Heartbleed bug not leveraged for surveillance, NSA says
The NSA denied claims that it had previously known about the Heartbleed bug.
The National Security Agency (NSA) has dismissed reports that it has been exploiting the Heartbleed vulnerability to carry out internet surveillance.
Only two hours after Bloomberg broke the story late last week, which cited “two people familiar with the matter” proclaiming that the U.S. surveillance agency has been aware of the bug for two years, and has been exploiting it ever since to gather ‘critical intelligence' from websites, White House and NSA representatives quickly released statements to counter the allegations.
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” said White House National Security Council spokeswoman Caitlin Hayden in a statement.
Former director of the NSA General Michael Hayden also added, “This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet.”
The Bloomberg report also stated that the Heartbleed bug, which exploits a flaw in the Secure Sockets Layer (SSL) and Transport Layer Security protocol (TLS) designed to stop prying eyes viewing internet activity, has been used by NSA officers to obtain passwords and other basic data to act as the “building blocks of the sophisticated hacking operations at the core of its mission.” This means ordinary users' would be vulnerable to attack from other nations' intelligence arms and criminal hackers, according to the report.
Despite both the NSA's and White House's quick denials of spying claims leveraging Heartbleed included in the Bloomberg report, privacy advocates and other IT security experts were just as fast to lash out at the government agency for these reported questionable activities.
NSA knowing about #Heartbleed and not saying anything is the number one reason I'm proud to be an independent security programmer.— Nadim Kobeissi (@kaepora) April 11, 2014
NSC statement denying NSA knowledge of Heartbleed hints at law enforcement use of 0-days, not just intel agencies. pic.twitter.com/4Ic1j5eaPc— Christopher Soghoian (@csoghoian) April 11, 2014
More immediate reactions to the news shared on Twitter last Friday by other security professionals' can be found here.
Indeed this is not the first time the NSA's practices have been questioned. The Verge reports that the agency is spending just under $1.6 billion a year on data processing and exploitation, while The New York Times added over the weekend that President Barack Obama himself has decided that the agency should reveal internet flaws to the general public, but only if it's “a clear national security or law enforcement need.”
Nick Pickles, director of civil liberties group Big Brother Watch, told SCMagazineUK.com in an email correspondence that – if the rumors are true – it goes against what is supposed to be the NSA's mission.
“There is a fundamental contradiction in having the NSA be responsible to cyber security and exploiting vulnerabilities in software,” Pickles said.