Latest in Flaw

Image credit:

Bloomberg: NSA used Heartbleed exploit for 'years' without alerting affected websites, the public (update: NSA response)

82 Shares
Share
Tweet
Share
Save

Sponsored Links

The United States National Security Security Agency reportedly used the recently uncovered "Heartbleed" security exploit to access information, Bloomberg reports. According to two unnamed sources, the NSA exploited the flawed security standard for the past two years without alerting affected companies and the public at large. It's unclear what the exploit was used to access, but the flaw affects a huge portion of the web: something like two-thirds.

Major services like Google are already acting, updating services and patching the issue. For those services, we suggest updating your passwords ASAP. For the still affected sites? Sadly, your best option is to wait it out.

Update: The NSA insists that it only became aware of Heartbleed at the same time as everyone else. This answer isn't going to satisfy everyone given the many contradictory claims about the agency's activities, but hey -- at least it's on top of the situation.

Regarding the alleged NSA action -- if true -- the security community has yet another reason to mistrust the US government agency most well-known as of late for massively overreaching surveillance tactics. It's also far from the first accusation that the NSA intentionally overlooked security flaws affecting millions of people: late last year, documents revealed that the NSA intentionally inserted a security "backdoor" into a widely used data encryption system (RSA).

Heartbleed affects a similarly huge group of people, and works (at a high level, at least) in a similar way. One of the internet's most widely used security systems -- OpenSSL -- has a flaw in it that enables hackers (and allegedly the NSA) to access private information. Worse, the flaw exposes security keys that enable continued access for the illicit user in question. The good news is that there's an update to the OpenSSL system which patches the flaw. The bad news is that many websites still haven't updated (Mashable has a list here).

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
82 Shares
Share
Tweet
Share
Save

Popular on Engadget

'Red Dead Redemption 2' photo and story modes come to PS4

'Red Dead Redemption 2' photo and story modes come to PS4

View
TiVo's iPhone app finally streams shows using cellular data

TiVo's iPhone app finally streams shows using cellular data

View
'Fortnite' adds lightsabers following Star Wars event

'Fortnite' adds lightsabers following Star Wars event

View
A 'Snow Crash' TV series is coming to HBO Max

A 'Snow Crash' TV series is coming to HBO Max

View
New Orleans declares state of emergency following cyberattack

New Orleans declares state of emergency following cyberattack

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr