TMCnet News

'Heartbleed' risk goes beyond Web servers [ITWeb]
[April 11, 2014]



(ITWeb Via Acquire Media NewsEdge) Pieces of vulnerable OpenSSL code can be found inside e-mail servers, PCs, cellphones and even security products such as firewalls.

Hackers could crack e-mail systems, security firewalls and possibly mobile phones through the "Heartbleed" computer bug, according to security experts who warned yesterday that the risks extended beyond just Internet Web servers.



The widespread bug surfaced late on Monday, when it was disclosed that a pernicious flaw in OpenSSL, a widely used encryption library, had opened hundreds of thousands of Web sites to data theft.

Developers rushed out patches to fix affected Web servers when they disclosed the problem, which affected companies from Amazon.com and Google to Yahoo. Yet pieces of vulnerable OpenSSL code can be found inside plenty of other places, including e-mail servers, ordinary PCs, phones and even security products such as firewalls.


Developers of those products are scrambling to figure out whether they are vulnerable and patch them to keep their users safe.

"I am waiting for a patch," said Jeff Moss, a security adviser to the US Department of Homeland Security and founder of the Def Con hacking conference. Def Con's network uses an enterprise firewall from McAfee, which is owned by Intel's security division.

He said he was frustrated because people had figured out that his e-mail and Web traffic is vulnerable and posted about it on the Internet - but he can't take steps to remedy the problem until Intel releases a patch.

"Everybody is going through the exact same thing I'm going through, if you are going through a vendor fix," he said.

An Intel spokesman declined comment, referring Reuters to a company blog that said: "We understand this is a difficult time for businesses as they scramble to update multiple products from multiple vendors in the coming weeks. The McAfee products that use affected versions of OpenSSL are vulnerable and need to be updated." It did not say when they would be released.

The Heartbleed vulnerability went undetected for about two years and can be exploited without leaving a trace in ordinary server logs, so experts and consumers fear attackers may have compromised large numbers of networks without their knowledge.

Companies and government agencies are now rushing to understand which products are vulnerable, then set priorities for fixing them. They are anxious because researchers have observed sophisticated hacking groups conducting scans of the Internet this week in search of vulnerable servers.
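The triage described above, as an added example that is not part of the ITWeb article: a small Python helper that classifies the output of "openssl version -a" against the affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable; 1.0.1g, released 7 April 2014, and 1.0.2-beta2 are fixed; 1.0.0 and 0.9.8 never carried the heartbeat code). The function names, the FIX_DATE constant and the sample version outputs are the editor's own assumptions and constructions, not data from any vendor named in the article.

```python
import re
from datetime import date, datetime

# Added example (not from the article): triage `openssl version -a` output
# against the Heartbleed affected range. Facts relied on: OpenSSL 1.0.1
# through 1.0.1f and 1.0.2-beta1 are vulnerable; 1.0.1g (7 April 2014) and
# 1.0.2-beta2 fixed it; 1.0.0 and 0.9.8 never contained the heartbeat code.
# Caveat handled below: distributions backport the fix without changing the
# upstream version letter, so a "vulnerable" banner with a build date on or
# after the fix date is only a candidate and must be confirmed from the
# package changelog or by probing the service.

FIX_DATE = date(2014, 4, 7)  # assumption: upstream fix/advisory date used as the cut-off

BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")
BUILT_RE = re.compile(
    r"built on:\s*(?:[A-Za-z]{3}\s+)?([A-Za-z]{3})\s+(\d{1,2})\s+[\d:]+\s+\S+\s+(\d{4})"
)


def parse_banner(output):
    """Return (major, minor, patch, letter, prerelease) or None if unparseable."""
    m = BANNER_RE.search(output)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter, pre


def parse_built_on(output):
    """Return the 'built on:' date from `openssl version -a` output, or None."""
    m = BUILT_RE.search(output)
    if not m:
        return None
    mon, day, year = m.groups()
    return datetime.strptime(f"{mon} {day} {year}", "%b %d %Y").date()


def version_status(output):
    """Classify the version string alone: vulnerable / fixed / not_affected / unknown."""
    v = parse_banner(output)
    if v is None:
        return "unknown"
    major, minor, patch, letter, pre = v
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g and later are fixed.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug; beta2 and the final release are fixed.
        return "vulnerable" if pre == "beta1" else "fixed"
    # 1.0.0, 0.9.8 and every branch released after April 2014 never had the bug.
    return "not_affected"


def triage(output):
    """Return (status, note). 'backport_candidate' means the banner says vulnerable
    but the binary was built on or after the fix date, so the string may be stale."""
    status = version_status(output)
    built = parse_built_on(output)
    if status == "vulnerable" and built is not None and built >= FIX_DATE:
        return "backport_candidate", "banner predates the fix but the build does not; check the package changelog"
    if status == "vulnerable":
        return status, "upgrade to 1.0.1g or later, or rebuild with -DOPENSSL_NO_HEARTBEATS as a stopgap"
    return status, ""


# Constructed sample outputs, not captured from real systems.
SAMPLES = {
    "old_build": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Feb 12 10:00:00 UTC 2013",
    "upstream_fixed": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 21:00:00 UTC 2014",
    "distro_backport": "OpenSSL 1.0.1 14 Mar 2012\nbuilt on: Mon Apr  7 20:33:29 UTC 2014",
    "legacy_branch": "OpenSSL 0.9.8y 5 Feb 2013",
    "beta": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        status, note = triage(out)
        print(f"{name:16} {status:20} {note}")
```

The build-date rule exists because Debian and Ubuntu shipped the fix as an in-place update to their existing 1.0.1 and 1.0.1e packages, so the banner alone reports those fixed builds as vulnerable; the build date is only a hint, and the package changelog or a live heartbeat probe of the service is the confirmation. The -DOPENSSL_NO_HEARTBEATS stopgap is the recompile-time mitigation the OpenSSL project itself recommended for installs that could not be upgraded immediately.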

"Every security person is talking about this," said Chris Morales, practice manager with the cyber security services firm NSS Labs.

Quick action

Cisco Systems, the world's biggest telecommunications equipment provider, said on its Web site that it is reviewing dozens of products to see if they are safe. It uncovered about a dozen that are vulnerable, including a TelePresence video conferencing server and a version of the IOS software that runs its routers. A company spokesman declined to comment on how those issues might affect users, saying Cisco would provide more information as it became available.

Oracle has not posted such an advisory on its support site. Company spokeswoman Deborah Hellinger declined to comment on Heartbleed.

Microsoft, which runs a cloud computing and storage service, the Xbox platform and has hundreds of millions of Windows and Office users, said in a statement that "a few services continue to be reviewed and updated with further protections". It did not identify them.

Officials with technology giants IBM and Hewlett-Packard could not be reached. EMC and Dell said they had no immediate comment.

Security experts said the vulnerable code is also found in some widely used e-mail server software, the Tor anonymity network and OpenVPN, as well as some online games and the software that runs Internet-connected devices such as Web cams and mobile phones.

Jeff Forristal, chief technology officer of Bluebox Security, said version 4.1.1 of Google's Android operating system, known as Jelly Bean, is also vulnerable. Google officials declined to comment on his finding.

Other security experts said that they would avoid using any device with the vulnerable software in it, but that it would take a lot of effort for a hacker to extract useful data from a vulnerable Android phone.

US banks told to address risk

Meanwhile, US financial regulators have told banks to upgrade their systems as soon as possible if they are vulnerable to the Heartbleed bug.

The Federal Financial Institutions Examination Council, an interagency group that includes the Federal Reserve and the Federal Deposit Insurance Corporation, said banks should also put temporary mitigations in place for any systems using the OpenSSL encryption library, and warn their outside service providers to take action.

Researchers said this week they found evidence of hackers scanning the Internet in search of Web servers running the widely used encryption library.

The bug, which apparently has existed since 2011 but was only recently discovered, means many Web sites could be vulnerable to theft of data including passwords and credit card numbers.

"Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive e-mail, or gain access to internal networks," the Federal Financial Institutions Examination Council said in its warning to banks.

The group said after banks patch their systems, they should consider telling customers and administrators to change their passwords.

(c) 2014 ITWeb Limited. All rights reserved. Provided by Syndigate.info, an Albawaba.com company
