Little Internet users can do to thwart 'Heartbleed' bug

Update (6:03pm, April 10):  Several financial institutions contacted by AsiaOne - including UOB and Citibank - said that they are aware of the issue and are conducting investigations. A DBS spokesperson said that it is "not affected by this vulnerability and [has] multiple layers of security in place".

BOSTON - Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until vulnerable websites upgrade their software.

Researchers have observed sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running vulnerable versions of OpenSSL, a widely used Web encryption programme. The bug lets an attacker read data out of such servers' memory, including passwords, confidential communications and credit card numbers.

OpenSSL is used on about two-thirds of all Web servers, and the flaw went undetected for about two years.

Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.

By Tuesday, Kaspersky had identified such scans coming from "tens" of actors, and the number increased on Wednesday after security software company Rapid7 released a free tool for conducting such scans.

"The problem is insidious," Baumgartner said. "Now it is amateur hour. Everybody is doing it."

In the typical case the vulnerable OpenSSL code runs on the servers that host websites, not on the PCs or mobile devices connecting to them, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.
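To show why the fix has to happen on the server, here is an added illustration (not OpenSSL's code, and not part of the original article) of the heartbeat handling behind the bug. It models the TLS heartbeat message layout from RFC 6520 (a type byte, a 16-bit payload length, the payload, then padding) and the missing length check, using a bytearray "arena" in place of the server's heap. The arena layout, the planted "secrets" and the function names are constructed for the example; the 16-bit length field is what limits each leak to 65535 bytes, the "64 kilobytes at a time" figure FireEye quotes later on this page.

```python
"""Simulated Heartbleed heartbeat handling: vulnerable vs. fixed.

Added illustration, not OpenSSL's code. Models the RFC 6520 heartbeat
message (type, 16-bit payload length, payload, padding) and the missing
bounds check, with a bytearray standing in for the server's heap. The
arena layout and the secrets planted in it are constructed sample data.
"""
import struct
from typing import List, Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16    # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 1 + 2  # type byte + 16-bit payload length


def build_heartbeat_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request. An honest client sets claimed_len to
    len(payload); an attacker sets it higher. The field is 16 bits, so at
    most 65535 bytes can be requested per message."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


class ServerMemory:
    """Toy heap: the received record sits at offset 0, other data lives after it."""

    def __init__(self, record: bytes, size: int = 4096):
        assert len(record) < 200, "toy layout assumes a short record"
        self.buf = bytearray(size)
        self.buf[: len(record)] = record
        self.record_len = len(record)
        # Constructed examples of data that could sit near the record in a
        # real process: another user's session cookie and a private-key fragment.
        self._plant(200, b"session=9a3f71; user=alice")
        self._plant(900, b"-----BEGIN RSA PRIVATE KEY-----")

    def _plant(self, offset: int, data: bytes) -> None:
        self.buf[offset : offset + len(data)] = data


def handle_heartbeat_vulnerable(mem: ServerMemory) -> bytes:
    """Pre-1.0.1g behaviour: echo back as many bytes as the peer claims."""
    hbtype, payload_len = struct.unpack("!BH", mem.buf[:HEADER_LEN])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    # BUG: payload_len is attacker-controlled and is never compared with the
    # real record length, so the copy runs off the end of the record into
    # whatever else happens to be in memory.
    payload = bytes(mem.buf[HEADER_LEN : HEADER_LEN + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_fixed(mem: ServerMemory) -> Optional[bytes]:
    """1.0.1g behaviour: silently discard any request whose claimed payload
    does not fit inside the record that actually arrived."""
    if mem.record_len < HEADER_LEN + PADDING_LEN:
        return None
    hbtype, payload_len = struct.unpack("!BH", mem.buf[:HEADER_LEN])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_len + PADDING_LEN > mem.record_len:
        return None  # claimed payload longer than the record: drop it
    payload = bytes(mem.buf[HEADER_LEN : HEADER_LEN + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def leaked_secrets(response: bytes) -> List[str]:
    """Which of the planted markers show up in a heartbeat response."""
    markers = ("user=alice", "BEGIN RSA PRIVATE KEY")
    return [m for m in markers if m.encode() in response]


if __name__ == "__main__":
    attack = ServerMemory(build_heartbeat_request(b"hi", claimed_len=0xFFFF))
    print("vulnerable server leaks:", leaked_secrets(handle_heartbeat_vulnerable(attack)))
    print("fixed server answers:", handle_heartbeat_fixed(attack))
```

Nothing in the request is malformed from the client's point of view, and nothing about the exchange depends on the client's software; only the server-side check on the claimed length decides whether memory beyond the record is returned. That is why the article's experts say users cannot fix this on their own machines.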

"There is nothing users can do to fix their computers," said Mikko Hypponen, chief research officer with security software maker F-Secure.

Representatives for Facebook Inc, Google and Yahoo Inc told Reuters they have taken steps to mitigate the impact on users.

Google spokeswoman Dorothy Chou told Reuters: "We fixed this bug early and Google users do not need to change their passwords."

Ty Rogers, a spokesman for Amazon.com Inc, said "Amazon.com is not affected."

In a blogpost dated Tuesday, Amazon said some of its Web cloud services, which provide the underlying infrastructure for apps such as online movie-streaming service Netflix and social network Pinterest, had been vulnerable. While it said the problems had been fixed, the company urged users of those services, which are popular in particular among the tech startup community, to take extra steps such as updating software.

Kaspersky Lab's Baumgartner noted that devices besides servers could be at risk because they run software programs with vulnerable OpenSSL code built into them.

They include versions of Cisco Systems Inc's AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks.

Steve Marquess, president of the OpenSSL Software Foundation, said he could not identify other computer programs that used OpenSSL code that might make devices vulnerable to attack.

CLEANING UP MESS

Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet companies to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.

That will be time-consuming, said Barrett Lyon, chief technology officer of cybersecurity firm Defence.Net Inc. "There's going to be lots of chaotic mess," he said.

Symantec Corp and GoDaddy, two major providers of SSL certificates, said they do not charge for reissuing certificates.

Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organisations to implement the multiple steps to clean up the bug, which means it will take some a long time to do so.

"Due to the complexity and difficulty in upgrading many of the affected systems, this vulnerability will be on the radar for attackers for years to come," he said.

Hypponen of F-Secure said computer users could change passwords on their accounts immediately, but they would have to do so again if the operators of those sites later notify them that the sites were vulnerable. A password changed on a site that is still unpatched can simply be stolen again, so the site has to be fixed first for the change to be worth anything.

"Take care of the passwords that are very important to you," he said. "Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely."


Below is the official statement from DBS:

We are not affected by this vulnerability and have multiple layers of security in place to protect our customers. Some of our security measures include the encryption of iBanking usernames and passwords as well as the use of 2FA for online banking transactions.

We understand that security is a key concern for internet banking users, and DBS is committed to providing our customers with a safe and secure online banking environment. Other than having the right authentication and security in place, we also offer a Money Safe guarantee to protect customers from unauthorized online transactions for both internet and mobile banking.

As a best practice, we encourage customers to change their passwords regularly for all types of online accounts. If the customer suspects that his Internet Banking User Identifier, PIN or token has been compromised, or notices any suspicious activities on his account, he should contact DBS immediately at 1800-111-1111.

Here is a media statement from global network security company FireEye on the Heartbleed Bug:

Heartbleed is a fairly severe vulnerability with proof of concept code being distributed on the internet. If exploited, this vulnerability is capable of leaking sensitive information such as credentials, key material, and other content from the targeted server 64 kilobytes at a time.

FireEye has observed several different lists being posted to github and pastebin monitoring what sites are vulnerable, not vulnerable, and not running SSL on their web servers. Organizations are encouraged to apply the patch at their earliest opportunity. Organizations should identify their own strategy for deployment based on their own needs and testing requirements, however we recommend:

- All externally facing servers be patched first to reduce the potential number of individuals who could connect to a vulnerable system.

- Patch any servers providing authentication which could leak legitimate credentials to a hacker.

- Then patch any servers containing sensitive data including personally identifiable information (PII), customer data, critical intellectual property, or those conducting financial transactions.

- Then pursue a strategy to patch all other internal systems. Identify partner organizations websites that employees may use, and ensure that these other websites have been secured as well.

- Create, install / deploy new certificate(s). Organizations that suspect they have already been attacked should also consider revoking the old key pairs that were just superseded, and invalidating all session keys and cookies.

In addition, organizations should perform network scans as soon as possible. Organizations need to identify whether any other devices may be running OpenSSL as well. This could include appliances, wireless access points, routers, or pretty much anything else that may use SSL. As an example, several different types of voice over IP (VOIP) phones used in the corporate environment run SSL. For these other devices, organizations may need to work with their vendors to apply a patch, firmware, or solution to ensure that all equipment.

Finally, organizations will want to ensure appropriate logging is enabled on their servers, and conduct increased auditing to determine if any unauthorized users are leveraging compromised credentials that may have already been leaked. As the credentials are legitimate, auditing serves as one of the best ways to identify anomalous activity. Auditors should be on the lookout for anything outside of the normal including logins from different geographic regions, extreme off hour activity, increase in outbound bandwidth usage, and other similar activity.
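FireEye's last point is the one that matters after patching, because a password leaked through Heartbleed is still a valid password. As an added example (not FireEye's tooling, and not code from the article), here is a minimal auditor over constructed authentication-log lines that implements two of the checks listed above: a successful login from a different country shortly after the account's previous login, and successful logins during quiet hours. The log format, the field names, the two-hour window and the 00:00 to 05:59 UTC quiet hours are all assumptions made for the example.

```python
"""Auditing authentication logs for use of leaked-but-legitimate credentials.

Added example, not FireEye's tooling or code from the article. The log format
(one line per login attempt with user, source IP, country and result), the
two-hour travel window and the 00:00-05:59 UTC quiet hours are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed sample log: alice appears from two countries 28 minutes apart,
# bob logs in during quiet hours, carol and next-day alice are benign.
SAMPLE_LOG = """\
2014-04-09T08:12:01Z user=alice src=203.0.113.5 country=SG result=success
2014-04-09T03:05:44Z user=bob src=203.0.113.9 country=SG result=success
2014-04-09T08:40:17Z user=alice src=198.51.100.23 country=RO result=success
2014-04-09T14:20:00Z user=carol src=192.0.2.77 country=SG result=failure
2014-04-09T14:21:00Z user=carol src=192.0.2.77 country=SG result=success
2014-04-10T09:00:00Z user=alice src=203.0.113.5 country=SG result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) country=(?P<cc>[A-Z]{2}) result=(?P<result>\S+)$"
)

Event = Dict[str, Any]
Finding = Tuple[str, str, str]  # (rule, user, detail)


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; unrecognised lines are skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev: Event = m.groupdict()
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def audit(lines: Iterable[str],
          travel_window: timedelta = timedelta(hours=2),
          quiet_hours: range = range(0, 6)) -> List[Finding]:
    """Flag successful logins that are anomalous for the account.

    Rule 1 (country_change): the account's previous login came from a
            different country less than travel_window earlier, i.e. the
            real user and someone holding the stolen password both logging in.
    Rule 2 (off_hours_login): login during quiet_hours UTC.
    Failed attempts are ignored: leaked credentials are valid, so the
    interesting events are the ones that succeed."""
    events = [e for e in map(parse_line, lines) if e and e["result"] == "success"]
    events.sort(key=lambda e: e["ts"])
    findings: List[Finding] = []
    last_seen: Dict[str, Event] = {}
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ts.hour in quiet_hours:
            findings.append(("off_hours_login", user, f"{ts.isoformat()} from {ev['src']}"))
        prev = last_seen.get(user)
        if prev is not None and prev["cc"] != ev["cc"] and ts - prev["ts"] <= travel_window:
            gap = int((ts - prev["ts"]).total_seconds() // 60)
            findings.append(("country_change", user, f"{prev['cc']}->{ev['cc']} in {gap} min"))
        last_seen[user] = ev
    return findings


if __name__ == "__main__":
    for rule, user, detail in audit(SAMPLE_LOG.splitlines()):
        print(f"{rule:16} {user:8} {detail}")
```

Both rules deliberately look only at successful logins, for the reason FireEye gives: the attacker is not guessing, so failure counts and lockouts tell you nothing. Feed it the real authentication log and tune the window and quiet hours to the organisation's users before trusting its silence.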