Heartbleed denial reveals loophole for NSA spying

The NSA has denied it exploited the Heartbleed security flaw, but US officials have revealed a loophole that would allow such actions

The US National Security Agency has denied it knew about or exploited the Heartbleed security flaw, but government officials have revealed a loophole that would allow such actions.

Researchers have warned that the flaw affects two-thirds of internet sites and could allow attackers to monitor all data exchanged with users.

A White House official also denied that any part of the US government was aware of the bug before it was reported by security researchers at Google and Finnish security firm Codenomicon in April 2014.

The denial came after a Bloomberg News reported alleging the NSA used the flaw in OpenSSL to harvest data since the flaw was introduced two years ago.

But, senior US administration officials have revealed that President Obama has introduced a loophole that the NSA could exploit in future, according to a report in the New York Times.

While Obama has decided that the NSA should go public when it discovers major flaws in Internet security, it does not have to do so in the event of "a clear national security or law enforcement need".

The loophole is likely to allow the NSA to continue to exploit security flaws to crack encryption on the Internet and to design cyber weapons, the paper said.

Whistleblower Edward Snowden has alleged that the NSA deliberately introduced flaws in security software, but a German programmer has accepted responsibility for the Heartbleed bug.

Robin Seggelmann told The Sydney Morning Herald that he had introduced the flaw in OpenSSL through a programming error when contributing to the open source project in December 2011.

The bug exposes only 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted such as usernames and passwords.

Heartbleed has raised concern because of the large number of products and services that make use of vulnerable versions of OpenSSL and the fact that it can be exploited without a trace.

After casting doubt on the scale of the threat, security firm CloudFare set a challenge to see if anyone could exploit the flaw to obtain the secret SSL keys that would put data at risk.

In response, four researchers working separately demonstrated that a server’s private encryption key can be obtained using the Heartbleed bug, according to a CloudFare blog post.

“This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability,” the blog post said.

Several makers of internet hardware and software have warned that some of their products are affected, including network routers and switches, video conferencing equipment, phone call software, firewalls and remote working applications.

At the weekend, BlackBerry announced that it plans to release security updates for messaging software for Android and iOS devices to address vulnerabilities related to the OpenSSL flaw.

The company said that while most BlackBerry products do not use the vulnerable software, it does need to update its Secure Work Space corporate email and BBM messaging for Android and iOS.

BlackBerry Said these products would be vulnerable to attacks if hackers gain access to these apps through either WiFi connections or carrier networks.

But a company representative said the risk was “extremely small” because BlackBerry's security technology would make it difficult, report the Guardian.

Other suppliers that have rushed to respond to the threat include: Cisco Systems, Hewlett-Packard, International Business Machines, Intel, Juniper Networks, Oracle and Red Hat.

Read more on Privacy and data protection