The Heartbleed security flaw that exposes a vulnerability in encryption has reportedly extended its reach well beyond Web services.
According to Bloomberg, citing "two people familiar with the matter," the National Security Agency knew about Heartbleed for at least two years and used the hole in encryption technology to gather intelligence.
However, the agency strongly denied the substance of Bloomberg's report.
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,'' the agency said in a statement. "Reports that say otherwise are wrong."
This follows a separate Bloomberg report the security flaw impacts Android smartphones and tablets that run the 4.1.1 version of the Google operating system.
In a statement on Google's online security blog, the company says patching information has been submitted to partners.
Meanwhile, The Wall Street Journal reports some network products created by Cisco and Juniper contain the flaw. The vulnerability affects products such as routers and firewalls.
In an update published Thursday, Cisco says multiple products incorporate OpenSSL, a variation of the Secure Sockets Layer (SSL) protocol used to encrypt sensitive data.
A spokesperson for Juniper tells the Journal updating equipment to patch up the security hole could take some time.
Heartbleed is a flaw that would allow anyone to read the memory of servers running OpenSSL, which leaves information such as usernames, passwords and credit card data exposed.
"This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," says Codenomicon, a security firm that helped uncover Heartbleed and established a website to inform others.
Web services have scrambled since the revelation of Heartbleed to fix the bug. Several companies including Facebook, Google and Yahoo have confirmed they are clear. Most recently, Apple confirmed to Re/code its services like iOS and Mac OS X were not impacted.
The Department of Homeland Security has joined the chorus of impacted services urging consumers to change their passwords on updated sites. In a statement, the agency notes no attacks or incidents tied to Heartbleed have been confirmed.
"We have been and continue to work closely with federal, state, local and private sector partners to determine any potential impacts and help implement mitigation strategies as necessary," says the department in a statement.
Tech site Mashable has compiled a list of sites and services to determine whether passwords should be updated immediately.
Follow Brett Molina on Twitter: @bam923.
Source : http://www.usatoday.com/story/tech/2014/04/11/heartbleed-cisco-juniper/7589759/
