on Tuesday, as many as 66% of websites use the software containing the flaw, including major services like Facebook, Yahoo, and Gmail.
That makes it an extremely useful tool for the NSA’s data collection efforts, though its use throws into question the NSA’s intentions and efficacy. After all, it’s difficult, maybe even impossible, to determine which puts American cybersecurity at greater risk: leaving American citizens’ data vulnerable for two years to a method that doesn’t leave a trace, or the threats that the NSA is fighting against using the bug itself.
It shouldn’t come as a surprise that the NSA found the vulnerability so quickly after its introduction. Since it was a small error that didn’t obviously break anything in the functionality of SSL, no one in the open-source community thought to look for it.
That’s exactly the kind of bug the NSA and its small army of security experts would try to look for: something widely used that’s hard to notice. Bloomberg’s Michael Riley reports that sources familiar with the matter claim that the bug quickly became “a basic part of the agency’s toolkit for stealing account passwords and other common tasks.”
Just because the fix to Heartbleed is slowly making its way onto servers doesn’t mean that the NSA is cut off from user data. Riley’s sources confirm that the agency has a database of thousands of vulnerabilities, many of which likely still haven’t been noticed by independent computer security researchers.