NSA denies exploiting 'Heartbleed' vulnerability for intel

Last Updated 12 April 2014, 04:54 IST

The US National Security Agency has denied a report claiming the surveillance agency was aware of and even exploited the 'Heartbleed' vulnerability to gather critical intelligence on cyberspace.

The denial from the White House came after Bloomberg, citing anonymous sources, claimed that the NSA exploited Heartbleed, a flaw in common Internet encryption that left passwords and other vital information visible to and obtainable by hackers.

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report," White House national security spokesperson Caitlin Hayden said yesterday.

Uncovered this week, the security bug affects an estimated two-thirds of websites and has Internet users scrambling to understand the problem and update their online passwords.

"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong," the Office of the Director of National Intelligence (ODNI) said in another statement.

"This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," Hayden said.

The White House has said that it has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities "in response to the recommendations of the President's Review Group on Intelligence and Communications Technologies".

"This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities," Hayden said.

The MIT Technology Review said that the Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated.

According to experts, the Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content, allowing attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

(Published 12 April 2014, 04:40 IST)
