Heartbleed found in Cisco, Juniper products

SAN FRANCISCO - The Heartbleed Web-security flaw has been found in the hardware connecting homes and businesses to the Internet, underscoring the amount of time and effort that will be needed to defuse the threat.

Cisco Systems Inc. and Juniper Networks Inc. said some of their networking products are susceptible to the encryption bug, which was recently discovered by researchers at Google and prompted companies and government agencies to seek fixes to block hackers from gaining access to user names, passwords and other sensitive information.

The Heartbleed warnings come at a time of mounting concern about the security of information after consumer data breaches at Target and Neiman Marcus and the spying scandal involving the National Security Agency.

While security experts urged consumers to change their Web passwords as soon as possible, it will take longer to fix networking equipment and software, because Cisco and Juniper must rely on customers to apply the patches they push out, said Jaime Blasco, director of AlienVault Labs, part of AlienVault LLC.

“It’s more painful to update these kinds of devices,” Blasco said. “You have to go one by one.”

The vulnerability affects several of the routers, switches and security firewalls sold by Cisco and Juniper, the two manufacturers said in statements Thursday.

Heartbleed is a flaw in the design of OpenSSL, an encryption tool that runs on as many as two-thirds of all active websites, although many large consumer sites aren’t vulnerable to being exploited because they use specialized encryption equipment and software, according to Google’s researchers.

A programmer named Robin Seggelmann said he accidentally introduced the bug two years ago while working on a research project at the University of Muenster in Germany. He “failed to check” that a certain variable “contained a realistic value,” according to a blog post on the website of his current employer, Deutsche Telekom.

That error was overlooked by a reviewer and introduced into the official release, “turning a simple mistake into one with massive consequences,” he was quoted in the post.
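The missing check Seggelmann describes, shown as an added C example rather than OpenSSL's own code: a TLS heartbeat message (RFC 6520) carries a payload length field chosen by the peer, and the fix is to verify that the claimed payload, plus header and minimum padding, fits inside the bytes actually received before copying anything. Function and constant names here are the example's own, and the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat body (RFC 6520): 1 byte type (1 = request, 2 = response),
 * 2-byte big-endian payload_length, the payload, then >= 16 bytes of padding. */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* Return the payload length a heartbeat record claims, or -1 when that claim
 * does not fit inside the bytes actually received. This is the "realistic
 * value" check that was missing: the buggy code trusted payload_length and
 * copied that many bytes, reading past the real record into process memory. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;  /* cannot hold header + padding */
    if (rec[0] != 1 && rec[0] != 2) return -1;             /* unknown heartbeat type */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + claimed + HB_MIN_PADDING > rec_len) return -1;  /* the bounds check */
    return (int)claimed;
}

/* Echo a validated request as a response. The copy length comes from the
 * check above, never straight from the peer's length field. */
int build_heartbeat_response(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_len) {
    int plen = heartbeat_payload_len(req, req_len);
    if (plen < 0) return -1;
    size_t total = HB_HDR_LEN + (size_t)plen + HB_MIN_PADDING;
    if (total > out_len) return -1;
    out[0] = 2;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HDR_LEN, req + HB_HDR_LEN, (size_t)plen);
    memset(out + HB_HDR_LEN + plen, 0, HB_MIN_PADDING);  /* OpenSSL fills this with random bytes */
    return (int)total;
}

/* Constructed 24-byte sample records: 3-byte header, "hello", 16 bytes of padding. */
int check_well_formed_request(void) {
    uint8_t rec[24] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    return heartbeat_payload_len(rec, sizeof rec);   /* 5 */
}
int check_inflated_length_claim(void) {
    uint8_t rec[24] = {1, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o'};  /* claims 65535 payload bytes */
    return heartbeat_payload_len(rec, sizeof rec);   /* -1: claim exceeds the record */
}
int check_response_echoes_payload(void) {
    uint8_t rec[24] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'}, out[64];
    int n = build_heartbeat_response(rec, sizeof rec, out, sizeof out);
    return (n == 24 && out[0] == 2 && memcmp(out + HB_HDR_LEN, "hello", 5) == 0) ? n : -1;
}
```

The second sample is the shape of a malformed record a patched parser must reject: the length field is the only thing that changed, and the check above makes the claim, not the record size, the thing that fails.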

Seggelmann, who works at Deutsche Telekom’s corporate-client unit T-Systems, said the mistake showed that OpenSSL lacks support, with too few people involved in coding and checking.

Cisco said it would tell customers when software patches for its affected products are available.

“We take the management of security vulnerabilities very seriously,” the company said in a statement. “We encourage our customers to visit our website for ongoing updates.”

Juniper said it issued a patch last week for its most vulnerable products that feature virtual private network, or VPN, technology. VPNs offer a secure way to connect remotely to corporate networks.

“A subset of Juniper’s products were affected including certain versions of our SSL VPN software, which presents the most critical concern for customers,” Juniper said in an emailed statement. “The company issued a patch for its SSL VPN product on Tuesday and is working around the clock to provide patched versions of code for our other affected products.”

Banks and other financial institutions should also take steps to patch their computer systems as soon as possible to prevent attacks that exploit the vulnerability, U.S. agencies said.

The Federal Financial Institutions Examination Council, made up of representatives from the Federal Reserve Board of Governors, the Consumer Financial Protection Bureau and other regulators, said systems that operate a widely used encryption technology called OpenSSL are at risk of being hacked.

“The vulnerability could allow an attacker to potentially access a server’s private cryptographic keys compromising the security of the server and its users,” the council said in a statement Thursday. “Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks.”

JPMorgan Chase, the largest U.S. bank, doesn’t use the vulnerable software and user information hasn’t been exposed, the New York-based company said in a statement last week. Tests on the home pages of other large technology, e-commerce and banking companies including Microsoft, Amazon.com and Bank of America indicated they weren’t vulnerable.

“We should be grateful this was exposed before it caused any damage,” Avivah Litan, vice president at researcher Gartner Inc., said. “Everybody’s speculating on all the damage that could happen but we haven’t seen it.”

Beyond banks, the vast majority of large institutions whose networks were susceptible have applied the fix, said Robert Hansen, a specialist in Web application security who is vice president of the advanced technologies group of WhiteHat Security Inc.

“Everybody has to patch in the ecosystem,” Hansen said. “Everybody that they rely on for business continuity, for security, needs to be as secure as they are.”

Information for this article was contributed by Jeff Kearns of Bloomberg News.

Business, Pages 19 on 04/14/2014