Tuesday, April 15, 2014

As of April 11, 2014

Security researchers have uncovered a fatal flaw in a key safety feature for surfing the Web -- the one that keeps your email, banking, shopping, passwords and communications private.

Here's what you need to know.


It's called the Heartbleed bug, and it is essentially an information leak.

It starts with a hole in the software that the vast majority of websites on the Internet use to turn your personal information into strings of random numbers and letters. If you see a padlock image in the address bar, there's a good chance that site is using the encryption software that was impacted by the Heartbleed bug.

"It's probably the worst bug the Internet has ever seen," said Matthew Prince, CEO of website-protecting service CloudFlare. "If a week from now we hear criminals spoofed a massive number of accounts at financial institutions, it won't surprise me."


For more than two years now, Heartbleed has allowed outsiders to peek into the personal information that was supposed to be protected from snoopers.

The bug lies in a feature that computers use to check whether the other end of a connection is still alive, known as the "heartbeat extension." A malformed heartbeat request can force a computer to divulge secret information stored in its memory.
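Why a malformed heartbeat leaks memory, as an added illustration that is not from the article or from OpenSSL's source: a toy C model of a heartbeat handler that trusts the peer-supplied payload length (the bug) beside one that checks it against the record actually received (the fix). The function names, the buffer sizes and the "secret" are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Toy model of a TLS heartbeat message: 1-byte type, 2-byte big-endian
 * payload_length, payload, 16 bytes of padding. Hypothetical names, not OpenSSL. */
#define HB_HDR 3
#define HB_PAD 16

static size_t hb_claimed_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

static int hb_build_reply(const uint8_t *rec, size_t n, uint8_t *out) {
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];        /* type = heartbeat_response */
    memcpy(out + HB_HDR, rec + HB_HDR, n);                /* echo n bytes of "payload" */
    memset(out + HB_HDR + n, 0, HB_PAD);
    return (int)(HB_HDR + n + HB_PAD);
}

/* Vulnerable: trusts the peer's payload_length and never compares it with the
 * length actually received, so the echo reads past the record into whatever
 * follows it in memory. Returns reply length or -1. */
int hb_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                                        /* the bug: never consulted */
    size_t n = hb_claimed_len(rec);
    if (HB_HDR + n + HB_PAD > out_cap) return -1;
    return hb_build_reply(rec, n, out);
}

/* Fixed: the claimed payload must fit inside the record that arrived; otherwise
 * the message is dropped with no reply. */
int hb_reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PAD) return -1;
    size_t n = hb_claimed_len(rec);
    if (HB_HDR + n + HB_PAD > rec_len) return -1;         /* the missing bounds check */
    if (HB_HDR + n + HB_PAD > out_cap) return -1;
    return hb_build_reply(rec, n, out);
}

/* Constructed scenario: a 20-byte record (payload "A" plus padding) that claims a
 * 64-byte payload, with a "secret" placed right after it in the same buffer.
 * Returns how many secret bytes the vulnerable reply contains; *fixed_rc gets
 * the fixed handler's return value. */
int hb_demo_leak(int *fixed_rc) {
    static const char secret[] = "SESSION-KEY-0123";      /* constructed */
    uint8_t region[128] = {0}, out[256];
    size_t rec_len = HB_HDR + 1 + HB_PAD;
    region[0] = 1; region[1] = 0; region[2] = 64; region[3] = 'A';
    memcpy(region + rec_len, secret, sizeof secret - 1);
    *fixed_rc = hb_reply_fixed(region, rec_len, out, sizeof out);
    if (hb_reply_vulnerable(region, rec_len, out, sizeof out) < 0) return 0;
    /* reply byte k mirrors region byte k, so out[rec_len..] holds the secret */
    return memcmp(out + rec_len, secret, sizeof secret - 1) == 0 ? (int)(sizeof secret - 1) : 0;
}
```

The only difference between the two handlers is the one comparison of the claimed length against the received length, which is why the leak left no trace: the reply was a perfectly well-formed heartbeat response.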

At the very least, Heartbleed exposes your usernames and passwords. It also compromises the session keys that keep you logged into a website, allowing an outsider to pose as you -- no passwords required. And it allows attackers to pose as a real website and dupe you into giving up your personal details.

Making matters worse, the Heartbleed bug leaves no traces -- you may never know when or if you've been hacked.

"You could watch traffic go back and forth," said Wayne Jackson III, CEO of open source software company Sonatype. "This is a big deal. When you think about the consequences of having visibility into Amazon and Yahoo, that's pretty scary."


Most major websites are targets, because they rely on this program. A survey conducted by W3Techs shows that 81% of sites run on the web server programs Apache and Nginx, and both are vulnerable to the Heartbleed bug.

Many popular sites, including Amazon (AMZN, Fortune 500), Google (GOOG, Fortune 500), Yahoo (YHOO, Fortune 500) and OKCupid, use those encryption tools. Those four sites have updated their websites with a fix for the bug, but many others have not patched their sites yet.


Log out of all websites: email, social media, banking -- everything. But beyond that, it's a waiting game. The websites themselves need to update to a new version of the encryption software to fix the bug. That's why changing all your passwords right away isn't a good idea. Websites are all racing to fix the issue, and if you act too quickly, you might change your password on a site that is still vulnerable.

Italian cryptographer Filippo Valsorda launched the "Heartbleed Test," which purports to tell you if websites are still compromised.

Passomatic, a startup that lets you change several passwords at once, said all its partners have made the fix. Among them are eBay (EBAY, Fortune 500), Expedia (EXPE), Facebook (FB, Fortune 500), Instagram, Netflix (NFLX), Reddit, Wikipedia and Yelp (YELP).


Undoing the damage that has potentially already been done won't be easy. Websites are patching the hole, but the job won't be complete until all websites purge all the old keys they've been using to encrypt data.

That means hackers and potential government spies who were secretly aware of this flaw would have gotten access to special keys they can use repeatedly until a website revokes them. And that's where it gets complicated. CloudFlare's Prince said the encryption system was never meant to dispose of lots of keys at once.

"There will be servers that still have this for years," he said.



The Internet bug Heartbleed doesn't just affect websites. It also has shown up in the gadgets we use to connect to the Internet.

Tech giants Cisco (CSCO, Fortune 500) and Juniper (JNPR) have identified about two dozen networking devices affected by Heartbleed, including servers, routers, switches, phones and video cameras used by small and large businesses everywhere. The companies are also reviewing dozens more devices to determine whether they're impacted by the bug as well.

That means for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails and entire sessions at your computer or iPhone. You also could have been compromised if you logged into work from home remotely. And you'll probably never know if you were hacked.

"That's why this is being dubbed the biggest exploit of the last 12 years. It's so big and encompassing," said Sam Bowling, a senior infrastructure engineer at the web hosting service Singlehop.

What does exposure actually mean? What could be hacked? Here is a rundown, provided by researchers at security provider SilverSky and Singlehop.

Work phone: At least four types of Cisco IP phones were affected. If the phones are not behind a protective network firewall, someone could use Heartbleed to tap into your phone's memory banks. That would yield audio snippets of your conversation, your voicemail password and call log.

Company video conference: Some versions of Cisco's WebEx service are vulnerable. Hackers could grab images on the shared screen, audio and video too.

VPN: Some versions of Juniper's virtual private network service are compromised. If anyone tapped in, they could grab whatever is on your computer's memory at the time. That includes entire sessions on email, banking, social media -- you name it.

Smartphone: To let employees access work files from their iPhones and Android devices, some companies opt for Cisco's AnyConnect Secure Mobility Client app for iOS, which was impacted by Heartbleed. An outsider could have seen whatever you accessed with that app.

Switches: One type of Cisco software that runs Internet switches is at risk. They're notoriously hard to access, but they could let an outsider intercept traffic coming over the network.

Cisco, Juniper and Apple (AAPL, Fortune 500) did not respond to questions from CNNMoney. But on its site, Juniper told customers, "We are working around the clock to provide fixed versions of code for our affected products."

But fixing the bug on those devices won't be easy. Cisco and Juniper can't just press a button and immediately replace the vulnerable software running on the machines. The onus is on each person or company using those devices. And that's where the problem lies.

"Many small and medium businesses aren't likely to ever upgrade, and they're going to have a tremendous amount of exposure for a very long time," said John Viega, a Web security expert and an executive at security provider SilverSky.

That is why changing passwords isn't necessarily enough to overcome the potential damage caused by the Heartbleed bug. Even if a website isn't vulnerable when communicating with its customers, the company's servers might still be exposed.

The problem doesn't seem to be widespread on the consumer side, though. Linksys and D-Link make many of the routers we use to connect to the Web from home, and they say none of their devices are affected. However, Netgear (NTGR) has not posted updates or returned requests for comment.



Websites are racing to patch the Heartbleed bug, the worst security hole the Internet has ever seen.

As sites fix the bug on their end, it's time for you to change your passwords. The Heartbleed bug allowed information leaks from a key safety feature that is supposed to keep your online communication private -- email, banking, shopping, and passwords.

Don't change all your passwords yet, though. If a company hasn't yet updated its site, you still can't connect safely. A new password would be compromised too.

Many companies are not informing their customers of the danger -- or asking them to update their log-in credentials. So, here's a handy password list. It'll be updated as companies respond to CNN's questions.

Change these passwords now (they were patched)

Google, YouTube and Gmail
Yahoo, Yahoo Mail, Tumblr, Flickr

Don't worry about these (they don't use the affected software, or ran a different version)

Apple, iCloud and iTunes
AOL and Mapquest
Bank of America
Capital One Bank
Charles Schwab
Chase Bank
Healthcare.gov (Health Department said "security protections prevent this vulnerability from occurring.")
Microsoft, Hotmail and Outlook
PNC Bank
TD Ameritrade
U.S. Bank
Wells Fargo

Don't change these passwords yet (still unclear, no response)

American Express


