NSA knew about Heartbleed for two years and exploited it

The Heartbleed security flaw makes many popular sites vulnerable to hacking your information. Source: AP

 

THE National Security Agency knew for at least two years about the software flaw that has left countless individuals vulnerable to hackers, but the agency failed to alert the public and instead used the weakness to gather intelligence, Bloomberg News reported Friday. 

The flaw involves the so-called Heartbleed bug, a flaw in the OpenSSL encryption tool that is believed to be used on about two-thirds of all websites. Because of the glitch, security experts say, hackers had the chance to steal countless passwords used to access websites and other sensitive information.

While the Bloomberg report cited two unnamed sources, described as “people familiar with the matter,” the NSA denied the allegations late Friday in a post on the official Twitter account of the agency's public affairs office. The agency said: “Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.” Bloomberg reported that the NSA exploited the Heartbleed bug to obtain vital data used by cyber-crooks. It said the clandestine agency discovered the flaw shortly after it was accidentally created in 2012 by an adjustment in the OpenSSL software, according to an unnamed source.

After that, Bloomberg said, the bug “became a basic part of the agency's tool kit for stealing account passwords” and other information, while most internet users and security experts remained unaware of the flaw.

news.com.au 12 Apr 2014