The Canadian tax authority and leading UK website for parents Mumsnet have both announced they have had data stolen by hackers exploiting the Heartbleed bug.
Mumsnet – which says it has 1.5 million registered members – said that it believed that the cyber thieves may have obtained passwords and personal messages before it patched its site.
The Canada Revenue Agency said that 900 people’s social insurance numbers had been stolen.
These are the first confirmed losses.
Mumsnet said it realised that user data was at risk when its founder’s own username and password were used to post a message online.
The site added that it was forcing its members to reset any password created on or before Saturday.
Canada’s tax agency was one of the first major organizations to cut services as a result of the flaw in OpenSSL – a cryptographic software library used by services to keep data transmissions private.
However, its action last Tuesday appears to have come too late.
“Regrettably, the CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” the agency said on a message posted to its homepage.
“Based on our analysis to date, social insurance numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability.”
“We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”
The Heartbleed bug was made public a week ago by Google and Codenomicon, a small Finnish security firm, which independently identified the problem.
OpenSSL is used to digitally scramble data as it passes between a user’s device and an online service in order to prevent others eavesdropping on the information.
It is used by many, but not all, sites that show a little padlock and use a web address beginning “https”.
The researchers discovered that because of a coding mishap hackers could theoretically access 64 kilobytes of unencrypted data from the working memory of systems using vulnerable versions of OpenSSL.
Although that is a relatively small amount, the attackers can repeat the process to increase their haul.
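The “coding mishap” described above was a missing length check in the handler for the TLS heartbeat extension: the server trusted the payload length declared in the incoming message and copied that many bytes back, even when the message itself was far shorter. The following Python model is an added example, not code from the article or from OpenSSL (whose handler is in C); it simulates a slice of process memory with a constructed byte string, places the heartbeat request at its start, and shows the unpatched logic beside the patched logic, which discards any request whose declared payload does not fit inside the received record. The message layout (type, two-byte length, payload, at least 16 bytes of padding) follows RFC 6520; the sample “secret” next to the record is constructed.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # minimum padding a heartbeat message must carry (RFC 6520)


def parse_heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Model of the unpatched handler.

    `memory` is a constructed stand-in for process memory: the received TLS
    record occupies its first `record_len` bytes and whatever follows is
    unrelated data belonging to the same process. The declared payload length
    is trusted, so a short record with a large declared length echoes bytes
    from beyond the record's end. (Python slicing stops at the end of the
    constructed buffer; real memory would keep going.)
    """
    hb_type = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    # Missing here: any comparison of payload_len against record_len.
    payload = memory[3:3 + payload_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + payload


def parse_heartbeat_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Model of the patched handler: the declared length must fit the record."""
    if 1 + 2 + PADDING_LEN > record_len:
        return None  # too short to be a heartbeat at all; silently discard
    hb_type = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # declared payload overruns the record; silently discard
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload = memory[3:3 + payload_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + payload


def build_record(payload: bytes, declared_len: int) -> bytes:
    """Build a heartbeat request; `declared_len` may differ from len(payload)."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_len)
            + payload + b"\x00" * PADDING_LEN)


# Constructed sample: a 4-byte payload whose header claims 64 bytes,
# followed by unrelated memory holding a constructed, fake session secret.
RECORD = build_record(b"ping", 64)
NEIGHBOUR = b"session_cookie=CONSTRUCTED_EXAMPLE_SECRET; user=alice"
MEMORY = RECORD + NEIGHBOUR


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Return (response from unpatched handler, response from patched handler)."""
    return (parse_heartbeat_vulnerable(MEMORY, len(RECORD)),
            parse_heartbeat_fixed(MEMORY, len(RECORD)))


if __name__ == "__main__":
    leaked, safe = demo()
    print("unpatched handler echoed %d bytes: %r" % (len(leaked), leaked))
    print("patched handler response:", safe)
```

The leaked response is limited to what a two-byte length field can express, which is where the 64-kilobyte figure in the text comes from; the patched check is the one-line comparison that was absent, and it makes the handler drop the message rather than answer it.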
Mumsnet has been criticized for one aspect of its handling of the breach – its email to members contains an inline link that it suggests they click to reset their passwords.
By contrast Canada’s tax agency said it would not call or email the individuals it believed to be affected by its breach in order to avoid giving criminals a chance to exploit the situation.
Instead it said it would send out registered letters.
The National Security Agency (NSA) has denied it knew about or exploited the Heartbleed online bug.
The denial came after a Bloomberg News report alleging the NSA used the flaw in OpenSSL to harvest data.
OpenSSL is online-data scrambling software used to protect data such as passwords sent online.
Last year, Edward Snowden claimed the NSA deliberately introduced vulnerabilities to security software.
The Heartbleed bug, which allows hackers to snatch chunks of data from systems protected by OpenSSL, was revealed by researchers working for Google and a small Finnish security firm, Codenomicon, earlier this month.
OpenSSL is used by roughly two-thirds of all websites and the glitch existed for more than two years, making it one of the most serious internet security flaws to be uncovered in years.
“[The] NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cyber security report,” NSA spokeswoman Vanee Vines said in an email, adding that “reports that say otherwise are wrong.”
A White House official also denied the US government was aware of the bug.
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong,” White House national security spokeswoman Caitlin Hayden said in a statement.
“This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet,” she insisted.
Caitlin Hayden added: “If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”
According to Bloomberg News, the NSA secretly made Heartbleed part of its “arsenal”, to obtain passwords and other data.
The publication claimed the agency has more than 1,000 experts devoted to finding such flaws – who found the Heartbleed glitch shortly after its introduction.
The NSA was already in the spotlight after months of revelations about its huge data-gathering capabilities.
Documents leaked by former NSA contractor Edward Snowden indicated the organization was routinely collecting vast amounts of phone and internet data, together with partner intelligence agencies abroad.
President Barack Obama has ordered reforms that would halt government bulk collection of US telephone records, but critics argue this does not go far enough.
Separate to its denials regarding the NSA, the US government also said it believes hackers are trying to make use of the flaw.
The Department of Homeland Security advised the public to change passwords for sites affected by the flaw, once they had confirmed they were secure, although it added that so far no successful attacks had been reported.
Several makers of internet hardware and software also revealed some of their products were affected, including network routers and switches, video conferencing equipment, phone call software, firewalls and applications that let workers remotely access company data.
The US government also said that it was working with other organizations “to determine the potential vulnerabilities to computer systems that control essential systems – like critical infrastructure, user-facing and financial systems”.
The Heartbleed bug makes it possible for a knowledgeable hacker to impersonate services and users, and potentially eavesdrop on the data communications between them.
It only exposes 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted. Crucially, an attack would not leave a trace, making it impossible to be sure whether hackers had taken advantage of it.
The US Department of Homeland Security has warned that it believes hackers are trying to make use of the Heartbleed bug.
It advised the public to change passwords for sites affected by the flaw once they had confirmed they were secure.
However, an official added that there had not been any reported attacks or malicious incidents.
The alert comes as several makers of net hardware and software revealed some of their products had been compromised.
Affected equipment includes network routers and switches, video conferencing kit, phone call software, firewalls and apps that let workers remotely access company data.
The encryption flaw can potentially be exploited to steal passwords and secret keys used to protect computer users.
Experts say home kit is less at risk.
There had been reports that domestic home networking equipment – such as Wi-Fi routers – might also make use of unpatched versions of the OpenSSL cryptographic library used to digitally scramble sensitive data.
However, a security researcher at the University of Cambridge’s Computer Laboratory said he thought this would be a relatively rare occurrence.
News of the Heartbleed bug emerged on Monday when Google Security and Codenomicon – a Finnish security company – revealed that a flaw had existed in OpenSSL for more than two years.
This had made it possible to impersonate services and users, and potentially eavesdrop on data communications.
The flaw only exposed 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted.
The website set up to publicize the danger noted that it was possible to carry out such an attack “without leaving a trace”, making it impossible to know for sure if criminals or cyberspies had taken advantage of it.
Media reports initially focused on the risk of logging into compromised online services such as webmail, cloud storage and banking, with some – but not all – companies suggesting users should reset their passwords.
Warnings from companies including Cisco, Juniper, Fortinet, Red Hat and Watchguard Technologies that some of their internet products are compromised may now place the spotlight on the corporate sector.
The US government has said that it was working with third-party organizations “to determine the potential vulnerabilities to computer systems that control essential systems – like critical infrastructure, user-facing and financial systems”.
Meanwhile, officials suggested members of the public should “closely monitor your email accounts, bank accounts, social media accounts and other online assets for irregular or suspicious activity, such as abnormal purchases or messages”.
Tech giants are urging people to change all their passwords after the discovery of a major security flaw.
The Yahoo blogging platform Tumblr has advised the public to “change your passwords everywhere – especially your high-security services like email, file storage and banking”.
Security advisers have given similar warnings about the Heartbleed Bug.
It follows news that a product used to safeguard data could be compromised to allow eavesdropping.
OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.
If an organization employs OpenSSL, users see a padlock icon in their web browser – although this can also be triggered by rival products.
Those affected include Canada’s tax collecting agency, which halted online services “to safeguard the integrity of the information we hold”.
Google Security and Codenomicon – a Finnish security company – revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.
They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.
They nicknamed it the Heartbleed Bug because the flaw caused the “leak of memory contents” between servers and their clients.
It is not known whether the exploit had been used before the revelation, since doing so would not leave a trail – unless the hackers published their haul online.
“If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested,” said Ari Takanen, Codenomicon’s chief technology officer.
“In that sense it’s a good idea to change the passwords on all the updated web portals.”
Other security experts have been shocked by the revelation.
“Catastrophic is the right word. On the scale of one to 10, this is an 11,” blogged Bruce Schneier.
Google warned a select number of organizations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.
However, it appears that Yahoo was not included on this list and tech site Cnet has reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.
Several security companies and independent developers have published online tests to help the public discover if the services are still exposed.
However, there is no simple way to find out if they were vulnerable before.
Organizations that used Microsoft’s Internet Information Services (IIS) web server software would not have been affected.
But Codenomicon has noted that more than 66% of the net’s active sites rely on the open source alternatives Apache and Nginx, which do use OpenSSL.
Even so, some of these sites would have also employed a feature called “perfect forward secrecy” that would have limited the number of their communications that could have been hacked.
The Heartbleed bug, in software used by millions of web servers, could have exposed anyone visiting sites they hosted to spying and eavesdropping, say researchers.
The bug is in a software library used in servers, operating systems and email and instant messaging systems.
Called OpenSSL, the software is supposed to protect sensitive data as it travels back and forth.
It is not clear how widespread exploitation of the bug has been because attacks leave no trace.
“If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle,” said a blog entry about the bug published by the Tor Project which produces software that helps people avoid scrutiny of their browsing habits.
A huge swathe of the web could be vulnerable because OpenSSL is used in the widely used Apache and Nginx server software. Statistics from net monitoring firm Netcraft suggest that about 500,000 of the web’s secure servers are running versions of the vulnerable software.
The bug in OpenSSL was discovered by researchers working for Google and security firm Codenomicon.
In a blog entry about their findings the researchers said the “serious vulnerability” allowed anyone to read chunks of memory in servers supposedly protected with the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.
“This allows attackers to eavesdrop [on] communications, steal data directly from the services and users and to impersonate services and users,” wrote the team that discovered the vulnerability. They called it the “heartbleed” bug because it occurs in the heartbeat extension for OpenSSL.
The bug has been present in versions of OpenSSL that have been available for over two years. The latest version of OpenSSL released on April 7 is no longer vulnerable to the bug.
“Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously,” wrote the researchers.
Installing an updated version of OpenSSL did not necessarily mean people were safe from attack, said the team. If attackers have already exploited it they could have stolen encryption keys, passwords or other credentials required to access a server, they said.
Full protection might require updating to the safer version of OpenSSL as well as getting new security certificates and generating new encryption keys. To help people check their systems some security researchers have produced tools that help people work out if they are running vulnerable versions of OpenSSL.
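One of the simplest local checks of the kind mentioned above is to classify the OpenSSL version string a host reports. The Python below is an added example, not one of the tools the article refers to; the affected version range it encodes (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 vulnerable, 1.0.1g and later fixed, the 1.0.0 and 0.9.8 branches never carrying the heartbeat code) is public knowledge about the bug rather than something stated in the article. The function takes a string so it can be run against `openssl version` output collected from many hosts; `local_status()` applies it to the library the running Python interpreter is linked against.

```python
import re
import ssl
from typing import Optional

# Upstream OpenSSL version strings look like "OpenSSL 1.0.1f 6 Jan 2014" or
# "OpenSSL 1.0.2-beta1 24 Feb 2014"; capture major.minor.patch, the optional
# patch letter and an optional pre-release tag.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def heartbleed_version_status(version_string: str) -> Optional[str]:
    """Classify an OpenSSL version string with respect to Heartbleed.

    Returns "vulnerable", "patched", "not_affected", or None when the string
    is not an OpenSSL version (e.g. LibreSSL). The verdict is based purely on
    the upstream version number; see the note on distribution backports.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letter, prerelease = m.group(4), m.group(5)
    if (major, minor, patch) < (1, 0, 1):
        return "not_affected"        # 1.0.0 and 0.9.8 never had the heartbeat code
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f carry the bug; 1.0.1g fixed it.
        return "vulnerable" if letter <= "f" else "patched"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 pre-release shipped the unpatched handler.
        return "vulnerable" if prerelease == "beta1" else "patched"
    return "patched"                 # every later release line post-dates the fix


def local_status() -> Optional[str]:
    """Classify the OpenSSL build that this interpreter's ssl module uses."""
    return heartbleed_version_status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", local_status())
```

A "vulnerable" result from this check is a reason to investigate, not proof: Linux distributions commonly backported the fix without changing the upstream version string, so a host reporting 1.0.1e may already be patched, and the package changelog (for example `rpm -q --changelog openssl` on RPM systems) is the place to confirm. Conversely, as the article notes, a patched library says nothing about what was read from memory before the update; the follow-up of reissuing certificates, generating new keys and resetting credentials still has to be decided on its own.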