Hannah Kuchler reports for the Financial Times, April 9, 2014, that security researchers have disclosed a nasty bug in OpenSSL, dubbed “Heartbleed” (CVE-2014-0160), that allows attackers to eavesdrop on communications, steal data directly from affected services and users, and impersonate services and users. The data at risk is not your computer’s hard drive but whatever happens to be in the memory of the running program that uses OpenSSL: passwords, session cookies, the contents of other people’s requests, and potentially the server’s private key.
The bug is in OpenSSL, the open-source implementation of the SSL/TLS encryption protocol used by about two-thirds of all websites, including Google, Amazon, Yahoo and Facebook, potentially exposing web traffic, user data and stored content to cyber criminals.
Although the bug has been in OpenSSL for more than two years (it shipped in OpenSSL 1.0.1 in March 2012), we are told there is so far no evidence that a hacker has exploited the flaw.
OpenSSL has released an update (version 1.0.1g, April 7, 2014) to repair the flaw; the affected versions are 1.0.1 through 1.0.1f. Companies must update their software to be safe, and because the bug may have exposed a server’s private key, they should also reissue their certificates and revoke the old ones. Those companies include:
- Google, which said it had fixed the flaw in key Google services, and Facebook, which said it had added protections even before the Heartbleed bug was publicly disclosed.
- Amazon Web Services, whose clients include sites from Netflix to Unilever, said it had applied “mitigations” so customers did not need to act.
- Yahoo said it had “made the appropriate corrections” to its main properties and was working to fix its other sites.
- Matthew Prince, chief executive at Cloudflare, a company that provides a security barrier for about 5% of web requests, said it had fixed its encryption after being alerted last week.
But even those who fix the software cannot necessarily see if a hacker has already used the vulnerability to access their systems: a malicious heartbeat is handled inside the TLS library and leaves nothing in ordinary web-server logs. Netcraft, which monitors what code is used in each site, said more than half a million trusted websites were vulnerable to the bug.
Prince said “This is very bad and it may be extremely bad. This is one of the really bad internet bugs ever.” He warns that the flaw could affect “almost everyone” as the software is used by more than 60% of all websites. The flaw lets an attacker read up to 64 kilobytes of the server process’s memory per heartbeat request, and since the request can be repeated as often as the attacker likes, large parts of that memory (passwords, session cookies, and potentially the server’s private key) can be recovered over time. Researchers had found the vulnerability could be used to read people’s Yahoo emails, but Prince says they still do not know if the keys to other secure information have also been found, which could render protection of anything from intellectual property to credit card details useless. “The nightmare scenario that everyone is worried about is if it also allows access to the store of core cryptographic keys which allow organisations to keep data stores. If the keys have been accessible, companies may have to replace all these secret codes that guard their information.”
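To make the memory-reading concrete, here is an added example (not code from the page, from OpenSSL, or from the FT report) that models the heartbeat handler in C. One version mirrors the unchecked copy in OpenSSL 1.0.1 through 1.0.1f, the other adds the length check from 1.0.1g. The “process memory”, the planted secret and the request bytes are all constructed for the demo, and the function names (heartbeat_vulnerable, heartbeat_fixed, probe) are mine, not OpenSSL’s.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Simulated server process memory (constructed for this example). The incoming
 * heartbeat record sits at the front; a fake "secret" standing in for cookies,
 * passwords or key bytes that happened to be next on the heap is planted just
 * after it. Sized so any 16-bit claimed length stays inside the simulation; the
 * real bug had no such safety net. */
#define MEM_SIZE (65536 + 64)
static unsigned char g_mem[MEM_SIZE];
static const char SECRET[] = "session_cookie=deadbeef4a7f";

/* Write a heartbeat request into g_mem: 1-byte type, 2-byte big-endian claimed
 * payload length, the actual payload, 16 bytes of padding. Returns the true
 * record length, i.e. what the TLS record layer really received. */
size_t build_record(uint16_t claimed_len, const char *actual_payload)
{
    size_t actual_len = strlen(actual_payload);
    unsigned char *p = g_mem;
    memset(g_mem, 0, MEM_SIZE);
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, actual_payload, actual_len);
    p += actual_len;
    memset(p, 0xAA, HB_PADDING);
    p += HB_PADDING;
    size_t rec_len = (size_t)(p - g_mem);
    memcpy(g_mem + rec_len + 8, SECRET, sizeof SECRET);   /* the "next heap object" */
    return rec_len;
}

/* Build the response the way tls1_process_heartbeat does: allocate
 * 1 + 2 + payload + padding bytes and copy `payload` bytes from the request.
 * That memcpy is the over-read whenever `payload` exceeds what was received. */
static int make_reply(const unsigned char *src, uint16_t payload, unsigned char **reply)
{
    size_t len = 1 + 2 + (size_t)payload + HB_PADDING;
    unsigned char *bp = malloc(len);
    if (!bp) return -1;
    *reply = bp;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, src, payload);
    memset(bp + payload, 0, HB_PADDING);   /* OpenSSL used random padding */
    return (int)len;
}

/* Modelled on OpenSSL 1.0.1 to 1.0.1f: the peer's claimed length is trusted and
 * rec_len is never consulted. Returns reply length, or -1 on rejection. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char **reply)
{
    (void)rec_len;
    unsigned char hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return make_reply(rec + 3, payload, reply);
}

/* Modelled on the 1.0.1g fix: reject records too short to hold header plus
 * padding, and reject any claimed payload that does not fit in the record. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char **reply)
{
    if (1 + 2 + HB_PADDING > rec_len) return -1;
    unsigned char hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;  /* the missing check */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return make_reply(rec + 3, payload, reply);
}

/* Does the reply contain the planted secret? (tiny memmem; memmem is not portable) */
int reply_leaks_secret(const unsigned char *reply, int len)
{
    size_t n = strlen(SECRET);
    for (size_t i = 0; len > 0 && i + n <= (size_t)len; i++)
        if (memcmp(reply + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Send one request (4 real payload bytes, `claimed_len` claimed) through either
 * handler: 1 = reply leaked the secret, 0 = clean reply, -1 = request rejected. */
int probe(uint16_t claimed_len, int patched)
{
    unsigned char *r = NULL;
    size_t rec_len = build_record(claimed_len, "ping");
    int n = patched ? heartbeat_fixed(g_mem, rec_len, &r)
                    : heartbeat_vulnerable(g_mem, rec_len, &r);
    if (n < 0) return -1;
    int leaked = reply_leaks_secret(r, n);
    free(r);
    return leaked;
}

int main(void)
{
    printf("honest request,    unpatched: %d\n", probe(4, 0));     /* 0  */
    printf("claims 1000 bytes, unpatched: %d\n", probe(1000, 0));  /* 1  */
    printf("claims 1000 bytes, patched:   %d\n", probe(1000, 1));  /* -1 */
    return 0;
}
```

The honest request gets back its four bytes and nothing else; the request that claims 1000 bytes gets back the planted secret from beyond the end of the record; the patched handler refuses the second request outright. A real attacker would claim the maximum 65535 bytes and repeat the request, which is why the page’s “64 kilobytes per request” adds up to so much over time.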
I suggest that you not rely on companies to tell you what to do. Go to your various online accounts and change your passwords, but check first that the site has actually patched: a new password sent to a still-vulnerable server can be stolen exactly like the old one. A practical check is that the site’s certificate has been reissued since the fix (its “Not Before” date is after April 7, 2014), which you can see in your browser’s certificate viewer or with openssl s_client -connect host:443 </dev/null | openssl x509 -noout -dates, substituting the site for host.
UPDATE (April 11, 2014):
As reported by the Daily Mail, Dr Robin Seggelmann, a German computer programmer, has come forward admitting that he wrote the heartbeat-extension code that contains the Heartbleed error. The change was added to OpenSSL on New Year’s Eve 2011, and the mistake, a missing check that the length claimed in a heartbeat message actually matches the data received, was overlooked by the reviewer. No one spotted it until earlier this month.
Affected sites include a number of Google services, including Gmail and YouTube, Facebook, Tumblr, Yahoo and Dropbox. All of these sites have been patched and security experts are advising people to change their passwords on these accounts, even if the sites themselves aren’t issuing the advice. Yahoo is the only major site that has explicitly said its users should change their password.
Sites whose servers don’t run an affected OpenSSL build (1.0.1 through 1.0.1f with the heartbeat extension enabled; the older 0.9.8 and 1.0.0 branches were never vulnerable) are not affected by the flaw. Reported examples include PayPal, Microsoft accounts and Twitter.
However, there are still thousands of websites that have yet to fix the problem, or to officially announce a fix, leaving their users in limbo.
UPDATE (April 12, 2014):
Michael Riley reports for Bloomberg that Obama’s National Security Agency knew for at least two years about the Heartbleed bug but kept the bug secret, and regularly exploited it to gather “critical” intelligence, two people familiar with the matter said.
Obama Pathological Liar’s administration, of course, denies it.