'Heartbleed' OpenSSL flaw puts encrypted data in danger

SAN FRANCISCO, USA – Computer security specialists on Tuesday, April 8, raised alarm about a freshly discovered bug in online data-scrambling software that hackers can turn to their advantage.

The bug  – dubbed "Heartbleed" – in OpenSSL encryption software lets attackers illicitly retrieve passwords and other bits of information from working memory on computer servers, according to cyber-defense specialists at Fox-IT.

OpenSSL is used to protect passwords, credit card numbers and other data coursing through the Internet.

"There is no limit on the number of attacks that can be performed," Fox-IT said in a blog post that listed steps business IT handlers can take to thwart incursions.

Information considered at risk includes source codes, passwords, and "keys" that could be used to impersonate websites or unlock encrypted data.

"These are the crown jewels, the encryption keys themselves," said the heartbleed.com website devoted to details of the vulnerability.

We found a bug in #OpenSSL http://t.co/kfmPdkaBqA #heartbleed Patch now. — Codenomicon, Ltd. (@CodenomiconLTD) April 8, 2014

"Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will."

Codenomicon, one of the other security research teams that found the security flaw and who set up the Heartbleed.com website, noted that they tested the flaw on their own systems.

Codenomicon found that, "Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

Security researchers also reported being able to dig out Yahoo password information by taking advantage of the bug. Yahoo released a statement Tuesday saying it had fixed the problem at its main online properties.

Fox-IT estimated that the vulnerability has existed for about two years, since the version of OpenSSL at issue was released.

OpenSSL is used by more than half of websites, but not all versions have the vulnerability, according to heartbleed.com.

The group behind open-source OpenSSL put out a security alert urging users to upgrade to an improved version of the software and gave credit for finding the bug to Neel Mehta of Google Security.

Filippo Valsorda, a cryptography consultant, also set up an online checker for the Heartbleed security flaw to help determine if a site still has the issue or has been remedied. An FAQ is also available for users to better understand how the online checker operates. 

A blog post at the Tor Project website advised those with strong privacy needs to avoid the Internet for a few days at least to give websites and servers time to improve defenses and reset security credentials. – with reports from Agence France-Presse/Rappler.com