Heartbleed Bug: Homeland Security advises public to change passwords for sites affected by flaw
The US Department of Homeland Security has warned that it believes hackers are trying to make use of the Heartbleed bug.
It advised the public to change passwords for sites affected by the flaw once they had confirmed they were secure.
However, an official added that there had not been any reported attacks or malicious incidents.
The alert comes as several makers of net hardware and software revealed some of their products had been compromised.
Affected equipment includes network routers and switches, video conferencing kit, phone call software, firewalls and apps that let workers remotely access company data.
The encryption flaw can potentially be exploited to steal passwords and secret keys used to protect computer users.
Experts say home kit is less at risk.
There had been reports that domestic home networking equipment – such as Wi-Fi routers – might also make use of unpatched versions of the OpenSSL cryptographic library used to digitally scramble sensitive data.
However, a security researcher at the University of Cambridge’s Computer Laboratory said he thought this would be a relatively rare occurrence.
News of the Heartbleed bug emerged on Monday when Google Security and Codenomicon – a Finnish security company – revealed that a flaw had existed in OpenSSL for more than two years.
This had made it possible to impersonate services and users, and potentially eavesdrop on data communications.
The flaw only exposed 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted.
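The "64K at a time" figure follows from the heartbeat message format: the sender supplies a 16-bit payload length, so the most a single request can ask to have echoed back is 65535 bytes, and the bug was that the unpatched code trusted that field instead of checking it against the bytes actually received. The toy below, written for this article and not taken from OpenSSL, models that in C with a simplified record layout (the `hb_*` names, buffer sizes and the 'S'/'P' marker bytes are all constructed for the example); it shows a vulnerable handler disclosing memory beyond the record and the corrected handler rejecting the same request.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of TLS heartbeat handling, written to illustrate the flaw
 * described above.  It is NOT OpenSSL's code: the record layout, buffer sizes
 * and function names are assumptions made for this toy. */

#define HB_HDR      3     /* request type (1 byte) + payload length (2 bytes) */
#define HB_PADDING  16    /* minimum padding that must follow the payload */
#define MEM_SIZE    1024  /* size of the toy "process memory" */

/* Toy process memory: the received record sits at offset 0 and everything
 * after it stands in for unrelated data (keys, session cookies) that must
 * never be echoed back.  Contents are constructed by hb_build(). */
static uint8_t g_mem[MEM_SIZE];

/* Write a heartbeat record into g_mem.  `claimed` is the value placed in the
 * 16-bit length field (the sender chooses it; 65535 is the largest value it
 * can hold, which is why at most 64K leaks per request); `real_payload` is
 * how many payload bytes actually arrived.  Returns the true record length. */
size_t hb_build(uint16_t claimed, size_t real_payload) {
    memset(g_mem, 'S', MEM_SIZE);              /* 'S' marks bytes outside the record */
    g_mem[0] = 1;                              /* heartbeat_request */
    g_mem[1] = (uint8_t)(claimed >> 8);
    g_mem[2] = (uint8_t)(claimed & 0xff);
    memset(g_mem + HB_HDR, 'P', real_payload); /* payload that really arrived */
    memset(g_mem + HB_HDR + real_payload, 0, HB_PADDING);
    return HB_HDR + real_payload + HB_PADDING;
}

static size_t hb_claimed_len(void) {
    return (size_t)((g_mem[1] << 8) | g_mem[2]);
}

/* Vulnerable handler: copies as many bytes as the length field claims without
 * checking that many bytes were received.  Returns how many of the copied
 * bytes lay beyond the real record, i.e. how much unrelated memory would be
 * disclosed.  (The clamp to MEM_SIZE only keeps this toy inside its own
 * array; the real bug had no such bound.) */
size_t hb_respond_vulnerable(size_t rec_len, uint8_t *out, size_t out_cap) {
    size_t n = hb_claimed_len();
    if (n > MEM_SIZE - HB_HDR) n = MEM_SIZE - HB_HDR;
    if (n > out_cap) n = out_cap;
    memcpy(out, g_mem + HB_HDR, n);            /* echoes memory past the record */
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (HB_HDR + i >= rec_len) leaked++;
    return leaked;
}

/* Fixed handler: the claimed length plus padding must fit inside the record
 * that was actually received, otherwise the request is silently dropped.
 * Returns 0 and sets *out_len on success, -1 if the request was rejected. */
int hb_respond_fixed(size_t rec_len, uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < HB_HDR + HB_PADDING) return -1;        /* too short to carry a length */
    size_t n = hb_claimed_len();
    if (HB_HDR + n + HB_PADDING > rec_len) return -1;    /* claimed length exceeds the record */
    if (n > out_cap) return -1;
    memcpy(out, g_mem + HB_HDR, n);
    *out_len = n;
    return 0;
}

/* Convenience wrappers: build one request and report what each handler does. */
size_t hb_leaked_bytes(uint16_t claimed, size_t real_payload) {
    uint8_t out[MEM_SIZE];
    size_t rec_len = hb_build(claimed, real_payload);
    return hb_respond_vulnerable(rec_len, out, sizeof out);
}

int hb_fixed_accepts(uint16_t claimed, size_t real_payload) {
    uint8_t out[MEM_SIZE];
    size_t n = 0;
    size_t rec_len = hb_build(claimed, real_payload);
    return hb_respond_fixed(rec_len, out, sizeof out, &n) == 0 && n == claimed;
}
```

A request that claims 200 bytes but carries 4 makes the vulnerable handler echo 180 bytes that were never part of the record, while the fixed handler drops it; an honest request (claimed length equal to the bytes sent) is answered by both. Because the rejected request produces no response and no error, the corrected code leaves nothing in application logs either, which is consistent with the "without leaving a trace" point: detecting abuse of the unpatched version needs network-level monitoring of heartbeat records, not server logs.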
The website set up to publicize the danger noted that it was possible to carry out such an attack “without leaving a trace”, making it impossible to know for sure if criminals or cyberspies had taken advantage of it.
Media reports initially focused on the risk of logging into compromised online services such as webmail, cloud storage and banking, with some – but not all – companies suggesting users should reset their passwords.
Warnings from companies including Cisco, Juniper, Fortinet, Red Hat and Watchguard Technologies that some of their internet products are compromised may now place the spotlight on the corporate sector.
The US government has said that it was working with third-party organizations “to determine the potential vulnerabilities to computer systems that control essential systems – like critical infrastructure, user-facing and financial systems”.
Meanwhile, officials suggested members of the public should “closely monitor your email accounts, bank accounts, social media accounts and other online assets for irregular or suspicious activity, such as abnormal purchases or messages”.