Thousands at risk of hacking after Heartbleed bug: U.S.

BOSTON: The U.S. government Friday warned banks, infrastructure operators and other organizations to be on alert for hackers seeking to take advantage of the “Heartbleed” bug to steal data from vulnerable networks.

On a website for advising critical infrastructure operators about emerging cyber threats, the Department of Homeland Security asked organizations to report any Heartbleed-related attacks.

Federal regulators advised financial institutions to identify vulnerable systems, patch them, and then test them to ensure they were safe.

The Department of Homeland Security is working with federal, state and local governments to uncover and mitigate potential threats, Larry Zelvin, director of the DHS’s National Cybersecurity and Communications Integration Center, said separately in a blog post on the White House website Friday.

“While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems,” Zelvin said.

The widespread bug surfaced late Monday, when it was disclosed that a pernicious flaw in a widely used Web encryption program known as OpenSSL left hundreds of thousands of websites open to data theft.

The German government released an advisory that echoed Washington’s, describing the bug as “critical.”

“An attacker can take advantage of the vulnerability and can read the memory contents of the OpenSSL server,” said the notice posted by the German Federal Office for Information Security.

Now, technology companies are rushing to identify pieces of vulnerable OpenSSL code elsewhere, including email servers, ordinary PCs, phones and even security products.

Companies including Cisco Systems Inc. and Intel Corp. have rushed to release updates to protect against the threat, warning customers that they may be at risk.

OpenSSL software is used with SSL technology to encrypt traffic, using digital certificates and “keys” to keep information secure while it is in transit over the Internet and corporate networks.

The vulnerability went undetected for several years, leading security experts to warn that hackers had likely stolen some of those certificates and keys, which means the data they protect has long been vulnerable to spying.

In their advisory, the Federal Financial Institutions Examination Council regulatory group suggested that banks consider replacing their encryption tools.

“Institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch,” said the FFIEC, a consortium of regulators including the Fed and the Treasury Department.

 
A version of this article appeared in the print edition of The Daily Star on April 12, 2014, on page 5.
