NSA and White House Deny Prior Knowledge of ‘Heartbleed’ Bug

The National Security Agency has denied that it knew about or took advantage of the Heartbleed online security flaw. The U.S. spy agency made the statement following a Bloomberg report that it had taken advantage of the OpenSSL flaw before it was made public by security researchers.

Bloomberg, citing two sources familiar with the matter, reported that the NSA secretly made Heartbleed part of its "arsenal" to obtain passwords and other data. It claimed the agency has more than 1,000 experts devoted to finding security holes in software, and that this group found the Heartbleed flaw shortly after its introduction.

"[The] NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cyber security report," NSA spokeswoman Vanee Vines said in an email, adding that "reports that say otherwise are wrong."

A White House official also denied the US government was aware of the bug.

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," White House national security spokeswoman Caitlin Hayden said in a statement.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet," she insisted, adding: "If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

A computer programmer from Oelde, Germany has accepted responsibility for the emergence of the Heartbleed bug, according to a report in the Sydney Morning Herald. 31-year-old Robin Seggelmann reportedly made the mistake while trying to improve the OpenSSL cryptographic library on December 31, 2011.

"It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area," he told Fairfax Media. "It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

The flaw allows hackers to steal chunks of data from systems protected by OpenSSL. It was discovered and revealed by researchers working for Google and a small Finnish security firm called Codenomicon earlier this month.

Source: BBC
