The NSA has denied knowledge of the Heartbleed bug, following allegations that not only did the security agency discover the exploit two years ago, but that it opted to keep it secret so as to use it in its spy tool arsenal. Anonymous insiders claimed earlier that the National Security Agency had identified Heartbleed – which left as many as two-thirds of websites vulnerable to password and data theft – as part of its regular efforts at hunting down potentially useful bugs and hacks.
However, a swiftly issued – and terse – statement from the agency insists those accusations are not true.
“[The] NSA was not aware of the recently identified Heartbleed vulnerability until it was made public,” the NSA tweeted.
In a longer statement, the NSA points out that the Federal government was just as reliant on OpenSSL for its websites and services. It also cites the “Vulnerabilities Equities Process” which demands that, unless a “clear national security or law enforcement need” is identified, the NSA and other agencies are “biased toward responsibly disclosing such vulnerabilities.”
“When Federal agencies discover a new vulnerability in commercial and open source software – a so-called ‘Zero day’ vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.” – NSA statement
If the NSA had known two years ago, in effect, it would have disclosed two years ago. Instead, Heartbleed was identified by Google security researchers, among others.
That happened just days ago, when security researchers spotted a chunk of bad code in OpenSSL that, the original author insists, was the result of an accident rather than malicious intent.
Either way, the results have been significant. Websites large and small have been forced to update their security systems, resetting user passwords along the way and leaving users with a long list of credentials to renew.
Actually protecting yourself is relatively straightforward, however, with just a few steps to check whether your online life is affected and, if so, to fix it.
Whether the NSA’s outright denial of any awareness of Heartbleed will be believed remains to be seen. The agency has little in the way of public trust left, given high-profile revelations about mass surveillance that were made public following the Wikileaks disclosures.