White House Details Zero-Day Bug Policy

NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.

The White House and National Security Agency have strongly denied reports that the NSA had known about the Heartbleed vulnerability in OpenSSL for years and was actively exploiting it for intelligence-gathering purposes.

Those allegations appeared Friday in a Bloomberg News report -- citing unnamed sources -- claiming the NSA kept secret details about the Heartbleed vulnerability for at least two years. The vulnerability (a.k.a. CVE-2014-0160), which can be used to spoof and steal encrypted information from millions of vulnerable websites, was recently discovered and made public by Google engineer Neel Mehta and Finnish security firm Codenomicon.

But the NSA -- via Twitter -- and the Obama administration quickly disputed the Bloomberg report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report," read a statement released Friday by the Office of the Director of National Intelligence (ODNI). "Reports that say otherwise are wrong." The ODNI also noted that the federal government relies on OpenSSL to secure government websites, and claimed that if any agency -- including the NSA -- had previously discovered the vulnerability, "it would have been disclosed to the community responsible for OpenSSL."

The discovery of the Heartbleed bug has triggered questions about how fast government agencies should come clean if and when they discover a never-before-seen bug. On that front, Richard Clarke, a member of a presidential panel that reviewed the NSA's practices and issued specific recommendations to the White House, told Bloomberg News that three weeks ago, President Obama told government agencies that -- in most cases -- if they discover a zero-day vulnerability, the information will be publicly disclosed.

The ODNI statement issued Friday echoed that instruction, saying that going forward, agencies would be "biased toward responsibly disclosing such vulnerabilities" using a predefined inter-agency review known as the Vulnerabilities Equities Process.

But the Obama administration also reserved the right to withhold zero-day vulnerability information for cases where "there is a clear national security or law enforcement need."

Some privacy experts questioned the leeway that the White House left intelligence agencies such as the NSA. "The policy has a loophole so big that you could drive a truck through it," Christopher Soghoian, principal technologist at the American Civil Liberties Union, told Bloomberg News. On the other hand, he said, the fact that the president is even discussing zero-day policies represents "a really big shift."

But some security experts have argued that, by definition, it's not the job of the NSA -- or any other country's intelligence service -- to publicly share information about zero-day threats. Errata Security CEO Robert David Graham pointed out that the existence of the Heartbleed bug was hardly the NSA's fault, and if the agency did decline to warn OpenSSL or anyone else about the flaw, that was well within its remit. "Finding such bugs and keeping them quiet is wholly within the NSA's mission statement," he said in a blog post. "Their job is to spy on foreigners and keep state secrets safe. Generally, state secrets aren't on machines exposed to the Internet, so keeping the bug secret had no impact on that."

Furthermore, the NSA may not have needed Heartbleed. Documents leaked by Edward Snowden, for example, revealed the existence of a top-secret NSA program code-named BULLRUN, which was designed to defeat specific encryption protocols, including SSL. A recent Bloomberg News report, furthermore, cited two unnamed sources who claimed that the NSA has at least two techniques for defeating SSL.

The discovery of the OpenSSL vulnerability has led millions of consumers to change their online passwords and prompted businesses to put costly fixes in place. The flaw exists in versions 1.0.1 and 1.0.2 beta of OpenSSL, which is an open-source implementation of the SSL and TLS protocols that provide websites with cryptographic capabilities. In recent days, both researchers and attackers have demonstrated how the vulnerability can be easily -- if not immediately -- exploited to recover a site's private keys.

As of last week, Netcraft reported that about 500 million websites are vulnerable to the Heartbleed bug. By Monday, only about 30,000 vulnerable sites had reportedly changed their digital certificates; the rest remain vulnerable to Heartbleed.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
ScottW834,
User Rank: Apprentice
4/16/2014 | 8:52:04 AM
Credibility and the Civil Cyber War
The US Government has lost its credibility. What reason is there to trust them? That said, what reason was there ever to trust them? Patriotism in this country demands distrust of those that govern.

There is a World Cyber War going on. It is many-faceted. It includes what is rapidly becoming a Civil Cyber War against governments that have been exposed for snooping on their own citizens. It will be a long time, if ever, before the private sector will truly trust a partnership with government in regards to technology and security. Ultimately, I think that is fine as a check and balance.
Charlie Babcock,
User Rank: Ninja
4/15/2014 | 9:10:25 PM
Don't expect the NSA to help or even come clean
It wasn't the NSA's responsibility to find the HeartBleed bug, and if they did find it, I wouldn't believe their statements that they didn't use it. For them to say otherwise would tip off various parties that their servers are no longer safe to use, while the NSA would prefer they go on using them as before.
securityaffairs01,
User Rank: Apprentice
4/15/2014 | 6:52:10 PM
What's new?
We cannot be surprised. NSA, as any other intelligence, has used, and will use in the future, exploits to gather sensitive information and foreign government secrets.

What we are seeing is just the tip of the iceberg ... we are in the middle of a cyber war, but people ignore it.
