
The NSA knew about Heartbleed bug for two years, claims report

Graham CLULEY

April 12, 2014


Has the United States’ National Security Agency (NSA) really known about the Heartbleed bug (and presumably been exploiting it for surveillance purposes) for two years? That’s the claim being made by a Bloomberg report, which claims to have had the revelation confirmed to them by “two people familiar with the matter”.

If the allegation is true then serious questions will be asked regarding the danger raised by a government agency choosing to keep the critical OpenSSL flaw secret so it could be exploited for national security purposes.

Because, imagine if this *is* what the NSA had done.

If the NSA knew about the Heartbleed bug, but had deliberately not told anybody about it in fear that the flaw would be fixed, then they have put *everyone* on the internet at risk.

Because a security hole in OpenSSL like the Heartbleed bug doesn’t just open the door for criminals, terrorists and enemy states to be spied upon – but could be abused by criminals to expose private information of everybody who uses the internet around the globe, whether law-abiding in the eyes of America or not.

The longer a flaw like Heartbleed was in existence, the greater opportunity there was for fraudsters, hackers and spies to exploit it to steal information and passwords, spy on others and cause incalculable harm to individuals, businesses and government agencies.

For its part, the NSA has denied that it had any knowledge of the flaw before private sector security experts published details earlier this week.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

The Bloomberg report doesn’t provide concrete evidence to dispute the NSA’s denial, only offering anonymous sources.

But perhaps the most tragic thing of all is that the news of possible NSA knowledge of the Heartbleed bug doesn’t actually leave me surprised. After all, it follows months of jaw-dropping revelations about state-sponsored spying by the US authorities that have been tumbling out ever since whistleblower Edward Snowden started leaking NSA documents.

What worries me is not so much what we have discovered was being done by the NSA, but what we haven’t been told yet, and might still be waiting to be revealed.
