Quantcast
Channel: Business Insider
Viewing all articles
Browse latest Browse all 70894

The NSA Flat-Out Denies It Knew Anything About The Heartbleed Bug Before It Was Made Public

$
0
0

Heartbleed

Earlier today, Bloomberg reported that the NSA has been using the Heartbleed bug to gather information about Internet users for years. 

But the NSA quickly denied the report in a tweet, saying that the "NSA was not aware of the recently identified Heartbleed vulnerability until it was made public."

The Heartbleed bug is a security flaw in OpenSSL, a popular data encryption standard. This bug allows hackers to see passwords and encrypted information on hundreds of websites.

Sources familiar with the matter told Bloomberg that the bug quickly became "a basic part of the agency’s tool kit for stealing account passwords and other common tasks."

Here's the tweet from the NSA:

Here's the official statement from the NSA: 

NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.

Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.

In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities.  This process is called the Vulnerabilities Equities Process.  Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.

The National Security Council, a policy-making group that's chaired by President Obama, also sent a statement to NBC News:

"The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services," the statement read in part. "If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

SEE ALSO: Report: NSA has been using the Heartbleed bug for years

Join the conversation about this story »


Viewing all articles
Browse latest Browse all 70894

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>