
U.S. Agencies Urge Banks to Fix Heartbleed Web-Security Flaw

April 10 (Bloomberg) -- Banks and other financial institutions should take steps to patch their computer systems as soon as possible to prevent attacks that exploit the Heartbleed Web-security flaw, U.S. agencies said.

The Federal Financial Institutions Examination Council, made up of representatives from the Federal Reserve Board of Governors, the Consumer Financial Protection Bureau and other regulators, said systems that use a widely used encryption technology called OpenSSL are at risk of being hacked.

Heartbleed, which was recently discovered by researchers at Google Inc., prompted security experts to urge consumers to change their Web passwords, even as Google, Facebook Inc. and large banks said they weren’t affected. While OpenSSL runs on as many as two-thirds of all active websites, many large consumer sites aren’t vulnerable to being exploited because they use specialized encryption equipment and software, according to the researchers.

“Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive e-mail, or gain access to internal networks,” the council said in a statement today.

JPMorgan Chase & Co., the largest U.S. bank, doesn’t use the vulnerable software and user information hasn’t been exposed, the New York-based company said in a statement yesterday. Tests on the home pages of other large technology, e-commerce and banking companies including Microsoft Corp., Amazon.com Inc. and Bank of America Corp. indicated they weren’t vulnerable.

Mounting Concern

The Heartbleed revelation comes at a time of mounting concern about hackers’ capabilities following consumer data breaches at Target Corp. and Neiman Marcus Group Ltd. and the spying scandal involving the National Security Agency. The flaw involving a two-year-old programming mistake was discovered by researchers from Google and Codenomicon, a security firm based in Finland, and reported to OpenSSL, according to a blog post from Codenomicon.

It isn’t known whether malicious hackers knew about the bug and were exploiting it, the researchers wrote. Google and Facebook said they addressed the problem before it was made public and saw no signs of vulnerabilities. OpenSSL is used by Internet companies to secure traffic flowing between servers and users’ computers. SSL refers to an encryption protocol known as Secure Sockets Layer and its use is indicated by a closed padlock appearing on browsers next to a website’s address.
