April 11, 2014
Popular websites have been scrambling to update software and Internet users have been encouraged to change their passwords following the news of an encryption flaw known as the Heartbleed bug, which is already being categorized as one of the biggest security threats the Internet has ever experienced. The bug has affected a number of websites and services (although the extent is not clear), and may have exposed account info including passwords and credit card numbers going back two years. UPDATE: Cisco and Juniper said yesterday that some of their networking products contain the bug, which means sensitive info may have been obtained while moving across corporate networks, home networks and the Internet.
“The hole in the Internet was supposed to be fixed quietly,” reports The Wall Street Journal. “Researchers at Google Inc. who found the bug told the team in charge of the code, OpenSSL Project, last week, said Mark Cox, an OpenSSL manager. OpenSSL then planned to tell trusted website operators how to fix the bug before making it public Wednesday. Some big sites, including Facebook and Akamai Technologies Inc., did get a heads up, people familiar with the research said.”
But fearing that the security hole had leaked to hackers, managers disclosed it on Monday. This reportedly caught companies including Google and Yahoo unprepared.
4/11 UPDATE: “Many websites — including those run by Yahoo Inc., Amazon.com Inc. and Netflix Inc. — quickly fixed the hole after it was disclosed Monday. But Cisco and Juniper said the security flaw affects routers, switches and firewalls often used by businesses,” reports WSJ in a related article. “These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said.”
The Heartbleed bug is said to have affected approximately two-thirds of Internet servers on Monday. The bug is believed to have affected OpenSSL versions released in the past two years, meaning hackers can potentially access previously encrypted data from vulnerable servers.
“The episode illustrates the delicate task of managing the Internet’s plumbing to keep it safe for banks, social networks and retailers,” notes WSJ. “When companies find flaws, they have to decide how to tell as many people as possible without tipping off hackers.”
Users of sites and services such as Facebook, Gmail and Yahoo’s Tumblr have been advised to change their passwords. Just weeks before the filing deadline, Canada’s tax agency closed its filing website as a precaution. Websites for Netflix and Airbnb were reportedly vulnerable for a time, but have since updated their software. The Four Seasons hotel chain site was also listed as vulnerable, although it is unclear if updates have been completed.
“It’s easily the worst vulnerability since mass-adoption of the Internet,” said Matthew Prince, CEO of San Francisco cybersecurity firm CloudFlare. “It’s going to be really bad.”
Mashable has posted a list of social, email, banking and commerce sites that are vulnerable. According to the list, which is being updated regularly, it is recommended that you change your password to the following sites and services as soon as possible:
- Amazon Web Services
- Intuit (TurboTax)
- Yahoo Mail