
The NSA knew about Heartbleed bug for two years, claims report

Graham CLULEY

April 12, 2014


Has the United States’ National Security Agency (NSA) really known about the Heartbleed bug (and presumably been exploiting it for surveillance purposes) for two years? That’s the claim being made by a Bloomberg report, which claims to have had the revelation confirmed to them by “two people familiar with the matter”.

If the allegation is true then serious questions will be asked regarding the danger raised by a government agency choosing to keep the critical OpenSSL flaw secret so it could be exploited for national security purposes.

Because, imagine if this *is* what the NSA had done.

If the NSA knew about the Heartbleed bug, but had deliberately not told anybody about it for fear that the flaw would be fixed, then they have put *everyone* on the internet at risk.

Because a security hole in OpenSSL like the Heartbleed bug doesn’t just open the door for criminals, terrorists and enemy states to be spied upon – but could be abused by criminals to expose private information of everybody who uses the internet around the globe, whether law-abiding in the eyes of America or not.

The longer a flaw like Heartbleed was in existence, the greater opportunity there was for fraudsters, hackers and spies to exploit it to steal information and passwords, spy on others and cause incalculable harm to individuals, businesses and government agencies.

For its part, the NSA has denied that it had any knowledge of the flaw before private sector security experts published details earlier this week.

> Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

The Bloomberg report doesn’t provide concrete evidence to dispute the NSA’s denial, only offering anonymous sources.

But perhaps the most tragic thing of all is that the news of possible NSA knowledge of the Heartbleed bug doesn’t actually leave me surprised. After all, it follows months of jaw-dropping revelations about state-sponsored spying by the US authorities that have been tumbling out ever since whistleblower Edward Snowden started leaking NSA documents.

What worries me is not so much what we have discovered was being done by the NSA, but what we haven’t been told yet, and might still be waiting to be revealed.
