KPBS Midday Edition

Heartbleed Bug: Is Your Financial Info Vulnerable?
GUEST: Murray Jennex, SDSU professor, specializing in information security and knowledge management

MAUREEN CAVANAUGH: This is KPBS Midday Edition, I'm Maureen Cavanaugh. It's a software bug with a website and a logo. That is not even the strangest thing about Heartbleed; it's a security vulnerability that no one is quite sure has actually been exploited by hackers. Major websites like Google and Netflix say that they've already patched the security breach, but how much information may have already been compromised? That remains a mystery. I would like to welcome my guest Murray Jennex, a professor at the San Diego State University College of Business Administration; he specializes in information security and knowledge management. Murray, it's good to see you. The Heartbleed bug apparently involves an encryption flaw. Can you give us a brief explanation of how this makes consumer information vulnerable?

MURRAY JENNEX: Most consumers, when they connect to e-commerce or something over the web, use SSL, secure socket layer encryption. That creates an encrypted link. It's not really a bug, it's a flaw. This flaw is not in that part of the encryption in particular; that link still works well. What happens is, after you do that communication, this flaw allows someone to go to the server, and it sends that information back to them.

MAUREEN CAVANAUGH: I see, so how does this flaw differ from the kind of threat that the Target security breach was? Remember the one that we went through over the holidays?

MURRAY JENNEX: This is different. No hacker put this in; this was actually put in by a maintenance programmer by accident.

MAUREEN CAVANAUGH: He wrote it wrong?

MURRAY JENNEX: Correct.

MAUREEN CAVANAUGH: In other words, there is no real flaw between you and the merchandiser, but someone can go through the opposite end and say, wait a minute, what was that information that someone just gave you, and it would give it right back to them?

MURRAY JENNEX: Right. After you did your transaction, it allows a query to the server to see if you still wanted to talk to them, and this is where the hacker or someone could ask the server just to dump the information to them.

MAUREEN CAVANAUGH: You used an interesting term, "could." Do we know if anyone has actually done that? Has anyone hacked information by doing this?

MURRAY JENNEX: Today we don't know, and we may never know. The reason is, there is no log, and this has been in the system for two years. It's been a long time; I would just assume that someone has. Because again, since they posted a test to go out and see if a site has it, that tells me it's easy to find out. I'm pretty sure a hacker found it.

MAUREEN CAVANAUGH: And there is no footprint left behind?

MURRAY JENNEX: No footprint.

MAUREEN CAVANAUGH: This news broke last week. What have websites done since then to try to fix this problem?

MURRAY JENNEX: Actually, they had two weeks' time if you were one of the big players, and they fixed it before it was released. Smaller websites just found out about it last week, and they have been trying to catch up and fix it. This time they did something which I kind of found interesting: they released a test that people can use to test a website. That is nice, but that also tells the bad guys they can check websites, find out who is vulnerable, and then go use this flaw.

MAUREEN CAVANAUGH: Without leaving footprints. Now, websites that have fixed this, websites like Google and Netflix and some of the big boys, as you said, they call it a patch. Is this an easy fix?

MURRAY JENNEX: It was; it was a very simple flaw. The programmer simply forgot to check the credentials of the query coming in to check information. All they had to do was put in a couple of little statements and it would fix it quite quickly.

MAUREEN CAVANAUGH: I see. People have been told to change passwords; should you change all of your passwords?

MURRAY JENNEX: Probably. This is one of those flaws that I think affects probably 90% of people. Again, it was nothing anyone personally did, but it's something that affects a lot of people, and if you have an Android phone you are still at risk, because Android phones use OpenSSL.

MAUREEN CAVANAUGH: Oh, the Android phone uses SSL?

MURRAY JENNEX: Yes, it does.

MAUREEN CAVANAUGH: Is there a patch that Android phone users can use?

MURRAY JENNEX: They have not announced it yet, but they have found it there.

MAUREEN CAVANAUGH: Murray, you told us this has been around for approximately two years, this flaw in the encryption. I'm wondering, what good is it to change a password now?

MURRAY JENNEX: Well, actually what I tell people is you should change your passwords now, and in a couple of days change them again, and then probably change them a third time. That is because now that it has been announced, the bad guys know it's there, so they can go out and check. Again, you're right, it does not do anything if someone got your information two years ago, but it will help now.

