The "Heartbleed" exploit found in OpenSSL earlier this week has been the subject of a ton of discussion on the Internet, along with a lot of fear about its ramifications. Now the National Security Agency, which is already dealing with its own PR problems in explaining its Internet spying activities, is denying a report that it knew about the "Heartbleed" issue before it went public.
The claim was first made by Bloomberg, which reported, via unnamed sources, that the NSA not only knew about "Heartbleed" for two years but also used it to obtain intelligence data without informing any other agency of the vulnerability in the OpenSSL system. However, the NSA has since sent out an official statement on Bloomberg's report, saying simply, "Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong."
In addition, the U.S. Office of the Director of National Intelligence sent out its own statement saying, "Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."
The discovery of the issue in OpenSSL, which is used as the main encryption for over two-thirds of all websites, has caused many security experts to advise consumers to change their passwords. Security firm CloudFlare issued a challenge to hackers to use the OpenSSL exploit to get access to a website's private security keys. So far, four people have been confirmed as having done just that.
Source: Bloomberg