
Security bug Heartbleed could have provided key that unlocks personal online data

April 9, 2014 at 6:21 PM EST
A major lapse in internet security has potentially exposed millions of passwords, credit card numbers, bank information and commonly used websites. The security leak, called “Heartbleed,” was revealed this week but may have existed for years. Hari Sreenivasan learns more from Russell Brandom of The Verge.

TRANSCRIPT

GWEN IFILL: You may have heard headlines today about a major lapse in Internet security and the possibility that millions of passwords, credit card numbers, bank information, and commonly used Web sites could have been exposed.

It involves a bug or security leak called Heartbleed, which can be used to read encrypted information.

Hari Sreenivasan gets a breakdown on what you need to know.

HARI SREENIVASAN: Essentially, Heartbleed can be used to read the memory of computer servers, the places behind a Web site that store your information, including the lock and key system which protects your usernames and passwords.

You probably see this encryption in the form of a green lock when you conduct a transaction and exchange information. The breach was revealed this week, but apparently has existed for a long time.

Russell Brandom of The Verge, an online site covering tech news, is here to help explain.

So, that was a rudimentary explanation, but how significant is this breach? And what can a hacker do if they exploit it?

RUSSELL BRANDOM, The Verge: Yes.

All of the experts I talked to were running out of, like, extreme language to talk about it, catastrophic. Bruce Schneier said, on a scale of one to 10, this was an 11. It’s just unlike anything we have seen.

Part of what’s so unnerving about it is, we don’t really know how much anyone got. It’s — the bug itself is a command that, when used on a server, it will spit back a little chunk of memory of whatever is in the working memory of the server. So what’s in the random chunk? We don’t know. It’s a little bit like fishing.

You just keep making a request, and you get back whatever you get back. But there is a lot of sensitive information in there.

HARI SREENIVASAN: So, what kind of information are most people sharing? Is it the user — is it the password to their username?

RUSSELL BRANDOM: Well, yes, in the case of Yahoo!, people were testing it out, and they were seeing usernames and passwords.

More disconcerting to a lot of security professionals is the idea that you would get the private key behind the SSL certificate. That’s that green lock. This is the key to that lock. If someone got that, that means they can unlock it whenever they want. Even after the patch is made, and Heartbleed itself doesn’t work, that key can still be used to snoop in on traffic that’s coming between these servers.

HARI SREENIVASAN: So, what happens to me as a consumer? What do I do today after hearing all these headlines?

RUSSELL BRANDOM: It’s hard.

There isn’t a lot for consumers to do. This is a server-side breach. So, fundamentally, it’s a breach on the other end. It’s these people that you trusted with your information, maintaining the service, it’s an issue of their security, not your own security within your computer.

A lot of people are saying, change your password, which is always a good idea. I would say, change it once now and then once in a couple of weeks, just because, if someone does have the key to that lock, then the first time you change it, they might get that password too. So, early and often is the phrase, always a — always good.

HARI SREENIVASAN: So, are the large companies, the Yahoo!s, the Googles of the world — I mean, they can throw 10 nerds in a corner and fix this problem today. But what about all the small- to medium-sized companies, so to speak? What about the people who have outsourced creating their online storefront to someone else?

RUSSELL BRANDOM: Yes.

I mean, part of the concern is even the large companies can’t really fix it. Like, I mean, we saw Google fixed it because they got the information before it became public. But even then, there are some doubts about, you know, did anyone know before Google discovered it, which is still unclear.

I think, in terms of the mom-and-pop storefronts, the patch is out, and they can update their SSL certificates sort of today. And this is all across the world. I mean, I.T. professionals are doing that right now as we speak.

HARI SREENIVASAN: Why was this breach — part of what we were told in the last couple of days is this breach has actually existed for almost a couple of years.

RUSSELL BRANDOM: Yes.

The attack was possible since 2012, but it didn’t occur to anyone to approach a server in exactly this way. Now, we know that the Google engineer who discovered it, along with working with another separate engineer, they finally were able to say, hey, wait, if someone does this, it will be a huge problem.

But that took a lot of creativity and a lot of time. The concern now is, did anyone before them think of this, and instead of doing the right thing and publishing it, they wanted to use it for nefarious ends maybe and use it to get around — get into servers that they shouldn’t have had access to?

We don’t have any evidence that that took place, but it’s obviously a huge concern for the security community.

HARI SREENIVASAN: And we don’t have evidence that it didn’t take place either.

RUSSELL BRANDOM: Yes, exactly.

HARI SREENIVASAN: All right, Russell Brandom from The Verge, thanks so much.

RUSSELL BRANDOM: Yes. My pleasure.