
The NSA knew about Heartbleed bug for two years, claims report

Graham CLULEY

April 12, 2014

Has the United States’ National Security Agency (NSA) really known about the Heartbleed bug (and presumably been exploiting it for surveillance purposes) for two years? That’s the claim made in a Bloomberg report, which says the revelation was confirmed to it by “two people familiar with the matter”.

If the allegation is true then serious questions will be asked regarding the danger raised by a government agency choosing to keep the critical OpenSSL flaw secret so it could be exploited for national security purposes.

Because, imagine if this *is* what the NSA had done.

If the NSA knew about the Heartbleed bug, but had deliberately not told anybody about it for fear that the flaw would be fixed, then they have put *everyone* on the internet at risk.

Because a security hole in OpenSSL like the Heartbleed bug doesn’t just open the door for criminals, terrorists and enemy states to be spied upon – it could also be abused by criminals to expose the private information of everybody who uses the internet around the globe, whether law-abiding in the eyes of America or not.

The longer a flaw like Heartbleed was in existence, the greater opportunity there was for fraudsters, hackers and spies to exploit it to steal information and passwords, spy on others and cause incalculable harm to individuals, businesses and government agencies.

For its part, the NSA has denied that it had any knowledge of the flaw before private sector security experts published details earlier this week.

> Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

The Bloomberg report doesn’t provide concrete evidence to dispute the NSA’s denial, only offering anonymous sources.

But perhaps the most tragic thing of all is that the news of possible NSA knowledge of the Heartbleed bug doesn’t actually leave me surprised. After all, it follows months of jaw-dropping revelations about state-sponsored spying by the US authorities that have been tumbling out ever since whistleblower Edward Snowden started leaking NSA documents.

What worries me is not so much what we have discovered was being done by the NSA, but what we haven’t been told yet, and might still be waiting to be revealed.
