Experts Find a Door Ajar in an Internet Security Method Thought Safe
By NICOLE PERLROTH
April 8, 2014, 5:08 pm
Updated | A flaw has been discovered in one of the Internet’s key security methods, potentially forcing a wide swath of websites to make changes to protect the security of consumers.
The problem was first discovered by a team of Finnish security experts and researchers at Google last week and disclosed on Monday. By Tuesday afternoon, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it.
Researchers were still looking at the impact on consumers but warned it could be significant. Users’ most sensitive information — passwords, stored files, bank details, even Social Security numbers — could be vulnerable because of the flaw.
The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Changing a password on a site that hasn’t been fixed could simply hand the new password over to hackers. Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue. “This is a good reminder that there are many risks online and it’s important to keep a watchful eye around what you’re doing, just as you would in the physical world,” said Zulfikar Ramzan, the chief technology officer of Elastica, a security company.
The extent of the vulnerability was unclear. Up to two-thirds of websites rely on the affected technology, called OpenSSL. But some organizations appeared to have had advance notice of the issue and had already fixed the problem by Tuesday afternoon. Many others were still working on restoring security.
Because attackers can use the bug to steal information unnoticed, it is unclear how widely the bug has been exploited — although it has existed for about two years. On Github, a website where developers gather to share code, some were posting ways to use the bug to dump information from servers. The Finnish security researchers, working for Codenomicon, a security company in Saratoga, Calif., and security researchers at Google found the bug in a portion of the OpenSSL protocol — which encrypts sessions between consumer devices and websites — called the “heartbeat” because it pings messages back and forth. The researchers called the bug “Heartbleed.”
“It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”
Organizations were advised to download immediately the newest version of the OpenSSL protocol, which includes a fix, and quickly swap out their encryption keys. It also meant organizations needed to change their corporate passwords, log out users and advise them to change their own passwords.
Then companies began taking inventory of what they may have lost. But because the flaw would allow attackers to surreptitiously steal the keys that protect communication, user passwords and anything stored in the memory of a vulnerable web server, it was virtually impossible to assess whether damage had been done.
Security researchers say they found evidence that suggests attackers were aware of the bug. Researchers monitoring various “honey pots” — stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques — found evidence that attackers had used the Heartbleed bug to access the fake data.
Actual victims may be out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won’t know if you’ve been compromised,” Mr. Chartier said. “That’s what makes it so vicious.”
Mr. Chartier advised users to consider their passwords compromised and urged companies to deal with the issue quickly. “Companies need to get new encryption keys and users need to get new passwords,” he said.
Security researchers say it is most important for people to change passwords to sensitive accounts like their online banking, email, file storage and e-commerce accounts, after first making sure that the website involved has addressed the security gap.
By Tuesday afternoon, many organizations were heeding the warning. Companies across the web, including Yahoo, Amazon and PayPal, began notifying users of the bug and what was being done to mitigate it. Tumblr, the social network owned by Yahoo, said it had issued fixes and warned users to immediately swap out their passwords.
“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” the security team at Tumblr, which is part of Yahoo, wrote on its site. “This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage and banking, which may have been compromised by this bug.”