From
http://www.washingtonpost.com/news/...-heartbleed-exposes-data-across-the-internet/
A newly discovered security bug has exposed millions of usernames, passwords and reportedly credit card numbers — a major problem that hackers may have exploited during the more than two years it went undetected.
The bug, called Heartbleed, was found in a type of software called OpenSSL, which is used on servers to encrypt sensitive information to protect people’s privacy. At least 500,000 servers were reportedly vulnerable.
“You should care about this because — whether you realize it or not — a hell of a lot of the security infrastructure you rely on is dependent in some way on OpenSSL,” Matthew Green, a cryptographer and research professor at Johns Hopkins University, said on
his blog. “This includes many of the websites that store your personal information. And for better or for worse, industry’s reliance on OpenSSL is only increasing.”
Through the security flaw, which is said to be one of the most serious uncovered in recent years, Heartbleed can access the contents of a server’s memory where private data is stored.
“Once an attacker has a website’s encryption keys, anything is fair game,” wrote Jill Scharr at
Yahoo Tech. “Instead of slipping through a proverbial crack in the wall, he can now walk in and out the front door.”
A fix was circulated, but it was unclear how quickly and widely it was being implemented. Conflicting advice was given to consumers by Web sites and technology writers, some advising people to change usernames and passwords and others saying that such changes would be a big mistake.
“If a website is vulnerable, I could see things like your password, banking information and healthcare data, which you were under the impression you were sending securely to your website,” Michael Coates, director of product security for Shape Security, told
Reuters.
