OZ Retailers Facing ‘Heartbleed’ Bug Problems, Networks At Risk
Also affected are retailers and solution providers who sell Cisco and Juniper routers to small and medium businesses, as well as home routers.
Cisco Systems and Juniper Networks are two of the largest manufacturers of network equipment, and the affected equipment could allow hackers to capture user names, passwords and other sensitive information as it moves across retail networks, home networks and the Internet, the Wall Street Journal claims.
Update: The German software developer, Robin Seggelmann, who first introduced the flaw over two years ago, said he did not do it deliberately, reports Techdirt.
Both he and a reviewer missed the “quite trivial” vulnerability when it was first introduced into the open source OpenSSL encryption library, but he now acknowledges its impact was “severe”.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said in a recent interview.
Cisco and Juniper said the security flaw affects routers, switches and firewalls used in businesses and at home.
These devices likely will be more difficult to fix. The process involves more steps and retail businesses are less likely to check the status of network equipment, security experts said.
Some analysts claim that the only way to fix the problem is to replace the routers.
Another problem for Australian retailers selling routers is that the stock they are currently carrying for sale was shipped to stores before the bug was revealed on Monday, and may also contain the defective software from the encryption library known as OpenSSL.
OpenSSL software is used on millions of Web servers, and experts now believe the problem is much worse than originally expected.
OpenSSL is used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.
Dubbed the Heartbleed bug, the flaw poses a deadly serious threat to unpatched servers – and the multitudes of people they serve. Yahoo blogging platform Tumblr has advised the public to “change passwords everywhere – especially on high-security services like e-mail, file storage and banking”.
The vulnerability is in one of the most commonly used implementations of the SSL and TLS cryptographic protocols, allowing attackers to intercept secure communications and steal sensitive information such as log-in credentials, personal data, or even decryption keys.
Information at risk is said to include source code, credit card numbers, passwords and keys that could be used to impersonate Web sites or unlock encrypted data. “These are the crown jewels, the encryption keys themselves,” said heartbleed.com, a website devoted to details of the vulnerability.
The wonder is that Heartbleed wasn’t uncovered well before this. Fox-IT estimates the vulnerability has existed for about two years, since the version of OpenSSL at issue was released.
Christopher Budd, Trend Micro’s global threat communications manager said: “The Heartbleed vulnerability is a problem that affects SSL, the technology that helps protect your information on the Internet.
“If this vulnerability is exploited, attackers can unravel Web sites’ security, enabling them to monitor all communication between a user and a Web site, as well as decrypt any traffic they have collected previously from the Web site. This means sensitive information like passwords, credit card information, or other personal information, could have been exposed to others without your knowing.”
According to Trend Micro: “Consumers should be aware that their data could have been seen by a third party and should monitor any notices from the vendors (they) use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.”
Yahoo has released a statement saying it has fixed the problem at its main online properties. Facebook also says it has taken steps to mitigate any impact to end users.
Some experts have called on Internet companies to revoke the certificates and keys used to encrypt Internet traffic to browsers such as Firefox, Internet Explorer and Google Chrome.
“There is nothing [end] users or retailers can do to fix their computers,” said Mikko Hypponen, chief research officer with security software maker F-Secure. “They have to rely on the administrators of the Web sites they use.”
Cisco said it would update customers when it has software patches. In the meantime, its security researchers offered users software that it said would detect hackers exploiting the bug. A Cisco spokesman referred a query to the bulletin on its website.