Internet Bug “Heartbleed” Leaves Millions Of Passwords Exposed
A new security bug could leave millions of people with their passwords exposed:
SAN FRANCISCO — An alarming lapse in Internet security has exposed millions of passwords, credit card numbers and other sensitive bits of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery.
The breakdown revealed this week affects the encryption technology that is supposed to protect online accounts for emails, instant messaging and a wide range of electronic commerce.
Security researchers who uncovered the threat, known as “Heartbleed,” are particularly worried about the breach because it went undetected for more than two years.
Although there is now a way to close the security hole, there are still plenty of reasons to be concerned, said David Chartier, CEO of Codenomicon. A small team from the Finnish security firm diagnosed Heartbleed while working independently from another Google Inc. researcher who also discovered the threat.
“I don’t think anyone that had been using this technology is in a position to definitively say they weren’t compromised,” Chartier said.
Chartier and other computer security experts are advising people to consider changing all their online passwords.
“I would change every password everywhere because it’s possible something was sniffed out,” said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. “You don’t know because an attack wouldn’t have left a distinct footprint.”
But changing the passwords won’t do any good, these experts said, until the affected services install the software released Monday to fix the problem. That puts the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the Heartbleed fix has been installed so they can change their passwords.
“This is going to be difficult for the average guy in the streets to understand, because it’s hard to know who has done what and what is safe,” Chartier said.
Further details from The Wire, specifically how it impacts you:
Flair for drama? Take Tor’s advice on Heartbleed: ”If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”
In any case, its worth noting that even the best fixes to Heartbleed won’t completely secure all past web traffic from vulnerability. And, because individual servers have to be fixed manually, some sites might not get around to repairing the bug for quite awhile. In other words, take Heartbleed on a site-by-site basis. Very few sites have offered comprehensive information on what to do about Heartbleed to its users. One would hope that advice will be coming soon.
The basic advice for everyone appears to boil down to “change all your passwords.” That, of course, is a huge pain that even people who are computer literate and cautious about security issues will tend to procrastinate about. After all going to the myriad of websites that we all use that require passwords and then both changing them and remembering what the new passwords are isn’t exactly easy. There’s got to be a better way.
Wait a few days or more. The bug only strikes when you actively access an account. Changing your passwords now might make things worse. According to what I’ve read, Amazon is OK, or will be shortly, and Google is immune. There’s stuff all over the web about this. Here’s a good article, ‘Heartbleed’: for hundreds of thousands of servers at risk around the world from catastrophic bug
Just yesterday my OpenSuse Linux box received a patch for the bug. Not that I’m a server by any means, but my OpenSuse OS is used on servers, so I got the patch. Patching is only part of the problem though. The security certificates on the server side will have to be changed, too.
There’s a site one can go to, Heartbleed Test, to test a server for the problem. But it’s swamped. I’ve been trying to test the Bank of America site for the last 15 minutes, and the thing is still trying. ( I just killed the process. No point in adding to the swamp. And, of course, no word from BOA itself. Big surprise, that.)
I do online banking but for internet purchases I only use a preloaded American Express card minimizing my risk.