April 10 - There is little users can do to hide from the latest internet bug, a flaw in encryption software used by the majority of websites. Bobbi Rebell reports.
A new threat to passwords and everything they protect. Heartbleed is a flaw in OpenSSL, the open-source software library that implements the TLS encryption most websites rely on. That encryption is what gives users a secure line to send information, like email. A computer checks that the other end of a secure connection is still there by sending what's known as a heartbeat: a short message that the other side is supposed to echo back. Hackers can send a packet that looks like a heartbeat but claims to be larger than it really is; the server trusts that claimed size and replies with whatever happens to sit next in its memory, which can include passwords. Hackers can even steal the server's private encryption keys. Julia Horwitz of the Electronic Privacy Information Center:

SOUNDBITE: JULIA HORWITZ, CONSUMER PROTECTION COUNSEL, ELECTRONIC PRIVACY INFORMATION CENTER (ENGLISH) SAYING: "The encryption software that has the bug in it is the most popular form of web encryption on the internet. So something like more than two-thirds of the internet that is encrypted is encrypted using OpenSSL TLS, which is what the encryption software is."

OpenSSL runs chiefly on the servers that host websites, not on consumers' PCs or mobile devices. So even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators. There's not much consumers can do alone. Big players like Facebook, Yahoo and Google have told Reuters they have taken steps to lower the impact on users, and Google says users do not have to change passwords. Amazon says Amazon.com has not been affected, but some of its cloud services that support apps like Netflix and Pinterest had been vulnerable. But even knowing whether you've been hit is tough.

SOUNDBITE: JULIA HORWITZ, CONSUMER PROTECTION COUNSEL, ELECTRONIC PRIVACY INFORMATION CENTER (ENGLISH) SAYING: "It doesn't leave a trace, so it's hard to track it and see when it's been used, and where it's been. So, as far as we can tell it's been in operation for about two years, maybe a little more than two years, which means that potentially any of the services that use OpenSSL in order to encrypt have been exposed to this bug and therefore the users of those services."

For consumers, changing passwords will help, but they will have to be changed again after each site patches the vulnerability and replaces its certificates; a password set on a site that is still unpatched is just as exposed as the old one.
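The heartbeat trick described in the report, as an added illustration that is not part of the Reuters script and not OpenSSL's own code. It models a TLS heartbeat message the way RFC 6520 lays it out (a one-byte type, a two-byte payload length, the payload, then at least 16 bytes of padding), places the request in a constructed 256-byte arena that stands in for a slice of server memory, and puts a made-up secret string right after it. The vulnerable handler trusts the length claimed on the wire and copies that many bytes, so the secret comes back in the reply; the fixed handler applies the two bounds checks the OpenSSL 1.0.1g patch added, and drops the request instead. The arena, the secret, the payload bytes and the function names are all assumptions for the demo; the demo-only guard on the arena size exists so the over-read stays inside constructed memory rather than running off the end of a real buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE  256   /* constructed stand-in for a slice of server heap */
#define HB_HEADER   3     /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING  16    /* RFC 6520: at least 16 bytes of padding follow the payload */
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Constructed secret that happens to sit just past the heartbeat record in memory. */
static const char kAdjacentSecret[] = "user=alice&pass=hunter2";

/* Lay out a heartbeat request at the start of `arena`, followed by kAdjacentSecret.
 * `claimed_len` is the payload_length written on the wire; `payload_len` is how many
 * payload bytes are really present. In a Heartbleed request the two differ.
 * Returns the length of the record actually received. */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len,
                          const uint8_t *payload, size_t payload_len)
{
    size_t record_len = HB_HEADER + payload_len + HB_PADDING;
    memset(arena, 0, ARENA_SIZE);          /* padding bytes stay zero */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, payload, payload_len);
    memcpy(arena + record_len, kAdjacentSecret, sizeof kAdjacentSecret - 1);
    return record_len;
}

/* Vulnerable handler: mirrors the pre-1.0.1g logic of trusting payload_length from
 * the wire and never comparing it with how much data actually arrived (rec_len).
 * Returns the response length, or 0 if the demo guard trips. */
static size_t hb_respond_vulnerable(const uint8_t *rec, size_t rec_len, size_t mem_avail,
                                    uint8_t *out, size_t out_size)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HEADER + (size_t)payload_len + HB_PADDING;
    (void)rec_len;                                   /* the bug: never consulted */
    /* demo-only guard: keep the over-read inside the constructed arena and the
     * reply inside `out`; real OpenSSL had no such limit */
    if (HB_HEADER + (size_t)payload_len > mem_avail || resp_len > out_size)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);  /* reads past the record */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: the two bounds checks added in OpenSSL 1.0.1g, then the same echo. */
static size_t hb_respond_fixed(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_size)
{
    uint16_t payload_len;
    size_t resp_len;
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;                                    /* too short to be valid: discard */
    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    resp_len = HB_HEADER + (size_t)payload_len + HB_PADDING;
    if (resp_len > rec_len)
        return 0;                                    /* claims more than was received: discard */
    if (resp_len > out_size)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);  /* now provably in bounds */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Byte-string search used to check whether a reply carries the adjacent secret. */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || hay_len < n) return 0;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Malicious request: 5 real payload bytes, payload_length claims 100. */
static int vulnerable_server_leaks_secret(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 100, (const uint8_t *)"hello", 5);
    size_t n = hb_respond_vulnerable(arena, rec_len, ARENA_SIZE, out, sizeof out);
    return n == HB_HEADER + 100 + HB_PADDING && contains(out, n, "hunter2");
}

static int fixed_server_rejects_oversized_claim(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 100, (const uint8_t *)"hello", 5);
    return hb_respond_fixed(arena, rec_len, out, sizeof out) == 0;
}

/* Honest request: claimed length matches the 5 bytes sent, so the fix still echoes it. */
static int fixed_server_echoes_honest_request(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 5, (const uint8_t *)"hello", 5);
    size_t n = hb_respond_fixed(arena, rec_len, out, sizeof out);
    return n == HB_HEADER + 5 + HB_PADDING && out[0] == HB_RESPONSE
        && memcmp(out + HB_HEADER, "hello", 5) == 0 && !contains(out, n, "hunter2");
}

int main(void)
{
    printf("vulnerable server leaks adjacent secret: %s\n", vulnerable_server_leaks_secret() ? "yes" : "no");
    printf("fixed server rejects oversized claim:   %s\n", fixed_server_rejects_oversized_claim() ? "yes" : "no");
    printf("fixed server echoes honest request:     %s\n", fixed_server_echoes_honest_request() ? "yes" : "no");
    return 0;
}
```

The point the report makes about leaving no trace follows from the code: the vulnerable reply is a well-formed heartbeat response, so nothing on the server distinguishes it from a legitimate keep-alive. The only defence is the length check, which is why the fix has to land on the server and why a password typed into an unpatched site can be captured the same way.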