Heartbleed bug spreads to routers and other gear

The vulnerability that has online companies scrambling also affects the equipment that connects the Web.

By MSN Money Partner, Apr 10, 2014 6:01PM
Image: Network cable © Epoxydude/Getty Images
By Danny Yadron, The Wall Street Journal

The encryption bug that has the Internet on high alert also affects the equipment that connects the Web.


Cisco Systems (CSCO) and Juniper Networks (JNPR), two of the largest manufacturers of network equipment, said Thursday that some of their products contain the "Heartbleed" bug, meaning hackers might be able to capture user names, passwords and other sensitive information as it moves across corporate networks, home networks and the Internet.


Many websites -- including those run by Yahoo (YHOO), Amazon.com (AMZN) and Netflix (NFLX) -- quickly fixed the hole after it was disclosed Monday. But Cisco and Juniper said the security flaw affects routers, switches and firewalls used in businesses and at home.


These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said.


Bruce Schneier, a cybersecurity researcher and cryptographer, said, "The upgrade path is going to involve trash can, a credit card, and a trip to Best Buy."


To be sure, the products available at retail stores now likely were shipped before the bug was revealed on Monday, and may also contain the defective software, which comes from encryption code known as OpenSSL.


Companies often use firewalls and virtual private networks to protect their computer systems. But if the machines that run the firewalls and virtual private networks are affected by the Heartbleed bug, attackers could use them to infiltrate a network, said Matthew Green, an encryption expert at Johns Hopkins University.


"It's pretty bad," Green said. "Lots and lots of people connect to these things."


Green and others said the bug likely affects some home-networking equipment, such as wireless routers.


In a customer bulletin updated Thursday, Cisco told clients that 66 products are "affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve" potentially sensitive information.


Cisco said it would update customers when it has software patches. In the meantime, its security researchers offered users software that it said would detect hackers exploiting the bug. A Cisco spokesman referred a query to the bulletin on its website.


Juniper said the process of updating its equipment might be lengthy. "It doesn't sound like a flip-the-switch sort of thing," said Corey Olfert, a Juniper spokesman. "I don't know how quickly they can be resolved."


To keep prying eyes out, websites and network equipment use encryption to turn sensitive information into a jumble of unreadable text. Since writing encryption code is complex, developers often use a free, open-source version called OpenSSL. It's a barebones project managed by four European coders.


The Heartbleed bug -- first introduced into OpenSSL two years ago -- allows hackers to grab bits of data from servers and equipment after it has been decrypted.




137 Comments
Apr 10, 2014 7:56PM
The little jerks that do this stuff made my life as a CIO miserable.  I spent ridiculous hours with my network staff and then they had to spend countless hours safeguarding our network.  Mind you, this has nothing to do with the business at hand.  Hackers are able to do this because they can purchase open systems architecture that's dirt cheap and work at home - round the clock.  Back in the earlier days when we were using Blue boxes - they couldn't get a virus into that stuff.  Hackers couldn't afford to purchase an MVS machine or have an AS 400 on hand to mess with.  It's a different world now that we're all networked on the Internet.  And, the U.S. wants to give up control - I can't even describe how stupid that is. 
Apr 10, 2014 11:02PM

Retrospect ....

It is hard to even comprehend all of the unbelievable complications that have infected every facet of our lives in the 21st century. It is precisely at times like these that I wish I could just find a Time Machine, jump in, and push the button for 1967. I didn't realize then how good I had it ...and how incredibly simple life was on a daily basis. I smiled a lot more back then...where in Hell did it all go?


Peace to all ~

Apr 10, 2014 8:11PM

Finally...

someone broke the internet.


maybe we can all go outside and enjoy life again.

Apr 10, 2014 7:46PM

Open source takes a hit.  Even big companies like Cisco prefer to let 4 coders in Europe manage/write their security base for them because it is free.  Wow.  Ever buy a Cisco router?  Someone is getting a hefty profit margin!  I would have expected the "big ones" to be above this.  But I guess not.

 

And will they take the financial heat over this?  I doubt it.  The profits are all they care about.  At least they can't blame Microsoft for this one.

 

Where can my clients get their refund on money wasted on empty security promises?

Apr 10, 2014 7:44PM
It's all gonna be o.k.  The White House will hire the same firm that built the Obamacare website!  They'll solve all these problems!
Apr 11, 2014 3:02AM

Use your power for good.

 

I'm an old school software developer.  In my eyes the problem is young developers - these latest and greatest technology 'professionals' - are lazy. L.A.Z.Y.  Write your own code rather than depending on all those free libraries that anyone can pick apart and exploit. ....it all starts with our poor education system - or indoctrination system - it just doesn't encourage creativity or thinking for yourself.

