The US National Security Agency (NSA) has denied any prior knowledge of the recently discovered OpenSSL encryption flaw, codenamed Heartbleed.
In a message on Twitter, the NSA said it was not aware of the flaw before its public disclosure, denying suggestions that it had known of the flaw or was responsible for its creation.
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public. — NSA/CSS (@NSA_PAO), April 11, 2014
The NSA is believed to have exploited similar flaws in other encryption technologies during its mass-surveillance operations such as PRISM. Reports broke earlier in April that the NSA was using a flaw in RSA's widely used BSafe encryption libraries to mount spy operations.
GCHQ is also believed to have used the flaws to mount espionage operations, though it has consistently denied these allegations. GCHQ declined V3's request for comment on whether it was aware of the Heartbleed flaw before it was publicly disclosed.
Heartbleed, as discussed below, was uncovered by Finnish security experts earlier in April, and relates to a critical flaw in the OpenSSL implementation of the transport layer security (TLS) protocol. The Heartbleed flaw is believed to have affected millions of web users around the world, as the OpenSSL library is used by open-source web servers that host 66 percent of all sites.
The OpenSSL Project has since released a fix for Heartbleed. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has urged companies to install the update as soon as possible, arguing that Heartbleed could be exploited by hackers hoping to gather information that could be used to mount a follow-up attack on critical infrastructure systems.
"An attacker could harvest enough data from the 64KB segments to piece together larger groupings of information, which could help an attacker develop a broader understanding of the information being acquired," read the advisory.
"OpenSSL Version 1.0.1g has addressed and mitigated this vulnerability. Please contact your software vendor to check for availability of updates. Any system that may be affected by this vulnerability should regenerate any credential information (secret keys, passwords, etc) with the assumption that an attacker has already used this vulnerability to obtain those items."
Data theft is a growing problem facing businesses across multiple industries. Security firm Symantec reported earlier in April that hackers have compromised more than 552 million web users' identities over the past year.