A US regulator has warned that cyber criminals could be impersonating bank services or stealing users' online banking passwords after the "Heartbleed" bug, called one of the most significant breaches of internet security ever, was discovered in the software used to secure two-thirds of the web.
The Federal Financial Institutions Examination Council said on Thursday that banks using the OpenSSL software should take steps to protect themselves by upgrading the software as soon as possible to address the vulnerability.
The regulator also suggested that financial institutions should consider replacing all the private keys for each service, which hackers could have stolen and used to access confidential information. Banks relying on third parties should also ensure their providers took action, it said.
"A significant vulnerability has been found in OpenSSL that could allow an attacker to decrypt, spoof, or perform attacks on network communications that would otherwise be protected by encryption," it said in a statement.
"Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email or gain access to internal networks. Potential attacks are made feasible by the public availability of exploitation tools."
The "Heartbleed" bug may have allowed cyber criminals to access anything stored in a computer's short-term memory, from user passwords to intellectual property.
It is not known if hackers exploited the vulnerability before it was discovered by a group of security researchers last week. But since it was announced on Monday, experts have said cyber criminals will be racing to find which sites are still vulnerable because they have not updated their software.
The potential damage continues to spread, with Juniper Networks confirming on Thursday that some of its products used to create a virtual private network also relied on the software. The company said it had repaired one product on Tuesday and was "working round the clock" to repair others.
The Federal Deposit Insurance Corp said there had been no reports of the vulnerability being exploited at financial institutions. Major banks do not appear on lists of companies that use the security software, possibly because they use their own secure language for their online banking systems.
But large technology companies including Google, Facebook and Yahoo do use the software and have had to rush to update and repair their systems. Amazon Web Services, whose customers include big brands and small businesses, was also affected. The Canada Revenue Agency shut down public access to online services amid fears that the flaw could be used to access sensitive taxpayer information.
Copyright The Financial Times Limited 2014.