
Heartbleed bug attacks thousands of websites

Photo by: Will Gentry

 

It was recently revealed that millions of credit card numbers, passwords and private databanks online have been vulnerable for years due to the Heartbleed bug.

“Since the initial news of Heartbleed last week, the big question that remained was around the ease of exploiting this vulnerability,” Fred Kost, vice president of security solutions at security tools firm Ixia, said in the article “Heartbleed may have led to compromises at Mumsnet and Canada Revenue Agency,” published in Infosecurity Magazine. “With the latest news, the Heartbleed vulnerability went from being theoretical to very real, as attackers have been able to extract a private key from memory, further putting 1.5 million users at risk.”

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic software library. This vulnerability makes it possible to steal information that is normally protected by the SSL/TLS software.

Since the bug was discovered last week, the severity of the potential breaches continues to rise. According to Jason Healey, a cyber security scholar at the Washington-based Atlantic Council, the hackers also created fake websites matching original ones in order to gain access to passwords.

Heartbleed has affected over 500,000 websites, feeding a growing concern that everyday websites like Gmail and Facebook could have been compromised.

“Imagine if we found out all at once that all the doors everybody uses are all vulnerable – they can all be broken into,” Healey said to the Washington Post. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”

In the days immediately following the Heartbleed discovery, websites hurried to fix the bug. The patches were just temporary, however. The latest information suggests sites are still vulnerable – the hackers could have stolen the valid security keys. The next step is for all the affected sites to revoke their security certificates and issue new ones.

Junior Information Systems major Mitch Aufiero gave his recommendation on how websites can better expose their vulnerabilities so they can see what needs to be fixed.

“I know a lot of softwares pay people money to attempt to hack them,” Aufiero said. “Maybe websites should pay people to hack into their website and then let them know how they did it.”

Users can visit the website filippo.io and take the Heartbleed test to determine whether a website is still vulnerable or whether the site has updated its security and it is safe for users to update their passwords.

“I strongly recommend passwords that are eight characters or longer,” Aufiero said.

Some experts hypothesize that the threat could have existed unnoticed for up to two years, and that hackers have been exploiting data the entire time.

 
