Debate Magazine

Newly Discovered Heartbleed Computer Virus Lets Hackers Read Everything in Your Computer

By Eowyn @DrEowyn

Hannah Kuchler reports for Financial Times, April 9, 2014, that Internet security engineers recently discovered a nasty computer “heartbleed bug” that allows hackers to eavesdrop on communications, steal data directly from the services and users (i.e., your computer’s hard drive), and impersonate services and users.

The bug was found in an encryption method used on about two-thirds of all websites, including Google, Amazon, Yahoo and Facebook, potentially exposing web traffic, user data and stored content to cyber criminals.

Although the bug has been around for three years, we are told there is so far no evidence that a hacker has exploited the flaw.

OpenSSL has released an update to repair the flaw and companies must update their software to be safe. Those companies include:

  • Google, which said it had fixed the flaw in key Google services and Facebook by adding protections even before the heartbleed bug was publicly disclosed.
  • Amazon Web Services, whose clients include sites from Netflix to Unilever, said it had applied “mitigations” so customers did not need to act.
  • Yahoo said it had “made the appropriate corrections” to its main properties and was working to fix its other sites.
  • Matthew Prince, chief executive at Cloudflare, a company that provides a security barrier for about 5% of web requests, said it had fixed its encryption after being alerted last week.

But even those who fix the software cannot necessarily see if a hacker has already used the vulnerability to access their systems. Netcraft, which monitors what code is used in each site, said more than half a million trusted websites were vulnerable to the bug.

Prince said “This is very bad and it may be extremely bad. This is one of the really bad internet bugs ever.” He warns that the flaw could affect “almost everyone” as the software is used by more than 60% of all websites. The flaw could have allowed hackers to read everything in a computer’s memory. Researchers had found the vulnerability could be used to read people’s Yahoo emails, but Prince says they still do not know if the keys to other secure information have also been found, which could render protection of anything from intellectual property to credit card details useless. “The nightmare scenario that everyone is worried about is if it also allows access to the store of core cryptographic keys which allow organisations to keep data stores. If the keys have been accessible, companies may have to replace all these secret codes that guard their information.”

I suggest that you not wait for companies to fix their software. Go to your various online accounts and change your passwords!

~Eowyn

