In one of the biggest global web security risks yet seen, a huge flaw in network protection software may have let hackers steal the user data it’s meant to guard, leaving around two thirds of the entire internet (and most of its users) at risk.
The flaw, dubbed the ‘Heartbleed Bug’ lets hackers see a user’s password, copy it and access any information on their private account.
Among the systems confirmed to be affected are Imgur, OKCupid, Eventbrite, and the FBI’s website, all of which run affected versions of OpenSSL. Connections to Google are not vulnerable, researchers say.
The Heartbleed bug is a security hole discovered in OpenSSL, widely used network software that encrypts sensitive web data. The flaw allows hackers to steal data directly from the memory chips of servers all over the world, and has been in existence for roughly two years.
That data leakage means that servers vulnerable to Heartbleed are less secure than they would be if they simply had no encryption at all.
“Given that over half of the world’s webservers use Apache, and Apache uses OpenSSL, the majority of people are using applications built on top of OpenSSL on a regular basis,” explained Steve Pate, the Chief Architect at cloud services company HyTrust.
Commenting in his blog, security analyst and Chief Technology Officer of Co3 Systems Bruce Schneier said: “Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
“At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.”
Changing passwords ‘won’t guarantee security’
As details emerge about a software flaw that allows attackers to steal information, including cryptographic keys, from servers, KPMG’s Stephen Bonner argues that panicking consumers into changing their passwords is not necessarily the right response. Instead, he suggests that organisations hosting sensitive information should identify the weak points in their web footprint and fix these, before advising customers on the appropriate action to take.
Bonner, a partner in KPMG’s Information Protection and Business Resilience team, says: “Too much credence is being given to the idea that the Heartbleed Bug can be beaten if customers change the passwords they use to shop and communicate online. It’s an easy option, but one that ignores the real questions around what businesses should be doing to safeguard their internet footprint.
“The web is a world without borders, meaning that companies must map their entire online presence, identify where vulnerabilities exist and work with their software suppliers to ensure the Heartbleed Bug is blocked at any point of entry. After all, the software flaw may have a fix available, but it’s only when every gateway is guarded with the relevant patch that customer password changes will be effective. The fact remains that if passwords are changed beforehand they are just as vulnerable.
“If a company identifies vulnerabilities, the next step should be to assess the impact and take action to protect any sensitive data. If they find that they are secure, logic suggests that customers should be assured this is the case. After all, having different passwords on each service and changing them on a regular basis makes good sense, but the rush to urge immediate action creates a sense of panic that helps no one.”
Watch this video from Bloomberg explaining how the bug works- and what can be down to prevent it: