The widespread bug surfaced the Internet on Monday, forcing major sites to scurry for a patch in their servers. Affecting everything from emails and social media accounts to e-tailers and online banks, it permits cyber-criminals to access usernames, passwords, credit card information, and other sensitive information without leaving any trace. Heartbleed also allows access to a websites's cryptographic keys to impersonate the site and exploit more information.
A Google Inc. security engineer and researchers at the Finnish security firm Codenomicon discovered the server flaw, CNN reported.
Heartbleed went undetected for two years, according to the Washington Post, and was found in the OpenSSL software that's behind many HTTPS sites and is used by an estimated two-thirds of the Internet's servers to encrypt sensitive information. It has been reported that at least 500,000 servers were left vulnerable, although it's uncertain as to which have actually been affected.
The most notable open source web servers using OpenSSL are Apache and nginx. These web servers are used on 66% of all websites, according to Netcraft's April 2014 Web Server Survey.
Codenomicon created a website that provides an in-depth look at Heartbleed, stating that the bug "allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and to impersonate services and users."
Codenomicon tested the vulnerability of their servers, hacking in without leaving a trace. "Without using any privileged information or credentials, we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails, and business critical documents and communication," the company wrote on their website.
There is little users can do to protect their information until websites patch their servers. All users are strongly urged to change their passwords and delete cookies on each website they frequent after it's confirmed that the site has patched its servers.
Among the sites where it's safe to change your password are Facebook, Google, YouTube, Gmail, Yahoo, Tumblr, Flickr, and OKCupid.
Amazon, AOL, Bank of America, Capital One, Chase, Citibank, HSBC, LinkedIn, Microsoft Hotmail and Outlook, PayPal, PNC, TD Bank, Twitter, U.S. Bank, and Wells Fargo have been unaffected as they use different software. However, American Express, Apple, iCloud and iTunes are still in the process of being patched, so do not change your password for those accounts since doing so would affect your new password as well.
There is no easy fix for the "small coding error," according to CNN. In order to protect data and encryption keys, websites must upgrade to the patched version of OpenSSL, revoke compromised SSL certificates, and have new certificates issued.
Mark Maxey, a director for cybersecurity firm Accuvant, told Reuters that, "Due to the complexity and difficulty in upgrading many of the affected systems, this vulnerability will be on the radar for attackers for years to come."
CNN has kept an ongoing tally of all websites that have been affected and patched so far. Click here to see which websites are safe and which to stay away from. You can also test websites using the Heartbleed test or the SSL Server Test.
If you are worried about your personal information on the Internet or have any questions, let us know in the comment section below.
0 comments: