Bloomberg released a report today accusing the United States National Security Agency of exploiting the Heartbleed bug for years. If the report is true, the NSA’s bulk data collection program could have been enabled by the Heartbleed bug.
Two anonymous people “familiar with the matter” told Bloomberg that the NSA has been exploiting Heartbleed for years. The bug is found in the OpenSSL cryptography protocol that keeps connections to websites secure. Heartbleed allows hackers to listen in on the connection to find the private keys exchanged between users and websites.
Heartbleed is turning out to be one of the biggest internet security holes ever discovered. Initial reports say that 66% of all websites are affected by Heartbleed, but those numbers may be exaggerated.
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council. By leaving the Heartbleed bug unpatched, the NSA could exploit it to collect more user data, but at the expense of its citizens. Hackers and the NSA alike could have been using Heartbleed to steal user information since 2012, when the bug was first released.
The NSA denies knowing about the Heartbleed bug until news broke about it this Monday. “Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public,” writes the NSA from its official Twitter account.
The NSA’s official policy is to “disclose vulnerabilities in products and systems used by the US and its allies.” If Bloomberg’s report is true, it will fly in the face of the organization’s previous statements.
Via: Ars Technica