Passwords vulnerable after security flaw found

NEW YORK — Passwords, credit cards and other sensitive data are at risk after security researchers discovered a problem with an encryption technology used to securely transmit email, e-commerce transactions, social networking posts and other Web traffic.

Security researchers say the threat, known as Heartbleed, is serious, partly because it remained undiscovered for more than two years. Attackers can exploit the vulnerability without leaving any trace, so anything sent during that time has potentially been compromised. It's not known, though, whether anyone has actually used it to conduct an attack.

Researchers are advising people to change all of their passwords.

"I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software.

The flaw was found independently in recent days by researchers at Google and the Finnish security firm Codenomicon.

The breach involves SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to signify that traffic is secure. With the Heartbleed flaw, traffic was subject to snooping even if the padlock had been closed.

The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

Researchers at Codenomicon say that OpenSSL is used by two of the most widely used pieces of Web server software, Apache and nginx. That means many websites potentially have this security flaw. OpenSSL is also used to secure email, chats and virtual private networks, which are used by employees to connect securely with corporate networks.

Despite the worries, Codenomicon said many large consumer sites don't have the problem because of their "conservative choice" of equipment and software. "Ironically smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the security firm added.

A fix came out Monday, but affected websites and service providers must install the update.

Many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.

Passwords vulnerable after security flaw found 04/08/14 [Last modified: Wednesday, April 9, 2014 12:22am]

Copyright: For copyright information, please check with the distributor of this item, Associated Press.
    
