U.S. government says hackers trying to exploit Heartbleed bugReprints
(Reuters) — The U.S. government warned banks, infrastructure operators and other organizations on Friday to be on alert for hackers who may take advantage of the Heartbleed bug to steal data from vulnerable networks.
On a website for advising critical infrastructure operators about emerging cyber threats, the Department of Homeland Security asked organizations to report any Heartbleed-related attacks.
Federal regulators advised financial institutions to identify any vulnerable systems, patch them and then test them to make sure they are safe.
The Department of Homeland Security was working with federal, state and local governments to uncover and mitigate potential threats, Larry Zelvin, director of the DHS' National Cybersecurity and Communications Integration Center, said separately in a blog post on the White House website Friday.
"While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyber space could exploit unpatched systems," Mr. Zelvin said.
The German government released an advisory that echoed the one by Washington, describing the bug as "critical."
"An attacker can take advantage of the vulnerability and can read the memory contents of the OpenSSL server," said the notice posted by the German Federal Office for Information Security.
The widespread bug surfaced late on Monday, when it was disclosed that a pernicious flaw in a widely used Web encryption program known as OpenSSL left hundreds of thousands of websites open to data theft.
Now, technology companies are rushing to identify pieces of vulnerable OpenSSL code elsewhere, including email servers, ordinary PCs, phones and even security products.
Companies including Cisco Systems Inc. and Intel Corp. have rushed to release updates to protect against the threat, warning customers they may be at risk.
OpenSSL software is used with SSL technology to encrypt traffic, using digital certificates and "keys" to keep information secure while it is in transit over the Internet and corporate networks.
The vulnerability went undetected for several years, so security experts have warned that hackers have likely stolen some of those certificates and keys, which means their data has long been vulnerable to spying.
In their advisory, the Federal Financial Institutions Examination Council regulatory group suggested that banks consider replacing those certificates and keys.
"Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch," said the FFIEC, a consortium of regulators including the Fed and the Treasury Department.