The bug ‘Heartbleed’, disclosed by security researchers a few days ago, is now drawing the attention of every Internet giant and of governments around the world. The U.S. government has issued a warning that attackers could exploit this bug in OpenSSL to read credentials held in server memory.
In the warning issued to banks and financial organizations, the U.S. government said attackers may exploit this bug in OpenSSL, the cryptography library that secures data in transit between client and server.
Larry Zelvin, director of the DHS’s National Cybersecurity and Communications Integration Center, said: “While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems.”
Not only the U.S. government: the German Federal Office for Information Security (BSI) also stated, “An attacker can take advantage of the vulnerability and can read the memory contents of the OpenSSL server.”
To restore trust, banks are being asked to replace their certificates (which only helps if the private key is regenerated and the old certificate revoked) and to ask customers to change their account passwords. Heartbleed can leak the private keys behind a server’s X.509 certificates and other credentials held in server memory, and a malicious heartbeat request leaves no trace in ordinary server logs.
“Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch,” said the FFIEC (Federal Financial Institutions Examination Council), a consortium of regulators including the Fed and the Treasury Department.
The bug is in OpenSSL itself, not in how servers deploy it: the library’s implementation of the TLS heartbeat extension (RFC 6520) trusts the payload length sent by the peer, so OpenSSL 1.0.1 through 1.0.1f (CVE-2014-0160) will hand back up to 64 KB of its own process memory per request. The patched release, 1.0.1g, is now available from the OpenSSL website; builds compiled without heartbeat support (OPENSSL_NO_HEARTBEATS) were never affected. Earlier we also reported on two attacks demonstrated by other researchers against SSL/TLS-protected traffic: BREACH, about a year ago, and CRIME the year before that. Neither breaks the cipher; both recover secrets through a compression side channel.
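To show why a missing length check turns an echo message into a memory disclosure, here is a simplified model of the heartbeat handler, added for this article and not OpenSSL’s own code. The message layout follows RFC 6520; the handler names, the 256-byte “process memory” array and the planted secret are assumptions made for the demo. The vulnerable handler copies whatever length the peer claims; the fixed one applies the same kind of bounds check the 1.0.1g patch added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * Names, buffer sizes and the "secret" below are assumptions for this demo. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16
#define MEM_SIZE   256

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *resp, size_t *resp_len);

/* Model of the process heap: the received record is stored at the front and an
 * unrelated secret (think key material or a session cookie) sits right after. */
static unsigned char process_memory[MEM_SIZE];
static const char secret[] = "SECRET-PRIVATE-KEY-MATERIAL";

/* Write a request into process_memory. claimed_len is what the peer puts in
 * the length field; real_len is how many payload bytes were actually sent.
 * Returns the length of the record as received. */
static size_t build_record(const unsigned char *payload, size_t real_len,
                           uint16_t claimed_len)
{
    unsigned char *p = process_memory;
    memset(p, 0, MEM_SIZE);
    p[0] = HB_REQUEST;
    p[1] = (unsigned char)(claimed_len >> 8);
    p[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(p + 3, payload, real_len);              /* padding stays zeroed */
    size_t rec_len = 3 + real_len + HB_PADDING;
    memcpy(p + rec_len, secret, sizeof secret);    /* adjacent heap data */
    return rec_len;
}

/* Vulnerable handler (the pattern in OpenSSL 1.0.1 through 1.0.1f): it echoes
 * payload_length bytes without checking that the record holds that many. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *resp, size_t *resp_len)
{
    (void)rec_len;                                 /* never consulted: the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);        /* over-reads past the record */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    *resp_len = 3 + payload_len + HB_PADDING;
    return 0;
}

/* Fixed handler: the claimed payload plus header and padding must fit inside
 * the record that was actually received, as the 1.0.1g check requires. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *resp, size_t *resp_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    *resp_len = 3 + payload_len + HB_PADDING;
    return 0;
}

/* Send a 4-byte "ping" that claims claimed_len bytes and inspect the reply.
 * Returns 1 if the secret leaked, 0 if the reply was clean, -1 if rejected.
 * Keep claimed_len well below MEM_SIZE so the model never reads outside the array. */
static int run_heartbeat(hb_handler handler, uint16_t claimed_len)
{
    static unsigned char resp[3 + 0xffff + HB_PADDING];
    const unsigned char payload[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = build_record(payload, sizeof payload, claimed_len);
    size_t resp_len = 0;
    if (handler(process_memory, rec_len, resp, &resp_len) != 0) return -1;
    size_t slen = strlen(secret);
    for (size_t i = 3; i + slen <= resp_len; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, claims 64 bytes: %d (1 = secret leaked)\n",
           run_heartbeat(heartbeat_vulnerable, 64));
    printf("fixed, claims 64 bytes:      %d (-1 = request rejected)\n",
           run_heartbeat(heartbeat_fixed, 64));
    printf("fixed, honest 4 bytes:       %d (0 = clean reply)\n",
           run_heartbeat(heartbeat_fixed, 4));
    return 0;
}
```

The model keeps the over-read inside one array so it is well-defined C; in the real library the same copy walked past the end of the heap record into whatever happened to be adjacent, which is why the leaked content varied from request to request and why anything that had recently been in memory, keys included, was fair game.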