Hackers trying to exploit Heartbleed bug, US warns banks and other businesses

Advertisement
By Reuters | Updated: 12 April 2014 11:00 IST
Hackers trying to exploit Heartbleed bug, US warns banks and other businesses
The U.S. government warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the "Heartbleed" bug, as a German programmer took responsibility for the widespread security crisis.

On a website for advising critical infrastructure operators about emerging cyber threats, the Department of Homeland Security asked organizations to report any Heartbleed bug -related attacks, adding that hackers were attempting to exploit the bug in widely used OpenSSL code by scanning targeted networks.

(Also see: Heartbleed bug: What you need to know)

Federal regulators also advised financial institutions to patch and test their systems to make sure they are safe.

OpenSSL is technology used to encrypt communications, including access to email, as well as websites of big Internet companies like Facebook Inc, Google Inc and Yahoo Inc.

(Also see: Gmail, Facebook, Twitter, Yahoo, others: What passwords to change in Heartbleed aftermath?)

The bug, which surfaced Monday, allows hackers to steal data without a trace. No organization has identified itself as a victim, yet security firms say they have seen well-known hacking groups scanning the Web in search of vulnerable networks.

"While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems," said Larry Zelvin, director of the Department of Homeland Security's National Cybersecurity and Communications Integration Center, in a blog post on the White House website.

Advertisement

The German government released an advisory that echoed the one by Washington, describing the bug as "critical."

Technology companies spent the week searching for vulnerable OpenSSL code elsewhere, including email servers, ordinary PCs, phones and even security products.

Advertisement

Companies including Cisco Systems Inc, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp Red Hat Inc have warned customers they may be at risk. Some updates are out, while others are still in the works.

That means some networks are vulnerable to attack, said Kaspersky Lab researcher Kurt Baumgartner.

Advertisement

"I have seen multiple networks with large user bases still unpatched today," he said. "The problem is a difficult one to solve."

OpenSSL software helps encrypt traffic with digital certificates and "keys" that keep information secure while it is in transit over the Internet and corporate networks.

The vulnerability went undetected for several years, so experts worry that hackers have likely stolen some certificates and keys, leaving data vulnerable to spying.

(Also see: 'Heartbleed' computer bug threat spreads to firewalls and beyond)

In their advisory, the Federal Financial Institutions Examination Council regulatory group suggested that banks consider replacing those certificates and keys.

"Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch," said the FFIEC, a consortium of regulators including the Federal Reserve and the Treasury Department.

Comodo Group, the No. 2 provider of SSL certificates, said customers have requested tens of thousands of replacements this week.

"We are very busy, but we are coping. My gut feeling is that we are going to be very busy all the way through next week," said Comodo Chief Technology Officer Robin Alden.

Taking responsibility
Robin Seggelmann, a German programmer who volunteers as a developer on the OpenSSL team, said in a blog post published on Friday that he had written the faulty code responsible for the vulnerability while working on a research project at the University of Munster.

"I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed," said Seggelmann, now an employee with German telecommunications provider Deutsche Telekom AG.

He said the developer who reviewed the code failed to notice the bug, which enables attackers to steal data without leaving a trace. "It is impossible to say whether the vulnerability, which has since been identified and removed, has been exploited by intelligence services or other parties," he said.

Seggelmann said such errors could be avoided in the future if OpenSSL were to get more support from developers around the world.

OpenSSL is an open source project, which means that it is supported by developers worldwide who volunteer to update and secure its code. It is not as well tended to as programs such as Linux, which is widely supported by a flourishing developer community around the globe and corporate backers.

"OpenSSL in particular still lacks the support it needs, despite being extremely widely available and used by millions. Although there are plenty of users, there are very few actively involved in the project," Seggelmann said in a post on a Deutsche Telekom website.

© Thomson Reuters 2014

 
Post your comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Bug, Codenomicon, Cyber Attack, Facebook, Gmail, Google, Hacking, Heartbleed, Heartbleed Bug, Internet, Malware, OpenSSL, Twitter, Virus, Yahoo
Amazon to unveil its smartphone in June: Report
US says NSA did not exploit Heartbleed bug
Advertisement

Related Stories

Google Chrome Fixes 23-Year-Old Bug That Let Sites See Your Previously Visited Links
14 April 2025
iOS 17.5.1 Update Released With 'Reappearing' Deleted Photos Bug Fix Alongside iPadOS 17.5.1: How to Download
22 May 2024
Apple ID Account Bug Locks Some Users Out of Accounts, Forces Password Reset
27 April 2024
Google’s Android 14 Storage Bug Gets Patched With New November Security Update, but There’s a Catch
9 November 2023
iPhone 15 NFC Bug Fix Rolling Out With iOS 17.1.1 Update, Apple Resolves Battery Drain With watchOS 10.1.1
8 November 2023
Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. NASA Postpones Axiom Mission 4 Launch to Ensure Space Station Readiness After Repairs
  2. Doom: The Dark Ages Review: Rip and Tear, Medieval Style
#Latest Stories
  1. China’s Dragon Man Skull Found to Belong to Denisovan Lineage
  2. Is Mars Really Red? A Physicist Explains the Science Behind Its Colour and More
  3. Scientists Spotted the Largest Comet Lying in the Solar System’s Outskirts with Outbursting Gases
  4. SpaceX Starship Rocket Explodes During Ground Test at Texas Launch Pad
  5. NASA Postpones Axiom Mission 4 Launch to Ensure Space Station Readiness After Repairs
  6. Doom: The Dark Ages Review: Rip and Tear, Medieval Style
  7. Save Nalla Pasanga Now Streaming on Aha Tamil: Everything You Need to Know About Romantic Web Series
  8. Yugi Tamil Movie Now Streaming on Aha: A Gritty Tale of Crime, Surrogacy, and Revenge
  9. Lovely Now Available on Amazon Prime Video: What You Need to Know About Malayalam Fantasy Drama
  10. The Hunt- The Rajiv Gandhi Assassination Case OTT Release Date Revealed
Gadgets 360 is available in
Follow Us
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.