http://news.yahoo.com/passwords-vulnerable-security-flaw-found-222708914.html

Passwords vulnerable after security flaw found
 
By ANICK JESDANUN
6 hours ago
NEW YORK (AP) — Passwords, credit cards and other sensitive data are at risk 
after security researchers discovered a problem with an encryption technology 
used to securely transmit email, e-commerce transactions, social networking 
posts and other Web traffic.
Security researchers say the threat, known as Heartbleed, is serious, partly 
because it remained undiscovered for more than two years. Attackers can exploit 
the vulnerability without leaving any trace, so anything sent during that time 
has potentially been compromised. It's not known, though, whether anyone has 
actually used it to conduct an attack.
Researchers are advising people to change all of their passwords.
The flaw was discovered independently in recent days by researchers at Google 
Inc. and the Finnish security firm Codenomicon.
The flaw involves SSL/TLS, an encryption technology marked by the small, closed 
padlock and "https:" on Web browsers to signify that traffic is secure. With the 
Heartbleed flaw, traffic was subject to snooping even if the padlock had been 
closed.
The problem affects only the implementation of SSL/TLS known as OpenSSL, but 
that happens to be one of the most common on the Internet.
Researchers at Codenomicon say that OpenSSL is used by two of the most widely 
used Web server programs, Apache and nginx. That means many websites 
potentially have this security flaw. OpenSSL is also used to secure email, 
chats and virtual private networks, which employees use to connect securely 
with corporate networks.
Despite the worries, Codenomicon said many large consumer sites don't have the 
problem because of their "conservative choice" of equipment and software. 
"Ironically smaller and more progressive services or those who have upgraded to 
(the) latest and best encryption will be affected most," the security firm 
added.
A fix came out Monday, but affected websites and service providers must install 
the update.
Yahoo's Tumblr blogging service uses OpenSSL. In a blog post Tuesday, officials 
at the service said they had no evidence of any breach and had immediately 
implemented the fix.
"But this still means that the little lock icon (HTTPS) we all trusted to keep 
our passwords, personal emails, and credit cards safe, was actually making all 
that private information accessible to anyone who knew about the exploit," 
Tumblr's blog post read. "This might be a good day to call in sick and take 
some time to change your passwords everywhere — especially your high-security 
services like email, file storage, and banking, which may have been compromised 
by this bug."
Yahoo Inc. said its other services, including email, Flickr and search, also 
have the vulnerability. The company said some of the systems have already been 
fixed, while work is being done on the rest of Yahoo's websites.
The company reiterated its standard recommendation for people to change 
passwords regularly and to add a backup mobile number to the account. That 
number can be used to verify a user's identity if there are problems accessing 
the account because of hacking.
___
AP Technology Writer Michael Liedtke in San Francisco contributed to this 
report.