NSA denies report that it knew about, exploited Heartbleed bug
By Chris O’Brien | Los Angeles Times | Published: April 11, 2014
The National Security Agency has denied a report that it has exploited the “Heartbleed” bug to spy on consumers for the past two years.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report,” the agency said in a statement. “Reports that say otherwise are wrong. Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong.”
The statement came in response to a story by Bloomberg on Friday that claimed the NSA had known about the vulnerability in OpenSSL since it was first introduced two years ago.
OpenSSL is the open-source encryption software that 66 percent of all servers on the Internet use to secure their connections. Late last week, security researchers discovered a flaw that would allow hackers, using a simple piece of software, to easily access user IDs and passwords.
On Friday, Bloomberg, quoting “two people familiar with the matter,” published a report claiming the NSA has known for two years about Heartbleed and “regularly used it to gather critical intelligence.”
Not true, said the NSA statement. In fact, NSA said, it and many other agencies used OpenSSL and found out about the problem at the same time as everyone else.
“The federal government relies on OpenSSL to protect the privacy of users of government websites and other online services,” the NSA statement said. “This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”