Startling Discovery Shows Websites Are Open to Hackers

The websites you visit are no longer as secure as you thought. A flaw in the encryption software used throughout the Internet opens the door to hackers—but don’t go changing all your passwords yet.

The problem was discovered Tuesday by Finnish researchers at Google and is reported today in a front-page New York Times story. Although television newscasters are warning that our passwords need to be changed immediately, this may not be the case. Managers at major websites such as Yahoo!, Facebook, and Amazon have been scrambling to close the encryption loopholes with “patches.”

Information Technology Security Engineer Adam Goldstein, left, and Chief Information Security Officer Steven Nyman maintain Dartmouth’s defenses against cybercrime. (Photo by Eli Burakian ’00)

“At Dartmouth, we started working on this issue Tuesday and have identified approximately 47 servers in our data center that will require the patch. This work is being scheduled on a priority basis,” says Dartmouth Chief Information Security Officer Steven Nyman.

He says that for users on the Dartmouth wired network, or Dartmouth Secure wireless, the risk of having traffic and passwords compromised is low. He cautions that all users are still potentially at risk when they visit Internet websites (for shopping, banking, etc.). “Obviously, major companies will be patching for this as well, so the window of exposure going forward shouldn’t be that large,” Nyman says.

He does not advocate rushing headlong into a frenzy of password changing. “Until patched, changing passwords won’t help if the user continues to connect to unpatched vulnerable servers within Dartmouth and outside. Since this vulnerability enables hackers to decrypt traffic, passwords aren’t the only thing at risk. Information, including email sent via the Internet, will be at risk if the mail servers are using this vulnerable version of OpenSSL encryption technology.”

Nyman says consumers should be encouraged to change their password once a site has posted notice that it has been patched, thereby severing any links a hacker may have established. In the absence of any further information from a site’s owner, it is still a good idea to make a change, just to be on the safe side, he says.

Joseph Blumberg