thn | Swati Khandelwal | THN:EBCB003D7DB7BD8BF73239F9718C6126
History: Apr 11, 2014 - 11:21 p.m.

NSA denies Report that Agency knew and exploited Heartbleed Vulnerability

2014-04-11 23:21:00
Swati Khandelwal
thehackernews.com

Bloomberg claimed that the U.S. National Security Agency (NSA) knew about the critical Heartbleed flaw, had been using it on a regular basis to gather “critical intelligence” and sensitive information for at least the past two years, and decided to keep the bug secret, citing two sources ‘familiar with the matter’.

In response to the above report, the NSA issued a 94-character statement today denying the claims that it has known about the Heartbleed bug for two years and that it has been silently using it for surveillance.

“NSA was not aware of the recently identified Heartbleed vulnerability until it was made public,” the U.S. intelligence agency said on its Twitter feed.

Heartbleed is one of the biggest Internet vulnerabilities in recent history. It left a large number of cryptographic keys and private data, such as usernames, passwords, and credit card numbers, from the most important sites and services on the Internet open to hackers.

The bug resides in the “Heartbeat” feature of the most secure open source encryption protocol, OpenSSL, which is used by several social networks, search engines, banks and other websites to enable secure connections while transmitting data.

A team of researchers from Codenomicon and a Google Security researcher revealed the vulnerability this week; it has been in the wild since the new version 1.0.1f was released in March 2012. Just after the revelation, OpenSSL released the security fix for the bug in version 1.0.1g, but until then the Heartbleed bug left websites, email, instant messaging (IM), and some virtual private networks, on about half a million of the world’s widely trusted web servers, open to hackers.

The most critical bug, Heartbleed, originated in a mistake made by German programmer Robin Seggelmann over two years ago while he was working on a new Heartbeat feature in OpenSSL.

He submitted the OpenSSL code with the heartbeat feature in an update on New Year’s Eve, 2011, and an “oversight” led to an error that unintentionally created the “Heartbleed” vulnerability.

Yesterday he said it was entirely possible that government intelligence agencies had been making use of this critical flaw over the past two years.

The fix was released shortly afterwards, but users’ data remains vulnerable until the affected websites implement it. You should change your password immediately only on websites that are no longer affected, assuming they were vulnerable before, to make sure that you are now safe.
