Published on April 12th, 2014
NSA Denies Report It Knew About And Exploited Heartbleed
The NSA issued a '94 character' statement today denying claims that it has known about the Heartbleed bug for two years and has been silently using it for surveillance.
"NSA was not aware of the recently identified Heartbleed vulnerability until it was made public," the U.S. intelligence agency said on its Twitter feed.
Heartbleed is one of the biggest Internet vulnerabilities in recent history. It left a large number of cryptographic keys and private data, such as usernames, passwords, and credit card numbers, from the most important sites and services on the Internet open to hackers.
The bug resides in the "Heartbeat" feature of the most secured open source encryption protocol, OpenSSL, which is used by several social networks, search engines, banks and other websites to enable secure connections while transmitting data.
A team of researchers from Codenomicon and a Google Security researcher revealed the vulnerability this week; it has been in the wild since the new version 1.0.1f was released in March 2012. Just after the revelation, OpenSSL released the security fix for the bug in its version 1.0.1g, but until then the Heartbleed bug left websites, email, instant messaging (IM), and some virtual private networks, on about half a million of the world's widely trusted web servers, open to hackers.
The Heartbleed bug originated in a mistake made by German programmer Robin Seggelmann over two years ago while he was working on a new Heartbeat feature in OpenSSL.
He submitted the OpenSSL code with the heartbeat feature in an update on New Year's Eve, 2011, and an "oversight" led to an error that unintentionally created the "Heartbleed" vulnerability.
Yesterday he said it could be entirely possible that the government intelligence agencies had been making use of this critical flaw over the past two years.
The fix was released just after, but users' data remain vulnerable until the vulnerable websites implement it. You should change your password immediately only for those websites that are not affected, assuming that they were vulnerable before, just to make sure that you are now safe.