Heartbleed bug puts millions of online accounts in jeopardy
Internet security experts on Wednesday urged consumers to prepare to update passwords for online accounts as banks scrambled to protect credit card numbers and other sensitive online information from an Internet bug dubbed Heartbleed.
Millions of email passwords and other information are vulnerable to computer hackers because of Heartbleed, a software coding flaw in a product released two years ago.
Heartbleed affects encryption technology that is supposed to protect online accounts for email, instant messaging and a wide range of electronic commerce. It allows hackers to get “keys” used to protect a person's information by going directly to servers storing that information.
PNC Financial Services Group, the region's largest financial institution, said its customers should have no cause for alarm.
“We have tested our online and mobile banking systems, and confirmed that they are not vulnerable,” PNC spokeswoman Marcey Zwiebel said in an email. PNC has paid particular attention to online security since “denial of service” attacks by hackers in late 2012 that flooded PNC's website with traffic and prevented legitimate users from gaining access.
Among banks investigating the issue and working to protect customers' financial information, BNY Mellon and Huntington National Bank said they were looking at the problem but would not say whether their websites were affected.
BNY Mellon, with 7,600 employees in the region, “has been made aware of the Heartbleed Bug threat,” spokesman Ron Gruendl said. “We are taking appropriate action to protect the company and our systems, and we will remain vigilant of the threat.”
“The security of our customers' information is our top priority,” said Bill Eiler of Huntington National Bank. “We have taken appropriate steps in relation to this threat to verify that our customer data is not exposed.”
The disclosure this week of Heartbleed is a reminder of how vulnerable personal information is online, said Will Dormann, an analyst with the CERT Division of Carnegie Mellon University's Software Engineering Institute.
“Almost every piece of software that people use is going to have bugs,” Dormann said. “People need to have the understanding that the software they're relying on, it's going to have issues. And security issues are going to be discovered.”
It is difficult to know exactly what information may have been compromised, and there is little that individual consumers can do themselves to fix the problem, security experts said. They will have to wait for Internet companies to patch holes in software, which most expect to do this week, and then change all their online passwords.
“Today, or perhaps tomorrow, is a very good time to change all of your passwords and then rewrite them down on a Post-It note that you keep in your drawer, since that appears to be the only way to store information safely,” said security expert Dave Aitel, CEO of Miami-based Immunity Inc.
A small team from the Finnish security firm Codenomicon discovered Heartbleed while working independently of a Google Inc. researcher who also found the flaw.
Yahoo Inc., which has more than 800 million users worldwide, is among Internet services that could be affected. The Sunnyvale, Calif., company said it fixed most of its popular services — including sports, finance and Tumblr — but is working on others it didn't identify.
Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on browsers to signify secure traffic. The flaw makes it possible to spy even if the padlock is closed. Interlopers could obtain keys to decipher encrypted data without website owners knowing the theft occurred.
The problem affects only one implementation of SSL/TLS, known as OpenSSL, but that happens to be one of the most widely used on the Internet.
About two-thirds of web servers rely on OpenSSL, potentially exposing information passing through hundreds of thousands of websites. Besides email and chat, OpenSSL secures the virtual private networks that employees use to connect to corporate networks.
Aitel and Dormann doubt whether two-thirds of the Internet is vulnerable, however. A full scan by the cybersecurity firm Errata Security showed Heartbleed hit about 600,000 out of 28 million servers, Aitel said.
The Associated Press contributed. Chris Fleisher is a Trib Total Media staff writer. Reach him at 412-320-7854 or firstname.lastname@example.org.