NSA never used Heartbleed to spy, White House says

The White House and U.S. intelligence agencies said on Friday neither the National Security Agency nor any other part of the government were aware before this month of the Heartbleed bug, denying a report that the spy agency exploited the glitch in widely used web encryption technology to gather intelligence.

The White House, the NSA and the Office of the Director of National Intelligence issued statements after Bloomberg reported that the NSA was aware of the bug for at least two years and exploited it in order to obtain passwords and other basic information used in hacking operations. The Bloomberg report cited two unnamed sources it said were familiar with the matter.

The Heartbleed bug is considered one of the most serious Internet security flaws to be uncovered in recent years.

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," White House National Security Council spokeswoman Caitlin Hayden said in a statement.

Report claims NSA knew of vulnerability

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet," Hayden added.

Bloomberg was not immediately available to comment.

Bloomberg reported Friday that according to "two people familiar with the matter," the U.S. National Security Agency used the Heartbleed flaw to collect passwords and gather critical intelligence. However, in doing so, the report noted, it left millions of ordinary internet users "vulnerable to attack from other nations intelligence arms and criminal hackers," raising questions about the agency's defence mandate.

• Heartbleed bug explained in comics, tweets

The revelations came the same daythe Department of Homeland Security publicly asked organizations to report any Heartbleed-related attacks on a website for advising critical infrastructure operators about emergingcyberthreats. The department saidthat hackers were attempting to exploit the bug in widely used OpenSSL code by scanning targeted networks.

• The Heartbleed dilemma: disclosing a web bug also means alerting hackers
• Hackers scanning for Heartbleed-affected sites

Federal regulators also advised financial institutions to patch and test their systems to make sure they are safe.

OpenSSLis technology used to encrypt communications, including access to email, as well as websites of big Internet companies like Facebook Inc, Google Inc and Yahoo Inc.

No victims identified so far

The bug, which surfaced Monday, allows hackers to steal data without a trace. No organization has identified itself as a victim, yet security firms say they have seen well-known hacking groups scanning the Web in search of vulnerable networks.

"While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploitunpatchedsystems," said LarryZelvin, director of the Department of Homeland Security's NationalCybersecurityand Communications IntegrationCenter,in a blog post on the White House website Friday.

• Heartbleed bug: What's affected and howto protect yourself

The German government released an advisory that echoed the one by Washington, describing the bug as "critical."

Technology companies spent the week searching for vulnerableOpenSSLcode elsewhere, including email servers, ordinary PCs, phones and even security products.

Companies including Cisco Systems Inc, International Business Machines Corp, Intel Corp , Juniper Networks Inc, Oracle Corp Red Hat Inc have warned customers they may be at risk. Some updates are out, while others are still in the works.

That means some networks are vulnerable to attack, saidKasperskyLab researcher KurtBaumgartner.

"I have seen multiple networks with large user bases stillunpatchedtoday," he said. "The problem is a difficult one to solve."

OpenSSLsoftware helps encrypt traffic with digital certificates and "keys" that keep information secure while it is in transit over the Internet and corporate networks.

Programmer explains how bug came to be

Meanwhile, aGerman programmer took responsibility for the widespread security crisis.

RobinSeggelmann, a German programmer who volunteers as a developer on theOpenSSLteam, said in a blog post published on Friday that he had written the faulty code responsible for the vulnerability while working on a research project at the University ofMnster.

"I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, calledHeartbleed," saidSeggelmann, now an employee with German telecommunications providerDeutscheTelekomAG, which did not name him in the blog post.

He said the developer who reviewed the code failed to notice the bug, which enables attackers to steal data without leaving a trace. "It is impossible to say whether the vulnerability, which has since been identified and removed, has been exploited by intelligence services or other parties," he said.

Seggelmannsaid such errors could be avoided in the future ifOpenSSLwere to get more support from developers around the world.

OpenSSLis an open source project, which means that it is supported by developers worldwide who volunteer to update and secure its code. It is not as well tended to as programs such as Linux, which is widely supported by a flourishing developer community around the globe and corporate backers.