Little Internet users can do to thwart ‘Heartbleed’ bug

BOSTON (Reuters) – Security experts warn there is little Internet users can do to protect themselves from the recently uncovered “Heartbleed” bug that exposes data to hackers, at least not until exploitable websites upgrade their software.

Researchers have observed sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running a widely used web encryption program known as OpenSSL, which leaves them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers.

OpenSSL is used on about two-thirds of all web servers, and the flaw went undetected for about two years.

Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced that day.

By Tuesday, Kaspersky had identified such scans coming from “tens” of actors, and the number increased yesterday after Rapid7 released a free tool for conducting such scans. “The problem is insidious,” he said. “Now it is amateur hour. Everybody is doing it.”

OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.

“There is nothing users can do to fix their computers,” said Mikko Hypponen, chief research officer with security software maker F-Secure.

Representatives for Facebook Inc, Google and Yahoo Inc told Reuters that they have taken steps to mitigate the impact on users. Google spokeswoman Dorothy Chou told Reuters: “We fixed this bug early and Google users do not need to change their passwords.” Ty Rogers, a spokesman for online commerce giant Amazon.com Inc, said “Amazon.com is not affected.” He declined to elaborate.

Kaspersky Lab’s Baumgartner noted that devices besides servers could be vulnerable to attacks because they run software programs with vulnerable OpenSSL code built into them.

They include versions of Cisco Systems Inc’s AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks. Steve Marquess, president of the OpenSSL Software Foundation, said he could not identify other computer programs that used OpenSSL code that might make devices vulnerable to attack.

Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet firms to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.

That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net Inc. “There’s going to be lots of chaotic mess,” he said. Symantec Corp and GoDaddy, two major providers of SSL technology, said they do not charge for re-keying their certificates. Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organizations to implement the multiple steps to clean up the bug, which means it will take some a long time to do so.
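The cleanup the last three paragraphs describe has an ordering rule that is easy to get wrong under pressure: a new private key generated on a host that is still running the vulnerable OpenSSL can be leaked exactly as the old one was, so patching has to come first, and re-keying, certificate re-issuance and revocation, and credential resets only count if they happened after the patch went live. The following added example (not code from the article or from any of the firms it quotes) encodes that rule as a small triage script over a constructed inventory of TLS-serving hosts; the service names, timestamps and action labels are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Service:
    """One TLS-serving host from a (hypothetical) asset inventory."""
    name: str
    openssl_patched_at: Optional[datetime]    # when the fixed OpenSSL build went live, None if not yet
    key_generated_at: datetime                # when the private key currently in use was created
    credentials_reset_at: Optional[datetime]  # when user passwords/sessions were last invalidated


# Action labels; ordering in the returned list is the order the work should be done.
PATCH = "patch_openssl_and_restart_services"
REKEY = "generate_new_private_key_and_reissue_certificate"
REVOKE = "revoke_old_certificate"
RESET = "reset_credentials_and_invalidate_sessions"


def cleanup_actions(svc: Service) -> List[str]:
    """Return the cleanup steps still outstanding for one service.

    Nothing else is counted until the vulnerable library is replaced: a key
    generated while the host was still exploitable must itself be treated as
    exposed, so re-keying before patching only has to be repeated.
    """
    if svc.openssl_patched_at is None:
        return [PATCH]

    actions: List[str] = []
    # Key created before (or at the same moment as) the patch: treat as leaked.
    if svc.key_generated_at <= svc.openssl_patched_at:
        actions.extend([REKEY, REVOKE])
    # Credentials entered while the host was vulnerable may have been read from memory.
    if svc.credentials_reset_at is None or svc.credentials_reset_at <= svc.openssl_patched_at:
        actions.append(RESET)
    return actions


def triage(inventory: List[Service]) -> dict:
    """Map each service name to its outstanding cleanup steps."""
    return {svc.name: cleanup_actions(svc) for svc in inventory}


def _t(day: int, hour: int = 0) -> datetime:
    # Helper for the constructed timestamps below (arbitrary month/year).
    return datetime(2014, 4, day, hour, tzinfo=timezone.utc)


# Constructed sample inventory, chosen to cover the common mistakes.
SAMPLE_INVENTORY = [
    # Fully cleaned up: patched, then re-keyed, then credentials reset.
    Service("www", openssl_patched_at=_t(8, 10), key_generated_at=_t(9), credentials_reset_at=_t(10)),
    # Patched but still on a key from before the patch and no credential reset.
    Service("api", openssl_patched_at=_t(8, 10), key_generated_at=_t(1), credentials_reset_at=None),
    # Re-keyed in a hurry but never patched: the new key is as exposed as the old one.
    Service("mail", openssl_patched_at=None, key_generated_at=_t(8), credentials_reset_at=_t(8)),
    # Re-keyed the day before the patch landed; credentials reset afterwards.
    Service("vpn", openssl_patched_at=_t(9), key_generated_at=_t(8), credentials_reset_at=_t(10)),
]


if __name__ == "__main__":
    for name, actions in triage(SAMPLE_INVENTORY).items():
        print(f"{name:5s} -> {', '.join(actions) if actions else 'clean'}")
```

In a real environment the timestamps would come from package changelogs, certificate `notBefore` fields and the identity system's audit log rather than a hand-written list; the point of the script is the comparison against the patch time, which is what determines whether a re-issued certificate actually rendered the stolen key useless.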
