Heartbleed bug not leveraged for surveillance, NSA says

The NSA denied claims that it had previously known about the Heartbleed bug.

The National Security Agency (NSA) has dismissed reports that it has been exploiting the Heartbleed vulnerability to carry out internet surveillance.

Only two hours after Bloomberg broke the story late last week, White House and NSA representatives released statements to counter the allegations. The Bloomberg report cited “two people familiar with the matter” as saying that the U.S. surveillance agency had been aware of the bug for two years and had been exploiting it ever since to gather “critical intelligence” from websites.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” said White House National Security Council spokeswoman Caitlin Hayden in a statement.

Former director of the NSA General Michael Hayden also added, “This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet.”

The Bloomberg report also stated that the Heartbleed bug, which exploits a flaw in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols designed to stop prying eyes from viewing internet activity, has been used by NSA officers to obtain passwords and other basic data to act as the “building blocks of the sophisticated hacking operations at the core of its mission.” This means ordinary users would be vulnerable to attack from other nations' intelligence arms and criminal hackers, according to the report.

Despite the quick denials from both the NSA and the White House of the Bloomberg report's claims of spying via Heartbleed, privacy advocates and other IT security experts were just as fast to lash out at the government agency over these reported questionable activities.

More immediate reactions to the news, shared on Twitter last Friday by other security professionals, can be found here.

Indeed, this is not the first time the NSA's practices have been questioned. The Verge reports that the agency is spending just under $1.6 billion a year on data processing and exploitation, while The New York Times added over the weekend that President Barack Obama himself has decided that the agency should reveal internet flaws to the general public, but only if it's “a clear national security or law enforcement need.”

Nick Pickles, director of civil liberties group Big Brother Watch, told SCMagazineUK.com in an email correspondence that – if the rumors are true – it goes against what is supposed to be the NSA's mission.

“There is a fundamental contradiction in having the NSA be responsible to cyber security and exploiting vulnerabilities in software,” Pickles said.
