A flaw has been discovered in one of the Internet’s key security methods, potentially forcing a wide swath of websites to make changes to protect the security of consumers.
The problem was first discovered by a team of Finnish security experts and researchers at Google last week and disclosed on Monday. By Tuesday afternoon, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it.
Researchers were still looking at the impact on consumers but warned it could be significant. Users’ most sensitive information — passwords, stored files, bank details, even Social Security numbers — could be vulnerable because of the flaw.
The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Changing a password on a site that hasn’t been fixed could simply hand the new password over to hackers. Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue. “This is a good reminder that there are many risks online and it’s important to keep a watchful eye around what you’re doing, just as you would in the physical world,” said Zulfikar Ramzan, the chief technology officer of Elastica, a security company.
The extent of the vulnerability was unclear. Up to two-thirds of websites rely on the affected technology, called OpenSSL. But some organizations appeared to have had advance notice of the issue and had already fixed the problem by Tuesday afternoon. Many others were still working on restoring security.
Because attackers can use the bug to steal information unnoticed, it is unclear how widely the bug has been exploited — although it has existed for about two years. On GitHub, a website where developers gather to share code, some were posting ways to use the bug to dump information from servers. The Finnish security researchers, working for Codenomicon, a security company in Saratoga, Calif., and security researchers at Google found the bug in a portion of the OpenSSL protocol — which encrypts sessions between consumer devices and websites — called the “heartbeat” because it pings messages back and forth. The researchers called the bug “Heartbleed.”
“It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”
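As an added illustration (not from the article, and not OpenSSL’s code), here is a simplified Python model of the heartbeat exchange described above: the pre-fix handler trusts the payload length a peer declares and echoes that many bytes, so a request that declares more than it carries gets back whatever sits next to it in memory, while the fixed handler compares the declared length against the record actually received and discards the mismatch. The record layout follows RFC 6520; the buffer contents and the “secret” are constructed sample data.

```python
import struct
from typing import Optional, Tuple

# Simplified model of a TLS heartbeat record (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
# Constructed example, not OpenSSL code. The record is placed in a bytes
# buffer next to unrelated data, standing in for a server's process memory.

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_length overrides the true payload length."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: copies as many bytes as the header declares, so when
    the declared length exceeds the record it reads past it into adjacent memory."""
    _hb_type, length = struct.unpack("!BH", memory[:3])
    # record_len is never compared with length: this omission is the defect.
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + memory[3:3 + length]


def respond_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed behaviour: silently discard a record whose declared payload, plus
    header and minimum padding, does not fit in what was actually received."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    _hb_type, length = struct.unpack("!BH", memory[:3])
    if 1 + 2 + length + MIN_PADDING > record_len:
        return None
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + memory[3:3 + length]


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Return (payload echoed by the unchecked handler, result of the checked handler)
    for a request that carries 4 payload bytes but declares 40."""
    record = build_heartbeat(b"ping", claimed_length=40)
    secret = b"SESSION_KEY=constructed-sample-secret"  # constructed stand-in for adjacent memory
    memory = record + secret
    leaked = respond_unchecked(memory, len(record))[3:]
    return leaked, respond_checked(memory, len(record))
```

The unchecked handler returns 40 bytes, the last of which are the start of the unrelated secret; the checked handler returns nothing for the same request and still echoes a well-formed one.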
Organizations were advised to immediately download the newest version of the OpenSSL protocol, which includes a fix, and quickly swap out their encryption keys. It also meant organizations needed to change their corporate passwords, log out users and advise them to change their own passwords.
Then companies began taking inventory of what they may have lost. But because the flaw would allow attackers to surreptitiously steal the keys that protect communication, user passwords and anything stored in the memory of a vulnerable web server, it was virtually impossible to assess whether damage had been done.
Security researchers say they found evidence that suggests attackers were aware of the bug. Researchers monitoring various “honey pots” — stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques — found evidence that attackers had used the Heartbleed bug to access the fake data.
Actual victims may be out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won’t know if you’ve been compromised,” Mr. Chartier said. “That’s what makes it so vicious.”
Mr. Chartier advised users to consider their passwords compromised and urged companies to deal with the issue quickly. “Companies need to get new encryption keys and users need to get new passwords,” he said.
Security researchers say it is most important for people to change passwords to sensitive accounts like their online banking, email, file storage and e-commerce accounts, after first making sure that the website involved has addressed the security gap.
By Tuesday afternoon, many organizations were heeding the warning. Companies across the web, including Yahoo, Amazon and PayPal, began notifying users of the bug and what was being done to mitigate it. Tumblr, the social network owned by Yahoo, said it had issued fixes and warned users to immediately swap out their passwords.
“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” the security team at Tumblr, which is part of Yahoo, wrote on its site.
“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage and banking, which may have been compromised by this bug.”