2nd UPDATE — What you need to know about Heartbleed, the bug that's caused a major online security headache
By BREE FOWLER
The Associated Press
Heartbleed flaw emphasizes the need to change passwords — in a bit
Wait a day or so.
Then change the passwords on the web services you use.
That is probably the best advice for web users unnerved by reports of a potential vulnerability for email and other online accounts because of the security flaw called Heartbleed.
Immediately changing passwords could feed a new password into a website that has not fixed the flaw, according to Mark Seiden, an independent computer security consultant.
For websites, the fix-it process involves installing software patches on the computers in their data centers, then swapping out the confidential private key used to secure messages and transactions.
That private key is paired with a public key that is published in the site's certificate.
When a browser connects, the server proves it holds the private key in an authenticated handshake, the signal of trust, and only then is the encrypted information sent on its way.
Swapping out the old private key for a new one, and getting a new certificate issued for it, is an extra step of caution, in case the software flaw allowed cyberthieves to pilfer the private key from the server's memory.
“There's nothing users can do until the web services have made their sites secure," Seiden said.
Users will largely need to depend on individual sites to notify them about whether the flaw has been addressed.
Many major web services, like Yahoo, have already released such notices.
The Heartbleed scare, even if it doesn't turn out to hurt many consumers, is a reminder of the importance of password hygiene.
Changing passwords occasionally is a good idea, as is using a different password for each site.
If passwords are lost because of a security breach at a company, identity thieves have a far greater opportunity for mischief.
To vary passwords, Seiden suggests choosing a formula that is a variation on a theme. Pick out a core password made up of a mixture of six letters and numbers that do not spell a word.
Then, your passwords become variations on that core, which is reused. For example, Seiden said, you pick the second and third letters of a service's name, to avoid being obvious.
If the service is Yahoo, the letters are “a” and “h.”
Those are added at the front or back of your core password, or one letter at the front and the other at the back.
Next time, perhaps, you choose the letter below those two on a computer keyboard.
“This is a good time to review your password practices in general,” Seiden said.
“Any kind of formula can help. It's what I use.”
The damage caused by the "Heartbleed" bug is currently unknown. The security hole exists on a vast number of the Internet's Web servers and went undetected for more than two years. While it's conceivable that the flaw was never discovered by hackers, it's nearly impossible to tell.
There isn't much that people can do to protect themselves until the affected websites implement a fix.
Here are answers to some common questions about Heartbleed and how you can protect yourself:
Q: What is Heartbleed and why is it a big deal?
A: Heartbleed affects the encryption technology designed to protect online accounts for email, instant messaging and e-commerce. It was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately.
It's unclear whether any information has been stolen as a result of Heartbleed, but security experts are particularly worried about the bug because it went undetected for more than two years.
Q: How does it work?
A: Heartbleed creates an opening in SSL/TLS, the encryption technology marked by the small, closed padlock and "https:" in Web browsers to show that traffic is secure. The flaw lets an attacker read chunks of a vulnerable server's memory, which can include traffic that was supposed to be private even though the padlock was closed. Interlopers can also grab the keys for deciphering encrypted data without the website owners knowing the theft occurred.
The problem affects only sites that use OpenSSL, an open-source software library that implements SSL/TLS (not a variant of the protocol itself), but that library happens to be one of the most widely used on the Internet. Only OpenSSL versions 1.0.1 through 1.0.1f carry the bug; version 1.0.1g fixes it.
Q: So if the problem has been identified, it's been fixed and I have nothing to worry about. Right?
A: It depends on the website. A fixed version of OpenSSL has been released, but it's up to the individual website administrators to put it into place.
Yahoo Inc., which has more than 800 million users around the world, said Tuesday that most of its popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products that it didn't identify.
Q: So what can I do to protect myself?
A: Ultimately, you'll need to change your passwords, but that won't do any good until the sites you use adopt the fix. It's also up to the Internet services affected by the bug to let users know of the potential risks and encourage them to change their passwords.
Q: I plan to file my income taxes online. Is that safe considering how much personal information is involved?
A: The IRS released a statement on Wednesday saying that it's not affected by the bug or aware of any related security flaws. It advised taxpayers to continue filing their returns as they normally would in advance of the April 15 deadline.
But Canada's tax agency on Wednesday temporarily cut off public access to its electronic filing services just three weeks before its tax deadline, citing Heartbleed-related security concerns.
The Canada Revenue Agency said it's working to restore secure access as soon as possible. The agency said consideration will be given to taxpayers who are unable to comply with their filing requirements because of the interruption.
PREVIOUS STORY — Online security flaw exposes millions of passwords (and what you can do to protect yourself)
By NICOLE PERLROTH
c.2014 New York Times News Service
NEW YORK — A flaw has been discovered in one of the Internet's key security methods, potentially forcing a wide swath of websites to make changes to protect the security of consumers.
The problem was first discovered by a team of Finnish security experts and researchers at Google last week and disclosed on Monday.
By Tuesday afternoon, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it.
Researchers were still looking at the impact on consumers but warned it could be significant.
Users' most sensitive information — passwords, stored files, bank details, even Social Security numbers — could be vulnerable because of the flaw.
The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords.
Changing a password on a site that hasn't been fixed could simply hand the new password over to hackers.
Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue.
“This is a good reminder that there are many risks online and it's important to keep a watchful eye around what you're doing, just as you would in the physical world,” said Zulfikar Ramzan, the chief technology officer of Elastica, a security company.
The extent of the vulnerability was unclear. Up to two-thirds of websites rely on the affected technology, called OpenSSL.
But some organizations appeared to have had advance notice of the issue and had already fixed the problem by Tuesday afternoon. Many others were still working on restoring security.
Because attackers can use the bug to steal information unnoticed, it is unclear how widely the bug has been exploited — although it has existed for about two years.
On GitHub, a website where developers gather to share code, some were posting ways to use the bug to dump information from servers.
The Finnish security researchers, working for Codenomicon, a security company in Saratoga, Calif., and security researchers at Google found the bug in a part of OpenSSL's implementation of the TLS protocol, which encrypts sessions between consumer devices and websites, called the "heartbeat" extension because it sends small keep-alive messages back and forth. The researchers called the bug "Heartbleed."
“It's a serious bug in that it doesn't leave any trace,” said David Chartier, chief executive at Codenomicon.
“Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there's no trace they've been there.”
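The "How does it work?" answer above and the description of the heartbeat just given both come down to one missing length check. The following is an added example, not code from the article or from OpenSSL itself: a toy model of the TLS heartbeat message (type, two-byte declared payload length, payload, padding) with a responder that trusts the declared length beside one that refuses any length that does not fit inside the record that actually arrived. The "process memory" and the secret that sits after the record are constructed for the demonstration; the real library read whatever happened to be on the live heap.

```c
/* Added example, not code from the article or from OpenSSL: a toy model
 * of the TLS heartbeat extension (RFC 6520) with the missing bounds check
 * that caused Heartbleed, beside the check that fixes it.
 *
 * Wire layout of a heartbeat message:
 *   type (1 byte)  payload_length (2 bytes, big-endian)  payload  padding (>= 16 bytes)
 * The responder echoes payload_length bytes of payload. payload_length is
 * chosen by the peer; the bug was that it was never compared with the size
 * of the record that actually arrived, so a short message with a large
 * declared length made the responder copy whatever lay beyond it in memory.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    128

/* Simulated heap of the responder (constructed for this example): the
 * received record sits at offset 0 and a "secret" adjacent in memory follows. */
static uint8_t process_mem[MEM_SIZE];
static size_t record_len;                 /* bytes that really arrived */
static const char SECRET[] = "session-cookie=abc123; private-key-bytes";

/* Place a heartbeat request with a 4-byte payload ("ping") but an arbitrary
 * declared payload_length into the simulated memory, secret right after it. */
static void load_request(uint16_t declared_len) {
    memset(process_mem, 0, MEM_SIZE);
    process_mem[0] = HB_REQUEST;
    process_mem[1] = (uint8_t)(declared_len >> 8);
    process_mem[2] = (uint8_t)(declared_len & 0xff);
    memcpy(process_mem + 3, "ping", 4);
    memset(process_mem + 7, 0xAA, HB_PADDING);
    record_len = 3 + 4 + HB_PADDING;      /* 23 bytes on the wire */
    memcpy(process_mem + record_len, SECRET, sizeof SECRET - 1);
}

/* Vulnerable responder: trusts the declared length. Returns bytes written
 * into resp, or -1. The MEM_SIZE check only keeps this toy inside its own
 * array; the real code had no such guard and read the live heap. */
static int heartbeat_vulnerable(uint8_t *resp, size_t cap) {
    const uint8_t *p = process_mem;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    size_t n = 3 + payload_len + HB_PADDING;
    if (n > cap || 3 + (size_t)payload_len > MEM_SIZE) return -1;
    resp[0] = HB_RESPONSE; resp[1] = p[1]; resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload_len);  /* copies past the record */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (int)n;
}

/* Fixed responder: the declared length must fit inside the received record,
 * padding included; otherwise the message is silently discarded. */
static int heartbeat_fixed(uint8_t *resp, size_t cap) {
    const uint8_t *p = process_mem;
    if (record_len < 1 + 2 + HB_PADDING) return -1;   /* not even a header */
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len) return -1;
    size_t n = 3 + payload_len + HB_PADDING;
    if (n > cap) return -1;
    resp[0] = HB_RESPONSE; resp[1] = p[1]; resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload_len);
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (int)n;
}

/* 1 if the start of the secret appears anywhere in the response, else 0. */
static int contains_secret(const uint8_t *buf, int n) {
    const char *needle = "session-cookie";
    size_t m = strlen(needle);
    for (size_t i = 0; n >= 0 && i + m <= (size_t)n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Entry points: run one request with the given declared length through each responder. */
int vulnerable_echo_len(uint16_t declared) { uint8_t r[256]; load_request(declared); return heartbeat_vulnerable(r, sizeof r); }
int vulnerable_leaks(uint16_t declared)    { uint8_t r[256]; load_request(declared); int n = heartbeat_vulnerable(r, sizeof r); return contains_secret(r, n); }
int fixed_echo_len(uint16_t declared)      { uint8_t r[256]; load_request(declared); return heartbeat_fixed(r, sizeof r); }

int main(void) {
    printf("honest request (declares 4 bytes): vulnerable=%d fixed=%d\n",
           vulnerable_echo_len(4), fixed_echo_len(4));
    printf("lying request (declares 60 bytes): vulnerable=%d leaks=%d fixed=%d\n",
           vulnerable_echo_len(60), vulnerable_leaks(60), fixed_echo_len(60));
    return 0;
}
```

The honest request gets the same 23-byte echo from both responders. The lying request, which sends four payload bytes but declares 60, makes the vulnerable responder return 79 bytes that include the neighbouring secret, while the fixed responder drops it. This is also why the leak leaves no trace: the over-read is an ordinary copy from the server's own memory and nothing is written to a log.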
Organizations were advised to immediately install the newest version of the OpenSSL library, which includes a fix, and quickly swap out their encryption keys and certificates. It also meant organizations needed to change their corporate passwords, log out users and advise them to change their own passwords.
Then companies began taking inventory of what they may have lost. But because the flaw would allow attackers to surreptitiously steal the keys that protect communication, user passwords and anything stored in the memory of a vulnerable web server, it was virtually impossible to assess whether damage had been done.
Security researchers say they found evidence that suggests attackers were aware of the bug. Researchers monitoring various “honey pots” — stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques — found evidence that attackers had used the Heartbleed bug to access the fake data.
Actual victims may be out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won't know if you've been compromised,” Mr. Chartier said. “That's what makes it so vicious.”
Mr. Chartier advised users to consider their passwords compromised and urged companies to deal with the issue quickly. “Companies need to get new encryption keys and users need to get new passwords,” he said.
Security researchers say it is most important for people to change passwords to sensitive accounts like their online banking, email, file storage and e-commerce accounts, after first making sure that the website involved has addressed the security gap.
By Tuesday afternoon, many organizations were heeding the warning. Companies across the web, including Yahoo, Amazon and PayPal, began notifying users of the bug and what was being done to mitigate it. Tumblr, the social network owned by Yahoo, said it had issued fixes and warned users to immediately swap out their passwords.
“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” the security team at Tumblr, which is part of Yahoo, wrote on its site.
“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage and banking, which may have been compromised by this bug.”
Last modified: April 10. 2014 7:34AM