San Francisco: The Heartbleed Web-security flaw has been found in the hardware connecting homes and businesses to the Web, underscoring the widespread nature of the threat.
Cisco Systems Inc. and Juniper Networks Inc. said some of their networking products are susceptible to the encryption bug, which was recently discovered by researchers at Google Inc. and prompted companies and government agencies to seek fixes to block hackers from gaining access to user names, passwords and other sensitive information.
The Heartbleed warnings come at a time of mounting concern about the security of information following consumer-data breaches at Target Corp. and Neiman Marcus Group Ltd and the spying scandal involving the National Security Agency. Security experts urged consumers to change their Web passwords as soon as possible to protect their information.
“We should be grateful this was exposed before it caused any damage,” Avivah Litan, vice president at researcher Gartner Inc., said in a telephone interview. “Everybody’s speculating on all the damage that could happen but we haven’t seen it.”
“The vulnerability affects some of the routers, switches and security firewalls sold by Cisco and Juniper,” the two manufacturers said in statements on Friday.
Heartbleed is a flaw in the design of OpenSSL, an encryption tool that runs on as many as two-thirds of all active websites, though many large consumer sites aren’t vulnerable to being exploited because they use specialized encryption equipment and software, according to Google’s researchers.
Software patches
Cisco said it would tell customers when software patches for its affected products are available.
“We take the management of security vulnerabilities very seriously,” the company said in a statement. “We encourage our customers to visit our website for ongoing updates.”
Juniper said it issued a patch earlier this week for its most vulnerable products that feature virtual private network, or VPN, technology. VPNs offer a secure way to connect remotely to corporate networks.
“A subset of Juniper’s products were affected including certain versions of our SSL VPN software, which presents the most critical concern for customers,” Juniper said in an e-mailed statement. The company issued a patch for its SSL VPN product on Tuesday and is working around the clock to provide patched versions of code for our other affected products.
Financial risks
Banks and other financial institutions should also take steps to patch their computer systems as soon as possible to prevent attacks that exploit the vulnerability, US agencies said on Friday.
The Federal Financial Institutions Examination Council, made up of representatives from the Federal Reserve Board of Governors, the Consumer Financial Protection Bureau and other regulators, said systems that operate a widely used encryption technology called OpenSSL are at risk of being hacked.
The vulnerability could allow an attacker to potentially access a server’s private cryptographic keys compromising the security of the server and its users, the council said in a statement today. Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive e-mail, or gain access to internal networks.
Secure fixes
JPMorgan Chase and Co., the largest US bank, doesn’t use the vulnerable software and user information hasn’t been exposed, the New York-based company said in a statement on Thursday. Tests on the home pages of other large technology, e-commerce and banking companies including Microsoft Corp., Amazon.com Inc. and Bank of America Corp. indicated they weren’t vulnerable.
Beyond banks, the vast majority of large institutions whose networks were susceptible have applied the fix, according to Robert Hansen, a specialist in Web application security who is vice president of the advanced technologies group of WhiteHat Security Inc.
“Everybody has to patch in the ecosystem,” Hansen said. “Everybody that they rely on for business continuity, for security, needs to be as secure as they are.” Bloomberg