Little Internet users can do to thwart ‘Heartbleed’ bug

BOSTON (Reuters) – Security experts warn there is little Internet users can do to protect themselves from the recently uncovered “Heartbleed” bug that exposes data to hackers, at least not until exploitable websites upgrade their software.

Researchers have observed sophisticated hacking groups conducting automated scans of the Internet in search of web servers running vulnerable versions of OpenSSL, a widely used web encryption program; the flaw leaves those servers open to the theft of data, including passwords, confidential communications and credit card numbers.

OpenSSL is used on about two-thirds of all web servers, and the issue went undetected for about two years.

Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced that day.

By Tuesday, Kaspersky had identified such scans coming from “tens” of actors, and the number increased yesterday after Rapid7 released a free tool for conducting such scans. “The problem is insidious,” he said. “Now it is amateur hour. Everybody is doing it.”

OpenSSL software is used on servers that host websites but not on PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.

“There is nothing users can do to fix their computers,” said Mikko Hypponen, chief research officer with security software maker F-Secure.

Representatives for Facebook Inc, Google and Yahoo Inc told Reuters that they have taken steps to mitigate the impact on users. Google spokeswoman Dorothy Chou told Reuters: “We fixed this bug early and Google users do not need to change their passwords.” Ty Rogers, a spokesman for online commerce giant Amazon.com Inc, said “Amazon.com is not affected.” He declined to elaborate.

Kaspersky Lab’s Baumgartner noted that devices besides servers could be vulnerable to attacks because they run software programs with vulnerable OpenSSL code built into them.

They include versions of Cisco Systems Inc’s AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks. Steve Marquess, president of the OpenSSL Software Foundation, said he could not identify other computer programs that used OpenSSL code that might make devices vulnerable to attack.

Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet firms to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.

That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net Inc. “There’s going to be lots of chaotic mess,” he said. Symantec Corp and GoDaddy, two major providers of SSL technology, said they do not charge for re-keying their certificates. Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organizations to implement the multiple steps needed to clean up the bug, which means it will take some of them a long time to do so.
