NSA denies exploiting 'Heartbleed' vulnerability

Apr 11, 2014 by Rob Lever

The US National Security Agency on Friday denied a report claiming it was aware of and even exploited the "Heartbleed" online security flaw to gather critical intelligence.

The stern denial came amid growing panic among Internet users the world over about the newly exposed flaw, after a report by Bloomberg News said the spy agency decided to keep quiet about the matter and even used it to scoop up more data, including passwords.

"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," NSA spokeswoman Vanee Vines said in an email.

"Reports that say otherwise are wrong."

OpenSSL is an open-source cryptographic library that implements the SSL/TLS protocols; it is widely used by web servers and other Internet services to encrypt passwords and other data while in transit.

A White House official also denied that any US agency was aware of the bug before it was revealed by security researchers earlier this month.

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," White House national security spokeswoman Caitlin Hayden said in a statement.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet.

"If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

'Part of NSA arsenal'

Bloomberg, citing two people said to be familiar with the matter, said the NSA was able to make Heartbleed part of its "arsenal" to obtain passwords and other data, without making public a flaw which could affect millions of Internet users.

The report said the secretive intelligence agency has more than 1,000 experts devoted to ferreting out these kinds of flaws and found the Heartbleed glitch shortly after its introduction.

The agency then made it part of its "toolkit for stealing account passwords and other common tasks," the report said.

The claim was met with concerns in the security community.

"If the NSA really knew about Heartbleed, they have some *serious* explaining to do," cryptographer Matthew Green said on Twitter.

The Heartbleed flaw, a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension (present in OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g), lets an attacker read up to 64 kilobytes of a vulnerable server's or client's working memory per request, creating the potential for them to steal passwords, encryption keys, or other valuable information.
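What that missing check looks like in practice, as an added illustration that is not code from this article or from OpenSSL itself: a stripped-down model of the TLS heartbeat handler that can run either with the peer-supplied length trusted (the 1.0.1-1.0.1f behaviour) or with the 1.0.1g sanity check applied. The record layout (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) and the check `1 + 2 + payload + 16 > record length` mirror the real code; the function names, the 4 KiB block standing in for process memory and the "secret" string placed next to the record are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* a heartbeat record ends with at least 16 bytes of padding */

/* Parse one TLS heartbeat record and build the echo response.
 *   rec, rec_len  : the record as actually received from the peer
 *   check_bounds  : 0 = trust the peer-supplied payload length, as OpenSSL
 *                   1.0.1 through 1.0.1f did; 1 = apply the 1.0.1g sanity check
 *   resp, resp_cap: caller-supplied output buffer
 * Returns the response length, or -1 if the record is rejected.
 * With check_bounds == 0 the memcpy copies `payload` bytes starting at the
 * payload no matter how many bytes the record really contained; that
 * over-read is the whole bug. heartbleed_demo() keeps the over-read inside
 * one caller-owned buffer so this illustration stays well-defined C. */
int hb_respond(const uint8_t *rec, size_t rec_len, int check_bounds,
               uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3)
        return -1;

    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);  /* the peer's claimed length */
    p += 2;

    if (hbtype != HB_REQUEST)
        return -1;

    if (check_bounds) {
        /* The fix: header + claimed payload + minimum padding must fit inside
         * the record that was actually received; otherwise drop it silently. */
        if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
            return -1;
    }

    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > resp_cap)
        return -1;

    uint8_t *bp = resp;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, p, payload);        /* echoes `payload` bytes from wherever p points */
    bp += payload;
    memset(bp, 0, HB_PADDING);     /* real code fills the padding with random bytes */
    return (int)resp_len;
}

/* Search a byte buffer for an ASCII needle; 1 if found, 0 otherwise. */
int buf_contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Constructed scenario (not real traffic): a 4 KiB block stands in for the
 * server's process memory. The incoming record sits at the start and carries
 * a single real payload byte; unrelated sensitive data lives 64 bytes later.
 * Returns 1 if the response contains the secret, 0 if a response was built
 * without it, -1 if the record was rejected, -2 if claimed_len would leave
 * this constructed memory block. */
int heartbleed_demo(int check_bounds, uint16_t claimed_len)
{
    static uint8_t mem[4096];
    static uint8_t resp[4096 + 3 + HB_PADDING];
    const char *secret = "SESSION_COOKIE=constructed-demo-secret";

    if ((size_t)claimed_len + 3 > sizeof mem)
        return -2;

    memset(mem, 'A', sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    mem[3] = 'X';                                   /* the only real payload byte */
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;         /* 20 bytes actually on the wire */
    memcpy(mem + 64, secret, strlen(secret));

    int n = hb_respond(mem, rec_len, check_bounds, resp, sizeof resp);
    if (n < 0)
        return -1;
    return buf_contains(resp, (size_t)n, "SESSION_COOKIE") ? 1 : 0;
}

int main(void)
{
    printf("honest request (1 byte):   vulnerable=%d hardened=%d\n",
           heartbleed_demo(0, 1), heartbleed_demo(1, 1));
    printf("claimed 1024, sent 1 byte: vulnerable=%d hardened=%d\n",
           heartbleed_demo(0, 1024), heartbleed_demo(1, 1024));
    return 0;
}
```

An honest one-byte request is answered identically by both variants, which is why the check broke nothing when it shipped. A request that claims 1024 bytes but sends one makes the unchecked handler echo a kilobyte of whatever sits after the record, the secret included; the checked handler drops the record without responding, since 1 + 2 + 1024 + 16 exceeds the 20 bytes that actually arrived.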

Warnings about the dangers have expanded in recent days, with everyone from website operators and bank officials to Internet surfers and workers who telecommute being told their data could be in danger.

NSA was already in the spotlight after months of revelations about its vast data-gathering capabilities, along with partner intelligence agencies.

Documents leaked by former NSA contractor Edward Snowden indicated that the NSA has been able to collect data from millions of phone records and Internet conversations as part of its intelligence gathering.

NSA officials argue they use such data only to help root out suspected terrorists.

President Barack Obama has ordered reforms that would halt government bulk collection of telephone records, but critics argue this does not go far enough to protect civil liberties.


User comments: 4


gxander
5 / 5 (2) Apr 12, 2014
The NSA never lies to the public or Congress when it comes to security.

SEN. RON WYDEN (D-Ore.): "This is for you, Director Clapper, again on the surveillance front. And I hope we can do this in just a yes or no answer because I know Senator Feinstein wants to move on. Last summer, the NSA director was at a conference, and he was asked a question about the NSA surveillance of Americans. He replied, and I quote here, 'The story that we have millions or hundreds of millions of dossiers on people is completely false.'
"The reason I'm asking the question is, having served on the committee now for a dozen years, I don't really know what a dossier is in this context. So what I wanted to see is if you could give me a yes or no answer to the question, does the NSA collect any type of data at all on millions or hundreds of millions of Americans?"
Director of National Intelligence JAMES CLAPPER: "No, sir."
AJW
5 / 5 (1) Apr 12, 2014
What is the purpose in NSA responding or reporting on this item? Who would trust their statements?
d_robison
not rated yet Apr 12, 2014
What is the purpose in NSA responding or reporting on this item? Who would trust their statements?

Why completely trust anything you can't verify yourself, regardless of the source? Just a fun thought experiment regarding why people trust certain outlets of information over others.

Anyways, I wouldn't be surprised to find that NSA is one of many agencies/corporations/individuals exploiting OpenSSL/Java/etc. code flaws.
TheGhostofOtto1923
1 / 5 (1) Apr 12, 2014
Director of National Intelligence JAMES CLAPPER: "No, sir."
This is called 'plausible deniability'.