Security experts warn there is little internet users can do to protect themselves from the recently uncovered ''Heartbleed'' bug that exposes data to hackers, at least not until vulnerable websites upgrade their software.
InternetNZ chief executive Jordan Carter warned yesterday website owners might find their sites had been breached and private information, including log-ons and passwords, stolen after the Heartbleed vulnerability was identified.
He advised website owners to check their sites and patch them where required. Individual users should change their passwords as a matter of course.
''Website owners shouldn't panic but quick action is required by those using vulnerable versions of OpenSSL.''
Researchers have observed sophisticated hacking groups conducting automated scans of the internet in search of web servers running vulnerable versions of OpenSSL, a widely used web encryption program, which leaves those servers open to the theft of data, including passwords, confidential communications and credit
OpenSSL is used on about two-thirds of all web servers, and the issue went undetected for about two years.
Mr Carter said the vulnerability in OpenSSL software, commonly used to secure websites, was easy to exploit and virtually impossible to detect when it had been exploited.
Any website using a vulnerable version of OpenSSL might have been attacked by criminals stealing data or eavesdropping on communications to and from the site.
''Now this vulnerability is widely known, the likelihood of criminals using this exploit is significantly higher.''
Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.
By Tuesday, Kaspersky had identified such scans coming from ''tens'' of actors, and the number increased on Wednesday after security software company Rapid7 released a free tool for conducting such scans.
''The problem is insidious,'' Mr Baumgartner told Reuters. ''Now it is amateur hour. Everybody is doing it.''
OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.
''There is nothing users can do to fix their computers,'' said Mikko Hypponen, chief research officer with security software maker F-Secure.
Representatives for Facebook, Google and Yahoo Inc told Reuters they had taken steps to mitigate the impact on users.
Google spokeswoman Dorothy Chou told Reuters: ''We fixed this bug early and Google users do not need to change their
Ty Rogers, a spokesman for Amazon.com, said ''Amazon.com is
Steve Marquess, president of the OpenSSL Software Foundation, said he could not identify other computer programs that used OpenSSL code that might make devices vulnerable to attack.
(1) Establish if your site's servers are vulnerable. This can be done by visiting https://www.ssllabs.com/ssltest.
(2) Patch the vulnerable servers.
(3) Revoke/reissue certificates. This is an important step as the servers might have been compromised for some time,
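As an added example, not part of the article, here is a small POSIX shell check for step (1) that classifies the banner printed by `openssl version` using the version ranges from the OpenSSL Heartbleed advisory; the function name and the sample banners are my own, and a version-string match is only a first pass because distributions often backport the fix without changing the version.

```shell
#!/bin/sh
# Added example, not from the article: classify an "openssl version" banner
# by the ranges in the OpenSSL Heartbleed advisory. Affected: 1.0.1 up to
# and including 1.0.1f, plus 1.0.2-beta1. Not affected: 1.0.1g and later,
# 1.0.2-beta2 and later, and the 0.9.8 / 1.0.0 branches (no heartbeat code).
# Caveat: distributions often backport the fix without changing the version
# string, so "vulnerable" here means "check the package changelog or run a
# server-side test such as the ssllabs.com scan", not a final verdict.

# heartbleed_vulnerable_version "<banner>" -> vulnerable | not-vulnerable | unknown
heartbleed_vulnerable_version() {
    # Second whitespace-separated field of e.g. "OpenSSL 1.0.1e 11 Feb 2013".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "")           echo unknown ;;        # not an OpenSSL banner (e.g. LibreSSL)
        1.0.2-beta1)  echo vulnerable ;;     # must precede the general 1.0.2* rule
        1.0.1 | 1.0.1-* | 1.0.1[a-f] | 1.0.1[a-f]-*)
                      echo vulnerable ;;     # 1.0.1 .. 1.0.1f, incl. -fips / pre-release suffixes
        0.9.* | 1.0.0* | 1.0.1* | 1.0.2* | 1.1.* | 3.*)
                      echo not-vulnerable ;; # branches without the bug, or 1.0.1g+ / 1.0.2-beta2+
        *)            echo unknown ;;        # anything else: do not guess
    esac
}

# Check the local binary, if there is one (constructed sample banners are
# enough to exercise the function when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version 2>/dev/null)
    printf '%s -> %s\n' "$banner" "$(heartbleed_vulnerable_version "$banner")"
fi
```

Run it on each web server; a result of "unknown" or a backported package version still needs the server-side scan from step (1) before you decide it is safe.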