The NSA knew about Heartbleed bug for two years, claims report

Graham CLULEY

April 12, 2014


Has the United States’ National Security Agency (NSA) really known about the Heartbleed bug (and presumably been exploiting it for surveillance purposes) for two years? That’s the claim made in a Bloomberg report, which claims to have had the revelation confirmed by “two people familiar with the matter”.

If the allegation is true then serious questions will be asked regarding the danger raised by a government agency choosing to keep the critical OpenSSL flaw secret so it could be exploited for national security purposes.

Because, imagine if this *is* what the NSA had done.

If the NSA knew about the Heartbleed bug, but had deliberately not told anybody about it for fear that the flaw would be fixed, then they have put *everyone* on the internet at risk.

Because a security hole in OpenSSL like the Heartbleed bug doesn’t just open the door for criminals, terrorists and enemy states to be spied upon. It could also be abused by criminals to expose the private information of everybody who uses the internet around the globe, whether law-abiding in the eyes of America or not.

The longer a flaw like Heartbleed was in existence, the greater opportunity there was for fraudsters, hackers and spies to exploit it to steal information and passwords, spy on others and cause incalculable harm to individuals, businesses and government agencies.

For its part, the NSA has denied that it had any knowledge of the flaw before private sector security experts published details earlier this week.

> Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

The Bloomberg report doesn’t provide concrete evidence to dispute the NSA’s denial, only offering anonymous sources.

But perhaps the most tragic thing of all is that the news of possible NSA knowledge of the Heartbleed bug doesn’t actually leave me surprised. After all, it follows months of jaw-dropping revelations about state-sponsored spying by the US authorities that have been tumbling out ever since whistleblower Edward Snowden started leaking NSA documents.

What worries me is not so much what we have discovered was being done by the NSA, but what we haven’t been told yet, and what might still be waiting to be revealed.
