Thursday 10 April 2014

Breaking: Internet users told to change ALL passwords in security alert over 'catastrophic' Heartbleed bug

Online security breach is described as 'catastrophic'
Alert is result of internet bug Heartbleed being uncovered
Heartbleed is able to bypass websites' security measures to access passwords and personal information
Internet users have been warned to change all their computer and phone passwords following what could be a ‘catastrophic’ security breach.

Major technology firms have urged the public to immediately update their online security.

The alert is the result of the discovery of an internet bug called ‘Heartbleed’, which is able to bypass computer security settings.

LastPass Heartbleed Checker warns if a website may be at risk. It also reveals websites that aren't affected
HOW TO BEAT THE BUG

If a password is in any dictionary in any language then it will take just three minutes to crack, warned computer expert Tony McDowell.

The worst passwords are the likes of ‘password’, ‘123456’, ‘qwerty’, or your child’s name. Using the same password for every site can leave you even more vulnerable to hackers, he added.

His advice is to use a phrase rather than a word. For example, use ‘nameisabella’ rather than just ‘Isabella’ – and use a mixture of letters and numbers.

A password of ‘name!saBe1la’ would take a year to crack, said Mr McDowell, managing director of Encription Ltd.

‘Most hackers give up after 24 hours unless it is something they really want to gain access to,’ he added.

WHICH MAJOR SITES ARE AT RISK?

Potentially vulnerable sites:

Facebook, Twitter, Tumblr, Instagram, Google, Gmail, Lloyds TSB, Nationwide, Santander

Safe sites:

Bing, Yahoo, Flickr, LastPass, DuckDuck Go, Natwest, GitHub

The tool is a guide to affected services; it is not a definitive list.

Sites listed as vulnerable may use unreported servers, meaning their status can't be officially verified.

As a result, personal information such as passwords and credit card details has been accessible.

Heartbleed, so called because it creates a ‘bleeding’ leak of security, is a flaw in OpenSSL, the software used by the majority of websites to keep data secure.

The programme works by encrypting data – such as emails, instant messages, bank details or passwords – making it look like nonsense to hackers.

When a line of communication is secure and information encrypted, the user sees a padlock on the page. While the software is in use, one computer may send a ‘heartbeat’ – a small packet of data – to check there is still another computer at the other end.

However, a flaw in the programming meant it was possible to trick the computer at the other end by sending it a packet of data that looked like one of these heartbeats. This made it possible for hackers to impersonate the website and steal the encryption keys, revealing the data being sent.
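To make the mechanism described above concrete, here is an added example that is not part of the article: a minimal parser for a TLS heartbeat request as laid out in RFC 6520 (a one-byte type, a two-byte declared payload length, the payload, then at least 16 bytes of padding), with the bounds check that the OpenSSL fix introduced. A peer that trusts the declared length without comparing it to the number of bytes actually received is the flaw; a conforming parser discards such a message silently. The sample messages are constructed for the example, not captured traffic.

```python
"""
Added example (not the article's or OpenSSL's code): parse an RFC 6520
heartbeat request and apply the bounds check that Heartbleed lacked.

Message layout:
    type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1   # message type value from RFC 6520
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 3          # type byte + 2-byte length field


def parse_heartbeat_request(record: bytes) -> Optional[bytes]:
    """Return the payload of a well-formed heartbeat request, else None.

    None means "discard silently", which is what RFC 6520 prescribes for a
    request whose declared length does not fit in the received record.
    """
    if len(record) < HEADER_LEN:
        return None
    msg_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    # The fix: header + declared payload + mandatory padding must fit inside
    # what was actually received. Without this check the responder would
    # copy payload_length bytes from wherever its buffer happened to end.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    return record[HEADER_LEN:HEADER_LEN + payload_length]


def build_heartbeat_request(payload: bytes) -> bytes:
    """Encode a conforming request: header, payload, 16 bytes of zero padding."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, len(payload))
            + payload + b"\x00" * MIN_PADDING)


# Constructed sample inputs for the example.
GOOD_REQUEST = build_heartbeat_request(b"ping")
# Same 4-byte body, but the header claims 65535 payload bytes that were never sent.
OVERSTATED_REQUEST = b"\x01\xff\xff" + b"ping" + b"\x00" * MIN_PADDING


def check_samples() -> dict:
    """Run both samples through the parser; the overstated one must be discarded."""
    return {
        "good": parse_heartbeat_request(GOOD_REQUEST),
        "overstated": parse_heartbeat_request(OVERSTATED_REQUEST),
    }


if __name__ == "__main__":
    for name, result in check_samples().items():
        status = "discarded" if result is None else f"accepted payload {result!r}"
        print(f"{name}: {status}")
```

The single comparison in `parse_heartbeat_request` is the whole of the server-side fix: the responder only ever echoes bytes it actually received, so a mismatched header can no longer cause it to read past the message into whatever else is in memory.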

The bug was found simultaneously by a Google security researcher and a small Finnish security firm named Codenomicon and disclosed on Monday night.

Many companies have installed a ‘patch’ to fix the flaw, but there are still many that are vulnerable as service providers must install the update.

Furthermore, it is not known whether hackers had used it before the bug came to light – it went undiscovered for two years – as doing so would not leave a trail.

WHAT IS OPEN SSL?

OpenSSL is open-source software that is widely used to encrypt web communications.

It is used to protect websites, instant messaging, email servers and other communications.

It is also used to protect credit card details on select services.

Research by analytics firm Netcraft found almost 500,000 websites could be affected.

One of the worst affected sites was Yahoo!, who posted a warning on their blogging site Tumblr to say: ‘The little lock icon we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible.’

A spokesman for Codenomicon said: ‘If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested.

‘In that sense it’s a good idea to change the passwords on all the updated web portals.’

However, researcher Mark Schloesser said changing a password on websites that have not fixed the bug could reveal ‘both the old and new passwords’ to an attacker.

When contacted by the Mail last night, Britain’s major banks would not comment on whether passwords should be changed.

HSBC said they were ‘monitoring’ the situation and a Lloyds spokesman said they would not comment on security issues.

HOW DANGEROUS IS IT?

The 'Heartbleed' bug puts encrypted communications at risk
The Heartbleed bug lets anyone on the web read the memory of the systems protected by vulnerable versions of the OpenSSL software.

It compromises secret keys used to identify the service providers and to encrypt web traffic.

This includes the names and passwords of the users and the actual content, such as credit card numbers.

Attackers can 'eavesdrop' on communications between servers, steal data directly from them, and use the information to impersonate services and users on other sites or platforms.

James Lyne, global head of research at security firm Sophos, told MailOnline: 'This fault undermines the fundamental trust on the internet for anyone running the vulnerable software and it is widely integrated into the technology we all use every day.

'While the fault has now been fixed, providers must apply it manually, so many still are vulnerable.

'Worse still, the defect was in the code for over two years before being discovered by security researchers - attackers could have discovered this at any time during that period and retrieved large volumes of data without anyone knowing.

'At this point the best thing for consumers to do is to assume their passwords and alike have been leaked. They may not have been, but since it's very hard to actually tell retrospectively, it is better to be safe than sorry.

'As providers rush to patch [the flaw], consumers should apply typical IT security best practice: ensure you change passwords - once you know the issue has been fixed by your provider; update your computers; and don't use the same password across multiple sites or services.

'This is not the first defect of its kind and it certainly won't be the last, but it is one of the more serious faults we've seen in recent Internet history.'

daily mail
