Heartbleed: First reports of exploits emerge, warns US government agency

US Department of Homeland Security warns of first reports of Heartbleed OpenSSL exploits found in the wild

The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a part of the Department of Homeland Security, has warned that the first sightings of exploits seeking to take advantage of well-publicised security flaws in OpenSSL have appeared in the wild.

OpenSSL is an open-source security tool widely used to encrypt passwords when people log in to a system. A flaw in the implementation of OpenSSL could allow the private key used in a Secure Sockets Layer (SSL) communication to be exposed. An attacker could then decrypt and read any secure data passed on the network link.

In a freshly revised alert, the organisation warned that there are already indications that exploits have emerged to take advantage of the security flaw.

"ICS-CERT is aware of a public report of a vulnerability with proof-of-concept (PoC) exploit code that could expose private SSL keys used in the OpenSSL implementation of secure communication," claims the advisory.

It continues: "According to this report, the vulnerability in OpenSSL Versions 1.0.1 through 1.0.1f contains a flaw in its implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat functionality that could disclose private/encrypted information to an attacker."
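The advisory's affected range (OpenSSL 1.0.1 through 1.0.1f) is what an administrator would check first when triaging an estate. The following is an added inventory check, not code from the article or from ICS-CERT: it parses the version strings that `openssl version` prints (a constructed sample inventory is embedded), compares them against the quoted range, and flags the hosts that fall inside it. The host names and version strings are made up for illustration. One caveat a practitioner should keep in mind: some distributions ship a patched build under an unchanged upstream version string, so a hit here means "investigate", not "confirmed vulnerable".

```python
import re

# Affected range as stated in the ICS-CERT advisory quoted above:
# OpenSSL 1.0.1 (no letter suffix) through 1.0.1f, inclusive.
VULNERABLE_MIN = (1, 0, 1, "")
VULNERABLE_MAX = (1, 0, 1, "f")

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g", "1.0.1e-fips", etc.
# OpenSSL patch releases of that era used a trailing letter (1.0.1a, 1.0.1b, ...).
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) parsed from an `openssl version` line."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_heartbleed_affected(text):
    """True if the version lies in the advisory's range 1.0.1 .. 1.0.1f.

    Tuple comparison does the work: numeric fields compare numerically and the
    letter suffix compares lexically, with "" (plain 1.0.1) sorting before "a".
    A version-string match is a triage signal only; vendor backports can fix the
    bug without bumping the upstream version.
    """
    return VULNERABLE_MIN <= parse_openssl_version(text) <= VULNERABLE_MAX


def audit_inventory(inventory):
    """Map host -> True/False for a {host: version string} inventory."""
    return {host: is_heartbleed_affected(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-gw": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy-db": "OpenSSL 0.9.8y 5 Feb 2013",
    "build-box": "OpenSSL 1.0.2 22 Jan 2015",
}

if __name__ == "__main__":
    for host, flagged in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {'INVESTIGATE' if flagged else 'outside stated range'}")
```

The two hosts inside the stated range (plain 1.0.1 and 1.0.1e) are flagged; 1.0.1g, 1.0.2 and the 0.9.8 branch fall outside it. In practice the result feeds a patch-and-rekey list, since the advisory's point is that private keys on affected hosts may already have been disclosed.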

Ironically, while the ICS-CERT, one part of the US government, is battling to minimise the fall-out from the security flaw, another part of the US government - the US National Security Agency, predictably enough - has covertly been exploiting the flaw for at least two years, according to reports out today.