Heartbleed bug not leveraged for surveillance, NSA says

The NSA denied claims that it had previously known about the Heartbleed bug.

The National Security Agency (NSA) has dismissed reports that it has been exploiting the Heartbleed vulnerability to carry out internet surveillance.

Only two hours after Bloomberg broke the story late last week, White House and NSA representatives released statements to counter the allegations. The Bloomberg story cited “two people familiar with the matter” as saying that the U.S. surveillance agency had been aware of the bug for two years and had been exploiting it ever since to gather ‘critical intelligence’ from websites.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” said White House National Security Council spokeswoman Caitlin Hayden in a statement.

Former director of the NSA General Michael Hayden also added, “This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet.”

The Bloomberg report also stated that the Heartbleed bug, which involves a flaw in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols designed to stop prying eyes viewing internet activity, has been used by NSA officers to obtain passwords and other basic data to act as the “building blocks of the sophisticated hacking operations at the core of its mission.” This means ordinary users would be vulnerable to attack from other nations' intelligence arms and criminal hackers, according to the report.

Despite the quick denials from both the NSA and the White House of the Bloomberg report's claims of spying that leveraged Heartbleed, privacy advocates and other IT security experts were just as fast to lash out at the government agency over these reported questionable activities.

More immediate reactions to the news shared on Twitter last Friday by other security professionals can be found here.

Indeed, this is not the first time the NSA's practices have been questioned. The Verge reports that the agency is spending just under $1.6 billion a year on data processing and exploitation, while The New York Times added over the weekend that President Barack Obama himself has decided that the agency should reveal internet flaws to the general public, but only if it's “a clear national security or law enforcement need.”

Nick Pickles, director of civil liberties group Big Brother Watch, told SCMagazineUK.com in an email correspondence that – if the rumors are true – it goes against what is supposed to be the NSA's mission.

“There is a fundamental contradiction in having the NSA be responsible to cyber security and exploiting vulnerabilities in software,” Pickles said.
