The Office of the Director of National Intelligence says disclosing the vulnerability would be “in the national interest”
The US National Security Agency (NSA) has categorically denied allegations that it knew about the existence of the Heartbleed bug for at least two years.
Last week, Bloomberg accused the agency of secretly exploiting the vulnerability in the open source OpenSSL cryptographic library to gather intelligence, while leaving millions of ordinary users at risk.
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong,” said a statement from the Office of the Director of National Intelligence (ODNI).
“The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet.”
Heartbleed (official designation CVE-2014-0160) was discovered last week by researchers from the Finnish security firm Codenomicon and by Neel Mehta of Google Security. By leaking the contents of a server's memory, it allows an attacker to obtain the private keys used by a website, decrypt past and future traffic to the protected services, and impersonate those services at will.
To make matters worse, any attack that uses Heartbleed is virtually undetectable, and security experts are still not sure whether the bug was widely known among cyber criminals. It is estimated that the vulnerability affects the security of as many as two-thirds of websites, including those of social networks and banks.
Heartbleed was introduced into the OpenSSL code by a programming error in version 1.0.1, which was released publicly in March 2012. OpenSSL version 1.0.1g, released on Monday, removes the error.
Besides patching the vulnerability, fully remediating Heartbleed requires revoking the potentially compromised keys and certificates and issuing and redistributing new ones. Users of affected websites are also advised to change their passwords.
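The remediation sequence above is easy to get half right: a site that upgrades OpenSSL but keeps serving a certificate whose key existed while the vulnerable build was live has not closed the hole, and a password changed on a still-vulnerable host can itself be captured. The following audit helper is an added example, not code from the article, OpenSSL or any vendor. It takes the version range and release facts stated in the text (1.0.1 through 1.0.1f affected, 1.0.1g fixed) and checks, for a constructed list of hosts, which remediation steps are still outstanding. The `HostRecord` fields, the sample hosts and the action labels are assumptions made for the example.

```python
"""Added example: post-Heartbleed remediation audit (not the article's code)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def openssl_vulnerable(version: str) -> bool:
    """True when `version` falls in the affected range 1.0.1 through 1.0.1f.

    Only the 1.0.1 branch described in the article is covered. Caveat: many
    Linux distributions backported the fix while keeping the upstream version
    string (e.g. a patched 1.0.1e), so True means "confirm via the package
    changelog", not "definitely exposed".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) != (1, 0, 1):
        return False
    # Letter suffixes sort alphabetically; the bare "1.0.1" (empty suffix) is
    # the first release of the branch and is also affected.
    return letter < "g"


@dataclass
class HostRecord:
    """Hypothetical inventory record for one TLS endpoint (assumed fields)."""
    name: str
    openssl_version: str
    patched_on: Optional[date]  # date the fixed build went live; None = not yet
    cert_not_before: date       # notBefore of the certificate currently served


def audit(host: HostRecord) -> List[str]:
    """Return the outstanding remediation actions for one host, in order."""
    actions: List[str] = []
    if host.patched_on is None:
        actions.append("patch: upgrade OpenSSL to 1.0.1g or a backported fix")
    elif openssl_vulnerable(host.openssl_version):
        # Patched date is recorded but the version string still looks affected:
        # most likely a distro backport, so verify rather than re-patch.
        actions.append("verify: version string is in the affected range; "
                       "confirm the fix in the package changelog")
    # A key is only trustworthy if it never existed on a vulnerable build, i.e.
    # it was generated after the fix was applied on this host.
    if host.patched_on is None or host.cert_not_before < host.patched_on:
        actions.append("rotate: generate a new key and reissue the certificate")
        actions.append("revoke: revoke the certificate whose key may have leaked")
        # Password resets only help once the patch and new key are in place.
        actions.append("notify: advise users to change passwords after the above")
    return actions


# Constructed sample fleet for the example; not real hosts.
SAMPLE_HOSTS = [
    HostRecord("web-1", "1.0.1e", None, date(2013, 6, 1)),              # untouched
    HostRecord("web-2", "1.0.1g", date(2014, 4, 8), date(2013, 6, 1)),  # patched, old key
    HostRecord("web-3", "1.0.1g", date(2014, 4, 8), date(2014, 4, 9)),  # fully remediated
    HostRecord("web-4", "1.0.1e", date(2014, 4, 8), date(2014, 4, 9)),  # backported fix
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h.name, audit(h) or ["nothing outstanding"])
```

The key-rotation test deliberately compares the certificate's notBefore against the host's own patch date rather than against the public disclosure date: a certificate reissued the day after disclosure but before the host was patched was exposed again and still has to go.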
The statement from ODNI claims that the US intelligence agencies do not hide the existence of ‘zero-day’ flaws in commercial and open source software when their disclosure is “in the national interest”.
However, the same statement qualifies this: vulnerabilities are disclosed “unless there is a clear national security or law enforcement need” to withhold them – which essentially means that the NSA can disclose vulnerabilities however and whenever it sees fit.