Homeland Security Statement On 'Heartbleed' Bug Tries To Be Reassuring, Fails

This just keeps getting worse. The Heartbleed bug is already considered one of the biggest threats the Internet has ever seen, and now looks to be even worse than first thought. Even the Department of Homeland Security has issued a statement about Heartbleed, essentially to say, "We're on top of it." Which they are, kind of.

Posted by the DHS's National Cybersecurity & Communications director Larry Zelvin, the statement details the many, many internal teams that are responding to the crisis. It's eye-opening that so many DHS internal teams are dedicated to cyber issues alone, and it's comforting for us to know what we should be doing in response.

According to the statement:

While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems.

Then, Mr. Zelvin calls on the public to do its part in "ensuring our nation’s cybersecurity." To make it easier for us, some of whom are cybersecurity neophytes — myself included — the Department listed some important tips for protecting cybersecurity and information online.

  • Many commonly used websites are taking steps to ensure they are not affected by this vulnerability and letting the public know. Once you know the website is secure, change your passwords.
  • Closely monitor your email accounts, bank accounts, social media accounts, and other online assets for irregular or suspicious activity, such as abnormal purchases or messages.
  • After a website you are visiting has addressed the vulnerability, ensure that if it requires personal information such as login credentials or credit card information, it is secure with the HTTPS identifier in the address bar. Look out for the “s”, as it means secure.

While these updates and tips from the DHS are reassuring, recent discoveries about the Heartbleed bug are not. On Friday, security experts warned that the bug could threaten more than Web servers, as the vulnerable OpenSSL code can be found in mobile phones, email servers, security products like firewalls, the software that runs webcams, and even online games.

Meanwhile, Cisco Systems Inc. and Juniper Networks Inc., two of the largest manufacturers of network equipment used by corporations and small businesses, confirmed Thursday that some of their products contain the Heartbleed bug.  

For now, companies and government agencies continue to scramble to determine which products are vulnerable. Though experts advise you to avoid using any device with the vulnerable software in it, they offer a bit of reassurance: It would take a lot of effort for a hacker to extract any useful data off of your iPhone. Which is, um, reassuring...

