Yesterday Bloomberg reported that the NSA had exploited the ‘HeartBleed’ bug in OpenSSL for almost two years and kept it in the dark for the sake of national security. Today the NSA denied the very basis of that report in a statement, saying it was not aware of the bug until security researchers brought it to light.
An NSA spokeswoman said in an email, “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong.”
HeartBleed, a bug in OpenSSL, a cryptographic library used to encrypt data transmitted between a server and a client, has proved to be the most devastating bug ever found. The vulnerability, when exploited, can allow an attacker to gain access to the entire server, stored X.509 certificates, usernames and passwords, or even worse.
In the denial, the National Security Agency also stated, “When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.”
We may want to believe what the NSA has stated, as none of the documents leaked by former NSA contractor Edward Snowden included anything about ‘HeartBleed’. Although the security agency has a number of secrets hidden beneath the surface, the surveillance is only in favor of national security.
Although the vulnerability can now be patched, many websites still house it. Larry Zelvin, director of the DHS National Cybersecurity and Communications Integration Center, said, “While there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems. That is why everyone has a role to play in ensuring our nation’s cybersecurity.”