Heartbleed bug found in OpenSSL software prompts tech companies to urge passwords reset

by **alleyrose** Thu Apr 10, 2014 8:04 am

Several technology companies are urging people to change all of their passwords after the discovery of a major security flaw.

Computer security specialists says a bug dubbed Heartbleed has been discovered in online data-scrambling software and hackers can use it to their advantage.

The Yahoo blogging platform, Tumblr, has advised the public to "change passwords everywhere - especially on high-security services like email, file storage and banking".

Cyber-defence specialists at Fox-IT say the bug found in OpenSSL encryption software lets attackers illicitly retrieve passwords and other information from working memory on computer servers.

OpenSSL is used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.

"There is no limit on the number of attacks that can be performed," Fox-IT said in a blog post that listed steps business IT handlers can take to thwart incursions.
Information considered at risk includes source codes, credit card numbers, passwords and "keys" that could be used to impersonate websites or unlock encrypted data.
"These are the crown jewels, the encryption keys themselves," said a heartbleed.com website devoted to details of the vulnerability.

"Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will."

Josh Taylor from ZDNet Australia says changing passwords will not make any difference unless the server or companies who have been exploited have fixed the problem.

"A lot of the big companies have now patched the exploit, but others haven't. So changing your password is pointless if the hole is still there," he said.

"The problem is that lots of these companies don't know they have been exploited. It's best just to assume that you have been.

"This bug has been sitting on a whole bunch of servers for many years and has only now been discovered."

Websites take action
Security researchers have reported being able to dig out Yahoo password information by taking advantage of the bug.

'We are all vulnerable to software bugs

Heartbleed bug found in OpenSSL software prompts tech companies to urge passwords reset 340x180computer-custom-image-data

Heartbleed bug found in OpenSSL software prompts tech companies to urge passwords reset 340x180computer-custom-image-data

Yahoo has released a statement saying it has fixed the problem at its main online properties.
Facebook also says it has taken steps to mitigate any impact to users.

Some experts have called on internet firms to revoke the certificates and keys used to encrypt internet traffic with web browsers including Firefox, Internet Explorer and Google Chrome.
"There is nothing users can do to fix their computers," Mikko Hypponen, chief research officer with security software maker F-Secure of Helsinki, said.

"They have to rely on the administrators of the websites they use."

Fox-IT estimates the vulnerability has existed for about two years, since the version of OpenSSL at issue was released.

OpenSSL is used by more than half of all websites, but not all versions have the vulnerability, according to heartbleed.com.

The US Department of Homeland Security has advised businesses to review servers to see if they are using vulnerable versions of OpenSSL.