NSA denies it had early knowledge of Heartbleed
“Reports that say otherwise are wrong.”
The National Security Agency quickly denied a report that claimed the surveillance agency knew about the Heartbleed bug for years prior to its public disclosure this week.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokesperson told the Daily Dot. “Reports that say otherwise are wrong.”
The NSA further denied that it had early knowledge of Heartbleed in a post on Twitter published roughly two hours after Bloomberg reported that, according to two unnamed sources, the spy agency has known about and exploited the Heartbleed vulnerability since 2012.
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
— NSA/CSS (@NSA_PAO) April 11, 2014
White House National Security Council Spokesperson Caitlin Hayden echoed the NSA in a statement to the press, adding that no federal government agency knew of Heartbleed before it was exposed Monday by security researchers:
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
If the Bloomberg report is true, the NSA would have had the ability to access wide swaths of private information on the Web, including the usernames, passwords, private encryption keys, and more, from virtually every Web user on the globe.
On Monday, security firm Codenomicon and Neel Mehta of Google Security announced they’d discovered Heartbleed, a serious flaw in the OpenSSL encryption protocol used to protect an estimated two-thirds of the Internet’s browsing activity.
According to the Bloomberg report, the NSA kept its knowledge of Heartbleed a secret for purposes of national security—presumably to use the bug to easily and cheaply gain access to otherwise encrypted data.
The NSA’s alleged hidden knowledge of Heartbleed would be especially egregious, as the flaw left virtually every Web user vulnerable to attacks from cybercriminals and surveillance from world governments.
Thanks to some of the leaks provided by former NSA contractor Edward Snowden, the world already knew that the agency was fond of using encryption exploits, apparently in order to see what potential targets would do online if they assumed their communications were secret.
Some of the most damning of the Snowden leaks indicate that the agency engineered encryption flaws into products made by security firm RSA, possibly in exchange for million-dollar contracts with the security firm.
Updated with statement from the White House.
Andrew Couts contributed to this report.
Photo by Jason Reed
A former senior politics reporter for the Daily Dot, Kevin Collier focuses on privacy, cybersecurity, and issues of importance to the open internet. Since leaving the Daily Dot in March 2016, he has served as a reporter for Vocativ and a cybersecurity correspondent for BuzzFeed.