A major security flaw at the heart of the internet may have been exposing users’ personal information and passwords to hackers for the past two years.
The Heartbleed bug exists in a piece of open source software called OpenSSL which is designed to encrypt communications between a user’s computer and a web server, a sort of secret handshake at the beginning of a secure conversation.
It was dubbed Heartbleed because it affects an extension to SSL (Secure Sockets Layer) which engineers named Heartbeat.
It is one of the most widely used encryption tools on the internet, believed to be deployed by roughly two-thirds of all websites. If you see a little padlock symbol in your browser then it is likely that you are using SSL.
Half a million sites are thought to have been affected.
In his blog, Bruce Schneier, chief technology officer of Co3 Systems, said: “The Heartbleed bug allows anyone to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the name and passwords of the users and the actual content.”
“This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” he added.
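To show the defect Schneier describes, the following is an added, simplified model (not OpenSSL's own code): a heartbeat handler that trusts the peer-supplied payload length, beside the bounds-checked version, with the record layout, the memory arena and the fake secret constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Model of a TLS Heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING_LEN 16
/* Constructed stand-in for process memory: the record and a fake secret share one arena, so the over-read stays in bounds. */
static unsigned char arena[64];

static size_t build_arena(uint16_t claimed_len, size_t actual_payload) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8); arena[2] = (unsigned char)claimed_len;
    memset(arena + 3, 'A', actual_payload);
    memcpy(arena + 3 + actual_payload + PADDING_LEN, "SECRET", 6);  /* unrelated neighbouring data */
    return 3 + actual_payload + PADDING_LEN;  /* bytes that really arrived */
}

/* Vulnerable: trusts the peer-supplied length and copies that many bytes back, however many arrived. */
static int hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t *out_len) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]); (void)rec_len;  /* real length never consulted */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* reads past the end of the record */
    *out_len = 3 + payload;
    return 1;
}

/* Fixed: require the claimed payload to fit inside the received record (the shape of the OpenSSL 1.0.1g check). */
static int hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t *out_len) {
    if (rec_len < 1 + 2 + PADDING_LEN) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + PADDING_LEN > rec_len) return 0;  /* silently discard */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    *out_len = 3 + payload;
    return 1;
}

/* Returns 1 if the handler's response carries the neighbouring secret, 0 if not. */
static int leaks_secret(int (*handler)(const unsigned char *, size_t, unsigned char *, size_t *)) {
    size_t rec_len = build_arena(40, 4);  /* claims 40 payload bytes, sends 4 */
    unsigned char out[64]; size_t out_len = 0;
    if (!handler(arena, rec_len, out, &out_len)) return 0;  /* message rejected */
    for (size_t i = 0; i + 6 <= out_len; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}
```

The only difference between the two handlers is the length check, which is why the real fix was a few lines and why a vulnerable server leaves no trace: the response is a perfectly well-formed heartbeat.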
The bug is so serious it has its own website, Heartbleed.com, which outlines all aspects of the problem.
Some security experts are saying that it would be prudent to change your passwords, although there is a degree of confusion as to when and if this needs to be done.
Some point out that there will be plenty of smaller sites that haven’t yet dealt with the issue and with these a password reset could do more harm than good, revealing both old and new passwords to any would-be attacker.
But now that the bug is widely known, even smaller sites will issue patches soon, so most people should probably start thinking about resetting their passwords.
The exploit was not related to weak passwords, but now that there are calls for a mass reset of existing ones, many are reiterating the need to make sure they are as secure as possible.
Half a million websites are believed to be vulnerable, too many to list, but a glut of new sites offer users the chance to check whether the online haunts they use regularly are affected.
The bad news, according to a blog from security firm Kaspersky, is that “exploiting Heartbleed leaves no traces so there is no definitive way to tell if the server was hacked and what kind of data was stolen”.
Security experts say that they are starting to see evidence that hacker groups are conducting automated scans of the internet in search of web servers using OpenSSL.
And Kaspersky said that it had uncovered evidence that groups believed to be involved in state-sponsored cyber-espionage were running such scans shortly after news of the bug broke.
Search Clinic will soon post a blog on how to set and remember passwords, so please subscribe to the Search Clinic newsfeed.