CyberScout

Secure Websites May Not Be So Secure


The green padlock that appears before a website address has long been an indicator of a website's secure connection. Not anymore.

Security experts have discovered a flaw in the software that provides extra protection for websites. Yahoo, Facebook, Google and Amazon are all working to fix the problem, which could render users' sensitive information—passwords, Social Security numbers, bank information—vulnerable.

The technology: The technology used to protect websites is known as OpenSSL. It provides encryption for an estimated 66 percent of all servers on the Internet. OpenSSL is an open source code library that is developed and maintained by a community of developers, not just a single company. Many users may be unfamiliar with all of this tech jargon, but they know to look for a secure connection by watching the prefix change from "http" to "https", with the "s" standing for "secure."

The bug: The flaw was discovered in the part of the OpenSSL protocol known as the "heartbeat," so called because it keeps an encrypted session between a consumer device and a website alive by pinging messages back and forth. Researchers dubbed the bug "Heartbleed."

The bug, which has existed for two years, makes it possible for attackers to recover up to 64 KB of memory from a server or client computer running a vulnerable OpenSSL. It lets hackers recover the Web server's private key, which allows them to decrypt and access all of the data in memory. Because the data in memory is constantly changing, the hackers have to repeatedly send commands to retrieve it in the hope of capturing sensitive data. (This has been likened to Russian roulette.)

There are no guarantees that hackers haven't already stolen private keys to decrypt the data in memory—even if servers are running the patched, latest released version of OpenSSL. The only way for companies to be certain is to revoke all keys after updating to the latest version of OpenSSL and reissue new keys.
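The mechanism above comes down to one missing length check. The following is an added example, not code from the CyberScout article or from OpenSSL: a small validator that applies the check a patched OpenSSL performs on a TLS heartbeat message, so a defender can see exactly which records must be dropped. The record layout follows RFC 6520; the helper names and sample bytes are constructed for illustration.

```python
# Added example, not from the CyberScout article: the bounds check that a
# patched OpenSSL performs on a TLS heartbeat message, written as a small
# validator a defender could run over captured heartbeat records.
# Wire format (RFC 6520): 1-byte type, 2-byte big-endian payload_length,
# the payload itself, then at least 16 bytes of random padding.
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3  # type (1) + payload_length (2)


def check_heartbeat(record: bytes) -> Tuple[bool, str]:
    """Return (ok, reason); ok is False when the record must be dropped unanswered."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return False, "record too short to hold a header and padding"
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return False, f"unknown heartbeat type {hb_type}"
    (payload_length,) = struct.unpack("!H", record[1:HEADER_LEN])
    available = len(record) - HEADER_LEN - MIN_PADDING
    # Heartbleed: vulnerable code trusted payload_length and copied that many
    # bytes of process memory into the reply. The fix is this one comparison:
    # the declared payload must fit inside the bytes actually received.
    if payload_length > available:
        return False, f"declared payload {payload_length} bytes, only {available} received"
    return True, "ok"


def heartbeat_record(hb_type: int, payload: bytes,
                     declared_length: Optional[int] = None) -> bytes:
    """Build a constructed sample record; declared_length overrides the true size."""
    length = len(payload) if declared_length is None else declared_length
    return bytes([hb_type]) + struct.pack("!H", length) + payload + bytes(MIN_PADDING)


if __name__ == "__main__":
    good = heartbeat_record(HEARTBEAT_REQUEST, b"ping")
    # Constructed mismatch: the header claims 16 KB while the body carries four bytes.
    bad = heartbeat_record(HEARTBEAT_REQUEST, b"ping", declared_length=16384)
    print(check_heartbeat(good))  # (True, 'ok')
    print(check_heartbeat(bad))   # (False, 'declared payload 16384 bytes, only 4 received')
```

A server that applies this check answers only with the bytes it actually received, which is why patched OpenSSL no longer leaks memory; the key revocation advice above still applies because the check says nothing about what was read before the patch.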

The impact: The scope of this is immense. An estimated two-thirds of the Internet's Web servers use OpenSSL to cryptographically prove their legitimacy and to protect passwords and other sensitive data from eavesdropping. Many sites are scrambling to correct the problem, but it may be too late for some users whose sensitive information already may have been exposed. Plus, users now face a dilemma: How do they know they can trust a website to be secure?

Protection tips for users:

•  Avoid transactions that involve sensitive data for a day or so. That includes online banking or other purchases. This may seem like overkill, but it will allow companies to correct the problem on their end.

•  Change your passwords, after a day or two. Immediately changing your passwords could provide the new password to a website that hasn't fixed the flaw. Wait for notification from websites—usually a post or an alert—that the flaw has been corrected. (Major companies such as Yahoo already have released such notices.) Then change your passwords.

•  Create strong passwords for all accounts, using numbers, uppercase and lowercase letters, and symbols.

•  Use different passwords for work and personal email accounts, bank accounts and online retailers. If a hacker cracks one password, he won’t have access to others.

•  Never use identifying information for a password. That includes the last four digits of your Social Security number, your maiden name, date of birth, middle name, child's name, pet's name or anything else easily discovered or guessed.

•  Check your credit reports early and often. Review your credit reports from the three reporting agencies—TransUnion, Experian and Equifax—twice a year. Visit annualcreditreport.com, the government-mandated source for free credit reports. Investigate suspicious activity and stay on top of it until the matter is resolved.

Finally, check with your providers to see if you are covered for identity management services. If you suspect you're a victim of identity theft or wish to proactively manage your identity, check with your insurance company, financial institution, or employee benefits provider. Many companies offer LifeStages™ Identity Management Services from CyberScout for low or no cost. To learn more, call 1-888-682-5911.