This article is from the source 'bbc' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.bbc.co.uk/news/technology-26985818

The article has changed 2 times.

US government warns of Heartbleed bug danger
The US government has warned that it believes hackers are trying to make use of the Heartbleed bug.
The Department of Homeland Security advised the public to change passwords for sites affected by the flaw once they had confirmed they were secure.
However, an official added that there had not been any reported attacks or malicious incidents.
The alert comes as several makers of net hardware and software revealed some of their products had been compromised.
Affected equipment includes network routers and switches, video conferencing kit, phone call software, firewalls and apps that let workers remotely access company data.
The encryption flaw can potentially be exploited to steal passwords and secret keys used to protect computer users.
Browser alerts
Experts say home kit is less at risk.
There had been reports that domestic home networking equipment - such as wi-fi routers - might also make use of unpatched versions of the OpenSSL cryptographic library used to digitally scramble sensitive data.
However, a security researcher at the University of Cambridge's Computer Laboratory said he thought this would be a relatively rare occurrence.
"You would have to be a semi-professional to have this sort of equipment at home," Dr Richard Clayton told the BBC.
"It's unusual to find secure connections to a home router because you'd have to have a certificate in the device.
"If that certificate were self-signed it would generate browser warnings. Alternatively, you could be regularly updated but that would cost money."
UK internet service providers (ISPs) Sky, TalkTalk and Virgin Media confirmed that their home router suppliers had told them their equipment did not use OpenSSL.
Password resets
News of the Heartbleed bug emerged on Monday when Google Security and Codenomicon - a Finnish security company - revealed that a flaw had existed in OpenSSL for more than two years.
This had made it possible to impersonate services and users, and potentially eavesdrop on data communications.
The flaw only exposed 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted.
The website set up to publicise the danger noted that it was possible to carry out such an attack "without leaving a trace", making it impossible to know for sure if criminals or cyberspies had taken advantage of it.
Media reports initially focused on the risk of logging into compromised online services such as webmail, cloud storage and banking, with some - but not all - companies suggesting users should reset their passwords.
Risk to business
Warnings from companies including Cisco, Juniper, Fortinet, Red Hat and Watchguard Technologies that some of their internet products are compromised may now place the spotlight on the corporate sector.
Dr Clayton explained how such a hacker could take advantage of the problem.
"If you managed to log into a router then the simplest thing you could do would be to change the DNS [domain name system] settings in there," he said.
"Then you could arrange that everything on the internet resolves correctly apart from, for example, Barclays.com, which you could set to resolve to a malicious site that asks for the visitors' details."
Prof Alan Woodward, a security expert at the University of Surrey, gave another scenario in which hackers could take advantage of flaws in virtual private network software used to let workers log into corporate networks when not in the office.
'Closely monitor'
"The worst case would be that they could reach in and see the keys," he said.
"Hence all the traffic going to and from remote workers that people thought was secure could potentially be decrypted.
"But you would be working through quite a few layers of things to get to that because the way OpenSSL is used is quite complicated."
The US government has said that it was working with third-party organisations "to determine the potential vulnerabilities to computer systems that control essential systems - like critical infrastructure, user-facing and financial systems".
Meanwhile, officials suggested members of the public should "closely monitor your email accounts, bank accounts, social media accounts and other online assets for irregular or suspicious activity, such as abnormal purchases or messages".
The UK has given similar advice.
"People should take advice on changing passwords from the websites they use," said a Cabinet Office spokesman.
"Most websites have corrected the bug and are best placed to advise what action, if any, people need to take."