Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.
The Yahoo blogging platform Tumblr has advised the publicto "change your passwords everywhere - especially your high-security services like email, file storage and banking".
Security advisers have given similar warnings about the Heartbleed Bug.
It follows news that a productused to safeguard data could be compromised to allow eavesdropping.
OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.
On the scale of one to 10, this is an 11
Bruce Schneier, Security technologist
If an organisation employs OpenSSL, users see a padlock icon in their web browser - although this can also be triggered by rival products.
Those affected include Canada's tax collecting agency, which halted online services"to safeguard the integrity of the information we hold".
Copied keys
Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.
They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.
Password tips
The University of Surrey's Prof Alan Woodward is among security experts to have suggested internet users should now update their login details.
He suggests the following rules should be observed when picking a new password.
Don't choose one obviously associated with you
Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet's name you're in trouble.
Choose words that don't appear in a dictionary
Hackers can precalculate the encrypted forms of whole dictionaries and easily reverse engineer your password.
Use a mixture of unusual characters
You can use a word or phrase that you can easily remember but where characters are substituted, eg, Myd0gha2B1g3ars!
Have different passwords for different sites and systems
If hackers compromise one system you do not want them having the key to unlock all your other accounts.
Keep them safely
With multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone.
It is not known whether the exploit had been used before the revelation, since doing so would not leave a trail - unless the hackers published their haul online.
"If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested," said Ari Takanen, Codenomicon's chief technology officer.
"In that sense it's a good idea to change the passwords on all the updated web portals."
Other security experts have been shocked by the revelation
"Catastrophic is the right word. On the scale of one to 10, this is an 11," blogged Bruce Schneier.
The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.
However, it appears that Yahoo was not included on this list and tech site Cnet has reportedthat some people were able to obtain
No comments:
Post a Comment