NSA Denies Reports that It Exploited Heartbleed Flaw to Gather Users’ Data
The National Security Agency (NSA) is again in the hot seat. It has denied reports that it had already known about the flaw of the Heartbleed bug two years ago. At the same time, the agency dismissed allegations that it used the flaw to pursue its supposed surveillance activities.
On its own Twitter account, the security agency said it became aware of the vulnerability only recently when the Heartbleed bug was made public. It was short of directly stating that it really had no knowledge of the flaw long before its discovery was made more open.
NSA was denying reports published by Bloomberg that cited two sources. Those sources claimed that the agency knew about the bug for at least the past two years. They even said that NSA regularly used that knowledge to gather more critical intelligence online. Bloomberg’s report even stated that NSA was actually able to gather data like passwords as well as other information like travels over the online media.
Affecting two-thirds of online sites
By now, you should already know that Heartbleed is a bug operating in OpenSSL, which leaves encrypted data open to potential scammers. Those data are supposed to be protected by a cryptographic software library. The existence of the flaw was revealed just this past week by a group of researchers from Codenomicon and Google Security.
According to Codenomicon, Heartbleed bug has been out in the open since its version 1.0.1 was purportedly or accidentally released in March 2012. A fix to the bug has already been rolled out but the flaw has already made content of about two-thirds of global servers now open to hackers. Made vulnerable to possible attacks are emails, virtual private networks, and instant messaging services.
The origin of the bug
How could consumers protect their selves against the impact of the Heartbleed bug? According to the experts, one should change his password particularly on affected Websites to prevent possible stealing of personal and important information by unscrupulous parties. But they reiterated that the password change should never be done until the online site has rolled out its own fix.
A German programmer named Robin Seggelmann mistakenly introduced the Heartbleed bug on New Year’s Eve of 2011. The code was submitted at 11:50 p.m. on December 31, 2011 to enable Heartbeat in the OpenSSL. However, Seggelmann said he missed the important validation by a necessary oversight.