Newly discovered Heartbleed computer virus lets hackers read everything in your computer

computer virusHannah Kuchler reports for Financial Times, April 9, 2014, that Internet security engineers recently discovered a nasty computer “heartbleed bug” that allows hackers to eavesdrop on communications, steal data directly from the services and users (i.e., your computer’s hard drive), and impersonate services and users.

The bug was found in an encryption method used on about two-thirds of all websites, including Google, Amazon, Yahoo and Facebook, potentially exposing web traffic, user data and stored content to cyber criminals.

Although the bug has been around for three years, we are told there is so far no evidence that a hacker has exploited the flaw.

OpenSSL has released an update to repair the flaw and companies must update their software to be safe. Those companies include:

  • Google, which said it had fixed the flaw in key Google services and Facebook by adding protections even before the heartbleed bug was publicly disclosed.
  • Amazon Web Services, whose clients include sites from Netflix to Unilever, said it had applied “mitigations” so customers did not need to act.
  • Yahoo said it had “made the appropriate corrections” to its main properties and was working to fix its other sites.
  • Matthew Prince, chief executive at Cloudflare, a company that provides a security barrier for about 5% of web requests, said it had fixed its encryption after being alerted last week.

But even those who fix the software cannot necessarily see if a hacker has already used the vulnerability to access their systems. Netcraft, which monitors what code is used in each site, said more than half a million trusted websites were vulnerable to the bug.

Prince said “This is very bad and it may be extremely bad. This is one of the really bad internet bugs ever.” He warns that the flaw could affect “almost everyone” as the software is used by more than 60% of all websites. The flaw could have allowed hackers to read everything in a computer’s memory. Researchers had found the vulnerability could be used to read people’s Yahoo emails, but Prince says they still do not know if the keys to other secure information have also been found, which could render protection of anything from intellectual property to credit card details useless. “The nightmare scenario that everyone is worried about is if it also allows access to the store of core cryptographic keys which allow organisations to keep data stores. If the keys have been accessible, companies may have to replace all these secret codes that guard their information.”

I suggest that you not wait for companies to fix their software. Go to your various online accounts and change your passwords!

UPDATE (April 11, 2014):

As reported by the Daily Mail, a German computer programmer Dr Robin Seggelmann has come forward admitting that he had written the Heartbleed code which contained an error overlooked by reviewers, and added to the OpenSSL software on New Year’s Eve in 2011. No one spotted the mistake until earlier this month.

Affected sites include a number of Google services, including Gmail and YouTube, Facebook, Tumblr, Yahoo and Dropbox. All of these sites have been patched and security experts are advising people to change their passwords on these accounts, even if the sites themselves aren’t issuing the advice. Yahoo is the only major site that has explicitly said its users should change their password.

Sites that don’t use the OpenSSL software are not affected by the flaw. This includes PayPal, Microsoft accounts and Twitter.

However, there are still thousands of websites who are yet to fix the problem, or officially announce the fix – leaving their users in limbo.

Password and security experts have created tools to see which sites are at risk including the Heartbleed Test and Heartbleed Checker.

UPDATE (April 12, 2014):

Surprise! (Not)

Michael Riley reports for Bloomberg that Obama’s National Security Agency knew for at least two years about the Heartbleed bug but kept the bug secret, and regularly exploited it to gather “critical” intelligence, two people familiar with the matter said.

The Obama Pathological Liar’s administration, of course, denies it.

~Eowyn

Rate this post

Please follow and like us:
error0
 

Leave a Reply

avatar
  Subscribe  
Notify of
Jules
Guest
Jules

If the website owner has not security patched against this backdoor trojan, changing online accounts’ passwords will not safeguard or even mitigate the exploits from this virus. The cryptographic keys on the vendors SSL software are stolen by the heartbleed bug which can include the codes on individual user accounts. The hacker need only rewrite the encrypted code of a password to access your present or future private information. Both your vendor and you wouldn’t know there is a security vulnerability.

Anonymous
Guest
Anonymous

I’ll be the NSA has been having a good time with this and kept it to themselves…

Jules
Guest
Jules

Hi Dr Eowyn, The bad news: The Heartbleed malware determines what antivirus software is installed, then customises its own behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by that software. The method used to inject code into various processes is stealthy, in that the Heartbleed malware modules do not appear in a listing of the modules loaded into a process and malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications. Heartbleed is not designed to deactivate automatically, but supports a “kill” function that… Read more »

Seumas
Guest
Seumas

I have to say I question if this “virus” even exists, what proof do we have that it does? Not that it really matters, because “computer security” is what one might call a oxymoron, computers have a fundamental flaw that makes them vulnerable, that flaw is internet connectivity, anything that has any level of connectivity to the internet is already hackable, the only difference is how much someone wants to try to get in. Any system designed to connect, can be connected to with the right tricks, firewalls can be mitigated, SSL and SSH can be broken through, etc. This… Read more »