Did NSA know about Heartbleed Web bug?



SEATTLE -- At Caffe Vita on Capitol Hill, Rachel Wright is hanging out with her friend Edward Finkler. He’s been a Web developer for 15 years and says the Heartbleed bug is nothing to take lightly.

“This is the single worst security flaw I’ve seen on the Internet in the entire time I’ve been working,” said Finkler.

The Heartbleed bug is one of the biggest vulnerabilities in Web history, based in OpenSSL software used on more than two-thirds of the world's websites to encrypt personal data. That allows potential hackers to access your most precious information.

“It could be credit cards, it could be passwords, company information you don’t want to get out,” said Robert Zigweid with IoActive, a cybersecurity assessment company in Seattle.



Experts say the flaw has existed for at least two years.

“It would not surprise me if this was used for espionage purposes,” said Finkler.

The National Security Agency denied a report that it has exploited the "Heartbleed" bug to spy on consumers for the past two years.

"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report," the agency said in a statement. "Reports that say otherwise are wrong. Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong."

The statement came in response to a story by Bloomberg on Friday that claimed the NSA had known about the vulnerability in OpenSSL since it was first introduced two years ago.

“This is exactly the kind of stuff the U.S. government and NSA pay people to find and don’t tell anybody about it because it allows them to spy on people,” said Finkler.

OpenSSL created a fix to the problem this week but it's now up to each individual company to update their servers. That is why it's important to change all your passwords now and continue to do so regularly for the next couple months.

“It does add a level of protection in that if an attacker got your previous password, it won’t work anymore but it doesn't necessarily stop them from getting it again,” said Zigweid.

Zigweid says people should try using a phrase or part of a sentence incorporating numbers rather than a traditional password.

To read more about which passwords you should change and on which sites, click here.