Passwords vulnerable after security flaw found

NEW YORK — Passwords, credit cards and other sensitive data are at risk after security researchers discovered a problem with an encryption technology used to securely transmit email, e-commerce transactions, social networking posts and other Web traffic.

Security researchers say the threat, known as Heartbleed, is serious, partly because it remained undiscovered for more than two years. Attackers can exploit the vulnerability without leaving any trace, so anything sent during that time has potentially been compromised. It's not known, though, whether anyone has actually used it to conduct an attack.

Researchers are advising people to change all of their passwords.

"I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software.

The flaw was found independently in recent days by researchers at Google and the Finnish security firm Codenomicon.

The breach involves SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to signify that traffic is secure. With the Heartbleed flaw, traffic was subject to snooping even if the padlock had been closed.

The problem affects only the implementation of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

Researchers at Codenomicon say that OpenSSL is used by two of the most widely used Web server software packages, Apache and nginx. That means many websites potentially have this security flaw. OpenSSL is also used to secure email, chats and virtual private networks, which are used by employees to connect securely with corporate networks.

Despite the worries, Codenomicon said many large consumer sites don't have the problem because of their "conservative choice" of equipment and software. "Ironically smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the security firm added.

A fix came out Monday, but affected websites and service providers must install the update.

Many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.

Passwords vulnerable after security flaw found 04/08/14 [Last modified: Wednesday, April 9, 2014 12:22am]

Copyright: For copyright information, please check with the distributor of this item, Associated Press.
    
