The Department of Defense said the notorious Heartbleed bug has not compromised its classified networks.
Richard Hale, DoD's deputy chief information officer for cybersecurity, noted that Heartbleed "is starting to go away, but this is a massive undertaking." He also said that new software is now available to fix systems. This widely used software is on thousands of websites, including those run by the government
Hale said the government is "looking at all of its websites and ensuring that they are either not vulnerable or the vulnerability is fixed as quickly as possible."
Hale emphasized that Heartbleed has no effect on DOD classified networks, and minimal effect on DoD unclassified sites.
"We have an aggressive process to find this vulnerability and eliminate it immediately," Hale said. "Really, what the department did immediately was block the exploitation of this vulnerability at the boundary between the department's network and the Internet."
The Department of Homeland Security, through the National Protection and Programs Directorate, is leading a whole-of-government response to the threat posed by the Heartbleed. It is doing so by issuing guidance to the public and key stakeholders.
Government officials suggest that people refrain from logging into a website and changing their password until they've confirmed that a patch is in place on that website that protects users from Heartbleed.
If the Heartbleed patch is not in place, changing your password would be useless and could give an attacker the new password.
Officials also recommend starting with websites that contain the most sensitive personal information, such as banking and credit card sites and email and social media accounts. It's a good idea not to re-use passwords.
Over the next few weeks, people should closely monitor their accounts for suspicious activity. Among these activities are purchases they didn't make or messages they didn't send or post. People also should be aware that websites requiring the user to enter personal information such as credit card or bank account numbers should be secure. This means that the website's URL, or Web address, should begin with https.