By Jim Garamone
American Forces Press Service
WASHINGTON, April 19, 2014 – The Defense Department has
dealt effectively with the Heartbleed computer vulnerability, but individuals
must do their part as well, DOD’s deputy chief information officer for
cybersecurity said.
Richard A. Hale spoke about Heartbleed during an interview
with American Forces Press Service and the Pentagon Channel.
Heartbleed is a vulnerability in OpenSSL, the encryption software
many Web servers use to scramble the interactions between the server and the people
using it. The flaw lets an attacker read fragments of a vulnerable server's memory,
so people who do online banking or e-commerce on an affected site are at risk of
having passwords and logins stolen.
“The software is used in many Web servers on the Internet,
but not all servers,” Hale said. “Some are vulnerable to this flaw.”
Heartbleed undermines the encryption process on secure
websites, email, instant messaging and likely a variety of other programs and
applications, officials said, potentially putting users’ sensitive personal
data -- such as usernames, passwords and credit card information -- at risk of
being intercepted by hackers. Hackers who intercept that information, they
added, could then use it to access users’ personal accounts.
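The mechanism behind those warnings, as an added example that is not code from the article or from OpenSSL: a simplified model of the TLS heartbeat message, the unchecked copy that lets a server echo back more bytes than the client sent, the bounds check that fixes it, and the decision a scanner makes to tell a fixed server from a vulnerable one. The wire format is reduced to type, length, payload and padding, and the "process memory" next to the request is constructed sample data; the names are this example's own.

```python
import struct
from typing import Callable, Optional, Tuple

# Simplified model of the TLS heartbeat extension (RFC 6520) and the Heartbleed
# over-read. Added example: not the article's code and not OpenSSL's; the real
# library also has to complete a TLS handshake before any heartbeat is accepted.

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Encode a heartbeat request: type | length | payload | padding.
    A well-formed client sets claimed_len == len(payload); a Heartbleed probe
    claims more than it actually sends (up to 65535 bytes in the real protocol)."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * PADDING_LEN)


def vulnerable_handler(record: bytes, process_memory: bytes) -> Optional[bytes]:
    """Pre-fix behaviour: trust the client's length field and copy that many
    bytes starting at the payload, running past the request into whatever the
    process holds next to it (modelled here as process_memory)."""
    hb_type = record[0]
    payload_len = struct.unpack("!H", record[1:3])[0]
    if hb_type != HEARTBEAT_REQUEST:
        return None
    heap = record + process_memory           # the request and what follows it
    echoed = heap[3:3 + payload_len]          # the unchecked copy
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * PADDING_LEN)


def fixed_handler(record: bytes, process_memory: bytes) -> Optional[bytes]:
    """Post-fix behaviour, the bounds check OpenSSL added expressed in Python:
    silently drop any request whose claimed payload does not fit in the record."""
    if 1 + 2 + PADDING_LEN > len(record):
        return None
    hb_type = record[0]
    payload_len = struct.unpack("!H", record[1:3])[0]
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > len(record):
        return None                           # discarded, no echo at all
    echoed = record[3:3 + payload_len]        # now bounded by the record
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * PADDING_LEN)


def classify_response(sent_payload: bytes, response: Optional[bytes]) -> str:
    """The decision a Heartbleed scanner makes: no reply to an oversized probe
    means the check is in place; a reply echoing more bytes than were sent means
    the server read past the request."""
    if not response or response[0] != HEARTBEAT_RESPONSE:
        return "not vulnerable"
    resp_len = struct.unpack("!H", response[1:3])[0]
    echoed = response[3:3 + resp_len]
    if resp_len > len(sent_payload) and echoed.startswith(sent_payload):
        return "vulnerable"
    return "not vulnerable"


# Constructed sample of data that might sit next to the request in server memory.
PROCESS_MEMORY = b"\x00" * 8 + b"user=alice&password=hunter2;" + b"\x00" * 28
PROBE = b"ping"


def run_probe(handler: Callable[[bytes, bytes], Optional[bytes]],
              claimed_len: int) -> Tuple[str, bytes]:
    """Send one probe through a handler; return the verdict and any bytes that
    came back from outside the request itself."""
    request = build_heartbeat(PROBE, claimed_len)
    response = handler(request, PROCESS_MEMORY)
    verdict = classify_response(PROBE, response)
    if response is None:
        return verdict, b""
    resp_len = struct.unpack("!H", response[1:3])[0]
    echoed = response[3:3 + resp_len]
    # Anything after the probe and its own padding did not come from the client.
    return verdict, echoed[len(PROBE) + PADDING_LEN:]


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("fixed", fixed_handler)):
        verdict, leaked = run_probe(handler, claimed_len=64)
        print(f"{name}: {verdict}, leaked {len(leaked)} bytes: {leaked!r}")
```

The oversized probe is the same request a real scanner sends after the TLS handshake; a patched server's silence is why scanners rely on a timeout rather than an error message, and the leak per request is bounded by the 16-bit length field, which is where the often-quoted figure of up to 64 KB per request comes from.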
The vulnerability was publicly disclosed April 7.
“The people who wrote this software immediately fixed the flaw,” Hale said.
New software is available to fix systems. “The flaw is
starting to go away, but this is a massive undertaking,” Hale said. “It is
widely used software, used on thousands of websites and thousands of different
network products.
“The government is doing the same thing,” he continued.
“It’s looking at all of its websites and ensuring that they are either not
vulnerable or the vulnerability is fixed as quickly as possible.”
Heartbleed has no effect on DOD classified networks, and
minimal effect on DOD unclassified sites, he said. “We have an aggressive
process to find this vulnerability and eliminate it immediately,” Hale said.
“Really, what the department did immediately was block the exploitation of this
vulnerability at the boundary between the department’s network and the
Internet.”
Common access cards and the PINs associated with them
are not affected by Heartbleed, he said, but service members and their families
still need to take action.
“You should go to your bank’s website … and check whether
the bank software has been fixed or whether it is vulnerable,” he said. “If it
is fixed, then I recommend changing your password. It is best to assume that
your password might have been compromised and change it.”
The Department of Homeland Security, through the National
Protection and Programs Directorate, is leading a whole-of-government response
to the threat posed by the Heartbleed security vulnerability by issuing
guidance to the public and key stakeholders.
Officials recommend that people refrain from logging into a
website and changing their password until they’ve confirmed that a patch is in
place on the site to protect users from the Heartbleed vulnerability. If the
Heartbleed patch is not yet in place, they explained, changing the password
would be useless and could give an attacker the new password.
In addition, officials recommend starting with the sites
that contain the most sensitive personal information, such as banking and
credit card sites and email and social media accounts. It’s a good idea, they
added, not to re-use passwords.
Over the next few weeks, officials said, people should
closely monitor their accounts for suspicious activity -- purchases they didn’t
make or messages they didn’t send or post. They also should check that any
website asking for personal information such as credit card or bank account
numbers is served over a secure connection: the URL, or Web address, should
begin with https, officials added. (The https prefix shows the connection is
encrypted; it does not by itself show that the site has been patched.)
Phishing attacks via email could seek to exploit concerns
about Heartbleed, officials warned. The attacker would send an email purporting
to be from the user’s email provider, bank or another frequently used website
and providing a link for the user to click on to change the password. To be
safe, officials recommend, go directly to the websites to change passwords, and
type the address yourself rather than clicking on links embedded in emails.
The DHS website, http://www.dhs.gov, has up-to-date
information on Internet security threats, including Heartbleed.