InternetNZ chief executive Jordan Carter warned yesterday website owners might find their sites had been breached and private information, including log-ons and passwords, stolen after the Heartbleed vulnerability was identified.
He advised website owners to check their sites and patch them where required. Individual users should change their passwords as a matter of course.
''Website owners shouldn't panic but quick action is required by those using vulnerable versions of OpenSSL.''
Researchers have observed sophisticated hacking groups conducting automated scans of the internet in search of web servers running a widely used web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers.
OpenSSL is used on about two-thirds of all web servers, but the issue has gone undetected for about two years.
Mr Carter said the vulnerability in OpenSSL software, commonly used to secure websites, was easy to exploit and virtually impossible to detect when it had been exploited. Any website using a vulnerable version of OpenSSL might have been attacked by criminals stealing data or eavesdropping on communications to and from the site.
''Now this vulnerability is widely known, the likelihood of criminals using this exploit are significantly higher.''
Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.
By Tuesday, Kaspersky had identified such scans coming from ''tens'' of actors, and the number increased on Wednesday after security software company Rapid7 released a free tool for conducting such scans.
''The problem is insidious,'' Mr Baumgartner told Reuters.
''Now it is amateur hour. Everybody is doing it.''
OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.
''There is nothing users can do to fix their computers,'' said Mikko Hypponen, chief research officer with security software maker F-Secure.
Representatives for Facebook, Google and Yahoo Inc told Reuters they had taken steps to mitigate the impact on users.
Google spokeswoman Dorothy Chou told Reuters: ''We fixed this bug early and Google users do not need to change their passwords.''
Ty Rogers, a spokesman for Amazon.com, said ''Amazon.com is not affected.''
Steve Marquess, president of the OpenSSL Software Foundation, said he could not identify other computer programs that used OpenSSL code that might make devices vulnerable to attack.
Fixing Heartbleed
(1)Establish if your site's servers are vulnerable. This can be done by visiting https://www.ssllabs.com/ssltest.
(2)Patch the vulnerable servers.
(3)Revoke/reissue certificates. This is an important step as the servers might have been compromised for some time, without detection.