 

As far as I'm concerned the sheeple stood by and let it all go to hell.  Go back to sleep, buy your new iPhone, Rebrand your Constitutional Republic as a Democracy until it finally collapses into socialism, depend on mainstream media for the truth, choose your side in the 2 party system, drink your fluoridated water, take your prescribed medication and wear those invisible chains to which you are shackled.

Apr 10, 2014 10:10PM
My neighbor is CIO at a major bank and told me years ago to not do any banking online as nothing is secure.  Guess he is right.  Glad I took his advice.
Apr 10, 2014 6:16PM
So when are the manufacturers going to start replacing or fixing this equipment? On the other hand maybe they are going to assume liability for damages?
Apr 10, 2014 11:29PM
"The upgrade path is going to involve trash can, a credit card, and a trip to Best Buy."

How convenient. It was probably written by the companies that sell routers. LOL
Apr 10, 2014 9:54PM
Hello there hackies, we will find you, and we will kill you. Give it up now boys you cannot run far enough.
Apr 11, 2014 1:43AM

Why does no one ever get caught or sent to jail for this stuff?  All these smart people who can fix it but can't track it down to where it came from. I'm beginning to think maybe you are right. It is from the government somewhere or the security companies to sell more products. Like the CEOs of big companies who cheat or inside trade to make big bucks and when caught the gov gives them a big fine paid for by the shareholders and he still gets a bonus and goes back to work. They would put us little people under the jail. Money talks and buys the best, I guess never had any extra to try it with.

Why is no one found for this?????

Apr 11, 2014 3:17AM
Am I the only one who finds it entirely too coincidental that this "super virus" shows up a day before Microsoft abandons the super popular XP operating system, recommending we buy their crappy new OS to beta test it for them on our dime, or benjamins?
Apr 11, 2014 12:03AM
Two years? Why should everybody jump out a window now? The world should have come crashing down long ago? This smells to me.
Apr 11, 2014 8:24AM
Seems like, no matter what you do nowadays, someone is out to wreck you, steal from you, their greedy little trouble making mitts into your pocket, your stuff, no matter where you shop or what you use.
Apr 11, 2014 7:49AM
Why aren't the SSL coders and the corporate inculcaters stepping up to provide remedies for their flawed software/machines? If these were cars, there would be a recall. Why not with faulty electronics? Software? Perhaps we all should have waited until tomorrow to buy gadgets.

Why should consumers have to go buy new devices when they were sold ones that were supposed to be secure? It seems the providers are the ones who should make the correction move. All the way back to the fat designers and inventors.

We are talking billions of devices headed to landfill because overly greedy device manufacturers are like lemmings in their design process. It is not like hacking was a secret for the last decade. The time has come to hold digital manufacturers and their decision makers responsible for their poor decisions. If this were the norm, maybe winME, winVista and win(H)8 would never have been foisted on the public.

The endless stream of up-dates and unnecessary new versions (that aren't really new at all) is a pox on the digital market. These companies have made billions and billions, why should they enjoy the benefit of everyone having to re-purchase equipment because of their lazy attitudes?

Finally, please, please, please don't let the nimrods in the District of Criminals have worthless, do nothing hearings over this matter that they don't comprehend at all. For all the talk of intelligence in Washington, there is damned little to be found. They may be smart at fleecing taxpayers, but they don't know anything about life in USSA [sic].

©2014 All rights reserved. No use without written permission. All statutory exemptions specifically revoked by author. One license to display here. Protected by federal law and international treaty.
Apr 11, 2014 4:35AM
When the hacker is found the government hires them to work for the FBI.
Apr 11, 2014 2:36AM
See, this is why you do not use open source. OpenSSL is open source and not maintained as much. This bug has been around for 2 years before the OpenSSL project fixed it.
Apr 10, 2014 10:39PM
The government hopes we all get lazy with this news so when the economy hits the fan they can blame hackers when you check your accounts and you have nothing and the government will laugh and laugh knowing you elected that idiot in chief not once but twice!!!
Apr 11, 2014 10:06AM
The author obviously doesn't know WTF they are talking about. "Heartbleed bug spreads...". Guess what folks, bugs don't "spread." It's not a virus. It's a pre-existing flaw in the software that was recently discovered. The hackers didn't create the bug in the software, they just figured out it was there. In a way whoever exposed this security flaw did everyone a favor. After the temporary inconvenience of patching the systems, things will be a little more secure in the future. And before you people go getting your panties in a bunch, you need to realize that all software of any degree of complexity has bugs in it. It's pretty much impossible to write perfect software. This is just a side effect of living in a technological world.
Apr 11, 2014 9:35AM
If they would execute the hackers when they are found, this would soon stop. The courts are way too easy on these people. Make the punishment for this crime as severe as possible and you would have fewer people trying it.