Heartbleed virus: NSA responsible for reporting security flaw

14 Apr 2014

With the Heartbleed bug causing havoc and Dropbox users abandoning the site, The New York Times has now revealed that it was the NSA's responsibility to report any vulnerabilities that it found, unless there was ''a clear national security or law enforcement need'' to keep it hidden.

The guidelines were put in place by the Obama administration back in January, but this part of the ruling came to light only in the wake of Heartbleed. There had been some concern that the NSA might have been quietly using Heartbleed for years to serve its own purposes, something that had been denied by the agency.

According to commentators, thanks to The New York Times, people now had a clearer picture of the NSA's responsibilities when it came to any security holes it came across.

A spokeswoman said the organisation was ''biased toward responsibly disclosing such vulnerabilities'', but commentators point out that this did not mean every bug the NSA dug up would be announced as a matter of course - discoveries could be kept hidden and utilised for national security purposes, if deemed necessary.

Meanwhile, when a British computer consultant released OpenSSL version 1.0.1 into the public domain, he could not have known that the version would end up shaking the foundations of the internet two years down the line, Mail & Guardian said in a column.

OpenSSL is used by hundreds of thousands of websites to support online security; one of the most popular security features it provides is Transport Layer Security (TLS), which scrambles (encrypts) private communications.

When users check their bank account or their webmail they see a green padlock in their browser's address bar, denoting that they are using TLS, according to the columnist, Alistair Fairweather.

The encryption is necessary because without it hackers and governments could easily intercept and read all the data passed around the internet.

TLS could be thought of as a system of armoured cars that securely transport user data across the public internet between secure locations, from the user's computer to the bank's servers, for example.

When OpenSSL 1.0.1 was released, a tiny bug in a new feature called Heartbeat was missed. Heartbeat allowed quicker traffic between connected computers by eliminating the need for lengthy security checks, called renegotiations, every time the connection needed to be tested.

It allowed one computer to ask the other to repeat a word to test if it was still connected.

Unfortunately, what was missed at the time was the fact that this check could be abused to trick the listening computer into replying with up to 64,000 characters of data directly from its memory. The asking computer simply lied about the length of the word it was sending ("cat is 64,000 letters long"), and the replying computer did not bother to check – it just spat the data out of its memory.
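The mechanism the column describes, shown as an added example that is not code from the article or from OpenSSL itself: a small C simulation in which a fake block of process memory (a constructed stand-in, with a made-up SESSION-KEY string placed just after the heartbeat record) is handed to two handlers. The first trusts the peer's claimed payload length exactly as the article describes; the second applies the bounds check that the OpenSSL fix introduced, comparing the header, the claimed payload and the padding against the length of the record that actually arrived, and silently discarding anything that does not fit. All function and constant names here are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the responder's process memory: the heartbeat
 * record sits at the front and unrelated sensitive data follows it. */
#define MEM_SIZE 64
static unsigned char process_memory[MEM_SIZE];

/* RFC 6520 heartbeat layout: 1-byte type, 2-byte payload length, payload,
 * then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16
#define RESP_MAX    (HB_HEADER + MEM_SIZE + HB_PADDING)

/* Constructed secret placed right after the record, standing in for session
 * keys or other data that happened to sit nearby in memory. */
static const char *SECRET = "SESSION-KEY-abc123";

/* Write a request into process_memory whose length field says claimed_len
 * while the payload actually sent is `payload`. Returns the number of bytes
 * that really arrived on the wire (the record length), or 0 if the
 * simulated memory is too small for the demo. */
size_t build_request(const char *payload, uint16_t claimed_len) {
    size_t actual = strlen(payload);
    size_t record_len = HB_HEADER + actual + HB_PADDING;
    if (record_len + strlen(SECRET) > MEM_SIZE) return 0;
    memset(process_memory, 0, MEM_SIZE);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_memory + HB_HEADER, payload, actual);
    /* padding stays zero; the "other" memory after the record holds SECRET */
    memcpy(process_memory + record_len, SECRET, strlen(SECRET));
    return record_len;
}

typedef int (*hb_handler)(size_t record_len, unsigned char *out, size_t *out_len);

/* The original flaw, reproduced: the claimed length is trusted and the
 * record length that actually arrived is never consulted. */
int handle_heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t *out_len) {
    (void)record_len;  /* never checked: this is the bug */
    uint16_t claimed = (uint16_t)((process_memory[1] << 8) | process_memory[2]);
    /* Simulation-only guard so the demo stays inside process_memory; the real
     * code had no such limit and read past the end of the record. */
    if (HB_HEADER + (size_t)claimed > MEM_SIZE) return -2;
    out[0] = HB_RESPONSE;
    out[1] = process_memory[1];
    out[2] = process_memory[2];
    memcpy(out + HB_HEADER, process_memory + HB_HEADER, claimed);  /* over-read */
    *out_len = HB_HEADER + claimed + HB_PADDING;
    return 0;
}

/* The corrected handler: the bounds check the OpenSSL fix introduced,
 * discarding any request whose claimed payload would exceed the record. */
int handle_heartbeat_fixed(size_t record_len, unsigned char *out, size_t *out_len) {
    if (record_len < HB_HEADER + HB_PADDING) return -1;  /* too short to be valid */
    uint16_t claimed = (uint16_t)((process_memory[1] << 8) | process_memory[2]);
    if (HB_HEADER + (size_t)claimed + HB_PADDING > record_len) return -1;  /* silently discard */
    out[0] = HB_RESPONSE;
    out[1] = process_memory[1];
    out[2] = process_memory[2];
    memcpy(out + HB_HEADER, process_memory + HB_HEADER, claimed);
    *out_len = HB_HEADER + claimed + HB_PADDING;
    return 0;
}

/* Does the response carry SECRET anywhere? (memmem is non-standard) */
static int contains_secret(const unsigned char *buf, size_t len) {
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Run one request through a handler: 1 = secret leaked into the reply,
 * 0 = clean echo of the payload, -1 = request discarded by the handler. */
int run_heartbeat(hb_handler h, const char *payload, uint16_t claimed_len) {
    unsigned char out[RESP_MAX];
    size_t out_len = 0;
    memset(out, 0, sizeof out);
    size_t record_len = build_request(payload, claimed_len);
    if (record_len == 0 || h(record_len, out, &out_len) != 0) return -1;
    return contains_secret(out, out_len) ? 1 : 0;
}

int main(void) {
    printf("vulnerable, honest length: %d\n", run_heartbeat(handle_heartbeat_vulnerable, "cat", 3));
    printf("vulnerable, claimed 40:    %d\n", run_heartbeat(handle_heartbeat_vulnerable, "cat", 40));
    printf("fixed, claimed 40:         %d\n", run_heartbeat(handle_heartbeat_fixed, "cat", 40));
    printf("fixed, honest length:      %d\n", run_heartbeat(handle_heartbeat_fixed, "cat", 3));
    return 0;
}
```

Compiled and run as-is, the honest request for "cat" is echoed cleanly by both handlers, while the request that claims 40 bytes pulls the stand-in secret out of the vulnerable handler and is dropped by the fixed one. The same arithmetic gives the observable symptom a defender can look for: a heartbeat response noticeably longer than the record it answers.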