WASHINGTON, April 21, 2014 – The Defense Department has dealt effectively with the Heartbleed computer vulnerability, but individuals must do their parts as well, DOD’s deputy chief information officer for cybersecurity said.
Richard A. Hale spoke about Heartbleed during an interview with American Forces Press Service and the Pentagon Channel.
Heartbleed is a vulnerability in the software used to encrypt the interactions between a Web server and the people using that server. People who do online banking or e-commerce are vulnerable to having their passwords and logins stolen.
“The software is used in many Web servers on the Internet, but not all servers,” Hale said. “Some are vulnerable to this flaw.”
Heartbleed undermines the encryption process on secure websites, email, instant messaging and likely a variety of other programs and applications, officials said, potentially putting users’ sensitive personal data — such as usernames, passwords and credit card information — at risk of being intercepted by hackers. Hackers who intercept that information, they added, could then use it to access users’ personal accounts.
Cybersecurity specialists learned of Heartbleed on April 7. “The people who wrote this software immediately fixed the flaw,” he said.
New software is available to fix systems. “The flaw is starting to go away, but this is a massive undertaking,” Hale said. “It is a widely used software used on thousands of websites and thousands of different network products.
“The government is doing the same thing,” he continued. “It’s looking at all of its websites and ensuring that they are either not vulnerable or the vulnerability is fixed as quickly as possible.”
Heartbleed has no effect on DOD classified networks, and minimal effect on DOD unclassified sites, he said. “We have an aggressive process to find this vulnerability and eliminate it immediately,” Hale said. “Really, what the department did immediately was block the exploitation of this vulnerability at the boundary between the department’s network and the Internet.”
Common access cards and the PINs associated with them are not affected by Heartbleed, he said, but service members and their families still need to take action.
“You should go to your bank’s website … and check whether the bank software has been fixed or whether it is vulnerable,” he said. “If it is fixed, then I recommend changing your password. It is best to assume that your password might have been compromised and change it.”
The Department of Homeland Security, through the National Protection and Programs Directorate, is leading a whole-of-government response to the threat posed by the Heartbleed security vulnerability by issuing guidance to the public and key stakeholders.
Officials recommend that people refrain from logging into a website and changing their password until they’ve confirmed that a patch is in place on the site to protect users from the Heartbleed vulnerability. If the Heartbleed patch is not yet in place, they explained, changing the password would be useless and could give an attacker the new password.
In addition, officials recommend starting with the sites that contain the most sensitive personal information, such as banking and credit card sites and email and social media accounts. It’s a good idea, they added, not to re-use passwords.
Over the next few weeks, officials said, people should closely monitor their accounts for suspicious activity — purchases they didn’t make or messages they didn’t send or post. They also should be aware that websites requiring the user to enter personal information such as credit card or bank account numbers should be secure — the URL, or Web address, should begin with https, officials added.
Phishing attacks via email could seek to exploit concerns about Heartbleed, officials warned. The attacker would send an email purporting to be from the user’s email provider, bank or another frequently used website and providing a link for the user to click on to change the password. To be safe, officials recommend, go directly to the websites to change passwords, and type the link yourself, rather than clicking on links embedded in emails.
The DHS website, http://www.dhs.gov, has up-to-date information on Internet security threats, including Heartbleed.