NSA and White House Deny Prior Knowledge of ‘Heartbleed’ Bug

The National Security Agency has denied that it knew about or took advantage of the Heartbleed online security flaw. The U.S. spy agency made the statement following a Bloomberg report that it took advantage of the OpenSSL exploit before it was made public by security researchers.

Bloomberg, citing two sources familiar with the matter, reported that the NSA secretly made Heartbleed part of its "arsenal", to obtain passwords and other data. It claimed the agency has more than 1,000 experts devoted to finding security holes in software. The publication goes on to claim that this group found the Heartbleed exploit shortly after its introduction.

"[The] NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cyber security report," NSA spokeswoman Vanee Vines said in an email, adding that "reports that say otherwise are wrong."

A White House official also denied the US government was aware of the bug.

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," White House national security spokeswoman Caitlin Hayden said in a statement.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet," she insisted, adding: "If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

A computer programmer from Oelde, Germany has accepted responsibility for the emergence of the Heartbleed bug, according to a report in the Sydney Morning Herald. 31-year-old Robin Seggelmann reportedly made the mistake while trying to improve the OpenSSL cryptographic library on December 31, 2011.

"It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area," he told Fairfax Media. "It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

The exploit allows hackers to steal chunks of data from systems protected by OpenSSL. It was discovered and revealed by researchers working for Google and a small Finnish security firm called Codenomicon earlier this month.

Source: BBC



  1. 0
    Davvolun says:

    That's the point though, once upon a long, long time ago people would actually believe what their government told them. Now though, we need transparency, because otherwise this is just a statement they had to make, truthful or not, that doesn't give us any more real information than we had before.

  2. 0
    Neeneko says:

    I do not think there is an 'at this point'.  People tend to believe what already fits with their views and discount things that do not.  In this case we have nothing firm either way, we have an anonymous person claiming they are from the inside saying the NSA knew, and the NSA saying they did not.

    Given how often people on the internet claim to have all sorts of knowledge and backgrounds they do not, it is plausible that the anonymous source is not being truthful, it is also possible the NSA's official statements are not either.

    As far as I am concerned, we do not know any more than we did before.

  3. 0
    Cyberdodo says:

    Really, did anyone expect the NSA and White House to not deny this?

    At this point, it doesn't matter if they are, for once, not lying.  It's just assumed they're lying.
