Heartbleed Hack Will Steal Crown Jewels of Data

REPLAY VIDEO
Your next video will start in
Pause

Recommended Videos

  • Info

  • Comments

  • VIDEO TEXT

April 10 (Bloomberg) –- Codenomicon CEO David Chartier discusses Heartbleed, an encryption flaw which has been found in a secure connection protocol used by millions of websites to encrypt sensitive information, and what you can do to keep your information safe. He speaks to Anna Edwards and Mark Barton on Bloomberg Television’s “Countdown.” (Source: Bloomberg)

Phone from san francisco.

Thank you for joining us.

Give us some context.

How serious is this issue for users and people who operate businesses on the internet?

This is probably one the most serious bugs we have seen in the last five years.

The reason it's so serious is, it involves -- allows an attacker to come in and take your crown jewels or your encryption keys which are used to scramble all your data so it cannot be seen.

It also allows the attacker to access the memory of the machine , using open ssl.

We have been able to take usernames and passwords from our own system and we did the test and lots of other data that ended up in the memory.

As you mentioned in your report, what makes it really serious is, you cannot tell if you have been hacked.

It doesn't leave any forensic trail to go after and see if somebody has been there.

David, will it be the advice of businesses that operate using the web, from small businesses, small retailers, may be managing their own website, to large retailers.

There are websites where you can go and check where your are vulnerable to this.

Exactly.

If you're running a business, basically your i.t. department or provider should be able to tell you very quickly what version of open ssl you are running.

If you're running an old version, you need to patch that very quickly.

You need to throw out the encryption keys you are using and have new keys issued.

Then you can tell your end users to change their passwords.

Should consumers change passwords now or wait until they have had confirmation from service providers that all the necessary patches have been put in place?

To actually need to wait.

They need to ask their service provider if they have done the patch and wait for it by on when they should change their password.

You don't want to change it too soon, because then it doesn't help you.

You should follow the guidance of your provider.

We have seen security reaches at u.s. retailers, the nsa scandal, and now this.

Are you still checking online and sending e-mails this morning?

I'm still doing it.

The internet today is a lot safer than it was a week ago.

Hundreds of houses of the main websites of social media and commerce sites have now upgraded and fixed this bug.

The community, the i.t. security community throughout the world has really been active at getting out the word.

Hundreds of thousands of sites are using it, but the word is going very quickly and people are updating this and fixing it.

The internet is a lot safer today than it was a week ago.

That is the big take away for everybody.

Thank you very much, david.

This text has been automatically generated. It may not be 100% accurate.

Advertisement

BTV Channel Finder

Channel_finder_loader

ZIP is required for U.S. locations

Bloomberg Television in   change