NSA Said to Exploit Heartbleed Bug for Intelligence for Years

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Related: Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Controversial Practice Vanee Vines, an NSA spokeswoman, declined to comment on the agency’s knowledge or use of the bug. Free Code Serious Flaws Flawed Protocol Ordinary Data

NSA denies report it exploited Heartbleed for years The Heartbleed security flaw that exposes a vulnerability in encryption has reportedly extended its reach well beyond Web services. According to Bloomberg, citing "two people familiar with the matter," the National Security Agency knew about Heartbleed for at least two years and used the hole in encryption technology to gather intelligence. However, the agency strongly denied the substance of Bloomberg's report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,'' the agency said in a statement. This follows a separate Bloomberg report the security flaw impacts Android smartphones and tablets that run the 4.1.1 version of the Google operating system. In a statement on Google's online security blog, the company says patching information has been submitted to partners.

NSA denies report that it knew about Heartbleed from the start [Updated] Citing two anonymous sources “familiar with the matter,” Bloomberg News reports that the National Security Agency has known about Heartbleed, the security flaw in the OpenSSL encryption software used by a majority of websites and a multitude of other pieces of Internet infrastructure, for nearly the entire lifetime of the bug—“at least two years.” The sources told Bloomberg that the NSA regularly used the flaw to collect intelligence information, including obtaining usernames and passwords from targeted sites. “When Edward Snowden warned that the NSA is ‘setting fire to the future of the internet,’ this is presumably the kind of thing he was talking about," said Jameel Jaffer, deputy legal director at the American Civil Liberties Union, in a statement emailed to Ars. "If this report is true, then the NSA is making hundreds of millions of people around the world more vulnerable to hacking and identity theft, and it’s compromising the trust that allows the internet to function.

Heartbleed is a Sucking Chest Wound in the NSA's Reputation —Kevin Drum on Sat. April 12, 2014 8:01 AM PDT On Friday, Bloomberg's Michael Riley reported that the NSA was aware of the Heartbleed bug from nearly the day it was introduced: The U.S. Henry Farrell explains just how bad this is here. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," NSA spokesperson Vanee Vines told The Post. You know, I'm honestly not sure which would be worse.

Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA | Threa... Photo: Carolyn Kaster/AP After years of studied silence on the government’s secret and controversial use of security vulnerabilities, the White House has finally acknowledged that the NSA and other agencies exploit some of the software holes they uncover, rather than disclose them to vendors to be fixed. The acknowledgement comes in a news report indicating that President Obama decided in January that from now on any time the NSA discovers a major flaw in software, it must disclose the vulnerability to vendors and others so that it can be patched, according to the New York Times. But Obama included a major loophole in his decision, which falls far short of recommendations made by a presidential review board last December: According to Obama, any flaws that have “a clear national security or law enforcement” use can be kept secret and exploited. A so-called zero-day vulnerability is one that’s unknown to the software vendor and for which no patch therefore exists.