Heartbleed portends larger security threats
From: The Washington Post Editorial Board
TENS OF MILLIONS of Americans have been affected by the theft of their personal information in the digital age. In a recent major data breach at Target stores, numbers and names were taken from about 40 million customers, and many millions more suffered compromises in other personal information such as e-mail addresses or phone numbers. The victims trusted their retail stores, their credit- and debit-card issuers, their banks, and such security measures as a four-digit personal identification numbers, to protect their information.
At least the credit- and debit-card system was somewhat understood by those who suffered in the Target scam, which siphoned data from the store card-swiping machines. Who understands the vulnerability of OpenSSL? This is a small piece of incredibly important software that is largely hidden from users. It protects encrypted data on Web sites and is in use around the world. Remember that little padlock you saw when you typed in a credit card number or personal information when making a purchase online? It meant “secure,” or safe, right? Wrong.
Last week, it was discovered that a bug had crept into OpenSSL that could allow intruders to read encrypted data contained in memory, such as passwords or credit cards. The bug has been called “Heartbleed” and could allow attackers to eavesdrop on communications, steal data and even impersonate users and Web services. Computer security expert Bruce Schneier called it “catastrophic” and said that on a scale of one to 10, “this is an 11.” News about the bug has sent people racing once again to protect themselves and change their passwords to avoid further damage or loss.
Read Complete Editorial