Major Security Bug Found in Web Encryption Tool

A security flaw found in a popular Internet encryption tool has sent companies and government agencies scrambling to plug the leak.

The bug in OpenSSL, a widely used encryption method, was discovered earlier this week by researchers at Google (GOOG) and cyber-security firm Codenomicon. According to a website created by Codenomicon, Neel Mehta of Google Security first reported it to the OpenSSL team.

In a notice on Tuesday, Amazon.com (AMZN) informed its Amazon Web Services customers that it applied fixes to resolve the OpenSSL vulnerability. Some of Amazon's AWS services were unaffected.

Researchers believe Heartbleed, a nickname given to the OpenSSL flaw, already allowed cyber thieves to grab Yahoo (YHOO) usernames and passwords. The search giant said it addressed the problem for most of its properties, including Yahoo Search, Yahoo Mail, Flickr and Tumblr, by Tuesday afternoon.

"As soon as we became aware of the issue, we began working to fix it," a Yahoo spokesperson said. "Our team has successfully made the appropriate corrections across the main Yahoo properties and we are working to implement the fix across the rest of our sites right now. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."

Based on a web tool from security firm Qualys, other major websites like eBay (EBAY), Google and Microsoft's (MSFT) Outlook email service are not vulnerable to the Heartbleed attack.

The Canada Revenue Agency temporarily shut down its online services on Wednesday due to security concerns, just three weeks before an April 30 deadline for citizens to file taxes.

The security flaw was found in some versions of OpenSSL, a type of open-source software many websites use to encrypt communication over the Internet. Heartbleed could compromise usernames, passwords and credit card numbers that are stored in a server's memory.

Using the loophole, cyber criminals are able to request chunks of data. While they can't specify what information they want, such as one person's username and password, hackers can gather enough data to piece it together.

Alex McGeorge, head of threat intelligence at security firm Immunity Inc., said e-commerce transactions and other online activities remain secure as they happen, although hackers could recover enough information to decrypt data as it's sent to and from a server.
