'Heartbleed' bug in web technology threatens user data - Telegraph.co.uk
"We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information, we were able to steal from ourselves secret keys, usernames and passwords, instant messages, emails and business critical documents and communication."
The US government's Department of Homeland Security has advised businesses to review their servers to see if they are using vulnerable versions of the OpenSSL software. Updates are available to address the vulnerability, and a number of large websites – including Yahoo, Facebook, Google and Amazon Web Services – are fixing the problem or have already fixed it.
Codenomicon said many large consumer sites don't have the problem because of their "conservative choice" of equipment and software. "Ironically, smaller and more progressive services, or those who have upgraded to the latest and best encryption, will be affected most," it said.
Nevertheless, hundreds of thousands of web and email servers around the world need to be patched as soon as possible, to protect them from attack by hackers who will rush to exploit the vulnerability now that it is publicly known, according to Chris Eng, vice president of research at software security firm Veracode.
Yahoo's Tumblr blogging service, for example, uses OpenSSL. In a blog post on Tuesday, the company said it had no evidence of any breach and had immediately implemented the fix.
"This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr's blog post read.
"This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."
A blog entry about the Heartbleed bug published by the Tor Project, which produces software that masks users' locations and browsing habits, reiterated this message:
"If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle," it said.
Security expert Bruce Schneier added: "Catastrophic is the right word. On the scale of 1 to 10, this is an 11."
