Bug hits Internet security broadly

Meant as guard, software flawed

SAN FRANCISCO - The discovery of a flaw in software that was supposed to provide extra protection for thousands of websites has experts scrambling to understand how vulnerable the sites are.

On Tuesday, Tumblr, owned by Yahoo Inc., became the largest website to disclose that it had been hit by the “Heartbleed Bug” and urged users to change not just the password for its site but for all others as well.

Signaling just how much uncertainty and confusion surrounds the glitch, security experts warned that such a gesture might actually be useless because if a site has not fixed the problem, hackers could just as easily steal the new password.

Although security analysts wouldn’t go as far as telling users to stay off the Internet completely, they said users should avoid doing anything sensitive like online banking. If it’s necessary to go online, check to see whether a service has said whether they are affected or whether they have fixed the problem.

“The scope of this is immense,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, a Salt Lake City cybersecurity company. “And the consequences are still scary. I’ve talked about this like a ‘Mad Max’ moment. It’s a bit of anarchy right now because we don’t know right now who has the keys and certificates on the Internet right now.”

The Heartbleed Bug is a vulnerability in OpenSSL, a technology used to provide encryption of an estimated 66 percent of all servers on the public Internet. OpenSSL is an open-source code developed and maintained by a community of developers, rather than by a single company.

Although such jargon is unfamiliar to average users, most people online probably have seen the green padlock icon in the address bar of their browser, followed by “https” that indicates that the OpenSSL added security has been enabled.

The vulnerability was discovered separately last week by Neel Mehta, a security researcher at Google Inc., and a team of engineers at Codenomicon, a security website that has since created a site with information about Heartbleed.

“Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it,” said Jonathan Sander, vice president of research and technology for Stealthbits Technologies, a cyber security firm in Hawthorne, N.J.

It appears the bug was introduced into OpenSSL by a programming mistake that got pushed out as websites around the world updated their version of OpenSSL.

After the discovery last week, news spread quickly around the Web as the implications became clearer. As Tumblr made its announcement, security experts found numerous “exploits” or simple pieces of software widely available online that hackers could use to attack sites left vulnerable by Heartbleed.

By running such exploits, a hacker could in just a few seconds download countless emails, passwords, user IDs and much other personal information.

“It’s a very simple script,” said Chris Eng, vice president of research at application security testing firm Veracode. “And there’s still a lot of websites out there that are vulnerable.”

An updated version of OpenSSL has been issued, and sites can use that to fix the bug. In addition to updating OpenSSL, sites will need to update many pieces of their security protocols.

But Internet users now face a dilemma: How do they know they can trust a site? Experts worry that hackers can use the security information they gathered to create fake copies of real sites that will induce users to disclose more information.

“Avoid things like online banking and avoid sensitive sites if you’re not sure,” said Andrew Storms, director of DevOps at CloudPassage. “Some people will see it as overkill. But I think that’s the simplest guidance.”

Business, Pages 25 on 04/10/2014

Upcoming Events