Heartbleed bug spreads to routers and other gear
The vulnerability that has online companies scrambling also affects the equipment that connects the Web.
The encryption bug that has the Internet on high alert also affects the equipment that connects the Web.
Cisco Systems (CSCO) and Juniper Networks (JNPR), two of the largest manufacturers of network equipment, said Thursday that some of their products contain the "Heartbleed" bug, meaning hackers might be able to capture user names, passwords and other sensitive information as it moves across corporate networks, home networks and the Internet.
Many websites -- including those run by Yahoo (YHOO), Amazon.com (AMZN) and Netflix (NFLX) -- quickly fixed the hole after it was disclosed Monday. But Cisco and Juniper said the security flaw affects routers, switches and firewalls used in businesses and at home.
These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said.
Bruce Schneier, a cybersecurity researcher and cryptographer, said, "The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy."
To be sure, the products available at retail stores now likely were shipped before the bug was revealed on Monday and may also contain the defective software, which comes from encryption code known as OpenSSL.
Companies often use firewalls and virtual private networks to protect their computer systems. But if the machines that run the firewalls and virtual private networks are affected by the Heartbleed bug, attackers could use them to infiltrate a network, said Matthew Green, an encryption expert at Johns Hopkins University.
"It's pretty bad," Green said. "Lots and lots of people connect to these things."
Green and others said the bug likely affects some home-networking equipment, such as wireless routers.
In a customer bulletin updated Thursday, Cisco told clients that 66 products are "affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve" potentially sensitive information.
Cisco said it would update customers when it has software patches. In the meantime, its security researchers offered users software that it said would detect hackers exploiting the bug. A Cisco spokesman referred a query to the bulletin on its website.
Juniper said the process of updating its equipment might be lengthy. "It doesn't sound like a flip-the-switch sort of thing," said Corey Olfert, a Juniper spokesman. "I don't know how quickly they can be resolved."
To keep prying eyes out, websites and network equipment use encryption to turn sensitive information into a jumble of unreadable text. Since writing encryption code is complex, developers often use a free, open-source version called OpenSSL. It's a barebones project managed by four European coders.
The Heartbleed bug -- first introduced into OpenSSL two years ago -- allows hackers to grab bits of data from servers and equipment after it has been decrypted.
It is hard to even comprehend all of the unbelievable complications that have infected every facet of our lives in the 21st century. It is precisely at times like these that I wish I could just find a Time Machine, jump in, and push the button for 1967. I didn't realize then how good I had it ... and how incredibly simple life was on a daily basis. I smiled a lot more back then ... where in Hell did it all go?
Peace to all ~
someone broke the internet.
maybe we can all go outside and enjoy life again.
Open source takes a hit. Even big companies like Cisco prefer to let 4 coders in Europe manage/write their security base for them because it is free. Wow. Ever buy a Cisco router? Someone is getting a hefty profit margin! I would have expected the "big ones" to be above this. But I guess not.
And will they take the financial heat over this? I doubt it. The profits are all they care about. At least they can't blame Microsoft for this one.
Where can my clients get their refund on money wasted on empty security promises?
Use your power for good.
I'm an old school software developer. In my eyes the problem is young developers - these latest and greatest technology 'professionals' - are lazy. L.A.Z.Y. Write your own code rather than depending on all those free libraries that anyone can pick apart and exploit. ....it all starts with our poor education system - or indoctrination system - it just doesn't encourage creativity or thinking for yourself.
As far as I'm concerned the sheeple stood by and let it all go to hell. Go back to sleep, buy your new iPhone, Rebrand your Constitutional Republic as a Democracy until it finally collapses into socialism, depend on mainstream media for the truth, choose your side in the 2 party system, drink your fluoridated water, take your prescribed medication and wear those invisible chains to which you are shackled.
Why does no one ever get caught or sent to jail for this stuff? All these smart people who can fix it but can't track it down to where it came from. I'm beginning to think maybe you are right. It is from the government somewhere or the security companies to sell more products. Like the CEOs of big companies who cheat or inside trade to make big bucks and when caught the gov gives them a big fine paid for by the shareholders and he still gets a bonus and goes back to work. They would put us little people under the jail. Money talks and buys the best, I guess never had any extra to try it with.
Why is no one found for this?
Copyright © 2014 Microsoft. All rights reserved.