Heartbleed Bug opens internet for hackers
InternetNZ has advised website owners urgently check whether people’s usernames and passwords may have been stolen following a major global security scare.
There are fears a newly-disclosed vulnerability in encryption software may have left vast tracts of the internet, including email services, internet banking and social media, open to hackers.
The BBC has reported the so-called “Heartbleed Bug” may have put millions of web servers at risk. The Daily Mail reported this morning that services operated by Twitter, Yahoo and ASB Bank owner, the Commonwealth Bank of Australia, were all affected.
InternetNZ chief executive Jordan Carter said website owners should be aware their site’s security may have been breached and private information, including logons and passwords, stolen as a result of the vulnerability in a software product known as OpenSSL.
“Website owners shouldn’t panic, but quick action is required by those using vulnerable versions of OpenSSL,” he said. The non-profit society also reiterated its advice that internet users regularly changed their passwords.
The vulnerability was discovered by researchers working for Google and security firm Codenomicon. They gave the bug - officially known as CVE-2014-0160 - the appropriately evocative and frightening name Heartbleed.
OpenSSL has released an emergency patch for the bug, which lies in the software's Heartbeat extension. But the vulnerability is in fairly ubiquitous software around the web and it will take time for the patch to disseminate. A tool from SSL Labs, a repository of SSL documents and tools, lets people check any web address for the OpenSSL vulnerability.
Carter said the bug was easy to exploit and it was virtually impossible to detect whether a site had been compromised. Any website using a vulnerable version of OpenSSL could have been attacked by criminals to steal data or eavesdrop on communications, and now that the vulnerability was widely known, the likelihood of criminals exploiting it was significantly higher, he said.
Most major services were not affected or rapidly upgraded their servers to incorporate the OpenSSL patch, however. Some have also tried to reassure customers that their information wasn't really at risk from Heartbleed anyway.
For example, a spokesperson at password management service LastPass, which implemented the patch early this morning, told technology news website CNET, "Nearly all your data is also encrypted with a key that LastPass servers never get, so this bug could not have exposed customers’ encrypted data."
It's possible that Heartbleed might not be as fatal as feared. Adam Langley, a Google security expert who helped close the OpenSSL hole, said on Twitter that his testing didn't reveal information as sensitive as secret keys.
Yahoo's Tumblr blogging service uses OpenSSL. In a blog post, officials at the service said they had no evidence of any breach and had immediately implemented the fix.
"But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr's blog post read. "This might be a good day to call in sick and take some time to change your passwords everywhere - especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."
Yahoo said its other services, including email, Flickr and search, also had the vulnerability. The company said some of the systems had already been fixed, while work was being done on the rest of Yahoo's websites.
The company reiterated its standard recommendation for people to change passwords regularly and to add a backup mobile number to the account. That number can be used to verify a user's identity if there are problems accessing the account because of hacking.
Codenomicon said the Heartbleed Bug allowed attackers to “eavesdrop on communications, steal data directly from the services and users and to impersonate services and users”, though it was not clear whether it had been exploited.