Earlier this week, the Heartbleed bug made its way online, and the fact that it had gone undiscovered for two years made everyone question just how many hackers have taken advantage of it over this period. Bloomberg has gone as far as to write that the NSA has had access to Heartbleed for the past two years and just kept it secret from everyone else.
The NSA has declined to comment on the allegations, simply stating that the agency was not aware of the OpenSSL vulnerability until it was made public.
Of course, this isn’t exactly a far-fetched idea or one that no one has thought of, but Bloomberg seems to be presenting it as fact, even though there’s little evidence in the article to back this up.
As a matter of fact, the leaked documents from the Snowden stash have demonstrated thus far that a bug such as Heartbleed is exactly the type of vulnerability that the intelligence agency was trained to seek out and exploit for as long as possible.
It’s also been reported that one of the NSA’s goals was to minimize encryption standards everywhere, which makes OpenSSL a main target thanks to the fact that it is used by some two thirds of the world’s websites.
The “author” of Heartbleed has denied any connection to an intelligence service or that the bug ended up in OpenSSL on purpose. Instead, he explained that it was a programming error that happened to be in the worst section ever – security.
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services,” reads a statement issued by the National Security Council.
They also say that had the bug been discovered by the intelligence community, it would have been disclosed publicly.
Furthermore, they say that it is in the national interest to disclose the vulnerability rather than keep it hidden, since it could be discovered by anyone.
Heartbleed is a particularly dangerous bug that could unveil huge amounts of unencrypted data. Attacks exploiting Heartbleed leave no traces, which means it’s impossible to know whether any have taken place and when.