Banks and other financial institutions should take steps to patch their computer systems as soon as possible to prevent attacks that exploit the Heartbleed Internet-security flaw, U.S. agencies said.
The Federal Financial Institutions Examination Council, made up of representatives from the Federal Reserve Board of Governors, the Consumer Financial Protection Bureau and other regulators, said systems that operate a widely used encryption technology called OpenSSL are at risk of being hacked.
Heartbleed, which was recently discovered by researchers at Google Inc. (GOOG), prompted security experts to urge consumers to change their Web passwords, even as Google, Facebook Inc. and large banks said they weren’t affected. While OpenSSL runs on as many as two-thirds of all active websites, many large consumer sites aren’t vulnerable to being exploited because they use specialized encryption equipment and software, according to Google’s researchers.
“The vulnerability could allow an attacker to potentially access a server’s private cryptographic keys compromising the security of the server and its users,” the council said in a statement today. “Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive e-mail, or gain access to internal networks.”
JPMorgan Chase & Co. (JPM), the largest U.S. bank, doesn’t use the vulnerable software and user information hasn’t been exposed, the New York-based company said in a statement yesterday. Tests on the home pages of other large technology, e-commerce and banking companies including Microsoft Corp., Amazon.com Inc. and Bank of America Corp. (BAC) indicated they weren’t vulnerable.
Beyond banks, the vast majority of large institutions whose networks were susceptible have applied the fix, said Robert Hansen, a specialist in Web application security who is vice president of the advanced technologies group of WhiteHat Security Inc.
“Everybody has to patch in the ecosystem,” Hansen said in an interview. “Everybody that they rely on for business continuity, for security, needs to be as secure as they are.”
The Heartbleed revelation comes at a time of mounting concern about hackers’ capabilities following consumer data breaches at Target Corp. and Neiman Marcus Group Ltd. and the spying scandal involving the National Security Agency. The flaw, which stems from a two-year-old programming mistake, was discovered by researchers from Google and Codenomicon, a security firm based in Finland, and reported to OpenSSL, according to a blog post from Codenomicon.
It isn’t known whether malicious hackers knew about the bug and were exploiting it, the researchers wrote. Google and Facebook said they addressed the problem before it was made public and saw no signs of vulnerabilities. OpenSSL is used by Internet companies to secure traffic flowing between servers and users’ computers. SSL refers to an encryption protocol known as Secure Sockets Layer, and its use is indicated by a closed padlock that appears in browsers next to a website’s address.
The FFIEC, an interagency group that coordinates practices and standards across the U.S. banking agencies, also includes the Federal Deposit Insurance Corp., National Credit Union Administration, Office of the Comptroller of the Currency and State Liaison Committee.
JPMorgan and other banks have been hit in the past with distributed denial-of-service, or DDoS, website attacks, in which hackers flood systems with traffic to shut them down.
The threat of cyber attacks on the U.S. financial system is growing as new online products emerge and weapons for hackers become more accessible, Comptroller of the Currency Thomas Curry said in a Sept. 18 speech in Washington.
“The growing sophistication and frequency of cyber attacks is a cause for concern, not only because of the potential for disruption, but also because of the potential for destruction of the systems and information that support our banks,” Curry said.
The Fed itself last year found a minor security breach on a website it uses to stay in touch with banks during emergencies. While the U.S. central bank’s critical operations weren’t affected, officials said they were working with law enforcement authorities to investigate the posting of employee data online.
Reporter on this story: Jordan Robertson in San Francisco.
Editors responsible for this story: Pui-Wing Tam, Reed Stevenson, Ben Livesey.