Monday 14 April 2014

Heartbleed bug denial by NSA and White House


The US National Security Agency has denied it knew about or exploited the Heartbleed online security flaw.
The denial came after a Bloomberg News report alleging the NSA used the flaw in OpenSSL to harvest data.
OpenSSL is online-data scrambling software used to protect data such as passwords sent online.
Last year, NSA leaker Edward Snowden claimed the organisation deliberately introduced vulnerabilities to security software.

'A mistake'

A German computer programmer has accepted responsibility for the emergence of the Heartbleed bug, according to a report in the Sydney Morning Herald.
Robin Seggelmann, a 31-year-old from Oelde - 120 miles (193km) north of Frankfurt - is reported to have made the mistake while trying to improve the OpenSSL cryptographic library on 31 December 2011.
"It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area," he told Fairfax Media.
"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."
The bug, which allows hackers to snatch chunks of data from systems protected by OpenSSL, was revealed by researchers working for Google and a small Finnish security firm, Codenomicon, earlier this month.
OpenSSL is used by roughly two-thirds of all websites and the glitch existed for more than two years, making it one of the most serious internet security flaws to be uncovered in years.
"[The] NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cyber security report," NSA spokeswoman Vanee Vines said in an email, adding that "reports that say otherwise are wrong."
A White House official also denied the US government was aware of the bug.
"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," White House national security spokeswoman Caitlin Hayden said in a statement.
"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet," she insisted, adding: "If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."
Bloomberg, citing two people it said were familiar with the matter, said the NSA secretly made Heartbleed part of its "arsenal", to obtain passwords and other data.
It claimed the agency has more than 1,000 experts devoted to finding such flaws - who found the Heartbleed glitch shortly after its introduction.
The claim has unsettled many.
"If the NSA really knew about Heartbleed, they have some *serious* explaining to do," cryptographer Matthew Green said on Twitter.
The agency was already in the spotlight after months of revelations about its huge data-gathering capabilities.
Documents leaked by former NSA contractor Edward Snowden indicated the organisation was routinely collecting vast amounts of phone and internet data, together with partner intelligence agencies abroad.
President Barack Obama has ordered reforms that would halt government bulk collection of US telephone records, but critics argue this does not go far enough.