Reuters
The US government warned banks, infrastructure operators and other organisations yesterday to be on alert for hackers who may take advantage of the “Heartbleed” bug to steal data from vulnerable networks.
On a website for advising critical infrastructure operators about emerging cyber threats, the Department of Homeland Security asked organisations to report any Heartbleed-related attacks.
Federal regulators advised financial institutions to identify any vulnerable systems, patch them, and then test them to make sure they are safe.
The Department of Homeland Security was working with federal, state and local governments to uncover and mitigate potential threats, Larry Zelvin, director of the DHS’s National Cybersecurity and Communications Integration Centre, said separately in a blog post on the White House website yesterday.
“While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems,” Zelvin said.
The German government released an advisory that echoed the one by Washington, describing the bug as “critical.”
“An attacker can take advantage of the vulnerability and can read the memory contents of the OpenSSL server,” said the notice posted by the German Federal Office for Information Security.
Canada’s government ordered all federal department websites vulnerable to the bug to be shut down.
“The chief information officer for the government of Canada issued a directive to all federal government departments to immediately disable public websites that are running unpatched OpenSSL software,” Treasury Board President Tony Clement said in a statement.
“This action is being taken as a precautionary measure until the appropriate security patches are in place and tested.”
The widespread bug surfaced late on Monday, when it was disclosed that a pernicious flaw in a widely used web encryption program known as OpenSSL left hundreds of thousands of websites open to data theft.
Now, technology companies are rushing to identify pieces of vulnerable OpenSSL code elsewhere, including e-mail servers, ordinary PCs, phones and even security products.
Companies including Cisco Systems Inc and Intel Corp have rushed to release updates to protect against the threat, warning customers they may be at risk.
OpenSSL software is used with SSL technology to encrypt traffic, using digital certificates and “keys” to keep information secure while it is in transit over the Internet and corporate networks.
The vulnerability went undetected for several years, so security experts have warned that hackers have likely stolen some of those certificates and keys, which would mean the data of affected organisations has long been vulnerable to spying.
In its advisory, the Federal Financial Institutions Examination Council, a regulatory group, suggested that banks consider replacing those certificates and keys.