NSA denies exploiting Heartbleed bug
The NSA has – unsurprisingly – denied it knew about the Heartbleed bug before researchers revealed it last week, despite reports President Obama allows the spy agency to exploit such flaws.
Heartbleed is a critical flaw in OpenSSL, an open-source library of SSL/TLS encryption, used to keep email, instant messaging and some VPNs secure online.
The bug allows anyone to access encryption keys and therefore gain access to any of the data supposedly secured by OpenSSL in systems using vulnerable versions of the technology.
Reports that the NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong
The serious nature of the flaw led many to suggest the the NSA planted it, however German developer Robin Seggelmann has since claimed responsibility, saying it was “an honest mistake”.
Nevertheless, Seggelmann has said “it is always better to assume the worst than best case in security matters”, admitting it’s possible Heartbleed was used by security agencies to snoop on internet communications.
The NSA had initially refused to comment on the allegations, but has since issued a statement saying: “Reports that the NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong.”
However, that denial comes as reports suggest president Obama gave the NSA the go-ahead to use security flaws without alerting companies or the public to their existence in cases of “clear national security or law enforcement need”.
The NSA has been embroiled in security scandals for nine months now, following the release of classified documents by former contractor Edward Snowden.
Companies, including banks, cloud service providers, and ISPs have been scrambling to patch the Heartbleed vulnerability for the past week.
Following a challenge issued by content delivery network CloudFlare, software engineer Fedor Indutny managed to extract private SSL keys – something CloudFlare had claimed “may in fact be impossible” – within nine hours and the code he used to do so has subsequently been published.
In response to Indutny’s successful exploit of Heartbleed to collect this data, CloudFlare said: “Our recommendation based on this finding is that everyone reissue and revoke their private keys.”