Friday, April 11, 2014

VIDEO: What is the Heartbleed bug threatening Internet users everywhere? - GMA News

A software bug called "Heartbleed," which may compromise communication security over the Internet, is causing concern among users and tech giants alike. Researchers say users' personal information like passwords, bank details and social security numbers could be compromised because of the bug and that there is little Internet users can do to protect themselves, at least not until exploitable websites upgrade their software.
 

Julia Horwitz, at the Electronic Privacy Information Center, explained to Reuters that when there is an encrypted connection between computers, as there might be when transferring info to one's bank or secure e-mail, layers of code exist to ensure that data remains impenetrable from hacking.

However, says Horwitz, Heartbleed 'pokes' a hole in that code and allows hackers to collect data.

"It's very hard to trace and because it mimics the normal functionality of secured computer networks. So, if you're trying to figure out whether your secured connection has been bugged, it's almost impossible to tell," said Horwitz.

Researchers have observed sophisticated hacking groups conducting automated scans of the Internet in search of Web servers running a widely used web encryption program known as OpenSSL that makes them vulnerable to the theft of data, including passwords, confidential communications and credit card numbers.

OpenSSL is used on about two-thirds of all web servers, but the issue has gone undetected for about two years, increasing the levels of concern, says Horwitz.

"It's quite a lot of data and the most sensitive kind of data, so I think that people are right to be surprised about the level of magnitude and to be a little worried."

Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced on Monday.

By Tuesday, Kaspersky had identified such scans coming from "tens" of actors, and the number increased on Wednesday after Rapid7 released a free tool for conducting such scans.

OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.

Representatives for Facebook Inc, Google and Yahoo Inc told Reuters that they have taken steps to mitigate the impact on users.

Devices besides servers could apparently be vulnerable to attacks because they run software programs with vulnerable OpenSSL code built into them.

They include versions of Cisco Systems Inc's AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs have either updated their software or published directions for users on how to mitigate potential attacks.

Steve Marquess, president of the OpenSSL Software Foundation, said he could not identify other computer programs that used OpenSSL code that might make devices vulnerable to attack.

Bruce Schneier, a well-known cryptologist and chief technology officer of Co3 Systems, called on Internet firms to issue new certificates and keys for encrypting Internet traffic, which would render stolen keys useless.

Symantec Corp and GoDaddy, two major providers of SSL technology, said they do not charge for re-keying their certificates.

Mark Maxey, a director with cybersecurity firm Accuvant, said it is no easy task for large organizations to implement the multiple steps to clean up the bug, which means it will take some a long time to do so. — Reuters

Source : http://www.gmanetwork.com/news/story/356499/scitech/technology/video-what-is-the-heartbleed-bug-threatening-internet-users-everywhere