Did NSA know about Heartbleed Web bug?


SEATTLE — At Caffe Vita on Capitol Hill, Rachel Wright is hanging out with her friend Edward Finkler. He’s been a Web developer for 15 years and says the Heartbleed bug is nothing to take lightly.

“This is the single worst security flaw I’ve seen on the Internet in the entire time I’ve been working,” said Finkler.

The Heartbleed bug is one of the biggest vulnerabilities in Web history. It is based in OpenSSL, software used on more than two-thirds of the world’s websites to encrypt personal data, and the flaw allows potential hackers to access your most precious information.

“It could be credit cards, it could be passwords, company information you don’t want to get out,” said Robert Zigweid with IoActive, a cybersecurity assessment company in Seattle.


A recently discovered bug called “Heartbleed” in OpenSSL, a technology used by many online services, may have left user data across the Internet vulnerable to hackers. (Heartbleed.com)

Experts say the flaw has existed for at least two years.

“It would not surprise me if this was used for espionage purposes,” said Finkler.

The National Security Agency denied a report that it has exploited the “Heartbleed” bug to spy on consumers for the past two years.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report,” the agency said in a statement. “Reports that say otherwise are wrong. Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong.”

The statement came in response to a story by Bloomberg on Friday that claimed the NSA had known about the vulnerability in OpenSSL since it was first introduced two years ago.

“This is exactly the kind of stuff the U.S. government and NSA pay people to find and don’t tell anybody about it because it allows them to spy on people,” said Finkler.

OpenSSL created a fix to the problem this week but it’s now up to each individual company to update their servers. That is why it’s important to change all your passwords now and continue to do so regularly for the next couple months.

“It does add a level of protection in that if an attacker got your previous password, it won’t work anymore but it doesn’t necessarily stop them from getting it again,” said Zigweid.

Zigweid says people should try using a phrase or part of a sentence incorporating numbers rather than a traditional password.







