The Heartbleed Web-security flaw has been found in the hardware connecting homes and businesses to the Internet, underscoring the amount of time and effort that will be needed to defuse the threat.
Cisco Systems Inc. (CSCO:US) and Juniper Networks Inc. (JNPR:US) said some of their networking products are susceptible to the encryption bug, which was recently discovered by researchers at Google Inc. (GOOG:US) and prompted companies and government agencies to seek fixes to block hackers from gaining access to user names, passwords and other sensitive information.
The Heartbleed warnings come at a time of mounting concern about the security of information following consumer-data breaches at Target Corp. and Neiman Marcus Group Ltd. and the spying scandal involving the National Security Agency. While security experts urged consumers to change their Web passwords as soon as possible, it will take longer to fix networking equipment and software as Cisco and Juniper will have to rely on customers applying the patches they push out, according to Jaime Blasco, director of AlienVault Labs, part of AlienVault LLC.
“It’s more painful to update these kinds of devices,” Blasco said. “You have to go one by one.”
The vulnerability affects several of the routers, switches and security firewalls sold by Cisco and Juniper, the two manufacturers said in statements yesterday.
Heartbleed is a flaw in the design of OpenSSL, an encryption tool that runs on as many as two-thirds of all active websites, though many large consumer sites aren’t vulnerable to being exploited because they use specialized encryption equipment and software, according to Google’s researchers.
A programmer named Robin Seggelmann said he accidentally introduced the bug two years ago while working on a research project at the University of Muenster in Germany. He "failed to check" that a certain variable “contained a realistic value,” according to a blog post on the website of his current employer, Deutsche Telekom AG. (DTE)
That error was overlooked by a reviewer and introduced into the official release, “turning a simple mistake into one with massive consequences,” he was quoted in the post.
Seggelmann, who works at Deutsche Telekom’s corporate-client unit T-Systems, said the mistake showed that OpenSSL lacks support, with too few people involved in coding and checking.
Cisco said it would tell customers when software patches for its affected products are available.
“We take the management of security vulnerabilities very seriously,” the company said in a statement. “We encourage our customers to visit our website for ongoing updates.”
Juniper said it issued a patch earlier this week for its most vulnerable products that feature virtual private network, or VPN, technology. VPNs offer a secure way to connect remotely to corporate networks.
“A subset of Juniper’s products were affected including certain versions of our SSL VPN software, which presents the most critical concern for customers,” Juniper said in an e-mailed statement. “The company issued a patch for its SSL VPN product on Tuesday and is working around the clock to provide patched versions of code for our other affected products.”
Banks and other financial institutions should also take steps to patch their computer systems as soon as possible to prevent attacks that exploit the vulnerability, U.S. agencies said yesterday.
The Federal Financial Institutions Examination Council, made up of representatives from the Federal Reserve Board of Governors, the Consumer Financial Protection Bureau and other regulators, said systems that operate a widely used encryption technology called OpenSSL are at risk of being hacked.
“The vulnerability could allow an attacker to potentially access a server’s private cryptographic keys compromising the security of the server and its users,” the council said in a statement today. “Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive e-mail, or gain access to internal networks.”
JPMorgan Chase & Co. (JPM:US), the largest U.S. bank, doesn’t use the vulnerable software and user information hasn’t been exposed, the New York-based company said in a statement this week. Tests on the home pages of other large technology, e-commerce and banking companies including Microsoft Corp., Amazon.com Inc. and Bank of America Corp. (BAC:US) indicated they weren’t vulnerable.
“We should be grateful this was exposed before it caused any damage,” Avivah Litan, vice president at researcher Gartner Inc., said in a telephone interview. “Everybody’s speculating on all the damage that could happen but we haven’t seen it.”
Beyond banks, the vast majority of large institutions whose networks were susceptible have applied the fix, according to Robert Hansen, a specialist in Web application security who is vice president of the advanced technologies group of WhiteHat Security Inc.
“Everybody has to patch in the ecosystem,” Hansen said. “Everybody that they rely on for business continuity, for security, needs to be as secure as they are.”
AlienVault has detected people scanning the Internet looking for vulnerable servers, especially in traffic coming from China, though it’s difficult to know how many have been successful, Blasco said.
Usually, after a major security bug is disclosed and patch issued, there is a race between hackers who try to quickly exploit the flaw and security professionals who try to fix it. Sites that will be preyed upon with this vulnerability will be smaller and medium-sized businesses that didn’t update fast enough, Blasco said.
“Those companies are going to patch at some point, but they are going to be more vulnerable than the big guys -- they don’t have the resources and expertise to deal with the issue,” Blasco said.
To contact the reporters on this story: Jordan Robertson in San Francisco at email@example.com; Cornelius Rahn in Berlin at firstname.lastname@example.org
To contact the editors responsible for this story: Pui-Wing Tam at email@example.com; Kenneth Wong at firstname.lastname@example.org Reed Stevenson, Jillian Ward