BOSTON: The U.S. government Friday warned banks, infrastructure operators and other organizations to be on alert for hackers seeking to take advantage of the “Heartbleed” bug to steal data from vulnerable networks.
On a website for advising critical infrastructure operators about emerging cyber threats, the Department of Homeland Security asked organizations to report any Heartbleed-related attacks.
Federal regulators advised financial institutions to identify vulnerable systems, patch them, and then test them to ensure they were safe.
The Department of Homeland Security is working with federal, state and local governments to uncover and mitigate potential threats, Larry Zelvin, director of the DHS’s National Cybersecurity and Communications Integration Center, said separately in a blog post on the White House website Friday.
“While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems,” Zelvin said.
The widespread bug surfaced late Monday, when it was disclosed that a serious flaw in a widely used Web encryption library known as OpenSSL left hundreds of thousands of websites open to data theft.
The German government released an advisory that echoed Washington’s, describing the bug as “critical.”
“An attacker can take advantage of the vulnerability and can read the memory contents of the OpenSSL server,” said the notice posted by the German Federal Office for Information Security.
Now, technology companies are rushing to find other products that embed the vulnerable OpenSSL code, including email servers, ordinary PCs, phones and even security products.
Companies including Cisco Systems Inc. and Intel Corp. have rushed to release updates to protect against the threat, warning customers that they may be at risk.
OpenSSL is an open-source implementation of the SSL/TLS protocols used to encrypt traffic, relying on digital certificates and private “keys” to keep information secure while it is in transit over the Internet and corporate networks.
The vulnerability went undetected for about two years, leading security experts to warn that hackers had likely already stolen some of those private keys and certificates, which means traffic to the affected servers may have been exposed to spying for as long as the bug was present.
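The memory over-read that the German notice describes, and the key-theft risk it creates, shown as an added example that is not code from the article or from OpenSSL itself: a small C model of the TLS heartbeat handler with the missing length check beside the patched version. The heap layout, the four-byte “ping” request and the private-key string are constructed for the demonstration; the two handlers follow the shape of the vulnerable and fixed OpenSSL functions but are not their code.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type (1 byte), payload_length (2 bytes),
 * payload, then at least 16 bytes of padding. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Constructed stand-in for the server's heap: the received record is placed
 * at the front and a secret that happens to be allocated right after it
 * follows. The secret string is made up for this example. */
static unsigned char heap[128];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

/* Build a heartbeat request whose header claims `claimed_len` payload bytes
 * but actually carries only `actual_len`. Returns the record length. */
static size_t build_heartbeat(unsigned char *rec, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, HB_MIN_PADDING);
    return 3 + actual_len + HB_MIN_PADDING;
}

/* Vulnerable handler, modelled on the OpenSSL 1.0.1 heartbeat code before
 * the fix: it trusts the attacker-supplied payload_length and never compares
 * it with the number of bytes actually received. Returns the response
 * length, or -1 if the record is dropped. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    (void)rec_len;                     /* the bug: the real length is never consulted */
    unsigned char hbtype = rec[0];
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (hbtype != HB_REQUEST) return -1;
    if (3 + payload + HB_MIN_PADDING > out_cap) return -1; /* demo-only bound on the output buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload); /* reads past the record into adjacent heap memory */
    return (int)(3 + payload);
}

/* Fixed handler: the bounds checks added by the OpenSSL patch. A record whose
 * declared payload does not fit inside the received bytes is silently
 * discarded, as RFC 6520 section 4 requires. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if (1 + 2 + HB_MIN_PADDING > rec_len) return -1;
    unsigned char hbtype = rec[0];
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len) return -1;
    if (hbtype != HB_REQUEST) return -1;
    if (3 + payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload); /* now provably inside the received record */
    return (int)(3 + payload);
}

/* Lay out the heap: a 4-byte "ping" request that claims 48 payload bytes,
 * followed immediately by the secret. Returns the record length. */
static size_t stage_attack(void)
{
    static const unsigned char ping[4] = { 'p', 'i', 'n', 'g' };
    memset(heap, 0, sizeof heap);
    size_t rec_len = build_heartbeat(heap, 48, ping, sizeof ping);
    memcpy(heap + rec_len, secret, sizeof secret - 1);
    return rec_len;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's response carries the adjacent secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[128];
    size_t rec_len = stage_attack();
    int n = heartbeat_vulnerable(heap, rec_len, out, sizeof out);
    return n > 0 && contains(out + 3, (size_t)n - 3, "PRIVATE KEY");
}

/* 1 if the fixed handler drops the same lying request. */
int fixed_drops_lying_request(void)
{
    unsigned char out[128];
    size_t rec_len = stage_attack();
    return heartbeat_fixed(heap, rec_len, out, sizeof out) == -1;
}

/* 1 if the fixed handler still echoes an honest 4-byte request. */
int fixed_echoes_honest_request(void)
{
    unsigned char out[128];
    static const unsigned char ping[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = build_heartbeat(heap, 4, ping, sizeof ping);
    int n = heartbeat_fixed(heap, rec_len, out, sizeof out);
    return n == 7 && out[0] == HB_RESPONSE && memcmp(out + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops request:     %d\n", fixed_drops_lying_request());
    printf("fixed handler echoes honest one: %d\n", fixed_echoes_honest_request());
    return 0;
}
```

The point of the model is the single missing comparison: the vulnerable handler copies as many bytes as the attacker's header claims, so a 23-byte record that says “48 bytes of payload” pulls 25 bytes of whatever sits after it on the heap into the reply. On a real server that can be session cookies, passwords or the private key, which is why the advice below is to treat keys on unpatched servers as compromised and replace them.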
In its advisory, the Federal Financial Institutions Examination Council (FFIEC) suggested that banks consider replacing the encryption keys and certificates used on affected servers.
“Institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch,” said the FFIEC, a consortium of regulators including the Fed and the Treasury Department.