Passwords vulnerable after serious security flaw found
Up to two-thirds of websites rely on the affected technology, called OpenSSL. Researchers were still looking at the impact on consumers but warned it could be significant.
The New York Times
What to do
• Wait a day or so, then change the passwords on the Web services you use. Immediately changing a password on a website that has not fixed the flaw might essentially hand the password to hackers.
• Changing passwords occasionally is a good idea, as is using a different password for each site.
• To vary passwords, try choosing a formula that is a variation on a theme. Pick a core password made up of a mixture of six letters and numbers that do not form a word. Then make each site’s password a variation on that core, which is reused.
— The New York Times
NEW YORK — Passwords, credit cards, bank details — even Social Security numbers — are at risk after a flaw was discovered in one of the Internet’s key security methods.
Security researchers say the threat is serious because it involves the encryption technology used to securely transmit email, e-commerce transactions, social-networking posts and other Web traffic. Attackers can exploit the vulnerability without leaving any trace.
The problem was first discovered by a team of Finnish security experts and researchers at Google last week and disclosed Monday. By Tuesday afternoon, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it.
Researchers were still looking at the impact on consumers but warned it could be significant.
The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Change a password on a site that hasn’t been fixed, and you could be handing the new password over to hackers. So before you do anything, they recommended, research a site to see if it has dealt with the issue. If it has, make the change.
The extent of the vulnerability was unclear. Up to two-thirds of websites rely on the affected technology, called OpenSSL. But some organizations appeared to have had advance notice of the issue and had already fixed the problem by Tuesday afternoon. Many others were still working on the problem.
There is no indication that hackers have used the flaw to steal information, although it has existed for about two years. The Finnish security researchers, working for Codenomicon, a security company headquartered in Saratoga, Calif., and security researchers at Google found the bug in a portion of OpenSSL, the software that provides the basic security encrypting sessions between consumer devices and websites. The affected portion is called the “heartbeat” because it pings messages back and forth. The researchers called the bug “Heartbleed.”
“It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”
Organizations were advised to immediately download the newest version of OpenSSL, which included a fix, and quickly swap out their encryption keys. It also meant organizations needed to change their corporate passwords, log out users and advise them to change their own passwords.
Then companies began taking inventory of what they may have lost. But because the flaw would allow attackers to surreptitiously steal the keys that protect communication, user passwords and anything stored in the memory of a vulnerable web server, it was virtually impossible to assess whether damage had been done.
Security researchers say they found evidence that suggests attackers were aware of the bug. Researchers monitoring various “honey pots” — stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques — found evidence that attackers had used the Heartbleed bug to access the fake data.
If there were actual victims, they would be out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won’t know if you’ve been compromised,” Chartier said. “That’s what makes it so vicious.”
Chartier advised users to consider their passwords gone and said companies should deal with the issue right away if they had not already.
“Companies need to get new encryption keys and users need to get new passwords,” he said.
Security researchers are also warning people to start changing their passwords, particularly for sensitive accounts like their online banking, email, file storage and e-commerce accounts.
By Tuesday afternoon, many organizations were heeding the warning. Companies across the Web, including Yahoo, OKCupid, Amazon and PayPal, began notifying users of the bug and what was being done to mitigate it. Tumblr, the social network owned by Yahoo, said it had issued fixes and warned users to immediately swap out their passwords.
“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” the security team at Tumblr wrote on its site. “This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage and banking, which may have been compromised by this bug.”
Information from The Associated Press is included in this report.