NSA Denies Exploiting ‘Heartbleed’ Vulnerability

WASHINGTON – The US National Security Agency on Friday denied a report claiming it was aware of and even exploited the “Heartbleed” online security flaw to gather critical intelligence.

The stern denial came amid growing panic among Internet users the world over about the newly exposed flaw, after a report by Bloomberg News said the spy agency decided to keep quiet about the matter and even used it to scoop up more data, including passwords.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” NSA spokeswoman Vanee Vines said in an email.

“Reports that say otherwise are wrong.”

OpenSSL is online-data scrambling software commonly used to protect passwords, credit card numbers and other data sent via the Internet.

A White House official also denied that any US agency was aware of the bug before it was revealed by security researchers earlier this month.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong,” White House national security spokeswoman Caitlin Hayden said in a statement.

“This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet.

“If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

‘Part of NSA Arsenal’ 

Bloomberg, citing two people said to be familiar with the matter, said the NSA was able to make Heartbleed part of its “arsenal” to obtain passwords and other data, without making public a vulnerability which could affect millions of Internet users.

The report said the secretive intelligence agency has more than 1,000 experts devoted to ferreting out these kinds of flaws and found the Heartbleed glitch shortly after its introduction.

The agency then made it part of its “toolkit for stealing account passwords and other common tasks,” the report said. The claim was met with concerns in the security community.

“If the NSA really knew about Heartbleed, they have some *serious* explaining to do,” cryptographer Matthew Green said on Twitter.

The Heartbleed flaw lets hackers snatch packets of data from working memory in computers, creating the potential for them to steal passwords, encryption keys, or other valuable information.

Warnings about the dangers have expanded in recent days, with everyone from website operators and bank officials to Internet surfers and workers who tele-commute being told their data could be in danger.

NSA was already in the spotlight after months of revelations about its vast data-gathering capabilities, along with partner intelligence agencies.

Documents leaked by former NSA contractor Edward Snowden indicated that the NSA has been able to collect data from millions of phone records and Internet conversations as part of its intelligence gathering.

NSA officials argue they use such data only to help root out suspected terrorists.

President Barack Obama has ordered reforms that would halt government bulk collection of telephone records, but critics argue this does not go far enough to protect civil liberties.

Written By

AFP 2023
