Allegations that the NSA could have known about the Heartbleed security software flaw have made for an unsettling thought. The NSA has been facing accusation after accusation ever since the Snowden leak. Many of those accusations claimed that the NSA introduced vulnerabilities in security software.
The NSA and the White House have denied the claims. “[The] NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cyber security report,” NSA spokeswoman Vanee Vines said in an email, adding that “reports that say otherwise are wrong.” Cryptographer Matthew Green captured the sentiment well in a tweet: “If the NSA really knew about Heartbleed, they have some *serious* explaining to do.”
So what has caused the accusation against the NSA? Bloomberg claimed the NSA used the bug to collect data. In its argument, it cited the fact that the NSA has more than 1,000 experts devoted to finding security flaws. With so many people at the NSA focused on online security, it does seem unlikely that two years could pass with Heartbleed going undetected. Bloomberg also cited multiple “in the loop” sources saying that the NSA exploited the security flaw.
It’s a security blunder that has affected a significant part of the public. Roughly two-thirds of all websites use OpenSSL to protect user information. The Heartbleed bug, if taken advantage of by hackers, could be used to obtain usernames and passwords, as well as any information passed between user and website. It existed for two years without being detected.
White House national security spokeswoman Caitlin Hayden released a statement to weigh in on the NSA issue. “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong… This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet,” she said, adding: “If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”
Everyone has been encouraged to change their passwords “once the websites resolve the error.” The tricky part is not knowing whether Heartbleed was used by hackers. Working through the flaw to snatch user info would be like listening in and taking notes, not leaving a trace. As for the NSA, no action has been taken against the agency, and no official complaints or investigations into the NSA have been made. Yet.