Heartbleed bug: To change or not to change your computer password

The Straits Times, Reuters | Irene Tham | Saturday, Apr 12, 2014

But many of the highly popular websites reportedly affected by Heartbleed appear to have left users in the dark as to whether they need to take action.



Hackers may try to exploit 'Heartbleed' bug, warns US govt

REUTERS - The US government warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the "Heartbleed" bug, as a German programmer took responsibility for the widespread security crisis.

On a website for advising critical infrastructure operators about emerging cyber threats, the Department of Homeland Security asked organizations to report any Heartbleed-related attacks, adding that hackers were attempting to exploit the bug in widely used OpenSSL code by scanning targeted networks.

Federal regulators also advised financial institutions to patch and test their systems to make sure they are safe.

OpenSSL is technology used to encrypt communications, including access to email, as well as websites of big Internet companies like Facebook Inc, Google Inc and Yahoo Inc.

The bug, which surfaced Monday, allows hackers to steal data without a trace. No organization has identified itself as a victim, yet security firms say they have seen well-known hacking groups scanning the Web in search of vulnerable networks.

"While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems," said Larry Zelvin, director of the Department of Homeland Security's National Cybersecurity and Communications Integration Center, in a blog post on the White House website.

The German government released an advisory that echoed the one by Washington, describing the bug as "critical."

Technology companies spent the week searching for vulnerable OpenSSL code elsewhere, including email servers, ordinary PCs, phones and even security products.

Companies including Cisco Systems Inc, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp and Red Hat Inc have warned customers they may be at risk. Some updates are out, while others are still in the works.

That means some networks are vulnerable to attack, said Kaspersky Lab researcher Kurt Baumgartner.

"I have seen multiple networks with large user bases still unpatched today," he said. "The problem is a difficult one to solve."

OpenSSL software helps encrypt traffic with digital certificates and "keys" that keep information secure while it is in transit over the Internet and corporate networks.

The vulnerability went undetected for several years, so experts worry that hackers have likely stolen some certificates and keys, leaving data vulnerable to spying.
