Flaw Found in Key Method for Protecting Data on the Internet

BBW

Administrator Emeritus
Jul 7, 2010
betwixt and between
BB
What do you all know about this that I've just read on the NY Times April 8th, 2014 @ 5:08PM in an article written by Nicole Perlroth in the Bits blog: http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/?module=BlogPost-Title&version=Blog%20Main&contentCollection=Security&action=Click&pgtype=Blogs&region=Body

The tiny padlock next to web addresses that promised to protect our most sensitive information — passwords, stored files, bank details, even Social Security numbers — is broken.

A flaw has been discovered in one of the Internet’s key encryption methods, potentially forcing a wide swath of websites to swap out the virtual keys that generate private connections between the sites and their customers.

On Tuesday afternoon, many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.

The vulnerability involves a serious bug in OpenSSL, the technology that powers encryption for two-thirds of web servers. It was revealed Monday by a team of Finnish security researchers who work for Codenomicon, a security company in Saratoga, Calif., and two security engineers at Google.

Researchers are calling the bug “Heartbleed” because it affects the “heartbeat” portion of the OpenSSL protocol, which pings messages back and forth. It can and has been exploited by attackers.

The bug allows attackers to access the memory on any web server running OpenSSL and take all sorts of information...
 

BBW

Administrator Emeritus
Jul 7, 2010
betwixt and between
BB
Yeah, yeah - I hear you both loud and clear - and it would be perfect for NewCameraNews!

That said, I'm not exactly clear what it all means.
 

olli

Super Moderator Emeritus
Sep 28, 2010
Sofia, Bulgaria
olli
Seems odd that we haven't heard a lot more about it if it's that big a deal. I would have expected banks and financial sites to be on this like a shot but I've heard nothing. Also, I don't understand why Yahoo would issue an alert for Tumblr but not for Yahoo. And, as a Tumblr user, I've heard nothing from them.
 

BBW

Administrator Emeritus
Jul 7, 2010
betwixt and between
BB
At the moment it is on the front page of the NY Times this morning updated: http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/?_php=true&_type=blogs&hp&_r=0

It has happened to quite a few companies.

Updated | A flaw has been discovered in one of the Internet’s key security methods, potentially forcing a wide swath of websites to make changes to protect the security of consumers.

The problem was first discovered by a team of Finnish security experts and researchers at Google last week and disclosed on Monday. By Tuesday afternoon, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it.

Researchers were still looking at the impact on consumers but warned it could be significant. Users’ most sensitive information — passwords, stored files, bank details, even Social Security numbers — could be vulnerable because of the flaw...

...The extent of the vulnerability was unclear. Up to two-thirds of websites rely on the affected technology, called OpenSSL. But some organizations appeared to have had advance notice of the issue and had already fixed the problem by Tuesday afternoon. Many others were still working on restoring security.

...By Tuesday afternoon, many organizations were heeding the warning. Companies across the web, including Yahoo, Amazon and PayPal, began notifying users of the bug and what was being done to mitigate it. Tumblr, the social network owned by Yahoo, said it had issued fixes and warned users to immediately swap out their passwords.

“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” the security team at Tumblr, which is part of Yahoo, wrote on its site. “This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage and banking, which may have been compromised by this bug.”
 

john m flores

All-Pro
Aug 13, 2012
From the sounds of it, changing passwords will only help if:

A-The site in question has already been exploited and your password already taken
B-The site in question has fixed the flaw

Modern life is so hard! I miss the good ole days of using the Dewey Decimal System, microfilm, and phonebooks to get information.
 
  • Like
Reactions: BBW

BBW

Administrator Emeritus
Jul 7, 2010
betwixt and between
BB
Yes, but are you old enough to remember those days John??? I have to admit that I hated microfilm and microfiche or whatever the heck it was...

I often consider getting rid of all Internet based transactions, however it is difficult in these times.
 

mattia

Regular
Dec 20, 2013
Yes, but are you old enough to remember those days John??? I have to admit that I hated microfilm and microfiche or whatever the heck it was...

I often consider getting rid of all Internet based transactions, however it is difficult in these times.
I'm 34, and I still remember microfiche, the DDS and phone books.
 
  • Like
Reactions: BBW

grebeman

Old Codgers Group
Luke, I've only got to glance to my right and there's one standing on a sideboard. It was used a few times when I lived more rurally than I do now. My Uncle and Aunt used there's all the time since they had no electricity supply to their property, so sort of is the answer to your question.

Until I was 13 years old I lived in a house with no electricity supply, but we did have gas, so I did my homework by gas lamp.

Barrie
 

stillshunter

Super Moderator Emeritus
Nov 5, 2010
Down Under
Mark
Hmmm…I regret how fragile our society and our individual lives have become. What would happen to the first world after two weeks without an electricity supply? Just two weeks? :hmmm:

Putting the physicality to one side, I read an excellent book recently called The Shallows: How the Internet is changing the way we think, read and remember. Very thought-provoking about how the breadth of our knowledge is gained only at the expense of its depth.

Putting my Luddite tendencies to another side :blush: I use internet banking but I do so with great apprehension. I do not trust anything online - and operate under the premise that everything is compromised….seems healthier that way. But hey I still look forward to doing much of my 'big business' inside the branch of my local bank - luckily I'm with a rural bank that still talks to you…and even seems to enjoy it.

And yep, I still fondly remember the adventure of finding a book at the library by flicking through drawers of the library catalog. Libraries smelt different then and life just went slower and a little more deliberately.
 
Jan 31, 2011
Newcastle, Australia
Sue
I didn't have a quill pen... but I learned to write with a dipping pen. I don't think we got ballpoints until I was in high school.

Like BB I sometimes want to give up the internet. I never used to be so sedentary. But nearly all my social life begins and ends with it... arrangements, contacts, conversations... and friends are scattered far and wide... so no, I won't be giving it up any time soon. I have a friend who never wanted it, and until about 6 years ago, did not have access. She has a friend in the UK, and they would write letters and ring. I managed to persuade her to get an account. she still only uses it for her bridge club scores which are posted on the club website, and for getting and sending email. Thats a luddite.

I use internet banking with my main bank. Periodically there's a glitch but they have systems in place because I always get notifications almost immediately. I love BPay and not having to stand in line somewhere to pay bills, and not needing to have much cash on my person.

I dunno... the internet was quieter before it became commercialised, and it was safer, but it wasn't nearly as interesting. It was inevitable that thieves would find ways to separate people from their money and possessions and identities. I just hope I live long enough to not have it happen to me.
 

stillshunter

Super Moderator Emeritus
Nov 5, 2010
Down Under
Mark
I love BPay and not having to stand in line somewhere to pay bills, and not needing to have much cash on my person.
Well I'm normally in that line anyway waiting to pick up my parcel from the friendly Post Office clerk…I like our chats actually…and I pay my bills while there. Keeps him and his family in a job too :thumbup:
I, for one, am not looking forward to the drones delivering my precious photo gear parcels by opening their mechanical claw midair.
 

Latest posts

Latest threads

Top Bottom