BOSTON, April 10 (Reuters) - Hackers could crack email systems, security firewalls and possibly mobile phones through the "Heartbleed" computer bug, according to security experts who warned on Thursday that the risks extended beyond just Internet Web servers.
The widespread bug surfaced late on Monday, when it was disclosed that a pernicious flaw in a widely used Web encryption program known as OpenSSL opened hundreds of thousands of websites to data theft. Developers rushed out patches to fix affected web servers when they disclosed the problem, which affected companies from Amazon.com Inc and Google Inc to Yahoo Inc.
Yet pieces of vulnerable OpenSSL code can be found inside plenty of other places, including email servers, ordinary PCs, phones and even security products such as firewalls. Developers of those products are scrambling to figure out whether they are vulnerable and patch them to keep their users safe.
"I am waiting for a patch," said Jeff Moss, a security adviser to the U.S. Department of Homeland Security and founder of the Def Con hacking conference. Def Con's network uses an enterprise firewall from McAfee, which is owned by Intel Corp's security division.
He said he was frustrated because people had figured out that his email and Web traffic is vulnerable and posted about it on the Internet - but he can't take steps to remedy the problem until Intel releases a patch.
"Everybody is going through the exact same thing I'm going through, if you are going through a vendor fix," he said.
An Intel spokesman declined comment, referring Reuters to a company blog that said: "We understand this is a difficult time for businesses as they scramble to update multiple products from multiple vendors in the coming weeks. The McAfee products that use affected versions of OpenSSL are vulnerable and need to be updated." It did not say when they would be released.
The Heartbleed vulnerability went undetected for about two years and can be exploited without leaving a trace, so experts and consumers fear attackers may have compromised large numbers of networks without their knowledge.
Companies and government agencies are now rushing to understand which products are vulnerable, then set priorities for fixing them. They are anxious because researchers have observed sophisticated hacking groups conducting scans of the Internet this week in search of vulnerable servers.
"Every security person is talking about this," said Chris Morales, practice manager with the cybersecurity services firm NSS Labs.
Cisco Systems Inc, the world's biggest telecommunications equipment provider, said on its website that it is reviewing dozens of products to see if they are safe. It uncovered about a dozen that are vulnerable, including a TelePresence video conferencing server and a version of the IOS software for managing routers. A company spokesman declined to comment on how those issues might affect users, saying Cisco would provide more information as it became available.
Oracle Corp has not posted such an advisory on its support site. Company spokeswoman Deborah Hellinger declined to comment on Heartbleed.
Microsoft Corp, which runs a cloud computing and storage service, the Xbox platform and has hundreds of millions of Windows and Office users, said in a statement that "a few services continue to be reviewed and updated with further protections." It did not identify them.
Officials with technology giants IBM and Hewlett-Packard Co could not be reached. EMC Corp and Dell said they had no immediate comment.
Security experts said the vulnerable code is also found in some widely used email server software, the online browser anonymizing tool Tor and OpenVPN, as well as some online games and software that runs Internet-connected devices such as webcams and mobile phones.
Jeff Forristal, chief technology officer of Bluebox Security, said that version 4.1.1 of Google's Android operating system, known as Jelly Bean, is also vulnerable. Google officials declined comment on his finding.
Other security experts said that they would avoid using any device with the vulnerable software in it, but that it would take a lot of effort for a hacker to extract useful data from a vulnerable Android phone. (Editing by Edwin Chan and Eric Walsh)
It's like Revenge of the Nerds, 21st Century style. I knew I shouldn't have made fun of those people in HS school, j/k.
This is a major violation against others as I have been experiencing this for a couple yrs. and it has really hurt me. We need much many stricter laws if caught a 15yr sentence does follow. Then whomever can not have any access with computers and if they must have a phone there must be strict regulation such as murders and sex offenders. This is way out of hand the hand of thieves. We must have a tracking law for the internet highway if they can figure this out I know u have plenty in Washington that can (maybe involved)? This must stop and they must get caught because has really affected my LIFE. This is murder and we need Justice! Do don't just ice say scoppe. Sincerely Yours? Donna G Francis
15yrs isn't long enough
No matter what the wizards of security come up with there continue to be people that are smarter and come up with ways to violate our privacy. Even using tokens has flaws. The options are to continually make better security software; maybe figure out how to make software that backfires in the bad guy's face by reinvading the source and blow up their disk drives! Is that possible? Why does the world have to be so ugly?
the world did not just suddenly turn ugly, it has been ugly from the time the first man walked upon the earth
you are correct. the good the bad the ugly
Well Eve and The Snake, anyway :-) j/k
It hardly seems appropriate to consider turning over control of the internet at a time in history when some of our enemies have already penetrated our power grids and even government computer systems. It would seem stupid to most with common sense but that doesn't appear to be one of Washington DC's prominent attributes. BWB
Common sense left when Adam and Eve ate the apple.
I am sooooo pissed, I received a call from someone who ID themselves as "WINDOWS SUPPORT C Corporation" who had me do several "tests" to see if my computer was infected ... Repeatedly I asked what this was for, he said his name was "REX" from Windows Recovery .... I asked are you with Microsoft? his answer was 'sure' .... he used a very heavy accent, and after several attempts to "FIX" my system that really wasn't broke .... he informed me he could repair my problem with a one time $139.00 charge .... I blew up I had been conned, I am sooooo timid in accepting anything over the phone ... this sort of sounded like it was correct, Hey Microsoft is the most trusted name associated with computers. since this call the "REX" said he gave me a toll free number to call him the area code was something like 206-203-5658 ... Rex informed me this was the toll free number to get in touch with him. All I know is Facebook comes up but all the games tell me to install an advanced copy of adobe flash drive .... I am sooooo upset, has anyone else had a problem like this?
Hacking and Viruses MAY be. . . . the next World War that no one can talk about yet. Pitting China, North Korea, Iran, Russia and others against the Modern Civilized World. Maybe the NSA spying thing is just a US Government coverup for what IS. . . . World War III. Therefore a Giant computer facility to battle the forces of the Evil. If the Internet becomes corrupted beyond use and repair. . . . the economy will collapse. I'm guessing that over 90% of the economy now is electronic Internet based. All of your Credit Card info, Internet sales, banking and even when you buy in a store, it's the Internet that connects all banks and ATM's. Almost no one MAILS a written check any more for payment for things. Transactions are done thru the Internet. 99% of all parts, car parts, parts for your washer and dryer are ordered and availability checked THRU. . . the Internet. No one CALLS every parts place in the US for that special part for whatever you need. Can't be done any more. I'm afraid that . . . WWIII . . . is here and it's Internet based.
Sometimes it's just not worth it, using the internet. People's lives get ruined, money stolen out of their banking account and etc. I never use my debit card number, credit card number or bank account number on the internet. But just buying something like virus protection or buying something like off eBay, the first thing they want is a credit or debit card number or your bank info. The only way around it is by calling them on your phone, and them not putting it on an internet file. But that is too much to ask of them. They all claimed they got a secure connection when retrieving that info, but it still gets hacked into and your info as well as others stolen.
The countries that provide safe haven for Virus makers should be CUT OFF from the Internet. Just CUT the damn cord. Block them out from the rest of the world.
Technology has a HUGE downside. What happened to just talking, smiling, listening and reacting with a genuine interest in what is being said, and the person saying it... let's reevaluate what is happening! Yep, you are right. Technology must be tempered with common sense. Warmly, Doc Sunshine (as my clients call me)
I know that Bank of America Master Card is on the ball. I was notified about it and a new card will be on its way. Boom, done.