Dangerous Internet Security Flaw
A warning for anyone who logs onto the Internet. It may be time to change your passwords. A massive security breach called "Heartbleed" could put your personal information in jeopardy. An alarming lapse in Internet security has exposed millions of passwords, credit card numbers and other sensitive items of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery. The breakdown revealed this week affects the encryption technology that is supposed to protect online accounts for emails, instant messaging and a wide range of electronic commerce. Security researchers who uncovered the threat, known as “Heartbleed,” are particularly worried about the breach because it went undetected for more than two years.
The bug compromised web encryption technology used on many major websites. CNN reports that "many major websites including Google, Facebook, Yahoo and Amazon have said they've taken steps to secure their sites." Many other websites may also be impacted, ranging from social media, company, commerce and hobby sites to software download sites and even sites run by the government.
Internet security researchers say people should not rush to change their passwords until sites have confirmed they have already applied measures to address Heartbleed. That is probably the best advice for web users nervous about the reports of a potential vulnerability for email and other online accounts. Immediately changing passwords could feed a new password into a website that has not fixed the flaw, according to Mark Seiden, an independent computer security consultant.
Heartbleed could reveal anything that is currently being processed by a web server – including usernames, passwords and cryptographic keys being used inside the site. Those at risk include Deutsche Bank, Yahoo and its subsidiary sites Flickr and Tumblr, photo-sharing site Imgur, and the FBI. About half a million sites worldwide are revealed to be insecure. "Catastrophic is the right word," commented Bruce Schneier, an independent security expert. "On the scale of 1 to 10, this is an 11."
Yahoo was one of the sites worst affected by Heartbleed, but the firm has now fixed its main properties, including subsidiaries Flickr and Tumblr, and says it is "working to implement the fix across the rest of our sites". "We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data," a Yahoo spokesperson added. Tumblr, which is affected, issued a warning to its users on Tuesday night. Although the firm said it had "no evidence of any breach", and has now fixed the issue on its servers, it recommends users take action.
The bug exists in a piece of open source software called OpenSSL, which is meant to encrypt communications between a user's computer and a web server. But security researchers have no way to prove whether or not the flaw, which has existed since at least March 2012, has been exploited. "Risk to users exists until organisations have updated OpenSSL, acquired a new certificate, generated and deployed new SSL keys, and revoked old keys and certs," says Trey Ford, global security strategist at Rapid7. "Until this is done, attacks may still be able to steal cookies, sessions, passwords, and the key material required to masquerade as the website."
For websites, the fix-it process involves installing software patches on the computers in their data centers, then swapping out the confidential software key used to secure messages and transactions. The private key essentially shakes hands, digitally, with a public key. When they make an authenticated handshake — the signal of trust — the encrypted information is sent on its way. Swapping out the old private key for a new one is an extra step of caution, just in case the software flaw allowed cyber thieves to pilfer the private key. “There’s nothing users can do until the web services have made their sites secure,” Mr. Seiden said. Users will largely need to depend on individual sites to notify them about whether the flaw has been addressed. Many major web services, like Yahoo, have already released such notices.
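As an added illustration that is not part of the original article: a site operator can confirm that a replacement certificate really carries a new key pair, rather than the old key with a new expiry date, by comparing the public keys in the old and new certificates. The script below uses the `openssl` command-line tool; the file names and the `shop.example.test` name are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the article): check that a reissued certificate
# really carries a new key pair. File names and the CN are constructed.

# Print the SHA-256 of the public key embedded in a PEM certificate.
pubkey_fingerprint() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if the certificates carry different public keys, 1 if the
# replacement reuses the old key, 2 if either file cannot be parsed.
key_was_rotated() {
    old_fp=$(pubkey_fingerprint "$1") || return 2
    new_fp=$(pubkey_fingerprint "$2") || return 2
    [ "$old_fp" != "$new_fp" ]
}

# Build constructed sample data in directory $1: the pre-patch certificate,
# a reissue that reuses the old key, and a reissue on a freshly generated key.
make_demo_certs() {
    d=$1
    subj="/CN=shop.example.test"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/old.key" \
        -out "$d/old.crt" -subj "$subj" -days 30 2>/dev/null
    openssl req -x509 -new -key "$d/old.key" \
        -out "$d/reissued_same_key.crt" -subj "$subj" -days 30 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/new.key" \
        -out "$d/reissued_new_key.crt" -subj "$subj" -days 30 2>/dev/null
}

# Demo run over the constructed certificates.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for c in reissued_same_key.crt reissued_new_key.crt; do
    if key_was_rotated "$demo_dir/old.crt" "$demo_dir/$c"; then
        echo "$c: new key pair in use"
    else
        echo "$c: still uses the old key, treat it as exposed"
    fi
done
rm -rf "$demo_dir"
```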
People are warned, though, that changing their passwords right away could make the problem worse if the web server hasn't been updated to fix the flaw, says Mark Schloesser, a security researcher with Rapid7, based in Atlanta, Georgia. Doing so "could even increase the chance of somebody getting the new password through the vulnerability," Schloesser said, because logging in to an insecure server to change a password could reveal both the old and new passwords to an attacker. Rapid7's Schloesser recommended that users check whether a specific site remains vulnerable to Heartbleed with a tool put together by developer Filippo Valsorda.
The Heartbleed scare, even if it doesn’t turn out to hurt many consumers, is a reminder of the importance of updating passwords. Changing passwords occasionally is a good idea, as is using a different password for each site. If passwords are lost because of a security breach at a company, identity thieves have a far greater opportunity for trouble.