A software flaw in a server extension called "heartbeat," dubbed "Heartbleed," is leaking data from servers and in turn causing severe heartburn for hundreds of thousands of web and email server administrators worldwide.
The flaw afflicts servers that use a package called OpenSSL, one of several software libraries that implement SSL (Secure Sockets Layer) to encrypt data moving to and from their sites.
What that means for consumers is that personal information -- including passwords, account numbers and other sensitive data -- can be, and perhaps already has been, exploited by hackers.
Sites ranging from the FBI to Yahoo and everything in between have been affected. The flaw also potentially affects ATMs that communicate via the web. Google is not affected by the problem and data on Google servers is safe, several experts agree.
What to do
So, what's a consumer to do? Unfortunately, the answer is "not much." Experts say that this would be a good time to take a few days off from doing your banking and e-commerce chores, to avoid revealing your password and other data to anyone who hasn't already stolen it.
Other experts say that, at the very least, this would be a good time to reconcile your bank and investment accounts daily.
If you must use an ATM, it's safest to use one at your bank, rather than an out-of-network machine. While this may not eliminate web-based data transfers, it should at least minimize them.
This is not the time to change your user ID and password. It's best to wait a few days until the vulnerability has been patched. Changing your password now simply makes the new one vulnerable to thieves.
Ironically, SSL is used to secure websites, by encrypting data traveling between the user and online sites. Normally, sites that use SSL are much more secure than sites that don't.
This is one of those times when the front door is locked tightly but the back door is open and swinging in the wind.
Sites around the world are racing to update their server software but it's not an easy fix and it may take several days for larger sites to have everything locked down again.
Common server operating systems that may be affected by the problem include Debian, CentOS, Red Hat, SUSE Linux and Ubuntu.