Heartbleed bug puts millions of online accounts in jeopardy
Published: April 10, 2014
Internet security experts on Wednesday urged consumers to prepare to update passwords for online accounts as banks scrambled to protect credit card numbers and other sensitive online information from an Internet bug dubbed Heartbleed.
Millions of email passwords and other information are vulnerable to computer hackers because of Heartbleed, a software coding flaw in a product released two years ago.
Heartbleed affects encryption technology that is supposed to protect online accounts for email, instant messaging and a wide range of electronic commerce. It allows hackers to get "keys" used to protect a person's information by going directly to servers storing that information.
PNC Financial Services Group, the region's largest financial institution, said its customers should have no cause for alarm.
"We have tested our online and mobile banking systems, and confirmed that they are not vulnerable," PNC spokeswoman Marcey Zwiebel said in an email. PNC has paid particular attention to online security since "denial of service" attacks by hackers in late 2012 that flooded PNC's website with traffic and prevented legitimate users from gaining access.
Among banks investigating the issue and working to protect customers' financial information, BNY Mellon and Huntington National Bank said they were looking at the problem but would not say whether their websites were affected.
BNY Mellon, with 7,600 employees in the region, "has been made aware of the Heartbleed Bug threat," spokesman Ron Gruendl said. "We are taking appropriate action to protect the company and our systems, and we will remain vigilant of the threat."
"The security of our customers' information is our top priority," said Bill Eiler of Huntington National Bank. "We have taken appropriate steps in relation to this threat to verify that our customer data is not exposed."
The disclosure this week of Heartbleed is a reminder of how vulnerable personal information is online, said Will Dormann, an analyst with the CERT Division of Carnegie Mellon University's Software Engineering Institute.
"Almost every piece of software that people use is going to have bugs," Dormann said. "People need to have the understanding that the software they're relying on, it's going to have issues. And security issues are going to be discovered."
It is difficult to know exactly what information may have been compromised, and there is little that individual consumers can do themselves to fix the problem, security experts said. They will have to wait for Internet companies to patch holes in software, which most are expected to do this week, and then change all their online passwords.
"Today, or perhaps tomorrow, is a very good time to change all of your passwords and then rewrite them down on a Post-It note that you keep in your drawer, since that appears to be the only way to store information safely," said security expert Dave Aitel, CEO of Miami-based Immunity Inc.
A small team from the Finnish security firm Codenomicon discovered Heartbleed while working independently from a Google Inc. researcher who found the threat.
Yahoo Inc., which has more than 800 million users worldwide, is among Internet services that could be affected. The Sunnyvale, Calif., company said it fixed most of its popular services — including sports, finance and Tumblr — but is working on others it didn't identify.
Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on browsers to signify secure traffic. The flaw makes it possible to spy even if the padlock is closed. Interlopers could obtain keys to decipher encrypted data without website owners knowing the theft occurred.
The problem affects only a variant known as OpenSSL, but that happens to be one of the most common on the Internet.
About two-thirds of web servers rely on OpenSSL, potentially exposing information passing through hundreds of thousands of websites. Besides emails and chats, OpenSSL secures virtual private networks used by employees to connect with corporate networks.
Aitel and Dormann doubt whether two-thirds of the Internet is vulnerable, however. A full scan by the cybersecurity firm Errata Security showed Heartbleed hit about 600,000 out of 28 million servers, Aitel said.