MAUREEN CAVANAUGH: If it's such a simple flaw in the software, how did it manage to escape detection?

MURRAY JENNEX: Well, OpenSSL is open source software. What that means is no one company owns it; it's actually maintained by volunteers. So the programmer volunteered his time to add a couple of features into the OpenSSL program. He did a modification, and one other person tested it, and they did not test for this particular issue of making sure that he was validating credentials, and so two people basically put the whole world at risk.

MAUREEN CAVANAUGH: Is there an awful lot of this critical software developed and disseminated?

MURRAY JENNEX: This is actually something I have been warning against in information security: our reliance on open source software. You do not know who maintains it. You're not paying anyone to maintain it; it's all volunteers. You're getting the quality of work that you're paying for, sometimes.

MAUREEN CAVANAUGH: You get what you pay for, and this one was free.

MURRAY JENNEX: Absolutely.

MAUREEN CAVANAUGH: This has been called one of the biggest security threats that the internet has ever seen. Can you agree with that?

MURRAY JENNEX: I do agree. This is something put in not by a hacker; it's something put in by accident, and it did not leave any footprints, so it opened up the whole system.

MAUREEN CAVANAUGH: People have been advised to check bank and credit card statements to make sure that no one has access to any of their information. Would we know by now if this was a widespread thing?

MURRAY JENNEX: Not really. We have had so much happen in the last six months between Target and Experian and all of the different companies that have been hacked, and basically, I would assume everyone has been affected. We have had over 200 million Social Security numbers released, and there's only 300 million in the US; that is close to everyone. Almost everyone has a credit card as well. The idea is, of all of these numbers out there, these hundreds of millions of things out there, it takes a while to sell that information and use it. It could be up to a year before your information is actually sold to someone.

MAUREEN CAVANAUGH: Let me go behind the curtains to a sort of conspiracy theory. It's been reported that the NSA knew about this flaw but did not say anything about it. The NSA denies that allegation and says it did not know about it. Which is worse? That they did or that they didn't?

MURRAY JENNEX: It would not surprise me if they did not know about it, because they are not really out there looking at credit card transactions. They are just monitoring the traffic and seeing who talks to who and who is doing what; they're not really a testing organization. It would not surprise me that they did not know, and if they did it would not have helped anyway; that is not the information that they gather. It's interesting to get ID information, but they get that from any number of sources. They did not need this flaw to get what they were collecting.

MAUREEN CAVANAUGH: So this is a true conspiracy theory. You must have seen people blogging that the government may have been using this vulnerability to collect information. You're not buying that.

MURRAY JENNEX: I am not buying that, because the interesting thing is, over the last few months, of all these issues that have come up, none of them have been caused by hackers. There has been no super hack created; it has all been done by people who are responsible for security doing stupid things.

MAUREEN CAVANAUGH: When you advise people, and you must get a lot of people coming to you when they hear things like this, what do you advise them about protecting information online?

MURRAY JENNEX: First off, because of all of these issues, I make people realize that they should not be doing online banking and sharing critical information on a gaming computer or one for browsing; I would separate them out. Second, I always tell people to monitor statements. This is something that has been going on for years; we know people do have this, and it's a good way of making sure that your information has not been used. Then I recommend that you do change passwords periodically.

MAUREEN CAVANAUGH: So, we do have to do new passwords all over again.

MURRAY JENNEX: It is good practice to change passwords periodically, unless you have a good one, and even then it's good to change that. It is a good idea to change every few months.

MAUREEN CAVANAUGH: I've been speaking with Murray Jennex, professor at the San Diego State University College of Business Administration. Murray, thank you so much. You've been listening to KPBS Midday Edition.

Concerned about websites you share your information with? Check out the LastPass Heartbleed checker.

It's said to be the biggest security threat the Internet has ever seen. It's even got its own website and logo. But that's not the strangest thing about the Heartbleed bug: As dangerous as everyone says it is, no one is really sure if hackers have exploited it.

We take a look at what websites are affected and whether your personal information might be vulnerable. Plus, we'll talk about what you can do to protect yourself.