April 9, 2014
By Jim Finkle
BOSTON, April 9 - Security experts warn there is
little Internet users can do to protect themselves from the
recently uncovered "Heartbleed" Internet threat that exposes
data to hackers, at least not until vulnerable websites take
steps to secure their communications.
The Heartbleed bug in widely used web encryption technology
known as OpenSSL affects software on servers that host websites.
That software is not used on personal computers or mobile
devices, so even though the bug exposes passwords and other data
entered on those devices to hackers, it must be fixed by website
operators.
"There is nothing users can do to fix their computers. They
have to rely on the administrators of the websites they use,"
said Mikko Hypponen, chief research officer with security
software maker F-Secure of Helsinki.
The bug has potential to affect users of some of the world's
biggest websites because OpenSSL is used on about two-thirds of
all web servers and has gone unnoticed for about two years. It
could lead to the theft of passwords, confidential
communications, credit card numbers and other confidential data.
"On a scale of 1 to 11, it's about an 11," well-known
cryptologist Bruce Schneier said of the severity of the bug,
speaking on the sidelines of the Source Security conference
where he spoke on surveillance and security issues. "It's easy
to do, it's so damaging and it leaves no trace."
It is possible that hackers stole the keys that encrypt
traffic as it travels between web servers and Internet users,
though researchers have yet to find any evidence that this actually
happened, said Schneier, chief technology officer of Co3 Systems
Inc.
He called on Internet firms to revoke the certificates and
keys used to encrypt Internet traffic with web browsers
including Firefox, Microsoft Corp's Internet Explorer
and Google Inc's Chrome.
Once they do that, they should upgrade to a new version of
OpenSSL that is not vulnerable to the bug, create new
certificates and keys, then advise their users to change
passwords, which may have been stolen by hackers, Schneier said.
Yahoo Inc and Facebook Inc told Reuters on
Tuesday that they use OpenSSL and have already taken steps to
mitigate any impact to their users, though it was not
immediately clear if they had followed all of the steps
recommended by Schneier.
The finding of the Heartbleed vulnerability, by researchers
with Google and Codenomicon, a small security firm, prompted the
U.S. Department of Homeland Security to advise businesses on
Tuesday to review servers to see if they were using vulnerable
versions of OpenSSL.
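The server-side review that the Department of Homeland Security recommends above, and the first of Schneier's remediation steps (confirming the installed OpenSSL is one that is not vulnerable), both start from the same question: which OpenSSL build is this host running? The following triage helper is an added example and is not code from the article, from Reuters, or from the OpenSSL project. The affected version range it encodes (1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1, fixed in 1.0.1g) comes from the OpenSSL project's public advisory rather than from this article; the function name, the sample version strings and the output labels are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the article: classify an `openssl version` string
# as Heartbleed-vulnerable, patched, or from a branch that never had the bug.
# Version range is from the OpenSSL advisory (not this article); everything
# else here (function name, labels, sample strings) is assumed.

# heartbleed_status "VERSION_STRING"
#   VERSION_STRING is the output of `openssl version`, e.g.
#   "OpenSSL 1.0.1e 11 Feb 2013". Prints exactly one of:
#   vulnerable | patched | unaffected
heartbleed_status() {
    # The second whitespace-separated field is the version token,
    # e.g. 1.0.1e or 1.0.1e-fips on some vendor builds.
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1)          echo vulnerable ;;   # initial 1.0.1 release
        1.0.1[a-f]*)    echo vulnerable ;;   # 1.0.1a .. 1.0.1f (incl. -fips suffixes)
        1.0.2-beta1)    echo vulnerable ;;   # the one affected 1.0.2 pre-release
        1.0.1[g-z]*)    echo patched ;;      # 1.0.1g and later on the 1.0.1 branch
        *)              echo unaffected ;;   # 0.9.8, 1.0.0 and other branches lack the bug
    esac
}

# Stand-alone use: report on the OpenSSL binary on this host, if one exists.
if command -v openssl >/dev/null 2>&1; then
    echo "$(openssl version): $(heartbleed_status "$(openssl version)")"
fi
```

Treat "vulnerable" as "investigate", not as a verdict: Linux distributions routinely backport the fix without bumping the version token, so a package that still reports 1.0.1e may already carry the patch. Confirm with the package manager's changelog or `openssl version -a` build date before concluding either way, and remember that a patched library is only the first of the steps listed above; keys, certificates and user passwords issued while the bug was exposed still need to be replaced.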
Hypponen said computer users could change their account
passwords immediately, but they would have to do so again once
the operators of the websites they use notify them that those
sites were vulnerable and have finished cleaning up the mess.
"Take care of the passwords that are very important to you,"
he said. "Maybe change them now, maybe change them in a week.
And if you are worried about your credit cards, check your
credit card bills very closely."
(Reporting by Jim Finkle; Editing by Leslie Adler)