NSA denies prior knowledge of Heartbleed bug

Agency rejects Bloomberg claim that it exploited security flaw to obtain passwords.

By Jimmy Nicholls

The NSA has issued a statement denying that it exploited the Heartbleed bug to obtain confidential data as part of its surveillance activities.

A report from Bloomberg last week claimed that "two people familiar with the matter" said the agency was aware of the bug for two years and had used it to collect "critical intelligence".

Describing the search for security flaws as "central to NSA’s mission", the piece said the agency had "1,000 experts" dedicated to seeking vulnerabilities similar to Heartbleed.

The Office of the Director of National Intelligence (ODNI) rebuffed the allegations, saying: "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong."

Heartbleed was a result of inept coding which allowed hackers to view sensitive information and even access data on previous transactions without leaving a trace.

Sites affected include Yahoo, Imgur, Flickr, Steam and OkCupid.

The bug has existed since December 2011 and is thought to have been known to hackers since March 2012. It was discovered independently by Google engineer Neel Mehta and Finnish security firm Codenomicon.

American spy agencies have been under increasing scrutiny since whistleblower Edward Snowden reported widespread internet surveillance by the NSA, leading many to treat assurances by security officials with scepticism.

The ODNI insisted that the US government took seriously its responsibility to help maintain an open, interoperable, secure and reliable internet.

"When federal agencies discover a new vulnerability in commercial and open source software – a so-called "zero day" vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose," the office’s statement added.

Users of compromised websites have been advised to change their passwords only once systems have been patched, despite early advice telling users to alter their details immediately.

In a blog post on his website, British security expert Graham Cluley said: "If you change your passwords *before* a website has been fixed, you might actually be exposing your credentials to *greater* risk of being snarfled up by people exploiting the vulnerability in the buggy versions of OpenSSL."
