US' National Security Agency (NSA) has denied report that the agency had been using 'Heartbleed' security flaw for its own purposes and without alerting the affected websites. The NSA added it became aware about the vulnerability only after it was made public in a cybersecurity report.
“The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” says the security agency in a statement.
Earlier, a Bloomberg report citing unidentified sources alleged the NSA knew about the vulnerability for at least two years and used it regularly to gather critical information.
The Heartbleed security exploit has taken the Internet by storm, triggering a wide concern about the web security and impact on major websites. It is being dubbed as one of the biggest flaws in the Internet's history. Major services such as Google have already released security patches in this regard. While BlackBerry has plans to release a security patch for BBM, Twitter in an update says it is monitoring the situation.
The U.S. government has already issued a warning to banks and other businesses about possible attempts by cyber attackers to steal data using the "Heartbleed" bug. Kaspersky Lab claims it has uncovered evidence that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans.
"Shortly after news of the Heartbleed Bug first surfaced, Kaspersky Lab uncovered evidence that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans. Later, the Team at Kaspersky Lab identified such scans coming from 'tens' of actors. The numbers were gradually increasing and this was even more evident when security software company Rapid7 released a free tool for conducting such scans. This problem is insidious and devices besides servers could be at risk because they run software programs with vulnerable OpenSSL code built into them,” said Kurt Baumgartner, Researcher - Kaspersky Lab in a statement.