Internet Users Warned: You Can Do Little to Thwart 'Heartbleed' Bug

Wednesday, 09 Apr 2014 05:48 PM

 

Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers — at least not until exploitable websites upgrade their software.

Researchers have observed sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running a widely used web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers.

OpenSSL is used on about two-thirds of all web servers, but the issue has gone undetected for about two years.

Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced on Monday.

By Tuesday, Kaspersky had identified such scans coming from "tens" of actors, and the number increased on Wednesday after Rapid7 released a free tool for conducting such scans.

"The problem is insidious," he said. "Now it is amateur hour. Everybody is doing it."

OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.

"There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure.

Representatives for Facebook, Google and Yahoo told Reuters that they have taken steps to mitigate the impact on users.

Google spokeswoman Dorothy Chou told Reuters: "We fixed this bug early and Google users do not need to change their passwords."

Ty Rogers, a spokesman for online commerce giant Amazon, said "Amazon.com is not affected." He declined to elaborate.

Kaspersky Lab's Baumgartner noted that devices besides servers could be vulnerable to attacks because they run software programs with vulnerable OpenSSL code built into them.

They include versions of Cisco Systems' AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks.

Steve Marquess, president of the OpenSSL Software Foundation, said he could not identify other computer programs that used OpenSSL code that might make devices vulnerable to attack.

Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet firms to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.

That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net. "There's going to be lots of chaotic mess," he said.

Symantec and GoDaddy, two major providers of SSL technology, said they do not charge for re-keying their certificates.

Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organizations to implement the multiple steps to clean up the bug, which means it will take some a long time to do so.

"Due to the complexity and difficulty in upgrading many of the affected systems, this vulnerability will be on the radar for attackers for years to come," he said.

Hypponen said computer users could immediately change passwords on accounts, but they would have to do so again if their operators notify them that they are vulnerable.

"Take care of the passwords that are very important to you," he said. "Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely."

© 2014 Thomson/Reuters. All rights reserved.
