The US National Security Agency (NSA) has denied any prior knowledge of the recently discovered OpenSSL encryption flaw, codenamed Heartbleed.
In a message on Twitter, the NSA said it was not aware of the flaw before its public disclosure, denying suggestions that it had known about the flaw or was responsible for its creation.
"Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public." — NSA/CSS (@NSA_PAO), April 11, 2014
The NSA is believed to have exploited similar flaws in other encryption technologies during its mass-surveillance operations such as PRISM. Reports broke earlier in April that the NSA was using a flaw in RSA's widely used BSafe encryption libraries to mount spy operations.
GCHQ is also believed to have used such flaws to mount espionage operations, though it has consistently denied these allegations. GCHQ declined V3's request for comment on whether it was aware of the Heartbleed flaw before it was publicly disclosed.
Heartbleed, as discussed below, was uncovered by Finnish security experts earlier in April, and is a critical flaw in the OpenSSL implementation of the Transport Layer Security (TLS) protocol. The flaw is believed to have affected millions of web users around the world, as the OpenSSL library is used by open-source web servers that host 66 percent of all sites.
The OpenSSL Project has since released a fix for Heartbleed. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has urged companies to install the update as soon as possible, arguing that Heartbleed could be exploited by hackers hoping to gather information that could be used to mount a follow-up attack on critical infrastructure systems.
"An attacker could harvest enough data from the 64KB segments to piece together larger groupings of information, which could help an attacker develop a broader understanding of the information being acquired," read the advisory.
"OpenSSL Version 1.0.1g has addressed and mitigated this vulnerability. Please contact your software vendor to check for availability of updates. Any system that may be affected by this vulnerability should regenerate any credential information (secret keys, passwords, etc) with the assumption that an attacker has already used this vulnerability to obtain those items."
Data theft is a growing problem facing businesses across multiple industries. Security firm Symantec reported earlier in April that hackers have compromised more than 552 million web users' identities over the past year.