After a report on Friday alleged the National Security Agency had prior knowledge of the “Heartbleed” bug — a flaw in widely used encryption software that could affect the majority of Web servers — the agency denied it knew about the vulnerability. A spokeswoman said that allegations the NSA knew about the bug for two years are “wrong.”
The security agency’s statement comes just days after news of the flaw was first reported. Heartbleed affects OpenSSL, an open source encryption library that is supposed to secure passwords, credit card numbers and other sensitive information on an estimated two-thirds of Web servers, leaving users of those servers exposed to attackers.
Bloomberg, which reported on the alleged issue, also said the NSA used the Heartbleed bug to “obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission,” citing “two people familiar with the matter.”
On Saturday, the National Security Council said in a release that the federal government, including intelligence agencies such as the NSA, must disclose vulnerabilities in commercial and open source software to the public — except in the case of a clear national security or law enforcement need.
A full statement from the NSA on Friday noted that “the federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report.
“The federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”
The statement went on: “When federal agencies discover a new vulnerability in commercial and open source software — a so-called 'Zero day' vulnerability because the developers of the vulnerable software have had zero days to fix it — it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.”
While websites are expected to implement a fix for Heartbleed in the coming days and weeks, experts say this type of security flaw will almost certainly come up again.
“I think it’s extremely unlikely that it’s the only vulnerability of its kind in OpenSSL,” said Yan Zhu, staff technologist at the Electronic Frontier Foundation, a San Francisco-based digital civil liberties advocacy group. “It affects so many things on the Internet, and it’s very hard to completely fix, we think. This is not the first or last vulnerability.”
She said EFF has come across evidence of what appears to be a Heartbleed attack that took place in 2013, coming from an IP address associated with bots that had previously been blacklisted for spying on IRC (Internet Relay Chat) networks, which are open source chat rooms.
Zhu said that while EFF is trying to get more information about the attack, which it described in a blog post, the practice of recording chatroom conversations on IRC networks is behavior more typical of an intelligence agency than an average user.
She added that she wouldn’t put it past the NSA to be aware of certain types of security flaws that would help it to gather intelligence — whether it’s Heartbleed or some other bug of which the world is not yet aware.
“I would assume that NSA knows more about these than the public, and knows several that are much easier to exploit than Heartbleed,” she said.