bit-tech.net

NSA denies prior knowledge of Heartbleed vuln

The US National Security Agency has denied any knowledge of the OpenSSL Heartbleed vulnerability prior to it going public, stating it is biased towards responsible disclosure.

The US National Security Agency (NSA) has denied claims that it knew about the Heartbleed vulnerability in OpenSSL before it was made public, claiming that it is biased towards seeing such flaws fixed for the greater good rather than keeping its knowledge secret to further its intelligence-gathering programmes.

The NSA has been in the limelight of late thanks to revelations by former contractor turned whistleblower Edward Snowden, the source of evidence showing the NSA has been overreaching its charter with massive surveillance programmes against both US and foreign nationals. Documents leaked by Snowden included claims that the NSA works closely with major companies to gain back-door access to code and data, and even works to weaken commercial security products by recommending known-weak ciphers and random number generators.

When news of the Heartbleed vulnerability in popular cryptography library OpenSSL broke last week, many wondered if the NSA was aware of the flaw. Present in the OpenSSL codebase since 2011 and in the wild since 2012, the Heartbleed vulnerability has been proven to leak private keys - allowing the decryption of encrypted traffic, something the NSA captures and stores for several years as part of its intelligence activities.

Many in the industry had wondered why the NSA captured and stored encrypted traffic with no known way to decrypt it, but the Heartbleed bug means that the NSA - or any other attacker - could easily retrieve the private keys required to unlock the encrypted traffic. Suddenly, the NSA's trove of scrambled data made a lot of sense - leading many to claim on sites like Bloomberg that the NSA knew of Heartbleed and had been exploiting the vulnerability for years.

The NSA has, naturally, denied this. 'Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,' the Office of the Director of National Intelligence has stated. The denial has been followed by claims made to The New York Times that the NSA and other US intelligence agencies follow a process 'biased toward responsibly disclosing such vulnerabilities.'

The same article, however, quotes officials as admitting that while President Barack Obama has instructed the NSA and other agencies to follow responsible disclosure practices when flaws are found, there exists a loophole which allows vulnerabilities to be withheld for future exploitation if there is a 'clear national security or law enforcement need' - something critics claim could well have applied to knowledge of the Heartbleed vulnerability, given the NSA's corpus of encrypted data.

The Heartbleed vulnerability is still being patched, with sites affected by the flaw having to upgrade to a newer release of OpenSSL and revoke and replace their certificates before users can safely change their passwords and, where available, enable two-factor authentication.
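The remediation order above matters: a certificate reissued while the vulnerable OpenSSL build was still serving could have had its new key read out of memory, so users should only change passwords once the upgrade, the re-key and the revocation have all happened in that sequence. The following script is an added example for operators, not code from the article or from the OpenSSL project. It assumes an inventory of hosts with the output of `openssl version`, the time the fixed release went live, the notBefore of the certificate currently served, and whether the old certificate was revoked; the first fixed upstream release (1.0.1g) is taken from the OpenSSL advisory rather than from the article, and the host data is constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Assumption (not from the article): the first fixed upstream release, per the
# OpenSSL advisory. Distributions that backport the fix without bumping the
# version string need a package-level check instead of this banner comparison.
FIRST_FIXED_RELEASE = "1.0.1g"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def version_key(text: str):
    """Turn '1.0.1f' or a full `openssl version` banner into a sortable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


@dataclass
class HostState:
    host: str
    openssl_banner: str             # output of `openssl version` on the host
    patched_at: Optional[datetime]  # when the fixed release went live, None if not yet
    cert_not_before: datetime       # notBefore of the certificate currently served
    old_cert_revoked: bool          # whether the pre-patch certificate was revoked


def outstanding_steps(state: HostState, fixed_release: str = FIRST_FIXED_RELEASE) -> List[str]:
    """Return the remediation steps still owed, in the order the article gives them.

    An empty list means users can safely change their passwords on this host.
    """
    steps = []
    still_vulnerable = version_key(state.openssl_banner) < version_key(fixed_release)
    if still_vulnerable or state.patched_at is None:
        steps.append("upgrade OpenSSL to a fixed release")
    # A key generated while the vulnerable build was still serving could itself
    # have been leaked, so the certificate must post-date the upgrade.
    if state.patched_at is None or state.cert_not_before <= state.patched_at:
        steps.append("generate a new key and reissue the certificate after the upgrade")
    if not state.old_cert_revoked:
        steps.append("revoke the certificate that was exposed")
    return steps


def safe_for_password_change(state: HostState, fixed_release: str = FIRST_FIXED_RELEASE) -> bool:
    return not outstanding_steps(state, fixed_release)


# Constructed sample inventory (hostnames and timestamps are made up).
_UTC = timezone.utc
SAMPLE_HOSTS = {
    "unpatched": HostState(
        "shop.example", "OpenSSL 1.0.1f 6 Jan 2014", None,
        datetime(2013, 6, 1, tzinfo=_UTC), False),
    # Upgraded, but the certificate was reissued two hours BEFORE the upgrade.
    "cert_reissued_too_early": HostState(
        "mail.example", "OpenSSL 1.0.1g 7 Apr 2014",
        datetime(2014, 4, 8, 10, 0, tzinfo=_UTC),
        datetime(2014, 4, 8, 8, 0, tzinfo=_UTC), True),
    "done": HostState(
        "www.example", "OpenSSL 1.0.1g 7 Apr 2014",
        datetime(2014, 4, 8, 10, 0, tzinfo=_UTC),
        datetime(2014, 4, 9, 0, 0, tzinfo=_UTC), True),
}


def report(hosts=SAMPLE_HOSTS) -> dict:
    """Map each host name to its outstanding steps."""
    return {state.host: outstanding_steps(state) for state in hosts.values()}


if __name__ == "__main__":
    for host, steps in report().items():
        status = "OK: users may change passwords" if not steps else "; ".join(steps)
        print(f"{host}: {status}")
```

The "cert_reissued_too_early" case is the one that is easy to miss in a hurried rollout: the host reports a fixed OpenSSL version and a fresh certificate, yet the key still has to be treated as exposed because it was generated before the patch.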

5 Comments

theshadow2001 14th April 2014, 12:18 Quote
Of course a bias towards disclosure of security flaws is another way of saying they don't disclose all flaws or even most flaws. It's such a vacuous statement.
Corky42 14th April 2014, 12:48 Quote
That's not the only vacuous part of their statement; they go on to say:
'A clear process exists among agencies for deciding when to share vulnerabilities, the office said in a statement.'

Then you have the Obama-convened panel that reviewed surveillance activities saying:
Quote:
Among the dozens of changes put forward was a recommendation that the NSA quickly move to fix software flaws rather than exploit them, and that they be used only in "rare instances" and for short periods of time.
Does fixing software flaws equal disclosure? It's no good fixing something for a select few.

How short is a short period of time? It may only take seconds to use a software flaw.

How rare are "rare instances"? If we only use a particular software flaw one in a thousand times, is that rare?
kosch 14th April 2014, 13:24 Quote
That is the first thing that popped into my head when I heard the breaking news of heartbleed.
r3loaded 14th April 2014, 15:56 Quote
Problem is that they could be telling the truth (I'm slightly inclined to believe so given the hidden nature of the bug and the difficulty involved in exploiting it) but they've destroyed so much trust that people won't accept anything they say.
Dave Lister 14th April 2014, 18:25 Quote
Quote:
Originally Posted by r3loaded
Problem is that they could be telling the truth (I'm slightly inclined to believe so given the hidden nature of the bug and the difficulty involved in exploiting it) but they've destroyed so much trust that people won't accept anything they say.

Count me as one of the few (or many) who don't trust. The U.S. government's (PAUSE: Just for clarity, many western nations' B&B is telling lies, although the US seems to be the ring leader) bread and butter is made lying to the public and keeping secrets. True Fact!