Threat from Heartbleed grows as flaw found in some routers

Bug affects networking equipment from Cisco and Juniper Networks

The Heartbleed web security flaw has been found in the hardware connecting homes and businesses to the internet, underscoring the amount of time and effort that will be needed to defuse the threat.

Cisco Systems Inc. and Juniper Networks said some of their networking products are susceptible to the encryption bug, which was recently discovered by researchers at Googleand prompted companies and government agencies to seek fixes to block hackers from gaining access to user names, passwords and other sensitive information.

The Heartbleed warnings come at a time of mounting concern about the security of information following consumer data breaches at Target and Neiman Marcus Group, and the spying scandal involving the National Security Agency.

While security experts urged consumers to change their web passwords as soon as possible, it will take longer to fix networking equipment and software because Cisco and Juniper will have to rely on customers applying the patches they push out, according to Jaime Blasco, director of AlienVault Labs, part of AlienVault.


“It’s more painful to update these kinds of devices,” Blasco said. “You have to go one by one.”

The vulnerability affects several of the routers, switches and security firewalls sold by Cisco and Juniper, the two manufacturers said in statements yesterday.

Heartbleed is a flaw in the design of OpenSSL, an encryption tool that runs on as many as two-thirds of all active websites, though many large consumer sites aren’t vulnerable to being exploited because they use specialised encryption equipment and software, according to Google’s researchers.

Cisco said it would tell customers when software patches for its affected products are available. “We take the management of security vulnerabilities very seriously,” the company said in a statement. “We encourage our customers to visit our website for ongoing updates.”

Juniper said it issued a patch earlier this week for its most vulnerable products that feature virtual private network, or VPN, technology. VPNs offer a secure way to connect remotely to corporate networks.

“A subset of Juniper’s products were affected including certain versions of our SSL VPN software, which presents the most critical concern for customers,” Juniper said in an e- mailed statement. “The company issued a patch for its SSL VPN product on Tuesday and is working around the clock to provide patched versions of code for our other affected products.”

Banks and other financial institutions should also take steps to patch their computer systems as soon as possible to prevent attacks that exploit the vulnerability, agencies said yesterday.

JPMorgan Chase and Co, the largest bank in the US, doesn't use the vulnerable software and user information hasn't been exposed, the New York-based company said in a statement this week. Tests on the home pages of other large technology, e- commerce and banking companies including Microsoft and Amazon. com indicated they weren't vulnerable.

"We should be grateful this was exposed before it caused any damage," Avivah Litan, vice president at researcher Gartner, said in a telephone interview. "Everybody's speculating on all the damage that could happen but we haven't seen it."

Beyond banks, the vast majority of large institutions whose networks were susceptible have applied the fix, according to Robert Hansen, a specialist in web application security who is vice president of the advanced technologies group of WhiteHat Security.

“Everybody has to patch in the ecosystem,” Hansen said. “Everybody that they rely on for business continuity, for security, needs to be as secure as they are.”

AlienVault has detected people scanning the internet looking for vulnerable servers, especially in traffic coming from China, though it’s difficult to know how many have been successful, Blasco said. Usually, after a major security bug is disclosed and patch issued, there is a race between hackers who try to quickly exploit the flaw and security professionals who try to fix it.

Sites that will be preyed upon with this vulnerability will be smaller and medium-sized businesses that didn’t update fast enough, Blasco said.

“Those companies are going to patch at some point, but they are going to be more vulnerable than the big guys - they don’t have the resources and expertise to deal with the issue,” Blasco said.(Bloomberg)