The NSA knew about the Internet security bug Heartbleed and regularly used it to gather intelligence for at least two years, anonymous sources told Bloomberg.
If the report is true (both the White House and the NSA say it is not; see below), the NSA could have collected information such as passwords and private communications from hundreds of thousands of websites. Heartbleed is a bug in OpenSSL, the popular open-source encryption library used to secure data flowing between users' computers and a large share of the web's servers, including Gmail and Facebook. Almost two-thirds of all sites on the Internet use OpenSSL, according to estimates, making this bug possibly one of the most dangerous the Internet has ever seen and potentially allowing the NSA to access information on millions of users.
Roughly two hours after Bloomberg's report was published, the NSA and the White House denied the allegations in statements sent to Mashable.
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," an NSA spokesperson wrote in a statement to Mashable. "Reports that say otherwise are wrong."
The White House National Security Council Spokesperson Caitlin Hayden also said that neither the NSA nor any other federal agency knew about the Heartbleed bug.
"If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," Hayden said in the statement.
By not alerting anyone to the bug, the NSA could have left the door open for other intelligence agencies across the world to exploit Heartbleed, provided they found the bug. This revelation also seems to contradict one of the NSA's core missions, which is protecting and defending American cybersecurity.
"Given the scale of Heartbleed, deciding to exploit this vulnerability rather than fix it, makes a mockery of any claims that the NSA defends the networks of the U.S.A.," an employee on the security team of a major Internet company, who asked not to be named, told Mashable.
Mashable asked an NSA spokesperson on Wednesday whether it had known about Heartbleed or whether it could comment on the bug. "We'll defer to DHS [Department of Homeland Security]," the spokesperson responded.
We also reached out to the Department of Homeland Security but haven't heard back yet. We will continue to update this story as we get more information.
The revelation shocked the security and civil liberties world.
"Utterly, indefensibly shameful," tweeted Kevin Bankston, the New America Foundation Policy Director. "Way to be evil, guys."
Matthew Prince, the CEO of security firm Cloudflare, tweeted that it's "hard as a tech company today to not feel like we're at war with our own government."
Despite the outrage, this revelation doesn't come as a complete surprise to many. Over the past few days, some have already speculated that the NSA may have used Heartbleed to break SSL, since documents leaked by Edward Snowden revealed that the spy agency has been trying to break it for years.
"It would not at all surprise me if the NSA had discovered this long before the rest of us had," Matt Blaze, a cryptographer and computer security professor at the University of Pennsylvania, told Wired. "It’s certainly something that the NSA would find extremely useful in their arsenal."
UPDATE, 4:48 p.m.: This story has been updated to include the NSA's statement refuting Bloomberg's report.