The Homeland Security Department is working with federal agencies and companies to determine potential impacts of a newly discovered security flaw, which experts say could expose online passwords and encrypted Internet traffic to hackers.
The security flaw, known as Heartbleed, is a vulnerability in the OpenSSL cryptographic software library. A wide range of software products, applications and web servers use this library for cryptographic services to ensure communications over the Internet are secure.
Heartbleed has been around for two years but was discovered and publicly released April 7. The bug could allow attackers to retrieve sensitive information stored on web servers that is normally protected using encryption, including passwords, usernames and the private keys used for encrypted website transactions, said Will Dormann, vulnerability analyst in the CERT Division of the Software Engineering Institute at Carnegie Mellon University.
The U.S. Computer Emergency Readiness Team (US-CERT), which is part of DHS, teamed with the Software Engineering Institute to publish an alert on April 8 with actionable information regarding Heartbleed and suggested mitigation steps, DHS spokesman S.Y. Lee said in an email.
“DHS continues to work with federal departments and agencies and the private sector to determine any potential impacts and help implement mitigation strategies, if necessary,” Lee said. “At this time, there are no reported compromises of these networks in relation to this potential vulnerability.”
Dormann recommends IT professionals ensure they are running the latest version of any software that would be affected, listed here. It is also important to regenerate the digital keys used for securing Internet traffic to and from web servers or any application, he said.
For Internet users, the panic over Heartbleed is another reminder of why people should change passwords periodically and not use the same password for multiple sites, he said.
“It’s an information leak,” Dormann said. Heartbleed won’t allow an attacker to immediately target an application, which makes it challenging to pinpoint the total impact, he said.
The General Services Administration, which runs several government websites and acquisition systems, is not impacted by the vulnerability, said GSA spokeswoman Mafara Hobson.
GSA’s Integrated Award Environment, which helps facilitate agency acquisitions, reported its 10 systems have been tested and appear to be unaffected by the Heartbleed Bug. Those systems include FBO.gov, the System for Award Management (SAM) and the Federal Awardee Performance and Integrity Information System (FAPIIS), a database that tracks contractor performance and misconduct.
The notice was posted on the Integrated Award Environment landing page and included a link to heartbleed.com for more information. System users were encouraged to take appropriate precautions if they use the same password for other Internet sites.
Some federal contractors have identified which of their products are affected by Heartbleed.
“We are working around the clock to provide fixed versions of code for our affected products,” Juniper Networks said on its website.
A list of vulnerable products, products under investigation and products that are not vulnerable is also available on the site. Meanwhile, the company provided potential workarounds to remediate the issue. Google and open source firm Red Hat also have notices posted on their websites.
“It’s one of those situations where you are preparing for the worst,” Dormann said.