Local businesses including Newtown Savings Bank and the Connecticut Better Business Bureau have been busy alerting business owners about the “Heartbleed” security flaw that affects computer servers running the most widely used Internet encryption security system.
According to BBB, security engineers discovered that Heartbleed exploits a flaw in OpenSSL, which allowed them to view passwords and user names when they tested it.
OpenSSL is used to secure business transactions, e-mail, instant messaging services, social media sites and any other sort of web-based system that must secure the data that is transmitted to and from its servers.
Once the specialists understood how it worked, they avoided publicizing the discovery until OpenSSL’s developers could create an update that eliminates the security loophole.
Yahoo was among the first-named websites where Heartbleed was detected. Yahoo and other major companies that rely on OpenSSL reportedly moved quickly to fix the vulnerability.
SSL is used on web servers, but not on PCs or mobile devices.
The flaw is believed to have originated two years ago, but researchers say it generates no trace of its presence. There is no word on how many servers were infected.
Connecticut BBB recommends businesses consult a qualified information technology (IT) professional to see whether their servers are affected and, if so, remove the affected version and apply the updated, secure version of OpenSSL.
Consumers and businesses should change passwords, and regularly scan computers with an updated security application. In addition, install operating system updates and software patches, which often address emerging security flaws.
Within 24 hours of the news about Heartbleed, Newtown Savings Bank officials were assuring customers that none of the bank’s sites are or have been vulnerable to the threat. Bank customers were notified, however, that many popular Internet sites have been vulnerable.
“If you use the same password to access your accounts as you use on other websites, please change the password you use to access your accounts on NSBonline,” the NSB advisory states. The bank also refers customers to C-net for details.
Using a full-screen device, customers can change passwords by clicking the Password Reset link to the right of where they would normally input their password.
Although there is now a way to close the security hole, there are still plenty of reasons to be concerned, said David Chartier, CEO of Codenomicon. A small team from the Finnish security firm diagnosed Heartbleed while working independently from a Google Inc researcher who also discovered the threat.
“I don’t think anyone that had been using this technology is in a position to definitively say they weren’t compromised,” Mr Chartier said.
Some computer security experts are still advising people to consider changing all their online passwords.
“I would change every password everywhere because it’s possible something was sniffed out,” said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. “You don’t know because an attack wouldn’t have left a distinct footprint.”
Google is so confident that it inoculated itself against the Heartbleed flaw before any damage could be done that the Mountain View, Calif., company is telling its users they do not have to change the passwords they use to access Gmail, YouTube, and other product accounts. More than 425 million Gmail accounts alone have been set up worldwide.
Facebook, which has more than 1.2 billion accountholders, also believes its online social network has purged the Heartbleed threat. But the Menlo Park, Calif., company encouraged people to “take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites.”
Online short messaging service Twitter Inc and e-commerce giant Amazon.com Inc. also say their websites were not exposed to Heartbleed. Ebay Inc, which runs the PayPal payment service as well as online shopping bazaars, says most of its services avoided the flaw.
Yahoo Inc and Google are among the most prominent Internet services to say they have already insulated most of their most popular services from Heartbleed.
At Yahoo, the repairs have been made on a list of services that includes its home page, search engine, e-mail, finance and sport sections, Flickr photo-sharing service and its Tumblr blogging service.
In an April 9 blog post, Google said it had applied the Heartbleed patch on its search engine, Gmail, YouTube, Wallet, and Play store for mobile apps and other digital content.
Yahoo is advising its users to “rotate their passwords” and add a backup mobile number to the account. That number can be used to verify a user’s identity if there are problems accessing the account because of hacking.
Associated Press content was used in this report. The report was updated April 18 removing references to Heartbleed being a virus.