http://www.darkreading.com/author.asp?section_id=314&doc_id=1204483
By Mathew J. Schwartz
Dark Reading
4/15/2014
NSA denies prior knowledge of the Heartbleed vulnerability, but the White
House reserves the right to withhold zero-day exploit information in some
cases involving security or law enforcement.
The White House and National Security Agency have strongly denied reports
that the NSA had known about the Heartbleed vulnerability in OpenSSL for
years and was actively exploiting it for intelligence-gathering purposes.
Those allegations appeared Friday in a Bloomberg News report -- citing
unnamed sources -- claiming the NSA kept secret details about the
Heartbleed vulnerability for at least two years. The vulnerability (a.k.a.
CVE-2014-0160), which can be used to spoof and steal encrypted information
from millions of vulnerable websites, was recently discovered and made
public by Google engineer Neel Mehta and Finnish security firm
Codenomicon.
But the NSA -- via Twitter -- and the Obama administration quickly
disputed the Bloomberg report. "NSA was not aware of the recently
identified vulnerability in OpenSSL, the so-called Heartbleed
vulnerability, until it was made public in a private sector cybersecurity
report," read a statement released Friday by the Office of the Director of
National Intelligence (ODNI). "Reports that say otherwise are wrong." The
ODNI also noted that the federal government relies on OpenSSL to secure
government websites, and claimed that if any agency -- including the NSA
-- had previously discovered the vulnerability, "it would have been
disclosed to the community responsible for OpenSSL."
[...]