Shropshire I.T. experts warn people to take notice of advice after security flaw revealed
IT experts in Shropshire are urging people to take heed of warnings to change their passwords after the discovery that software used by thousands of web servers to safeguard data has a major security flaw.
The Heartbleed Bug was discovered in OpenSSL, software believed to be used by around 500,000 of the web’s secure servers to protect sensitive data as it travels back and forth.
People have been urged to change their passwords, and anyone needing strong anonymity or privacy on the internet has been advised to stay away from it for the next few days.
Chris Pallett, of Bespoke Computing Ltd in Telford, said the issue must be taken seriously and all website owners should have acted quickly in fixing the flaws to allow password changes to be effective.
He said: “The implied security risk of this Heartbleed bug is credible. Whilst security experts have not indicated the loss of any sensitive information, the sheer volume of internet servers affected by this issue means it needs to be taken seriously.
“Moving forward people need to look at changing everything they use a password for. Even your average Joe has a fair few passwords to remember so if necessary people should use password management software to securely keep them recorded.
“This is a complicated situation because there are websites and web corporations out there who may not have checked to see if they are vulnerable, patched their systems, and let you know it has been fixed. If you change your passwords ahead of it being fixed then the problem will not be solved so if you have concerns you should contact the website owner.
“It is a difficult situation but once the flaw is fixed the passwords should be changed.”
Mr Pallett said there is also a website available for testing the vulnerability of websites – http://filippo.io/Heartbleed/ – which may give people peace of mind.
The bug in OpenSSL was discovered by researchers working for Google and security firm Codenomicon.
In a blog entry about their findings the researchers said the “serious vulnerability” allowed anyone to read chunks of memory in servers supposedly protected with the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.
The Yahoo blogging platform Tumblr has advised the public to “change your passwords everywhere – especially your high-security services like email, file storage and banking”, and security advisers have given similar warnings.
“Changing passwords is something everyone – and every business – should be doing on a regular basis to prevent security issues,” added Mr Pallett. “This can mean people struggle to remember them but there is software available or secure password vaults on your phone. It is not worth facing a security breach just because you feel you will not remember a changed password.”