Heartbleed: Hackers scanning Web for vulnerability

10 April 2014
By Edd Gent
Automated scans looking for servers vulnerable to the Heartbleed bug have risen steadily since the beginning of the week

Hacking groups have been detected running automated scans of the Internet in search of Web servers vulnerable to the ‘Heartbleed’ bug.

Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.

The scans are looking for servers running OpenSSL, a widely used Web encryption library found on about two-thirds of all Web servers, which researchers revealed earlier this week leaves servers vulnerable to the theft of sensitive in-memory data, including encryption keys, passwords, confidential communications and credit card numbers.

By Tuesday, Kaspersky had identified such scans coming from "tens" of actors, and the number increased yesterday after security software company Rapid7 released a free tool for conducting such scans.

"The problem is insidious," Baumgartner said. "Now it is amateur hour. Everybody is doing it."

Security experts warn there is little Internet users can do to protect themselves until vulnerable websites upgrade their software. OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.

"There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure.

Representatives for Facebook, Google and Yahoo told Reuters they have taken steps to mitigate the impact on users. Google spokeswoman Dorothy Chou told Reuters: "We fixed this bug early and Google users do not need to change their passwords."

Ty Rogers, a spokesman for Amazon.com, said "Amazon.com is not affected."

In a blog post dated Tuesday, the company said some of its Web cloud services, which provide the underlying infrastructure for apps such as online movie-streaming service Netflix and social network Pinterest, had been vulnerable.

While it said the problems had been fixed, the company urged users of those services, which are popular in particular among the tech startup community, to take extra steps such as updating software.

Kaspersky Lab's Baumgartner noted that devices besides servers could be at risk because they run software programs with vulnerable OpenSSL code built into them, including versions of Cisco Systems' AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs.

The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks.

Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet companies to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.
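The point behind that call is that a stolen key only becomes useless if the new certificate carries a new key; a certificate simply reissued over the old key changes nothing. The following Go program, an added example and not code from the article or from anyone quoted in it, compares the public key inside two certificates to make that check. The hostname example.test and the dates are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint hashes the DER SubjectPublicKeyInfo, which identifies the key pair.
func spkiFingerprint(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// KeyRotated reports whether the replacement certificate carries a different
// public key; reusing the key leaves a stolen private key fully usable.
func KeyRotated(old, replacement *x509.Certificate) bool {
	return spkiFingerprint(old) != spkiFingerprint(replacement)
}

// selfSigned builds a throwaway certificate for key (constructed test data, placeholder name).
func selfSigned(key *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reissued := time.Date(2014, 4, 9, 0, 0, 0, 0, time.UTC) // constructed dates
	before, _ := selfSigned(oldKey, reissued.AddDate(0, -6, 0))
	sameKey, _ := selfSigned(oldKey, reissued)
	fresh, _ := selfSigned(newKey, reissued)
	fmt.Println("same key reused, rotated:", KeyRotated(before, sameKey)) // false
	fmt.Println("new key issued, rotated: ", KeyRotated(before, fresh))   // true
}
```

The same comparison works on real certificates read from a server or a file once they are parsed with x509.ParseCertificate.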

That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net. "There's going to be lots of chaotic mess," he said.

Symantec and GoDaddy, two major providers of SSL technology, said they do not charge for reissuing keys.

Mark Maxey, a director with cyber security firm Accuvant, said it is no easy task for large organizations to implement the multiple steps needed to clean up the bug, which means some will take a long time to do so.

"Due to the complexity and difficulty in upgrading many of the affected systems, this vulnerability will be on the radar for attackers for years to come," he said.

Hypponen of F-Secure said computer users could immediately change passwords on accounts, but they would have to do so again if their operators notify them that they are vulnerable.

"Take care of the passwords that are very important to you," he said. "Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely."
