Science & technology
Internet users vulnerable to 'Heartbleed' bug
Publish Date: Apr 10, 2014
Internet users vulnerable to 'Heartbleed' bug
Web servers running a widely used Web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers. Reuters Photo
  • mail
  • img
newvision

SECURITY experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until vulnerable websites upgrade their software.

Researchers have observed sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running a widely used Web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers.

OpenSSL is used on about two-thirds of all Web servers, but the issue has gone undetected for about two years.

Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.

By Tuesday, Kaspersky had identified such scans coming from "tens" of actors, and the number increased on Wednesday after security software company Rapid7 released a free tool for conducting such scans.

"The problem is insidious," Baumgartner said. "Now it is amateur hour. Everybody is doing it."

OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.

"There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure.

Representatives for Facebook Inc, Google and Yahoo Inc told Reuters they have taken steps to mitigate the impact on users.

Google spokeswoman Dorothy Chou told Reuters: "We fixed this bug early and Google users do not need to change their passwords."

Ty Rogers, a spokesman for Amazon.com Inc, said "Amazon.com is not affected."

In a blogpost dated Tuesday, the company said some of its Web cloud services, which provide the underlying infrastructure for apps such as online movie-streaming service Netflix and social network Pinterest, had been vulnerable. While it said the problems had been fixed, the company urged users of those services, which are popular in particular among the tech startup community, to take extra steps such as updating software.

Kaspersky Lab's Baumgartner noted that devices besides servers could be at risk because they run software programs with vulnerable OpenSSL code built into them.

They include versions of Cisco Systems Inc's AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks.

Steve Marquess, president of the OpenSSL Software Foundation, said he could not identify other computer programs that used OpenSSL code that might make devices vulnerable to attack.

Cleaning up mess

Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet companies to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.

That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net Inc. "There's going to be lots of chaotic mess," he said.

Symantec Corp and GoDaddy, two major providers of SSL technology, said they do not charge for reissuing keys.

Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organizations to implement the multiple steps to clean up the bug, which means it will take some a long time to do so.

"Due to the complexity and difficulty in upgrading many of the affected systems, this vulnerability will be on the radar for attackers for years to come," he said.

Hypponen of F-Secure said computer users could immediately change passwords on accounts, but they would have to do so again if their operators notify them that they are vulnerable.

"Take care of the passwords that are very important to you," he said. "Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely."

Reuters

The statements, comments, or opinions expressed through the use of New Vision Online are those of their respective authors, who are solely responsible for them, and do not necessarily represent the views held by the staff and management of New Vision Online.

New Vision Online reserves the right to moderate, publish or delete a post without warning or consultation with the author.Find out why we moderate comments. For any questions please contact digital@newvision.co.ug

  • mail
  • img
blog comments powered by Disqus
Also In This Section
Number of websites explodes past a billion
The number of websites has burst above one billion and is growing apace, according to figures updated in real time Tuesday by online tracker Internet Live Stats....
New Apple mobile software arrives
New-generation Apple software for powering its coveted mobile devices is set for release on Wednesday, two days ahead of the arrival of its latest iPhones....
Sony warns of $2.14 bn annual loss, blames mobile unit
Sony on Wednesday said it would lose $2.14 billion this fiscal year, more than four times its earlier forecast as the Japanese electronics giant blamed a downturn in its mobile phone business....
Highway Africa 2014 discusses social media
The time is now. Yes it’s time. In the new era of digital and convergence in journalism, social media can no longer be on the margins. Where should it be now? This crucial question was answered at a recent 18th edition of Highway Africa conference....
Orange makes 3.4-bln euro bid for Spanish operator Jazztel
French telecom giant Orange on Monday said it was set to make a 3.4-billion-euro offer ($4.4 billion) to acquire Spanish fixed-line operator Jazztel....
Microsoft to spotlight new Windows software September 30
Microsoft on Monday sent out invitations to a September 30 event at which it is expected to provide a glimpse at the next version of its Windows operating system....
Will early retirement solve Uganda’s unemployment problem?
Yes
No
Can't Say
follow us
subscribe to our news letter