US government warns of Heartbleed bug danger

[Image: Homeland security sign (Getty Images). Caption: The US government suggests users should change the passwords of patched online services]

The US government has warned that it believes hackers are trying to make use of the Heartbleed bug.

The Department of Homeland Security advised the public to change passwords for sites affected by the flaw, once those sites had confirmed they were secure.

However, an official added that there had not been any reported attacks or malicious incidents.

The alert comes as several makers of net hardware and software revealed some of their products had been compromised.

Affected equipment includes network routers and switches, video conferencing kit, phone call software, firewalls and apps that let workers remotely access company data.

The encryption flaw can potentially be exploited to steal passwords and secret keys used to protect computer users.

Browser alerts

Experts say home kit is less at risk.

There had been reports that domestic home networking equipment - such as wi-fi routers - might also make use of unpatched versions of the OpenSSL cryptographic library used to digitally scramble sensitive data.

However, a security researcher at the University of Cambridge's Computer Laboratory said he thought this would be a relatively rare occurrence.

"You would have to be a semi-professional to have this sort of equipment at home," Dr Richard Clayton told the BBC.

[Image: Heartbleed logo (Codenomicon). Caption: News of the bug was made public on Monday]

"It's unusual to find secure connections to a home router because you'd have to have a certificate in the device.

"If that certificate were self-signed it would generate browser warnings. Alternatively, you could be regularly updated but that would cost money."

UK internet service providers (ISPs) Sky, TalkTalk and Virgin Media confirmed that their home router suppliers had told them their equipment did not use OpenSSL.

Password resets

News of the Heartbleed bug emerged on Monday when Google Security and Codenomicon - a Finnish security company - revealed that a flaw had existed in OpenSSL for more than two years.

This had made it possible to impersonate services and users, and potentially eavesdrop on data communications.

The flaw only exposed 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted.

The website set up to publicise the danger noted that it was possible to carry out such an attack "without leaving a trace", making it impossible to know for sure if criminals or cyberspies had taken advantage of it.
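The 64K figure above follows from the TLS heartbeat format: the message carries a 16-bit payload-length field, and unpatched OpenSSL trusted that field and copied that many bytes back without checking it against the size of the record it had actually received. The patched code rejects any heartbeat whose declared length (plus header and minimum padding) exceeds the record length, and network detection rules apply the same test. The following Python is an added example, not code from the article or from OpenSSL: it parses a TLS record, checks a heartbeat body the way the fix does, and runs over two constructed sample records (a benign keep-alive and an over-declared one) that are embedded inline. The helper names and the sample bytes are this example's own.

```python
"""
Record-level check for malformed TLS heartbeat messages: a heartbeat whose
declared payload length exceeds what the record actually carries.
The sample records below are constructed for this example; nothing here
talks to a network.
"""
import struct

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than header length field")
    return content_type, (major, minor), body


def check_heartbeat(body: bytes) -> dict:
    """Return a verdict for one heartbeat record body.

    A well-formed heartbeat is: type(1) || payload_length(2) || payload || padding(>=16).
    Unpatched OpenSSL trusted payload_length and copied that many bytes from
    memory; the fix discards the message when 1 + 2 + payload_length + 16
    exceeds the record length. The same test is applied here, with the
    16-bit field giving the 64K-per-message ceiling the article mentions.
    """
    if len(body) < 3:
        return {"verdict": "malformed", "reason": "too short for heartbeat header"}
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return {"verdict": "malformed", "reason": f"unknown heartbeat type {hb_type}"}
    needed = 1 + 2 + declared + MIN_PADDING
    if needed > len(body):
        return {
            "verdict": "suspicious",
            "reason": "declared payload length exceeds record length",
            "declared_payload": declared,
            "record_length": len(body),
            "overread_bytes": needed - len(body),
        }
    return {"verdict": "ok", "declared_payload": declared, "record_length": len(body)}


def build_record(content_type: int, body: bytes, version=(3, 2)) -> bytes:
    """Assemble a TLS record around a body (used only for the constructed samples)."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def heartbeat_body(declared_length: int, payload: bytes, padding: bytes) -> bytes:
    """Assemble a heartbeat request body with an explicit declared length."""
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_length) + payload + padding


# Constructed samples (hypothetical, not captured traffic): a benign keep-alive
# whose declared length matches its payload, and one that declares far more
# payload than the record carries, which is the mismatch the fix rejects.
BENIGN = build_record(TLS_HEARTBEAT, heartbeat_body(4, b"ping", b"\x00" * 16))
OVERSIZED = build_record(TLS_HEARTBEAT, heartbeat_body(0xFFFF, b"", b"\x00" * 16))


def scan_records(records) -> list:
    """Run the check over raw TLS records; non-heartbeat records are skipped."""
    findings = []
    for raw in records:
        content_type, _, body = parse_tls_record(raw)
        if content_type != TLS_HEARTBEAT:
            continue
        findings.append(check_heartbeat(body))
    return findings


if __name__ == "__main__":
    for result in scan_records([BENIGN, OVERSIZED]):
        print(result)
```

The check is deliberately the same inequality the OpenSSL fix uses, so a record that this flags is exactly one the patched library would discard. Running the module prints an "ok" verdict for the benign record and a "suspicious" verdict for the over-declared one, with the number of bytes an unpatched peer would have read past the end of the message.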

Media reports initially focused on the risk of logging into compromised online services such as webmail, cloud storage and banking, with some - but not all - companies suggesting users should reset their passwords.

Risk to business

Warnings from companies including Cisco, Juniper, Fortinet, Red Hat and Watchguard Technologies that some of their internet products are compromised may now place the spotlight on the corporate sector.

Dr Clayton explained how a hacker could take advantage of the problem.

"If you managed to log into a router then the simplest thing you could do would be to change the DNS [domain name system] settings in there," he said.

"Then you could arrange that everything on the internet resolves correctly apart from, for example, Barclays.com, which you could set to resolve to a malicious site that asks for the visitors' details."

[Image: Junos Pulse (Juniper). Caption: Junos Pulse - an app used to allow remote access to networks - is one of the compromised products]

Prof Alan Woodward, a security expert at the University of Surrey, gave another scenario in which hackers could take advantage of flaws in virtual private network software used to let workers log into corporate networks when not in the office.

'Closely monitor'

"The worst case would be that they could reach in and see the keys," he said.

"Hence all the traffic going to and from remote workers that people thought was secure could potentially be decrypted.

"But you would be working through quite a few layers of things to get to that because the way OpenSSL is used is quite complicated."

The US government has said that it was working with third-party organisations "to determine the potential vulnerabilities to computer systems that control essential systems - like critical infrastructure, user-facing and financial systems".

Meanwhile, officials suggested members of the public should "closely monitor your email accounts, bank accounts, social media accounts and other online assets for irregular or suspicious activity, such as abnormal purchases or messages".

[Video: Rory Cellan-Jones looks at ways to manage strong online passwords]

The UK has given similar advice.

"People should take advice on changing passwords from the websites they use," said a Cabinet Office spokesman.

"Most websites have corrected the bug and are best placed to advise what action, if any, people need to take."
