'Heartbleed' mystery: Did criminals take advantage of cyber-security bug?

Website operators rushed to patch a cyber-security vulnerability called 'Heartbleed' that allows 'anyone on the Internet' to access website server memory without leaving a trace. A major concern: It existed 'in the wild' for two years.

[Photo: Mark Blinch/Reuters. The Canada Revenue Agency website is seen on a computer screen displaying information about an internet security vulnerability called the 'Heartbleed Bug' in Toronto, April 9.]

Website operators worldwide rushed Wednesday to patch a critical cyber-security vulnerability dubbed “Heartbleed” that could affect websites spread across two-thirds of the Internet, making information thought to be encrypted and secure – credit card data, passwords and private communications – an open book to criminals.

But even as website operators apply the patches, worried consumers eager to protect their own sensitive data are being advised to give the websites time to reestablish security before changing their own individual passwords.

The Heartbleed bug allows “anyone on the Internet” to read the computer memory of website server computers that use vulnerable versions of OpenSSL, which is among the world’s most popular website encryption software, say cyber-security researchers who discovered the vulnerability.

Most concerning, they say, is that Heartbleed has existed “in the wild” – that is, openly on the Internet – for two years, yet because of the nature of the bug it’s virtually impossible to tell whether anyone using it has actually attacked the web’s corporate workhorses – the website, e-mail, database, and chat servers.
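The over-read leaves nothing in the server's own logs, but the request that triggers it is visible in captured traffic: a TLS heartbeat record (RFC 6520, content type 24) whose declared payload length is larger than the bytes the record actually carries. The checker below is an added example written for this article, not code from the researchers, OpenSSL or any vendor named here; the sample records are constructed, and the bound it enforces (1-byte type + 2-byte length + payload + 16 bytes of padding must fit inside the record) is the comparison the patched OpenSSL applies before echoing a heartbeat.

```python
import struct

TLS_HEARTBEAT = 24   # TLS record content type for the heartbeat extension (RFC 6520)
HB_REQUEST = 1       # HeartbeatMessageType value for a request
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding after the payload

def parse_records(data: bytes):
    """Yield (content_type, version, body) for each complete TLS record in data."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:       # truncated capture: stop rather than misparse
            break
        yield ctype, version, body
        offset += 5 + length

def check_heartbeat(body: bytes):
    """Return a problem description, or None if the heartbeat request is well-formed."""
    if len(body) < 3:
        return "heartbeat record shorter than its 3-byte header"
    hb_type, declared = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return None                  # only requests are echoed back by the server
    # Bytes that can legitimately be payload once the 3-byte header and minimum
    # padding are accounted for; patched OpenSSL rejects requests beyond this bound.
    available = len(body) - 3 - MIN_PADDING
    if declared > available:
        return f"declared payload {declared} bytes but only {max(available, 0)} carried"
    return None

def scan(data: bytes):
    """Return one alert string per heartbeat request that over-declares its length."""
    alerts = []
    for index, (ctype, _version, body) in enumerate(parse_records(data)):
        if ctype == TLS_HEARTBEAT:
            problem = check_heartbeat(body)
            if problem:
                alerts.append(f"record {index}: {problem}")
    return alerts

# Constructed sample capture (not real traffic): a well-formed 4-byte "ping" request,
# an unrelated application-data record, then a request whose length field claims
# 16384 bytes while the record carries a single payload byte plus 16 bytes of padding.
SAMPLE = bytes.fromhex(
    "1803020017" "010004" "70696e67" + "00" * 16
    + "1703020005" "68656c6c6f"
    + "1803020014" "014000" "78" + "00" * 16
)
```

Run `scan(SAMPLE)` against the constructed capture: the well-formed request and the application-data record produce nothing, and only the over-declared request is reported.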

“By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys,” reported the Carnegie Mellon CERT website affiliated with the Department of Homeland Security.

So while major websites may be able to conduct a quick fix by updating their software, they are unlikely to know with any certainty whether critical data, including their digital certificates used to authenticate and encrypt data traveling between the websites and the sites’ users, have been compromised.

“We attacked ourselves from outside, without leaving a trace,” wrote researchers from Codenomicon, a Finnish cyber-security research firm, on a website that details its features. “Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our [encryption] certificates, user names and passwords, instant messages, e-mails and business-critical documents and communication.”

Researchers from Google also identified the vulnerability at about the same time and independently alerted the developers of the website encryption software. Netcraft, a firm that monitors website technology, reported on its blog that more than a half million sites are currently vulnerable.

“We count at least a few hundred thousand servers using affected library versions, so it poses a significant threat,” Mark Schloesser, security researcher for Rapid7, a Boston-based cyber-security firm, said in a statement. “As the same problem affects other protocols, services such as mail servers and databases, we assume that, overall, we're looking at millions of vulnerable systems connected to the public Internet.”

Encryption software for the so-called “secure socket layer,” or SSL, has made safe online transactions possible and led to burgeoning e-commerce business worldwide. Websites using such software show online users a padlock icon, usually in the bottom corner of their web browser, and an HTTPS (the S is for Secure) in the address bar of the browser, showing communications are safe from prying eyes.

Attacks on SSL are hardly unknown. Last month, developers of another encryption system called GnuTLS reported a “catastrophic bug that left hundreds of open-source applications open to similar attacks,” Ars Technica, a cyber-security website, reported. Apple, in February, also reportedly repaired a critical vulnerability in its iOS and OS X operating systems that also made it possible for hackers to sidestep HTTPS protections.

But Heartbleed is unique in the massive scope of its impact: It permits a hacker to compromise the server, and it unveils the secret encryption keys used to encrypt the traffic, including names and passwords of the users and the actual content, without being detectable.

At this point, a fixed version of the software is available, and major website operators were reportedly rushing to apply the patch. Amazon, Google, PayPal, and others also announced fixes, as did Yahoo.

“As soon as we became aware of the issue, we began working to fix it,” Yahoo told CNET Tuesday afternoon. “Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now.”

It’s not clear yet either whether criminals have actually been actively exploiting the Heartbleed vulnerability – or whether they just didn’t know about it – since such exploits are practically undetectable.

“We’ve seen huge growth in the number of data breaches in the past year, but criminals are mostly using other more traditional techniques, which may mean there just wasn’t a huge awareness among the underground of this flaw,” says Orla Cox, a security researcher with Symantec Security Response based in Dublin, Ireland. “The fact that they’re carrying out these noisier attacks means they probably weren’t aware of this stealthier possibility.”

Some researchers who have set out traps, or “honey pots,” may have detected activity related to the vulnerability, the New York Times reported.

But Ms. Cox and other experts aren’t convinced and say the bigger threat is likely to be just down the road. That’s because while big companies with their own IT staffs may be able to fix the problem swiftly and replace their digital security certificates, smaller websites may not be so fast – and could remain for quite some time wide open to any criminals exploiting the vulnerability, they warn.

“I’m more concerned about the future than the past,” says Tal Klein of Adallom, a Menlo Park, Calif., cyber-security firm for cloud-based software services like Google Apps and Microsoft Office 365. The company, which monitors user activity for abnormal activity, hasn’t seen indicators of the vulnerability being exploited. But Mr. Klein says he’s concerned.

“We still expect there to be sites that remain unpatched for a significant amount of time that are more likely to become vulnerable in the next few weeks,” he says.

Symantec’s Cox offers a caveat, though. Her familiarity with Heartbleed indicates that it might not be quite so easy for criminals to capture the crown jewels of a website – the encryption keys – that unveil all that private data.

“It’s definitely a serious vulnerability, but not necessarily a doomsday scenario,” she says. “That’s because while it’s pretty easy to attack Heartbleed, it’s still relatively difficult to extract – the encryption key, and for that reason may not be quite as severe as painted.”

There’s been a lot of confusion over what online shoppers should do to protect themselves, with many experts advising that individuals change their passwords for all e-mail, online shopping, and banking accounts. But researchers interviewed by the Monitor recommended waiting a bit before changing passwords since it may take some time for websites to be repaired. If passwords are changed immediately on a vulnerable site, then the new password is vulnerable, Mr. Klein notes.

In many cases, websites can be expected to contact users if there is a need to reset passwords, the experts say. But they also add that resetting passwords regularly is a good idea.

There are also some tech aids for consumers already popping up. Users of the Chrome web browser can already install a “Chromebleed” plug-in that will alert them to any website not updated and still vulnerable to the Heartbleed exploit. There is also an online tool that checks the vulnerability of a site when users copy and paste the website address into a box.

One tidbit of good news for the Obama administration – it appears as though the main federal HealthCare.gov site was not one of those vulnerable sites as of Wednesday afternoon, according to the Filippo check.
