Heartbleed virus: NSA responsible for reporting security flaw

14 Apr 2014

1

With the Heartbleed bug causing havoc and Dropbox users abandoning the site, The New York Times has now revealed that it was the NSA's responsibility to report any vulnerabilities that it found, unless there was ''a clear national security or law enforcement need'' to keep it hidden.

The guidelines were put in place by the Obama administration back in January, but this part of the ruling came to light only in the wake of Heartbleed. There had been some concern that the NSA might have been quietly using Heartbleed for years to serve its own purposes, something that had been denied by the agency.

According to commentators, thanks to the The New York Times, people had more knowledge about the NSA's responsibilities when it came to any security holes that it came across.

A spokeswoman said the organisation was ''biased toward responsibly disclosing such vulnerabilities'', but commentators point out that that did not mean all bugs that the NSA dug up would be announced as a matter of course - discoveries could be kept hidden and utilised for purposes of national security, if deemed necessary.

Meanwhile, when a British computer consultant released OpenSSL version 1.0.1 in the public domain, he could not have known that the version could end up shaking the foundations of the internet two years down the line, Mail & Guardian said in a column.

OpenSSL is used by hundreds and thousands of websites to support online security, with  Transport Layer Security (TLS), which scrambles (encrypts) private communications one of the most popular security features it provides.

When users check their bank account or their webmail they see a green padlock in their browser's address bar, denoted they were using TLS, according to the columnist, Alistair Fairweather.

The encryption becomes necessary as without  it hackers and governments could easily intercept and read all the data passed around the internet.

TLS could be thought of as a system of armoured cars that securely transported user data across the public internet between secure locations user computer to the bank's servers, for example.

When Open SSL 1.0.1 was released a tiny bug in a new feature called Heartbeat was missed. Heartbeat allowed quicker traffic between connected computers by eliminating the need for lengthy security checks, called renegotiations, every time the connection needed to be tested.

It allowed one computer to ask the other to repeat a word to test if it was still connected.

Unfortunately, what was missed at the time was the fact that this check could be abused to trick the listening computer into replying with up to 64,000 characters of data directly from its memory. The asking computer simply lied about the length of the word it was sending ("cat is 64 000 letters long"), and the replying computer did not bother to check – it just spat the data out of its memory.

Latest articles

IIT Ropar team develops mechanical device for post-surgical knee rehabilitation

IIT Ropar team develops mechanical device for post-surgical knee rehabilitation

Sebi study finds irregularities in royalty payouts by listed Indian companies

Sebi study finds irregularities in royalty payouts by listed Indian companies

Indian business should take part in large numbers in economic events held  in Russia to increase trade

Indian business should take part in large numbers in economic events held  in Russia to increase trade

IBM launches world’s fastest quantum computer, Heron2

IBM launches world’s fastest quantum computer, Heron2

Musk’s Starlink will undermine India’s strategic and technological independence, says think tank

Musk’s Starlink will undermine India’s strategic and technological independence, says think tank

India adds $27.14 bn to its FY25 trade deficit in October to take it to $164.65 bn

India adds $27.14 bn to its FY25 trade deficit in October to take it to $164.65 bn

Indian general insurance sector logs 27.53% growth in Oct. Four insurers log three digit growth

Indian general insurance  sector logs 27.53% growth in Oct. Four insurers log three digit growth

CMA CGM seeks data compliance under EU’s new import control system

CMA CGM seeks data compliance under EU’s new import control system

BSNL launches satellite-to-device service

BSNL launches satellite-to-device service

Business History Videos

History of hovercraft Part 3 | Industry study | Business History

History of hovercraft Part 3...

Today I shall talk a bit more about the military plans for ...

By Kiron Kasbekar | Presenter: Kiron Kasbekar

History of hovercraft Part 2 | Industry study | Business History

History of hovercraft Part 2...

In this episode of our history of hovercraft, we shall exam...

By Kiron Kasbekar | Presenter: Kiron Kasbekar

History of Hovercraft Part 1 | Industry study | Business History

History of Hovercraft Part 1...

If you’ve been a James Bond movie fan, you may recall seein...

By Kiron Kasbekar | Presenter: Kiron Kasbekar

History of Trams in India | Industry study | Business History

History of Trams in India | ...

The video I am presenting to you is based on a script writt...

By Aniket Gupta | Presenter: Sheetal Gaikwad

view more
View details about the software product Informachine News Trackers