Warning over website bug 'Heartbleed'
Friday 11 April 2014 17.36
The US government has warned banks, infrastructure operators and other organisations to be on alert for hackers who may take advantage of the "Heartbleed" bug to steal data from vulnerable networks.
On a website for advising critical infrastructure operators about emerging cyber threats, the Department of Homeland Security asked organisations to report any Heartbleed-related attacks.
Federal regulators advised financial institutions to identify any vulnerable systems, patch them, and then test them to make sure they are safe.
Director of the DHS's National Cybersecurity and Communications Integration Center Larry Zelvin said in a White House blog: "The Department of Homeland Security was working with federal, state and local governments to uncover and mitigate potential threats."
"While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems," Mr Zelvin said.
The German government released an advisory that echoed the one by Washington, describing the bug as "critical."
"An attacker can take advantage of the vulnerability and can read the memory contents of the OpenSSL server," said the notice posted by the German Federal Office for Information Security.
The widespread bug surfaced late last Monday, when it was disclosed that a pernicious flaw in a widely used Web encryption programme known as OpenSSL left hundreds of thousands of websites open to data theft.
Now, technology companies are rushing to identify pieces of vulnerable OpenSSL code elsewhere, including email servers, ordinary PCs, phones and even security products.
Companies including Cisco Systems Inc and Intel Corp have rushed to release updates to protect against the threat, warning customers they may be at risk.
OpenSSL software is used with SSL technology to encrypt traffic, using digital certificates and "keys" to keep information secure while it is in transit over the Internet and corporate networks.
The vulnerability went undetected for several years, so security experts have warned that hackers have likely stolen some of those certificates and keys, which means their data has long been vulnerable to spying.
In their advisory, the Federal Financial Institutions Examination Council regulatory group suggested that banks consider replacing those certificates and keys.
"Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch," said the FFIEC, a consortium of regulators including the Fed and the Treasury Department.