The National Security Agency denied a report that it had exploited the “Heartbleed” bug to spy on consumers for the past two years.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report,” the agency said in a statement. “Reports that say otherwise are wrong. Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong.”
The statement came in response to a story by Bloomberg on Friday that claimed the NSA had known about the vulnerability in OpenSSL since it was first introduced two years ago.
OpenSSL is the open-source cryptographic library that an estimated 66% of servers on the Internet use to encrypt their traffic. Late last week, security researchers disclosed a flaw in OpenSSL's implementation of the TLS heartbeat extension, not in the TLS protocol itself: a crafted heartbeat request makes an unpatched server answer with a chunk of its own memory, which can contain user IDs, passwords and other secrets, and a short script is all an attacker needs to send it.
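To make the mechanism described above concrete, here is an added, simplified C model of a heartbeat handler. It is not OpenSSL's code: the record layout (1-byte type, 2-byte big-endian payload length, payload, 16 bytes of padding) follows RFC 6520, the missing bounds check and the shape of the fix follow the published OpenSSL patch, and the "process memory", the record and the secret string next to it are constructed for the demonstration. The vulnerable handler trusts the length field the sender supplies; the fixed one compares it with how many bytes actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520: at least 16 bytes of padding */
#define HB_HDR       3    /* 1-byte type + 2-byte big-endian payload_length */

/* Vulnerable handler (teaching model, not OpenSSL's code). `rec` points at a
 * heartbeat record inside a larger receive buffer; `rec_len` is how many
 * bytes the record really contains. payload_length is taken from the record
 * and copied without ever being compared against rec_len. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PADDING > out_cap)
        return 0;                                  /* bounds only the output */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);   /* BUG: reads past rec_len */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Fixed handler: the check OpenSSL added drops any record whose claimed
 * payload plus header and minimum padding exceeds the record's real length. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;                                  /* too short to be valid */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                  /* claims more than arrived */
    if (HB_HDR + (size_t)payload + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Constructed "process memory": a 20-byte heartbeat record carrying a single
 * real payload byte but claiming 64, followed by data from some unrelated
 * request. The secret string is made up for this demo. */
#define REC_LEN          (HB_HDR + 1 + HB_PADDING)
#define CLAIMED_PAYLOAD  64
#define MEM_SIZE         256

static const char SECRET[] = "user=alice&password=hunter2";

static void build_memory(uint8_t *mem)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(CLAIMED_PAYLOAD >> 8);
    mem[2] = (uint8_t)(CLAIMED_PAYLOAD & 0xff);
    mem[3] = 'A';                                  /* the one byte really sent */
    memcpy(mem + REC_LEN, SECRET, sizeof SECRET);  /* adjacent memory */
}

/* Returns 1 if the vulnerable handler's reply carries the adjacent secret. */
int vulnerable_leaks_secret(void)
{
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem);
    size_t n = heartbeat_vulnerable(mem, REC_LEN, out, sizeof out);
    if (n == 0)
        return 0;
    /* the copy is offset-preserving, so the secret lands at out + REC_LEN */
    return memcmp(out + REC_LEN, SECRET, sizeof SECRET) == 0;
}

/* Reply length from the fixed handler for the same over-claiming record
 * (0 means the record was silently dropped). */
size_t fixed_response_len(void)
{
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem);
    return heartbeat_fixed(mem, REC_LEN, out, sizeof out);
}

/* An honest record (claimed length matches what was sent) still gets a reply. */
size_t fixed_honest_response_len(void)
{
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem);
    mem[1] = 0;
    mem[2] = 1;
    return heartbeat_fixed(mem, REC_LEN, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks adjacent secret: %s\n",
           vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler reply length, over-claiming record: %zu\n",
           fixed_response_len());
    printf("fixed handler reply length, honest record: %zu\n",
           fixed_honest_response_len());
    return 0;
}
```

The demo keeps the over-read inside its own constructed buffer so the program is well defined; in a real server the same copy walks into whatever the allocator placed after the record, which is why the leaked bytes are unpredictable but frequently contain recent request data. Note that the fix is a comparison against the received record length, not against the output buffer: bounding the output alone, as the vulnerable version does, stops nothing.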
On Friday, Bloomberg published a report that claimed:
“The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.”
Not true, said the NSA statement. In fact, NSA noted that it and many other agencies use OpenSSL themselves and learned of the problem at the same time as everyone else.
“The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services,” the NSA statement said. “This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”