The most recent critical bug found on OpenSSL, Heartbleed, was believed to be exploited by the NSA to siphon out data. Unnamed sources report that the NSA had known about the bug years prior, and have been using it to steal sensitive information.
The critical OpenSSL bug that just came to light known as Heartbleed, has caused a public outcry. Heartbleed allows for attackers to steal cryptographic keys, and funnel data out of websites with no special tools. The Heartbleed bug is acclaimed to be one of the worst bugs of all time. Cryptographer Bruce Schneier noted the flaws severity to be an 11 out of 10.
Recent speculation has overcome the NSA, wanting to know if the agency abused this bug before its most recent publications. Two unnamed sources told Bloomberg that the NSA has known about the Heartbleed bug for over two years, and had accidentally stumbled upon the flaw.
Sources report the flaw “became a basic part of the agency’s toolkit for stealing account passwords and other common tasks”. The flaw did not reamain in the encryption itself, but instead how the encrypted connection contacted the website and users computer.
The OpenSSL flaw was critical. It allowed hackers, cyber criminals, or just about anyone to gain unauthorized access to emails, bank accounts, ecommerce websites, and decrypt any data, as the encryption keys could be extracted.
If the reports about encryption keys begin stolen, and used to decrypt data remain true, the NSA could have access to numerous sensitive files across the world. The NSA would have to impersonate the website, and conduct man-in-the-middle attacks to trick users into giving up data.
Numerous hackers and government agencies around the world have longed for a solution to decrypt SSL traffic. Just last year the Guardian reported that the NSA and British intelligence agency (GCHQ), had been developing tools to decrypt traffic in real time from numerous corporations including Google, Yahoo, Facebook, Hotmail, and others. There is speculation that the NSA may have succeeded on multiple accounts.
Reports from Bloomberg do not state if the NSA or other agencies succeeded in extracting private keys from the vulnerability. The report only mentions it was used to steal passwords and “critical intelligence”.
Since the report has gone live, the NSA has issued a statement regarding recent allegations. Of course, the NSA has again denied any knowledge of this, just as the agency has done with leaked Edward Snowden documents. The NSA stated on Twitter “Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.”. Also stated, “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokesperson noted. “Reports that say otherwise are wrong.”
“The White House National Security Council spokesperson Caitlin Hayden also denied that federal agencies knew about the bug. ‘If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,’ Caitlin Hayden said in a statement”, Wired reported.