Heartbleed denial reveals loophole for NSA spying

The US National Security Agency has denied it knew about or exploited the Heartbleed security flaw, but government officials have revealed a loophole that would allow such actions.

Researchers have warned that the flaw affects two-thirds of internet sites and could allow attackers to monitor all data exchanged with users.

A White House official also denied that any part of the US government was aware of the bug before it was reported by security researchers at Google and Finnish security firm Codenomicon in April 2014.

The denial came after a Bloomberg News report alleging that the NSA had used the flaw in OpenSSL to harvest data since the flaw was introduced two years ago.

But senior US administration officials have revealed that President Obama has introduced a loophole that the NSA could exploit in future, according to a report in the New York Times.

While Obama has decided that the NSA should go public when it discovers major flaws in Internet security, it does not have to do so in the event of "a clear national security or law enforcement need".

The loophole is likely to allow the NSA to continue to exploit security flaws to crack encryption on the Internet and to design cyber weapons, the paper said.

Whistleblower Edward Snowden has alleged that the NSA deliberately introduced flaws in security software, but a German programmer has accepted responsibility for the Heartbleed bug.

Robin Seggelmann told The Sydney Morning Herald that he had introduced the flaw in OpenSSL through a programming error when contributing to the open source project in December 2011.

The bug exposes only 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted, such as usernames and passwords.
