Heartbleed Forces Emergency Maintenance of House, Senate Sites
Posted at 12:05 p.m. on April 10, 2014
Members of Congress were among the millions of Americans who found out their data might be at risk as a result of the major Internet security flaw exposed earlier this week, the “Heartbleed” bug.
People visiting House.gov, member or committee websites on Wednesday night may have hit error messages as the technology support team of House Chief Administrative Officer Ed Cassidy performed emergency maintenance.
“There are no indications the House has suffered a security breach,” Cassidy said in an email sent to members and employees on Wednesday that was obtained by CQ Roll Call. “CAO engineers are updating the security protocols as part of the work they do to protect the House from cyber security threats.”
No breaches were found, CAO spokesman Dan Weiser confirmed in a Thursday morning email.
Internet security staff for Senate Sergeant-at-Arms Terrance W. Gainer also monitored for security breaches.
“Senate.gov web servers are well protected, Akamai has proactively patched their servers, and the few of our internal servers known to have been vulnerable have been patched,” SAA staff assured users in a notice posted on internal sites. “We are working to ensure that no other Senate systems are vulnerable.”
In a follow-up, Senate users were given specific instructions on changing passwords and assured that additional updates would be provided as more information was gained.
“At this time, neither I nor our IT security specialists are aware of any specific security compromises of our systems,” Gainer said in an email to CQ Roll Call on Thursday morning. “This includes external facing Senate.gov and member/committee websites as well. However, as is being widely reported, the extent of the impact of the potential for compromises is not yet known.”
Gainer said his staff will continue to monitor its systems and the worldwide response to the consequences of the recently discovered vulnerability, and that some vendors “owe us a few responses about their systems.”
Nicknamed “Heartbleed” by the researchers who discovered it, the bug affects the encryption technology designed to protect online accounts. Heartbleed exposes consumers’ credit card, banking, email and social media passwords and usernames to hacking by affecting a security protocol known as SSL.
Security experts worry that the massive leak went undetected for more than two years.
An email circulating among House Democratic staffers on Wednesday morning, obtained by CQ Roll Call, assured staffers that the CAO’s House information resources team was checking all systems for exposure and would be making required updates, including an update to the web firewall, as quickly as possible.
Staffers were assured that there was nothing for individual offices to do other than be aware that the CAO was aggressively pursuing appropriate action.
“The House continually monitors all potential cybersecurity threats and takes appropriate steps to protect the integrity of its systems,” House Administration Chairwoman Candice S. Miller, R-Mich., said in a statement emailed to CQ Roll Call. “We are aware of this vulnerability and are taking action to ensure the House systems are protected.”
Staff for Rep. Robert A. Brady, D-Pa., ranking member of the House Administration Committee, told CQ Roll Call on Wednesday afternoon that they were assured the CAO’s office was aware of the potential security threat and working to make sure members were protected.